Thread: MySQL worm attacks Windows servers
Chris,

> http://www.theregister.co.uk/2005/01/28/mysql_worm/

Yep. And each time someone asks you "But why can't I install PostgreSQL as Administrator" you can point them to that worm ....

--
Josh Berkus
Aglio Database Solutions
San Francisco
Cross-posting to general due to more general nature of response

Josh Berkus wrote:
> Chris,
>
>> http://www.theregister.co.uk/2005/01/28/mysql_worm/
>
> Yep. And each time someone asks you "But why can't I install PostgreSQL as
> Administrator" you can point them to that worm ....

Now, if PostgreSQL is installed with TRUST authentication for remote ports, can't one try to create an untrusted language and function that will cause the system to scan for other such servers and connect, thereby spreading a worm? Of course most of the PostgreSQL instances I have seen are behind firewalls, but I don't think we are that invulnerable.

Maybe we should set the default authentication to only use TRUST on local sockets only. At least as of 7.4, the default was to trust network ports.

Best Wishes,
Chris Travers
Metatron Technology Consulting
On Sat, Jan 29, 2005 at 00:34:07 -0800, Chris Travers <chris@travelamericas.com> wrote:
>
> Maybe we should set the default authentication to only use TRUST on
> local sockets only. At least as of 7.4, the default was to trust
> network ports.

I believe the previous default was not to allow network connections by default. For 8.0 only network connections from localhost are allowed by default.

No one in their right mind is going to use trust authentication on connections from random IP addresses. And in most cases they aren't even going to allow connections from random IP addresses.
Chris Travers <chris@travelamericas.com> writes:
> Maybe we should set the default authentication to only use TRUST on
> local sockets only. At least as of 7.4, the default was to trust
> network ports.

Perhaps you should check your facts before posting.

regards, tom lane
Chris,

> Maybe we should set the default authentication to only use TRUST on
> local sockets only. At least as of 7.4, the default was to trust
> network ports.

If you know of a PostgreSQL package, from any source, that installs with trust on network ports, please notify Core (and Core only, please).

--
Josh Berkus
Aglio Database Solutions
San Francisco
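As an added illustration of the pg_hba.conf point argued in the messages above (example code written for this page, not from any poster or from the PostgreSQL project): a small checker that parses pg_hba.conf records and reports TCP entries granting `trust` to anything beyond the loopback interface, the configuration the 8.0 default described above avoids. The sample configuration and all function names are constructed for the example.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from any post in the thread).
# Two entries grant 'trust' to peers beyond the loopback interface.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              trust
host    all       all   127.0.0.1/32               trust
host    all       all   ::1/128                    md5
host    all       all   0.0.0.0/0                  trust
host    all       all   192.168.0.0 255.255.0.0    trust
hostssl all       all   10.0.0.0/8                 md5
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples for each record.
    'local' records carry no address; 'host*' records may give the mask either
    as a CIDR suffix or as a separate dotted netmask field."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 4:
            records.append((fields[0], fields[1], fields[2], None, fields[3]))
        elif len(fields) >= 5:
            address, method_idx = fields[3], 4
            if len(fields) >= 6 and _is_ip(fields[4]):   # separate netmask form
                address, method_idx = fields[3] + "/" + fields[4], 5
            records.append((fields[0], fields[1], fields[2], address, fields[method_idx]))
    return records

def is_loopback_only(address):
    """True only when the address spec covers nothing but loopback addresses."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:          # hostnames, 'all', 'samehost' ...: not provably loopback
        return False

def find_network_trust(text):
    """List (type, address) for every TCP entry using 'trust' for non-loopback peers."""
    return [(ctype, address)
            for ctype, _db, _user, address, method in parse_pg_hba(text)
            if ctype != "local" and method.lower() == "trust"
            and not is_loopback_only(address)]

if __name__ == "__main__":
    for ctype, address in find_network_trust(SAMPLE_PG_HBA):
        print(f"trust on network entry: {ctype} {address}")
```

Unix-socket `local ... trust` entries are deliberately not reported, since the thread treats trust on local sockets as the acceptable default; anything the checker cannot resolve to loopback (hostnames, `all`, `samehost`) is reported conservatively.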
Josh Berkus wrote:
> If you know of a PostgreSQL package, from any source, that installs with trust
> on network ports, please notify Core (and Core only, please).

Why only -core?

-Neil
On Sun, 30 Jan 2005 20:23:15 +1100, Neil Conway <neilc@samurai.com> wrote:
> Josh Berkus wrote:
>> If you know of a PostgreSQL package, from any source, that installs with trust
>> on network ports, please notify Core (and Core only, please).
>
> Why only -core?

I think it is in good taste that when you find a bug/vulnerability/etc first you contact the author (in this case: core), leave them some time to fix the problem and then go on announcing it to the world. I think it is perfectly reasonable!

Regards,
Dawid
Dawid Kuroczko wrote:
> I think it is in good taste that when you find a
> bug/vulnerability/etc first you contact the author (in this case:
> core), leave them some time to fix the problem and then go on
> announcing it to the
> world.

In this case, core is not the author of the object in question. And of course, to report a "bug/vulnerability/etc" you would write to pgsql-bugs, not core.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/
On Sun, 30 Jan 2005 16:18:53 +0100, Peter Eisentraut <peter_e@gmx.net> wrote:
> Dawid Kuroczko wrote:
>> I think it is in good taste that when you find a
>> bug/vulnerability/etc first you contact the author (in this case:
>> core), leave them some time to fix the problem and then go on
>> announcing it to the
>> world.
>
> In this case, core is not the author of the object in question. And of
> course, to report a "bug/vulnerability/etc" you would write to
> pgsql-bugs, not core.

Well, if some pgsql distribution (say a Foo Package Manager packet for FooBar *nix) has a modified pg_hba.conf then indeed this FooBar *nix can be considered as pg_hba.conf's author. Anyhow I still think >>core<< can be considered as original author of pg_hba.conf default contents.

...and right you are, pgsql-bugs is the right place.

But all this discussion is getting pointless so I shall from now on abstain from sending to this thread. ;)

Regards,
Dawid
Peter Eisentraut <peter_e@gmx.net> writes:
> Dawid Kuroczko wrote:
>> I think it is in good taste that when you find a
>> bug/vulnerability/etc first you contact the author (in this case:
>> core), leave them some time to fix the problem and then go on
>> announcing it to the
>> world.
> In this case, core is not the author of the object in question. And of
> course, to report a "bug/vulnerability/etc" you would write to
> pgsql-bugs, not core.

Josh's point is that if you don't want to publicize a vulnerability to the entire world in advance of there being any chance to fix it, you don't send your report to an open, publicly-archived bugs list.

We don't really have an official security contact. The next best thing is to send such reports to pgsql-core, which is not an open list, but will reach a good chunk of those with an interest in fixing such problems.

regards, tom lane
On Sun, Jan 30, 2005 at 12:55:28PM -0500, Tom Lane wrote:
> We don't really have an official security contact. The next best thing
> is to send such reports to pgsql-core, which is not an open list, but
> will reach a good chunk of those with an interest in fixing such
> problems.

IMHO this fact should be more clearly announced somewhere on the website. A little phrase like "Please send security vulnerability reports to pgsql-core@postgresql.org" at the top of the developer's page should do.

--
Alvaro Herrera (<alvherre[@]dcc.uchile.cl>)
"Some men are heterosexual, and some are bisexual, and some men don't think about sex at all... they become lawyers" (Woody Allen)
Tom,

> We don't really have an official security contact. The next best thing
> is to send such reports to pgsql-core, which is not an open list, but
> will reach a good chunk of those with an interest in fixing such
> problems.

Is there any reason not to set up a "security@postgresql.org" mail alias?

--
Josh Berkus
Aglio Database Solutions
San Francisco
where should it be aliased to? pgsql-core?

On Sun, 30 Jan 2005, Josh Berkus wrote:
> Tom,
>
>> We don't really have an official security contact. The next best thing
>> is to send such reports to pgsql-core, which is not an open list, but
>> will reach a good chunk of those with an interest in fixing such
>> problems.
>
> Is there any reason not to set up a "security@postgresql.org" mail alias?
>
> --
> Josh Berkus
> Aglio Database Solutions
> San Francisco

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
Josh Berkus <josh@agliodbs.com> writes:
>> We don't really have an official security contact. The next best thing
>> is to send such reports to pgsql-core, which is not an open list, but
>> will reach a good chunk of those with an interest in fixing such
>> problems.
> Is there any reason not to set up a "security@postgresql.org" mail alias?

Probably not --- Marc, do you want to do that (and make it point to pgsql-core for now)?

I was just in the middle of adding notes to problems.sgml and bug.template to tell people to send security issues to pgsql-core, but I can make it say security@ instead.

regards, tom lane
Tom Lane wrote:
>> Is there any reason not to set up a "security@postgresql.org" mail
>> alias?
>
> Probably not --- Marc, do you want to do that (and make it point to
> pgsql-core for now)?

I think this is a good idea. But note that mail addressed to pgsql-core will be held up in the moderator queue. I'm not sure that we want that for mail addressed to security@.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/
Peter Eisentraut <peter_e@gmx.net> writes:
>> Probably not --- Marc, do you want to do that (and make it point to
>> pgsql-core for now)?
> I think this is a good idea. But note that mail addressed to pgsql-core
> will be held up in the moderator queue. I'm not sure that we want that
> for mail addressed to security@.

That's something that can and should be dealt with behind the scenes, though. The immediate point is to agree on having this alias. I'm about to commit documentation updates into all the upcoming release branches recommending security@postgresql.org for security-sensitive reports.

regards, tom lane
On Sun, 30 Jan 2005, Tom Lane wrote:
> Josh Berkus <josh@agliodbs.com> writes:
>>> We don't really have an official security contact. The next best thing
>>> is to send such reports to pgsql-core, which is not an open list, but
>>> will reach a good chunk of those with an interest in fixing such
>>> problems.
>
>> Is there any reason not to set up a "security@postgresql.org" mail alias?
>
> Probably not --- Marc, do you want to do that (and make it point to
> pgsql-core for now)?
>
> I was just in the middle of adding notes to problems.sgml and
> bug.template to tell people to send security issues to pgsql-core,
> but I can make it say security@ instead.

Consider it done ...

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
On 1/30/2005 10:18 AM, Peter Eisentraut wrote:
> Dawid Kuroczko wrote:
>> I think it is in good taste that when you find a
>> bug/vulnerability/etc first you contact the author (in this case:
>> core), leave them some time to fix the problem and then go on
>> announcing it to the
>> world.
>
> In this case, core is not the author of the object in question. And of
> course, to report a "bug/vulnerability/etc" you would write to
> pgsql-bugs, not core.
>

No, Peter.

Posting a vulnerability on a public mailing list "before" there is a known fix for it means that you put everyone who has that vulnerability into jeopardy. Vulnerabilities are a special breed of bugs and need to be exterminated a little different.

Jan

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #
Jan Wieck wrote:
> On 1/30/2005 10:18 AM, Peter Eisentraut wrote:
>
>> Dawid Kuroczko wrote:
>>
>>> I think it is in good taste that when you find a
>>> bug/vulnerability/etc first you contact the author (in this case:
>>> core), leave them some time to fix the problem and then go on
>>> announcing it to the
>>> world.
>>
>>
>> In this case, core is not the author of the object in question. And
>> of course, to report a "bug/vulnerability/etc" you would write to
>> pgsql-bugs, not core.
>>
>
> No, Peter.
>
> Posting a vulnerability on a public mailing list "before" there is a
> known fix for it means that you put everyone who has that vulnerability
> into jeopardy. Vulnerabilities are a special breed of bugs and need to
> be exterminated a little different.
>
>
> Jan
>

ain't that the truth.

if a vulnerability is found, try to find a fix, or work around, post it privately to the developer, give them an opportunity to get it fixed before going public.

when dealing with open source, this system works great. when dealing with proprietary / closed source [ specifically microsoft ] expect that it's the public announcement that's going to start them doing something about it. I personally would only give ms a week at most to fix the problem before going public, since open source is usually fixed in that time frame.

Jaqui