After some discussion the pgsql-security team has decided that we must
treat this bug as a security issue:
http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php
because an unprivileged user can crash his backend and thereby create
a denial-of-service situation. There's no point in secrecy though,
since the bug is already public. Rather, this just means that we will
make a set of back-branch releases shortly, whereas we probably wouldn't
have done new ones for awhile otherwise.
The proposed fixes for the bug are already in CVS, but what we need now
is for people to study and test the fixes. This is (at least) the third
time we've gone back to re-address the area of crashes caused by
failures in error message translation/conversion :-(. So even though
I believe we got it right this time, it could definitely do with more
eyeballs. Please take a look and see if you can break it.
Also, if you've got pending fixes or bug reports for back branches,
now's a good time to get them sent in. We have not set a release
date yet but it'll likely happen in a week or so.
regards, tom lane
