Paul Baker wrote:
All,
I received this question from a customer yesterday (below), and unfortunately I do not have the answer. Please let us know if you know the answer, it would be greatly appreciated...
"What we are trying to figure out is if removing the packages SUNWpostgr-83-devel, SUNWpostgr-83-pl, SUNWpostgr-devel, SUNWpostgr-pl will cause any harm to our systems. For example, in the PDF that you sent yesterday, it states that package SUNWpostgr-pl is part of the core server package.
I am not sure as to what the core server package is, but when you try to remove those packages from prodreg it gives about 2 or 3 warnings on the performing the action.
Just to be on the cautious side, we want to verify that removing those packages will not have any negative impact on our systems. The reasons behind wanting to perform these actions are CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447."
if the customer is using a Solaris supplied version of PostgreSQL,
removing it would cause them a significant amount of grief. If they
aren't, AFAIK, nothing else built into Solaris uses it. If they aren't
using Postgres, and they haven't enabled and configured the service,
those CVE's wouldn't matter. Even if the customer is using Postgres,
if they don't give untrusted users direct database access, those CVE's
have zero impact.
It appears (using the public Sunsolve patchfinder) that the newest
version of PostgreSQL 8.3 that Sun has a patch for is 8.3.9 (138826-06
or 138827-06), while 8.3.11 has been out for about a month now, and
fixes these CVEs.
(note, I'm just a random subscriber to the pgsql-general email list who
happens to occasionally use Solaris. and even runs PostgreSQL on it, so
i speak for noone official)
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general