Re: Security information page - Mailing list pgsql-www

From Neil Conway
Subject Re: Security information page
Date
Msg-id 1133130954.8928.13.camel@localhost.localdomain
Whole thread Raw
In response to Re: Security information page  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Security information page
List pgsql-www
On Sun, 2005-11-27 at 12:16 -0500, Tom Lane wrote:
> The list seems a bit short; did you look through the release notes for
> items that seem to be security issues?  I suspect there are some that
> don't have CVE names.

"Add checks for invalid field length in binary COPY (Tom)" in 7.4.3,
should probably be included.

If we're not going to describe issues with 7.2 and earlier releases
(which is probably reasonable), I think we should back off the claim
that "all known" security issues are listed. Personally I think we
shouldn't make the latter claim, anyway: for example, whether
COALESCE(NULL, NULL) dumping core (fixed in 8.0.3) is a "security issue"
is often in the eye of the beholder.

From the page:

"Our approach covers fail-safe configuration options, a secure and
robust database server as well as good integration with other security
infrastructure software."

What "good integration with other security infrastructure" can PGDG
legitimately take credit for?

-Neil



pgsql-www by date:

Previous
From: "Magnus Hagander"
Date:
Subject: Re: Security information page
Next
From: Simon Riggs
Date:
Subject: Re: Security information page