public inbox for [email protected]
From: Tom Lane <[email protected]>
To: Magnus Hagander <[email protected]>
Cc: Neil Conway <[email protected]>
Cc: [email protected]
Cc: Simon Riggs <[email protected]>
Subject: Re: Security information page
Date: Mon, 28 Nov 2005 09:12:43 -0500
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
"Magnus Hagander" <[email protected]> writes:
>> Personally I think we shouldn't make the latter
>> claim, anyway: for example, whether COALESCE(NULL, NULL)
>> dumping core (fixed in 8.0.3) is a "security issue"
>> is often in the eye of the beholder.
> If we (the PGDG) believe that is a security issue, it should be on the
> list. And it should be back-patched to other stable branches - has this
> been done?
2005-04-10 16:57 tgl
* src/backend/optimizer/util/: clauses.c (REL7_4_STABLE), clauses.c
(REL8_0_STABLE), clauses.c: Make constant-folding produce sane
output for COALESCE(NULL,NULL), that is a plain NULL and not a
COALESCE with no inputs. Fixes crash reported by Michael
Williamson.
It wasn't back-patched further because earlier versions don't have the
bug.
In general, I think we consider any potential server core dump to be a
security issue, if it can be provoked by unprivileged users. Even if
it's not exploitable in any other way, denial-of-service is still a
security concern.
regards, tom lane