Thread: postgres vulnerability
Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities. It's sad to see that almost all
are related to third party components.

Regards
Gaetano Mendola

On Sat, 9 Oct 2004, Gaetano Mendola wrote:
> Here http://www.sans.org/top20/#u9
> are listed postgres vulnerabilities. It's sad to see that almost all
> are related to third party components.

I'd go further than sad and say irresponsible for the ones that are like that.

On Sat, 9 Oct 2004, Stephan Szabo wrote:
> On Sat, 9 Oct 2004, Gaetano Mendola wrote:
> > Here http://www.sans.org/top20/#u9
> > are listed postgres vulnerabilities. It's sad to see that almost all
> > are related to third party components.
>
> I'd go further than sad and say irresponsible for the ones that are like
> that.

I should clarify: irresponsible to be equating bugs in components that use or misuse PostgreSQL with actual vulnerabilities in the database.

Stephan Szabo wrote:
> On Sat, 9 Oct 2004, Stephan Szabo wrote:
> > On Sat, 9 Oct 2004, Gaetano Mendola wrote:
> > > Here http://www.sans.org/top20/#u9
> > > are listed postgres vulnerabilities. It's sad to see that almost all
> > > are related to third party components.
> >
> > I'd go further than sad and say irresponsible for the ones that are like
> > that.
>
> I should clarify: irresponsible to be equating bugs in components that
> use or misuse PostgreSQL with actual vulnerabilities in the database.

Exactly, this was my feeling.

Regards
Gaetano Mendola

Gaetano Mendola wrote:
> Here http://www.sans.org/top20/#u9
> are listed postgres vulnerabilities. It's sad to see that almost all
> are related to third party components.

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.

-Neil

Neil Conway <neilc@samurai.com> writes:
> Gaetano Mendola wrote:
> > Here http://www.sans.org/top20/#u9
> > are listed postgres vulnerabilities. It's sad to see that almost all
> > are related to third party components.
>
> "Almost all"? By my count, 12 of the 17 vulnerabilities refer to
> legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.

However, the ones that are still current (i.e., something not fixed many revs back) are mostly things outside our control. I think the only really serious charge in the lot is buffer overflows inside the ODBC driver.

regards, tom lane

Neil Conway wrote:
> Gaetano Mendola wrote:
> > Here http://www.sans.org/top20/#u9
> > are listed postgres vulnerabilities. It's sad to see that almost all
> > are related to third party components.
>
> "Almost all"? By my count, 12 of the 17 vulnerabilities refer to
> legitimate problems in PostgreSQL, its RPM distribution, or the ODBC
> driver.

I consider the RPM distribution and the ODBC driver as third party components. However, doing a full scan :-) on all bugs, I withdraw "almost all".

Regards
Gaetano Mendola

Gaetano Mendola wrote:
> Neil Conway wrote:
> > Gaetano Mendola wrote:
> > > Here http://www.sans.org/top20/#u9
> > > are listed postgres vulnerabilities. It's sad to see that almost all
> > > are related to third party components.
> >
> > "Almost all"? By my count, 12 of the 17 vulnerabilities refer to
> > legitimate problems in PostgreSQL, its RPM distribution, or the ODBC
> > driver.
>
> I consider the RPM distribution and the ODBC driver as third party components.

Unless the vulnerability is introduced by a patch in the RPM, the RPM is just a compiled version of the original. Thus, not third party code.

> However, doing a full scan :-) on all bugs, I withdraw "almost all".

-- dave

David Garamond wrote:
> Gaetano Mendola wrote:
> > Neil Conway wrote:
> > > Gaetano Mendola wrote:
> > > > Here http://www.sans.org/top20/#u9
> > > > are listed postgres vulnerabilities. It's sad to see that almost all
> > > > are related to third party components.
> > >
> > > "Almost all"? By my count, 12 of the 17 vulnerabilities refer to
> > > legitimate problems in PostgreSQL, its RPM distribution, or the ODBC
> > > driver.
> >
> > I consider the RPM distribution and the ODBC driver as third party components.
>
> Unless the vulnerability is introduced by a patch in the RPM, the RPM is
> just a compiled version of the original. Thus, not third party code.

Well, the RPM issue was about wrong file permissions. Do you think this is a postgres vulnerability?

Regards
Gaetano Mendola

On Sun, 10 Oct 2004, Neil Conway wrote:
> Gaetano Mendola wrote:
> > Here http://www.sans.org/top20/#u9
> > are listed postgres vulnerabilities. It's sad to see that almost all
> > are related to third party components.
>
> "Almost all"? By my count, 12 of the 17 vulnerabilities refer to
> legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.

However, even removing "almost all" from the comment, it's still pretty sad that a "trusted source for computer security training, certification and research" would have a >25% miss rate on properly categorizing vulnerabilities.

Actually, I see this differently.

This is a classic example of how PostgreSQL is viewed by the rest of the world. This argument has been brought up before. It is only the core that differentiates the server from the interfaces. The rest of the world views this as one product.

Dave

On Sun, 2004-10-10 at 09:48, Stephan Szabo wrote:
> On Sun, 10 Oct 2004, Neil Conway wrote:
> > Gaetano Mendola wrote:
> > > Here http://www.sans.org/top20/#u9
> > > are listed postgres vulnerabilities. It's sad to see that almost all
> > > are related to third party components.
> >
> > "Almost all"? By my count, 12 of the 17 vulnerabilities refer to
> > legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.
>
> However, even removing "almost all" from the comment, it's still pretty
> sad that a "trusted source for computer security training, certification
> and research" would have a >25% miss rate on properly categorizing
> vulnerabilities.

--
Dave Cramer
519 939 0336
ICQ # 14675561
www.postgresintl.com

On Tue, 12 Oct 2004, Dave Cramer wrote:
> Actually, I see this differently.
>
> This is a classic example of how PostgreSQL is viewed by the rest of the
> world. This argument has been brought up before.
> It is only the core that differentiates the server from the interfaces.
> The rest of the world views this as one product.

Some of the 5 remaining are things like mod_auth_pgsql or the auth module for courier 0.40 that uses PostgreSQL as a backend. I'm sorry, but I really don't consider those part of PostgreSQL any more than I consider any random piece of software that uses Oracle as a backend part of Oracle.