Re: Re[2]: CVE-2022-2625

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
Cc: misha1966 misha1966 <mmisha1966(at)bk(dot)ru>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Re[2]: CVE-2022-2625
Date: 2022-09-16 06:14:08
Message-ID: 3580694.1663308848@sss.pgh.pa.us
Lists: pgsql-general

Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> writes:
> On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
>> I'm a little bemused by your fixation on this particular CVE,
>> though. As such things go, it's not a very big deal.

> A lot of times, requests like that come from a brainless kind of
> institutionalized security: we have to install all software updates
> that say "CVE". Never mind that username = password and
> the application is running with a superuser.

Indeed :-(. But we've issued several CVEs since 9.5 went out
of support --- notably, I'd say CVE-2022-1552 from the previous
minor-release cycle is a good deal more dangerous than this one.
So, again, why worry about -2625 in particular?

I'm still wondering whether the OP's installation is even on
9.5.latest; if not, they've likely got even more serious things
to worry about. A quick troll through the 9.5.x release notes
finds a lot of bugs...

regards, tom lane
