Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept
Date
Msg-id 6BCB9D8A16AC4241919521715F4D8BCE92E8A0@algol.sollentuna.se
Whole thread Raw
List pgsql-hackers
> > > > We really should write the CVE numbers into the commit messages
> > > > and the release notes.
> > >
> > > I think that would be good.
> >
> > That requires the CVE number to be available at the time of commit.
> > Not sure if it'll always be. But if it is, it's certainly a
> good idea
> > to put it in.
>
> I think that depends on who discovers it. CVEs are assigned
> even if it's not clear that the vulnerability is exploitable.
> In anycase, some distributors (like Debian) already track
> CVEs on your behalf. In general they refer to the CVE when
> releasing fixes.

Right. This is exactly why it's good to have a list of our own, so ppl
can cross reference.


> In any case, PostgreSQL already seems to have had 29 CVEs logged:
>
> http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql

Not quite that many. Several of those are not for postgresql at all, but
for third party products *using* postgresql.

//Magnus


pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: SHOW ALL output too wide
Next
From: Alvaro Herrera
Date:
Subject: Re: SHOW ALL output too wide