Re: Probably security hole in postgresql-7.4.1 - Mailing list pgsql-hackers

From Shachar Shemesh
Subject Re: Probably security hole in postgresql-7.4.1
Date
Msg-id 40A1D638.2040701@shemesh.biz
Whole thread Raw
In response to Re: Probably security hole in postgresql-7.4.1  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Probably security hole in postgresql-7.4.1  (Greg Stark <gsstark@mit.edu>)
Re: Probably security hole in postgresql-7.4.1  (Bruno Wolff III <bruno@wolff.to>)
List pgsql-hackers
Tom Lane wrote:

>Bruce Momjian <pgman@candle.pha.pa.us> writes:
>
>>Should we be thinking about a 7.4.3?
>
>I'm not panicking over this particular bug ... but it does seem like
>we've accumulated enough fixes since 7.4.2 that it may be time to start
>thinking about another dot-release.  Maybe set a date towards the end of
>the month?
>
>            regards, tom lane
>
Industry practices dictate that we do issue SOMETHING now. The bug is 
now public, and can be exploited.

This does not necessarily have to be 7.4.3. We can issue 7.4.2.1, 
containing only this fix, so that people who need to expose their 
database are not left open to attacks.

Also, if we want greater flexibility in handling these cases in the 
future, we should set up an invite-only list for reporting security 
bugs, and advertise it on the web site as the place to report security 
issues. Had this vulnerability been reported there, we could reasonably 
hold on without releasing a fix until 7.4.3 was ready.

If you need help in that list, I have a lot of experience with code 
security, but very little experience with the Postgresql code. Also, it 
would be a good idea to invite all the distro-packagers to be on that list.
            Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/


