Re: Probably security hole in postgresql-7.4.1 - Mailing list pgsql-hackers

From Bruno Wolff III
Subject Re: Probably security hole in postgresql-7.4.1
Date
Msg-id 20040512180506.GA4372@wolff.to
Whole thread Raw
In response to Re: Probably security hole in postgresql-7.4.1  (Shachar Shemesh <psql@shemesh.biz>)
Responses Re: Probably security hole in postgresql-7.4.1
List pgsql-hackers
On Wed, May 12, 2004 at 10:46:00 +0300, Shachar Shemesh <psql@shemesh.biz> wrote:
> Industry practices dictate that we do issue SOMETHING now. The bug is 
> now public, and can be exploited.

The description of the problem indicates that it can only be exploited
after you have authenticated to the database. Since people who can
connect to a postgres database can already cause denial of service
attacks, this problem isn't a huge deal. It makes breaches in other
programs (web server process especially) worse and provides another
way for authorized users to cause problems.

A release should probably be made soon, as a way to advertise the problem
so that people are aware of it and can take appropiate steps. I don't think
that this problem warrants bypassing normal minor release proceedure.


pgsql-hackers by date:

Previous
From: Thomas Hallgren
Date:
Subject: Parser change needed?
Next
From: "Marc G. Fournier"
Date:
Subject: Re: threads stuff/UnixWare