| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, "Vibhu Chauhan (iDEAS-ER&D)" <vibhu(dot)chauhan(at)wipro(dot)com>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: OpenSSL v1.1.1n in postgres |
| Date: | 2022-03-26 21:17:20 |
| Message-ID: | 167221.1648329440@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
"David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> I do find it sad that this question about when a CVE has been patched is
> being asked where the active version is 10 months old and missing 3
> PostgreSQL CVE fixes, including an SSL related one in 13.5
In the OP's defense, this OpenSSL CVE does look a lot scarier than
any of ours ... if I'm reading it right, anyone who can reach your
postmaster port can arrange to chew 100% CPU on your server.
OTOH, they can't do anything more than that, and you probably
shouldn't have your DB server accessible from the open internet
anyway.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Sandeep Thakkar | 2022-03-27 02:11:32 | Re: OpenSSL v1.1.1n in postgres |
| Previous Message | David G. Johnston | 2022-03-26 20:45:45 | Re: OpenSSL v1.1.1n in postgres |