Subject: Re: Security information page
From: Neil Conway
To: Tom Lane
Cc: Magnus Hagander, pgsql-www@postgresql.org, Simon Riggs
Date: Sun, 27 Nov 2005 17:35:54 -0500
Message-Id: <1133130954.8928.13.camel@localhost.localdomain>
In-Reply-To: <2803.1133111793@sss.pgh.pa.us>
References: <6BCB9D8A16AC4241919521715F4D8BCE92E8A9@algol.sollentuna.se> <2803.1133111793@sss.pgh.pa.us>
X-Archive-Number: 200511/160

On Sun, 2005-11-27 at 12:16 -0500, Tom Lane wrote:
> The list seems a bit short; did you look through the release notes for
> items that seem to be security issues? I suspect there are some that
> don't have CVE names.

"Add checks for invalid field length in binary COPY (Tom)" in 7.4.3 should probably be included.

If we're not going to describe issues with 7.2 and earlier releases (which is probably reasonable), I think we should back off the claim that "all known" security issues are listed. Personally, I think we shouldn't make the latter claim anyway: for example, whether COALESCE(NULL, NULL) dumping core (fixed in 8.0.3) is a "security issue" is often in the eye of the beholder.

From the page: "Our approach covers fail-safe configuration options, a secure and robust database server as well as good integration with other security infrastructure software." What "good integration with other security infrastructure" can PGDG legitimately take credit for?

-Neil