Re: [GENERAL] PostgreSQL 7.2.2: Security Release - Mailing list pgsql-hackers

From Tom Lane
Subject Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Date
Msg-id 25492.1030163864@sss.pgh.pa.us
In response to Re: [GENERAL] PostgreSQL 7.2.2: Security Release  ("Marc G. Fournier" <scrappy@hub.org>)
Responses Re: [GENERAL] PostgreSQL 7.2.2: Security Release  (Lamar Owen <lamar.owen@wgcr.org>)
List pgsql-hackers
"Marc G. Fournier" <scrappy@hub.org> writes:
> Right, but you have to get a connection to the backend in order to crash
> it ... no?

The point was that it might be possible to exploit this with only
indirect access to the database, such as entering "date" information
into a webform that would hand off the value to the database with
little or no checking.  Most of the risks we've been discussing require
the ability to issue chosen SQL commands, but this one only requires
the ability to determine a data value that's used in a SQL command.
Big difference.
        regards, tom lane
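
Added example, not part of the original message or of PostgreSQL: a web-tier check for the "date" form field scenario described above, so the database only ever receives a value the application has already parsed into a typed date. The message does not say which values trigger the crash, so the policy here (ISO `YYYY-MM-DD` only, 10-character cap) and all names and sample inputs are assumptions.

```python
import re
from datetime import date

# Assumed policy (not from the thread): the form accepts ISO calendar dates only.
MAX_LEN = 10  # len("YYYY-MM-DD")
# re.ASCII keeps \d to 0-9; int() alone would also accept other Unicode digits.
_ISO_DATE = re.compile(r"\A(\d{4})-(\d{2})-(\d{2})\Z", re.ASCII)


class RejectedInput(ValueError):
    """Raised when a form value must not be handed to the database."""


def parse_form_date(raw):
    """Return a datetime.date, or raise RejectedInput. Raw text is never forwarded."""
    if not isinstance(raw, str):
        raise RejectedInput("not a string")
    # Length check comes first so an oversized value is never parsed at all.
    if len(raw) > MAX_LEN:
        raise RejectedInput("too long")
    m = _ISO_DATE.match(raw)
    if m is None:
        raise RejectedInput("not YYYY-MM-DD")
    year, month, day = map(int, m.groups())
    try:
        # Rejects impossible dates such as 2002-02-30 or year 0000.
        return date(year, month, day)
    except ValueError as exc:
        raise RejectedInput(str(exc)) from None


def screen(values):
    """Split form values into (accepted dates, rejected raw strings)."""
    accepted, rejected = [], []
    for v in values:
        try:
            accepted.append(parse_form_date(v))
        except RejectedInput:
            rejected.append(v)
    return accepted, rejected


# Constructed sample inputs, not taken from any real report.
SAMPLES = [
    "2002-08-24",                 # well-formed
    "2002-02-30",                 # right shape, impossible date
    "24 Aug 2002",                # free-form text
    "2002-08-24" + "0" * 500,     # oversized value
    "\uff12\uff10\uff10\uff12-08-24",  # full-width digits, 10 chars long
]
```

Binding the returned `date` object as a query parameter means the driver serialises a value the application constructed, rather than passing the user's original string to the backend's date parser.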
