[GTALUG] Debian postgresql security advisory

Giles Orr gilesorr at gmail.com
Fri Aug 12 11:12:43 EDT 2016


On 11 August 2016 at 17:27, Giles Orr <gilesorr at gmail.com> wrote:
> Debian issued a security advisory for postgresql today:
> https://www.debian.org/security/2016/dsa-3646 .  So I want to upgrade
> my pgsql install on stable.  The advisory says "these problems have
> been fixed in version 9.4.9-0+deb8u1."  I upgraded, and found myself
> with version 9.4+165+deb8u1.  And this has me very confused,
> particularly since the online database (
> https://packages.debian.org/search?searchon=sourcenames&keywords=postgresql-9.4
> ) shows the jessie version recommended by the advisory.  If I run
> "lsb_release -c" I get "Codename:    jessie" in response.  The
> sources.list is basic but complete(?):
>
> deb http://http.debian.net/debian jessie main
> deb http://security.debian.org/ jessie/updates main
> deb http://http.debian.net/debian jessie-updates main
>
> (I've left out the deb-src statements.)
>
> First, why the discrepancy?  Second, where do I go to find out what
> went into the current package?  i.e. is there a place to look that will
> say "9.4+165+deb8u1 was compiled for X reason?"
>
> I installed a new virtual machine from a fresh download of
> debian-8.5.0-amd64-netinst.iso.  A final "apt-get update ; apt-get
> dist-upgrade" finds me at the same 9.4+165+deb8u1.

The security advisory was against "postgresql-9.4", but I updated
"postgresql" - that seems reasonable, right?  No, you literally have
to do "apt-get install postgresql-9.4" - with the numbers - to install
the correct package.  The installation of two separate packages like
that seems counter-intuitive and misleading ... although I can also
guess at the reasons for it.  But one would hope that upgrading one
would haul the other with it.  <sigh>

-- 
Giles
http://www.gilesorr.com/
gilesorr at gmail.com

