Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL - Mailing list pgsql-hackers

From Dann Corbit
Subject Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Msg-id D90A5A6C612A39408103E6ECDD77B82920D177@voyager.corporate.connx.com
In response to @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL  (Sir Mordred The Traitor <mordred@s-mail.com>)
Responses How To Make Things Appear More Dramatic  (cbbrowne@cbbrowne.com)
Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL  (Lamar Owen <lamar.owen@wgcr.org>)
List pgsql-hackers
> -----Original Message-----
> From: Lamar Owen [mailto:lamar.owen@wgcr.org]
> Sent: Monday, August 26, 2002 10:50 AM
> To: Bruce Momjian; Tom Lane
> Cc: Sir Mordred The Traitor; pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
>
> On Monday 26 August 2002 12:59 pm, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > It may indeed make sense to put a range check here, but I'm getting
> > > tired of hearing the words "dos attack" applied to conditions that
> > > cannot be exploited to cause any real problem.  All you are
> > > accomplishing is to spread FUD among people who aren't sufficiently
> > > familiar with the code to evaluate the seriousness of problems...
>
> > It isn't fun to have our code nit-picked apart, and Sir-* is
> > over-hyping the vulnerability, but it is a valid concern.  The length
> > should probably be clipped to a reasonable length and a comment put in
> > the code describing why.
>
> The pseudo-security-alert format used isn't terribly palatable here, IMHO.  On
> BugTraq it might fly -- but not here.

An alarmist style when posting a serious error is a good idea.
"Hey guys, I found a possible problem..." does not seem to generate the
needed level of excitement.  DoS attacks mean that business stops.  I think
that should generate a furrowed brow, to say the least.

> A simple 'Hey guys, I found a possible problem when.....' without the
> big-sounding fluff would sit better with me, at least.  The substance of
> the message is perhaps valuable -- but the wrapper distracts from the
> substance.

As long as the needed data is included (here is how to reproduce the
problem...) I don't see any problem.

> And dealing with a real name would be nice, IMHO.  Otherwise we may end up
> with 'SMtT' as the nickname -- Hmmm, 'SMitTy' perhaps?  :-)  Reminds me of
> 'Uncle George' who did quite a bit for the Alpha port and then disappeared.

If he wants to call himself 'Sir Mordred' or 'Donald Duck' or 'Jack the
Ripper' or whatever, I don't see how it matters.  He is providing a
valuable service by locating serious problems.  These are the sort of
thing that must be addressed.  This is the *EXACT* sort of information
that is needed to make PostgreSQL become as robust as Oracle,
SQL*Server, DB/2, etc.

Every free database engine project should be so lucky as to have a 'Sir
Mordred'.

IMO-YMMV.
