Re: Probably security hole in postgresql-7.4.1

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Shachar Shemesh <psql(at)shemesh(dot)biz>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Probably security hole in postgresql-7.4.1
Date: 2004-05-12 18:05:06
Message-ID: 20040512180506.GA4372@wolff.to
Lists: pgsql-hackers

On Wed, May 12, 2004 at 10:46:00 +0300,
Shachar Shemesh <psql(at)shemesh(dot)biz> wrote:
> Industry practices dictate that we do issue SOMETHING now. The bug is
> now public, and can be exploited.

The description of the problem indicates that it can only be exploited
after you have authenticated to the database. Since people who can
connect to a postgres database can already cause denial of service
attacks, this problem isn't a huge deal. It makes breaches in other
programs (web server process especially) worse and provides another
way for authorized users to cause problems.

A release should probably be made soon, as a way to advertise the problem
so that people are aware of it and can take appropriate steps. I don't think
that this problem warrants bypassing normal minor release procedure.
