Security: Change your PostgreSQL database password

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Security: Change your PostgreSQL database password

Lukas Reschke-2
Hey all,

With todays release we fixed a major security vulnerability related to our
installation routine. (oC-SA-2013-015, CVE-2013-1941)

In our installation process, a new database user is generated with a random
password. However, our PostgreSQL setup routine was using the PHP function
time() as random source, which allows an attacker to guess the database
password very easily.

We highly recommend any PostgreSQL user to change the database password
(have a look at config/config.php). Sorry for any inconvenience this might
cause.

Thanks,
Lukas

--
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.owncloud.org/pipermail/announcements/attachments/20130411/6c567756/attachment.html>