Subject: Re: [pgsql-www] Security information page
From: "Magnus Hagander"
To: "Neil Conway", "Tom Lane"
Cc: , "Simon Riggs"
Date: Mon, 28 Nov 2005 09:29:24 +0100
Message-ID: <6BCB9D8A16AC4241919521715F4D8BCE6C7C5F@algol.sollentuna.se>

> > The list seems a bit short; did you look through the
> > release notes for items that seem to be security issues?
> > I suspect there are some that don't have CVE names.
>
> "Add checks for invalid field length in binary COPY (Tom)" in
> 7.4.3, should probably be included.

Yeah. I got that one going through the release notes, had a hard time
finding the actual fix that went along with it to figure out what it did.
Got a reference from Tom now, so I'll add it right away.

> If we're not going to describe issues with 7.2 and earlier
> releases (which is probably reasonable), I think we should
> back off the claim that "all known" security issues are
> listed.

The page clearly says "Please note that versions prior to 7.3 are no
longer supported and vulnerabilities for these versions are not included
in this list". So it should be pretty clear. I'll add something about
them not being fixed either :-)

> Personally I think we shouldn't make the latter
> claim, anyway: for example, whether COALESCE(NULL, NULL)
> dumping core (fixed in 8.0.3) is a "security issue"
> is often in the eye of the beholder.

If we (the PGDG) believe that is a security issue, it should be on the
list. And it should be back-patched to other stable branches - has this
been done?

> From the page:
>
> "Our approach covers fail-safe configuration options, a
> secure and robust database server as well as good integration
> with other security infrastructure software."
>
> What "good integration with other security infrastructure"
> can PGDG legitimately take credit for?

Um, I dunno really :-) Simon? I guess the reference to the fact that we
publish all required details for them to scan for it etc...

//Magnus