Re: [pgsql-advocacy] MySQL worm attacks Windows servers

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Greg Stark <gsstark(at)mit(dot)edu>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: [pgsql-advocacy] MySQL worm attacks Windows servers
Date: 2005-01-31 00:05:13
Message-ID: 20050131000512.GD13273@svana.org
Lists: pgsql-advocacy pgsql-general pgsql-www

On Sun, Jan 30, 2005 at 06:05:37PM -0500, Greg Stark wrote:
> There are always ways for a sysadmin to close the vulnerability, even if it
> means temporarily limiting access until the fix is available. How would you
> like to be a sysadmin that finds his system exploited only to discover that
> the vulnerability was known and he could have worked around it had he been
> informed, but those in the know kept it secret until a patch was published?

While true, I think an argument can be made to notify as many people as
possible, and posting to -core means a message is more likely to go to
-announce, where more PostgreSQL admins will see it. It's possible not
all admins will be reading -general.

> The only way keeping it secret is really justified is if a) You know no
> malicious persons are aware of the vulnerability (which of course one never
> really knows for certain) b) it's more reasonable for a sysadmin to run with
> the vulnerability than to work around it using whatever means necessary (and
> you feel comfortable making that decision for every sysadmin everywhere).

Sure. Actually, for something as obvious as trusting network access I'd
assume the person posting it would be smart enough to point out the
solution as well. While I'm for public disclosure in general, I do think
24-hour notice is not too much to ask for.

And hey, given the volume of -general sending to security@ might get it
read a little earlier by people who can do something than just dumping
on the mailing list. My preferred scenario would be to actually ring
someone in -core on the phone and discuss it directly and work it out
from there. But I don't know the chances of that.

At the end of the day the people making the disclosure make the
decision; our discussing it won't make a difference there... :)

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
