

Security Release FAQ - teoruiz
http://www.postgresql.org/support/security/faq/2013-04-04/

======
throwaway1460
> Who discovered the vulnerability?
> Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center while conducting a security audit.

I'm not surprised. Some years ago I worked for a company that had NTT as a
customer, and they were easily an order of magnitude more thorough and careful
than anyone else. We used to joke that they knew our product better than we
did.

------
craigkerstiens
Here is our official response from Heroku Postgres –
[https://postgres.heroku.com/blog/past/2013/4/4/postgres_secu...](https://postgres.heroku.com/blog/past/2013/4/4/postgres_security_updates_and_your_heroku_postgres_database/)

------
facorreia
In relation to the criticism about Heroku's early access: "Heroku was given
access to updated source code which patched the vulnerability at the same time
as other packagers. Because Heroku was especially vulnerable, the PostgreSQL
Core Team worked with them both to secure their infrastructure and to use
their deployment as a test-bed for the security patches, in order to verify
that the security update did not break any application functionality. Heroku
has a history both of working closely with community developers, and of
testing experimental features in their PostgreSQL service."

------
badgar
> Any system that allows unrestricted access to the PostgreSQL network port,
> such as users running PostgreSQL on a public cloud, is especially
> vulnerable.

Heroku allows unauthenticated access to the Postgres port to anyone on the
Internet? I guess that makes development a lot faster for users... nobody has
to think about the implications of secured ports if you just punt on securing
them.

~~~
nathanstitt
I believe they mean unrestricted as in not behind a firewall.

Heroku still requires authentication, but doesn't filter access by IP. If
someone wanted to, they could port-scan all of Heroku's (and really Amazon's)
internal network and find quite a few PostgreSQL servers listening on network
ports.

That's what this is intended to prevent.
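The distinction nathanstitt draws (authentication required, but any address on the Internet may reach the port) shows up directly in `pg_hba.conf`. Below is an added example, not code from the thread or from the PostgreSQL project, that audits a `pg_hba.conf` for host rules whose address range admits every client or that use `trust`; the sample file contents are constructed for illustration, and the "broad public range" thresholds are the author's assumption, not a PostgreSQL rule.

```python
"""Audit a pg_hba.conf for rules that let any client reach the authentication
step. Added example; the sample file below is constructed, not a real config."""
import ipaddress

# Constructed sample: wide-open rules next to properly scoped ones.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER  ADDRESS          METHOD
local    all       all                    peer
host     all       all   127.0.0.1/32     md5
host     all       all   0.0.0.0/0        md5      # reachable from anywhere (v4)
host     all       all   ::/0             md5      # reachable from anywhere (v6)
host     app       app   10.0.0.0/8       md5      # scoped to a private range
hostssl  app       app   10.1.2.0/24      trust    # no password on a whole subnet
"""

# Assumed thresholds: a public range wider than this is flagged as "broad".
BROAD_PUBLIC_PREFIX = {4: 24, 6: 64}


def _is_ip(token):
    """True if the token parses as a bare IPv4/IPv6 address (used for the
    two-field 'ADDRESS MASK' form that pg_hba.conf also accepts)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Yield (lineno, fields) for each rule, dropping comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()


def audit_pg_hba(text):
    """Return [(lineno, reason)] for network rules that admit every address,
    cover a broad public range, or skip authentication with 'trust'."""
    findings = []
    for lineno, fields in parse_pg_hba(text):
        if fields[0] == "local":
            continue  # Unix-socket rules do not expose the TCP port
        if len(fields) < 5:
            findings.append((lineno, "malformed host rule"))
            continue
        address, rest = fields[3], fields[4:]
        # Fold the separate netmask form ("10.0.0.0 255.0.0.0") into CIDR.
        if "/" not in address and rest and _is_ip(rest[0]):
            address, rest = f"{address}/{rest[0]}", rest[1:]
        method = rest[0] if rest else ""
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            # Keywords (all, samehost, samenet) or hostnames; only 'all' is
            # unconditionally open.
            if address == "all":
                findings.append((lineno, "address 'all' matches every client"))
            net = None
        if net is not None:
            if net.prefixlen == 0:
                findings.append((lineno, f"{address} admits every client address"))
            elif not net.is_private and net.prefixlen < BROAD_PUBLIC_PREFIX[net.version]:
                findings.append((lineno, f"{address} is a broad public range"))
        if method == "trust":
            findings.append((lineno, f"'trust' on {address} skips authentication"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{lineno}: {reason}")
```

Note that `pg_hba.conf` only decides what the server does once a client has already connected to the port; it does not stop the connection from being made. Filtering by IP at the network layer, which is what nathanstitt says Heroku does not do, is a separate control (a firewall or security group), and this audit only shows which rules leave the authentication step reachable from anywhere.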

~~~
badgar
> Heroku still requires authentication, but doesn't filter access by ip.

Which means unauthenticated access _to the postgres port_ as I said in my
post. I didn't say "unauthenticated access to postgres" which would be plainly
ridiculous.

