From: Magnus Hagander <[email protected]>
To: Neil Conway <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Cc: Simon Riggs <[email protected]>
Subject: Re: Security information page
Date: Mon, 28 Nov 2005 09:29:24 +0100
Message-ID: <[email protected]>
> > The list seems a bit short; did you look through the release notes for
> > items that seem to be security issues? I suspect there are some that
> > don't have CVE names.
>
> "Add checks for invalid field length in binary COPY (Tom)" in
> 7.4.3, should probably be included.
Yeah. I got that one going through the release notes, had a hard time
finding the actual fix that went along with it to figure out what it
did. Got a reference from Tom now, so I'll add it right away.
> If we're not going to describe issues with 7.2 and earlier
> releases (which is probably reasonable), I think we should
> back off the claim that "all known" security issues are
> listed.
The page clearly says "Please note that versions prior to 7.3 are no
longer supported and vulnerabilities for these versions are not included
in this list". So it should be pretty clear. I'll add something about
them not being fixed either :-)
> Personally I think we shouldn't make the latter
> claim, anyway: for example, whether COALESCE(NULL, NULL)
> dumping core (fixed in 8.0.3) is a "security issue"
> is often in the eye of the beholder.
If we (the PGDG) believe that is a security issue, it should be on the
list. And it should be back-patched to other stable branches - has this
been done?
> From the page:
>
> "Our approach covers fail-safe configuration options, a
> secure and robust database server as well as good integration
> with other security infrastructure software."
>
> What "good integration with other security infrastructure"
> can PGDG legitimately take credit for?
Um, I dunno really :-) Simon?
I guess the reference to the fact that we publish all required details
for them to scan for it etc...
//Magnus