Simon Riggs wrote:
> On Fri, 2005-11-18 at 09:32 -0500, Tom Lane wrote:
> > All known CVE problems are resolved in 8.0.4.
>
> I was unaware of this. I've looked at the release notes and searched the
> archives, but this doesn't seem to be mentioned by CVE number. (The
> vulnerabilities and their resolutions are described, just without direct
> cross reference to their CVE number.)
>
> Do we have an on-project description of this? If we-as-a-project know
> this, it seems straightforward to write it down.
>
> It seems like we need a much clearer resource for security admins to
> check our compliance levels. This could be a source of similar
> refusal-to-implement PostgreSQL at other installations, so could almost
> be regarded as an advocacy issue. Other software projects have been
> criticized badly for their security response and info dissemination - I
> don't believe that applies here, but it does indicate the general
> requirement and its priority. i.e. don't just fix the bugs, tell
> everyone you've fixed the bugs.
>
> Or, at very least, put stronger security warnings onto the releases. (My
> own advice is always to watch for announcements and stay current).
Well, as the original poster mentioned, they were looking for a reason
_not_ to use PostgreSQL, and if that is the goal, you can find a reason,
error numbers or not.
I am not excited about referencing error numbers from someone else. We
know our errors better than anyone else, so I don't see the point.
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square,
Pennsylvania19073