Bug 872527 (CVE-2012-4575)
Field | Value | Field | Value
---|---|---|---
Summary | pgbouncer: DoS (pooler server shutdown) by adding database with large name | |
Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov>
Component | vulnerability | Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA | QA Contact |
Severity | medium | Docs Contact |
Priority | medium | |
Version | unspecified | CC | devrim
Target Milestone | --- | Keywords | Security
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2016-06-10 20:23:39 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | 872529 | |
Bug Blocks | | |
Description
Jan Lieskovsky
2012-11-02 10:48:56 UTC
This issue affects the versions of the pgbouncer package as shipped with Fedora releases 16 and 17. Please schedule an update.

Created pgbouncer tracking bugs for this issue:

Affects: fedora-all [bug 872529]

CVE Request: [3] http://www.openwall.com/lists/oss-security/2012/11/02/4

I fixed this in master and f18. Do you think that I should push it also to f17?

The current patch set that I applied also moves the conf file under /etc/pgbouncer/pgbouncer.ini, instead of /etc/pgbouncer.ini. This is an incompatible change for a released version. I can rip it out, but...

BTW I am also maintaining the community RPMs; I used exactly the same patches that I used there. That is the reason for the change.

(In reply to comment #4)
> I fixed this in master and f18.

Thank you for that update, Devrim.

> Do you think that I should push it also to f17?

Regarding the DoS - yes, the patch should be applied to both pgbouncer versions (Fedora-16 and Fedora-17).

> The current patch set that I applied also moves conf file under
> /etc/pgbouncer/pgbouncer.ini, instead of /etc/pgbouncer.ini. This is an
> incompatible change for released version. I can rip it out, but...

It depends on you (to be honest I am not sure what the rules are wrt rebasing packages in Fedora against more recent upstream versions). But if this (moving /etc/pgbouncer.ini to /etc/pgbouncer/pgbouncer.ini) is an upstream decision that is supposed to be supported from now onwards, I would say it's OK to make that change (under the assumption that you would simultaneously rebase the Fedora-16 and Fedora-17 pgbouncer versions to the upstream 1.5.3 one too). The users would need to get accustomed to that change anyway (now or later). And if this is the new *.ini file location (IOW it won't be changed back to the original in two weeks), I would say it's OK. If you would just selectively apply patches (IOW keep Fedora-16 / Fedora-17 still based on the upstream 1.4 version), I would say just fix the DoS and keep the *.ini file in its older / previous location.

> BTW I am also maintaining the community RPMs, I used exactly the same
> patches that I used there. That is the reason of the change.

Ok, understood. See above: if this change is intended to be a long-term option, it's OK to apply that in Fedora too (maybe you could symlink /etc/pgbouncer/pgbouncer.ini to /etc/pgbouncer.ini if you think such a change might cause issues).

Thank you, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/11/02/8