| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Jeremy Schneider <schnjere(at)amazon(dot)com> |
| Cc: | Brad Nicholson <bradn(at)ca(dot)ibm(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Daniel Verite <daniel(at)manitou-mail(dot)org>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: CVE-2019-9193 about COPY FROM/TO PROGRAM |
| Date: | 2019-04-04 19:45:41 |
| Message-ID: | 31048.1554407141@sss.pgh.pa.us |
| Lists: | pgsql-general |

Jeremy Schneider <schnjere(at)amazon(dot)com> writes:
> I'm all for having clear documentation about the security model in
> PostgreSQL, but I personally wouldn't be in favor of adding extra
> wording to the docs just to pacify concerns about a CVE which may have
> been erroneously granted by an assigning authority, who possibly should
> have done better due diligence reviewing the content. Particularly if
> there's any possibility that the decision to assign the number can be
> appealed/changed, though admittedly I know very little about the CVE
> process.

Just FYI, we have filed a dispute with Mitre about the CVE, and also
reached out to Trustwave to try to find out why they filed the CVE
despite the earlier private discussion.

regards, tom lane