To: "Ferindo Middleton"
cc: pgsql-bugs@postgresql.org
Subject: Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities
Date: Fri, 18 Nov 2005 09:32:43 -0500
Message-ID: <5821.1132324363@sss.pgh.pa.us>
From: Tom Lane

"Ferindo Middleton" writes:
> This bug report involves more than one proposed bug. I work at a federal
> government agency. The information technology division at this agency
> refuses to allow the database version 8.0.4 on their network because of
> several security vulnerabilities they noticed when testing the software
> application.

They obviously haven't "tested" anything --- they are merely reading the CVE reports for old Postgres versions. All known CVE problems are resolved in 8.0.4.

(If they were actually serious about security, they wouldn't be letting you run Windows 2000 inside their network, but I digress.)

regards, tom lane