From: "Neil Conway" <neilc(at)samurai(dot)com>
To: <chriskl(at)familyhealth(dot)com(dot)au>
Cc: <girgen(at)pingpong(dot)net>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: why was libpq.so's version number bumped?
Date: 2002-12-30 21:31:45
Message-ID: 4122.24.112.166.30.1041283905.squirrel@mailbox.samurai.com
Lists: pgsql-hackers
Christopher Kings-Lynne said:
> There have been HEAPS of security fixes between 7.2 and 7.3.
That's only the case if your definition of a "security fix" is pretty fast
and loose -- as yours seems to be.
> Depending
> on your definition of security. e.g. Going 'select cash_out(2);' on any
> 7.2 server and below will crash the backend.
If you consider that a security flaw, there are still innumerable problems
of a very similar nature in 7.3 or 7.4-devel (*any* situation in which an
untrusted client can execute arbitrary SQL will allow for resource
exhaustion, at the very least).
By a more reasonable definition of "security flaw", I'm not aware of any
significant outstanding problems in 7.2.3 -- there are a bunch of buffer
handling fixes in 7.3, but they were made for the sake of correctness
(a.k.a. paranoia), not necessarily to fix an actual vulnerability.
Cheers,
Neil
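Neil's point that any client allowed to run arbitrary SQL can exhaust the server's resources, as an added example that is not part of the thread and not PostgreSQL project code. The statement and the role settings below are constructed for illustration and assume a current PostgreSQL: generate_series needs 8.0 or later and temp_file_limit needs 9.2 or later, so apart from statement_timeout (introduced in 7.3) none of these controls existed on the 7.2 servers being discussed. The role name untrusted_app and its password are placeholders.

```sql
-- Added example, not from the mailing-list thread. Assumes PostgreSQL 9.2+.
-- Role name and password are placeholders.

-- 1. Limits a practitioner puts on a role that is allowed to send its own SQL,
--    so an expensive statement is cancelled rather than tying up the backend.
--    ALTER ROLE ... SET values take effect when that role logs in.
CREATE ROLE untrusted_app LOGIN PASSWORD 'change-me' CONNECTION LIMIT 5;
ALTER ROLE untrusted_app SET statement_timeout = '5s';   -- cancel long-running statements
ALTER ROLE untrusted_app SET work_mem = '4MB';           -- bound memory per sort/hash
ALTER ROLE untrusted_app SET temp_file_limit = '256MB';  -- bound disk used by spilled sorts

-- 2. Apply the same limit to the current session for the demonstration
--    (equivalent to what untrusted_app receives at login).
SET statement_timeout = '5s';

-- 3. A one-line statement that costs the sender nothing and the server a lot:
--    three cross-joined series produce 10^9 rows, which the backend must sort
--    (spilling to temporary files) before it can return the first row.
--    With the limit above this fails with:
--      ERROR:  canceling statement due to statement timeout
--    Without it, the backend burns CPU and temp space until it finishes or the
--    disk fills. Do not run it unbounded on a server you care about.
SELECT a.n, b.n, c.n
FROM generate_series(1, 1000) AS a(n),
     generate_series(1, 1000) AS b(n),
     generate_series(1, 1000) AS c(n)
ORDER BY c.n DESC, b.n, a.n;
```

The per-role settings bound the damage a single session can do; they do not turn a backend crash like the one quoted above into a non-issue, and they do nothing for a client that is allowed to open more sessions than CONNECTION LIMIT permits elsewhere.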