Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in

From: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Justin Clift <justin(at)postgresql(dot)org>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Neil Conway <neilc(at)samurai(dot)com>, Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in
Date: 2002-08-21 17:57:35
Message-ID: 20020821145235.P36114-100000@mail1.hub.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, 21 Aug 2002, Bruce Momjian wrote:

> Justin Clift wrote:
> > Only two things which have the potential to be worth waiting for, from
> > what I'm aware of. There may be others:
> >
> > - Find out from Sir Mordred if he wants to take a look at the CVS
> > version of code and audit in that for a bit, Just In Case he turns
> > up something that's serious and requires substantial re-work.
> > Although it means he wouldn't have a bunch of "I found this existing
> > exploit" type releases, we could instead offer him credit on the
> > press release along the lines of "This released has been audited for
> > security flaws in its code by Sir Mordred". Am pretty sure he'd
> > do a very thorough job for that, as it means he'd have an official
> > "product reputation" he'd need to stand by for it.
>
> This is interesting. He would have a month to do it.

A month in beta, ya ... or more, depending on how beta went ... but a
'Security Audit' shouldn' tlogically be done until the code base is frozen
for Beta anyway, since who knows, if it isn't frozen, whether someone is
going to introduce something else in the mean time ...

> The other issue is PITR, which I have been told today will not be ready
> for a September 1 beta but may be ready for an October 1 beta.

Then it can wait for v7.4 ... period. Have we not learnt from past
'delays' ... hell, you yourself use "may be ready for", so, what, Oct 1st
rolls around and we delay for, say, another 2 weeks cause it "may be ready
for then"?

No ... if PITR and Native Windows aren't ready for inclusion, then they
can be the foundation for the v7.4 release ...

Sept 1st - 1st Beta ... Oct 1st is the tentative release date ... which
gives Mordred a month to audit the code and report any security bugs
before th release, where there are no substantive changes going into the
code that will invalidate his results ...

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Rod Taylor 2002-08-21 17:57:37 Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in
Previous Message Marc G. Fournier 2002-08-21 17:52:27 Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in