Re: Postgres Security Patches Question

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
Cc: "Patil, Prashant" <Prashant(dot)Patil(at)crowncastle(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: Postgres Security Patches Question
Date: 2019-04-24 14:57:50
Message-ID: 12413.1556117870@sss.pgh.pa.us
Lists: pgsql-general

[ removing security list, since this is not a security bug report ]

Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> writes:
> On 4/24/19 7:30 AM, Patil, Prashant wrote:
>> ... If there is any security patch that needs to be applied on the postgres
>> database in future, 1. Would the security patch be available in the form of
>> source code/zip file OR do we have to apply it using rpm? 2. If rpm, would it
>> be possible to install the security patch into postgres custom directories
>> through RPM? 3. Any caveat that we need to be aware of?

> AFAIK the patches are not released separately. In your case you would
> need to download the new patched complete source and rebuild it.

We do not release security patches separately, and are not interested
in doing so. Two points you might wish to consider:

* Security patches are not tested standalone, only on top of the complete
patch-series-to-date. There's no certainty they'd even apply to an
earlier snapshot, let alone work as intended.

* For most database installations, data-loss-risk bugs are at least
as important as "security" bugs, maybe more so. The vast majority
of the things we label security bugs are privilege escalation problems
accessible to someone who is already able to log into the database and
execute arbitrary SQL. But few installations have untrusted users
connecting directly to the database, so these sorts of bug fixes are
really just limiting the possible effects of any security loopholes
(e.g. SQL-injection bugs) you may have in your applications. Which is a
good thing surely, but it pales compared to "this bug might corrupt all
your data".

The PG community's recommendation is that you install new minor releases
in toto. Anybody who thinks it's better to just cherry-pick "security"
patches doesn't understand the realities of database work.

regards, tom lane
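As an added example, not part of this mailing-list message or of the PostgreSQL project's own code: the advice above is to track complete minor releases rather than individual patches, so the practical check an operator wants is "is this server on the current minor of its major series?". The script below parses both forms in which a server reports its version (the integer `server_version_num`, and the text of `SELECT version()`) and compares the result against a table of latest minors. The encoding rules are PostgreSQL's real ones (from 10 on, `major * 10000 + minor`; before that `X.YY.ZZ` packed as `XYYZZ`), but the `LATEST_MINOR` table and the sample server strings are constructed placeholders, not an authoritative release list.

```python
"""Check whether PostgreSQL servers are on the current minor release of their series."""
import re
from typing import Dict, Optional, Tuple

# Constructed placeholder table: latest known minor per major series.
# In real use, fill this from the release notes at the time the check runs.
LATEST_MINOR: Dict[str, int] = {"11": 3, "10": 8, "9.6": 13}

_VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version_num(num: int) -> Tuple[str, int]:
    """Split server_version_num into (major series, minor release).

    PostgreSQL 10 and later: MMmmmm = major * 10000 + minor (110002 -> 11.2).
    Before 10:               XYYZZ  = X.YY series, ZZ minor (90612 -> 9.6.12).
    """
    if num >= 100000:
        return str(num // 10000), num % 10000
    return f"{num // 10000}.{(num // 100) % 100}", num % 100


def parse_version_string(text: str) -> Tuple[str, int]:
    """Extract (major series, minor release) from the text of SELECT version()."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in: {text!r}")
    first, second, third = m.groups()
    if int(first) >= 10:
        # Two-part version: "11.2" -> series "11", minor 2
        return first, int(second)
    if third is None:
        raise ValueError(f"pre-10 version without a minor number: {text!r}")
    # Three-part version: "9.6.12" -> series "9.6", minor 12
    return f"{first}.{second}", int(third)


def minors_behind(major: str, minor: int,
                  latest: Dict[str, int] = LATEST_MINOR) -> Optional[int]:
    """How many minor releases the server lags its series (0 = current).

    Returns None when the major series is not in the table, which an operator
    should treat as a finding in itself (unknown or end-of-life series).
    """
    if major not in latest:
        return None
    # A server newer than the table (table out of date) counts as current.
    return max(latest[major] - minor, 0)


def report(servers: Dict[str, str]) -> Dict[str, str]:
    """Classify each server (name -> version() text) as current/behind/unknown."""
    result = {}
    for name, version_text in servers.items():
        major, minor = parse_version_string(version_text)
        lag = minors_behind(major, minor)
        if lag is None:
            result[name] = f"unknown series {major}"
        elif lag == 0:
            result[name] = f"current ({major} minor {minor})"
        else:
            result[name] = f"behind by {lag} minor release(s) ({major} minor {minor})"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "db-a": "PostgreSQL 11.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.2.1, 64-bit",
        "db-b": "PostgreSQL 9.6.13 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
        "db-c": "PostgreSQL 9.5.16 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
    }
    for host, status in report(sample).items():
        print(f"{host}: {status}")
```

Note that the check deliberately never reports a negative lag: if the server is newer than the table, the table is stale, and the right response is to refresh the table, not to flag the server.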
