Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1uOI8B-000off-HF
	for pgsql-bugs@arkaria.postgresql.org; Sun, 08 Jun 2025 15:40:19 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1uOI88-001qZk-Eh
	for pgsql-bugs@arkaria.postgresql.org; Sun, 08 Jun 2025 15:40:17 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1uOI88-001qZc-6Z
	for pgsql-bugs@lists.postgresql.org; Sun, 08 Jun 2025 15:40:16 +0000
Received: from sss.pgh.pa.us ([68.162.161.243])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1uOI86-000uCD-2W
	for pgsql-bugs@lists.postgresql.org;
	Sun, 08 Jun 2025 15:40:16 +0000
Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1])
	by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 558FeBrd182095;
	Sun, 8 Jun 2025 11:40:11 -0400
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jim Jones <jim.jones@uni-muenster.de>
cc: Michael Paquier <michael@paquier.xyz>, pgsql-bugs@lists.postgresql.org,
        maralist86@mail.ru
Subject: Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NUL
In-reply-to: <ccbc7e75-6ae7-4ec8-bff9-d6c4ce5dd42e@uni-muenster.de>
References: <18943-2f2a04ab03904598@postgresql.org> <aD001M5BUG9GwF_Y@paquier.xyz> <aD53hVjiW-9C29VT@paquier.xyz> <861593.1748970933@sss.pgh.pa.us> <aEEingzOta_S_Nu7@paquier.xyz> <CAPLXN34Dr3Gbi+xJ6BgCeTyBJkMVe3cn7qxoADV72rC9ZHeBtQ@mail.gmail.com> <d2410ca0-c0dd-4f63-9e70-3d7a62a5d705@uni-muenster.de> <b35e2342-0f02-4365-94cf-55052ac9bda1@uni-muenster.de> <aEKCoNIfLxjyKY3r@paquier.xyz> <31f3480e-cd7d-4021-b392-87922572cc37@uni-muenster.de> <aETzMep2fGfB0AIp@paquier.xyz> <ccbc7e75-6ae7-4ec8-bff9-d6c4ce5dd42e@uni-muenster.de>
Comments: In-reply-to Jim Jones <jim.jones@uni-muenster.de>
	message dated "Sun, 08 Jun 2025 10:33:17 +0200"
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <182093.1749397211.1@sss.pgh.pa.us>
Date: Sun, 08 Jun 2025 11:40:11 -0400
Message-ID: <182094.1749397211@sss.pgh.pa.us>
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: <https://www.postgresql.org/message-id/182094.1749397211%40sss.pgh.pa.us>
Precedence: bulk

Jim Jones <jim.jones@uni-muenster.de> writes:
> Out of curiosity, why aren't we applying this to v18?

Our risk-aversion level rises steadily over the course of a release
cycle, and is pretty high post beta1.  While I think the problems
we're trying to fix here are real, they are very low-probability
(I don't recall hearing any field reports traceable to this).
And you have to remember there is also some risk of introducing
new bugs.  On balance it's not a change I would back-patch, and
at this point v18 is pretty close to being a stable branch so
it's not getting fixes we wouldn't back-patch, unless that's
because they are in new-in-18 code.

tl;dr: I agree with Michael's choice to hold it for v19.
It's a judgment call of course, but I think it's the right one.

			regards, tom lane