| From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
|---|---|
| To: | "Martijn van Oosterhout" <kleptog(at)svana(dot)org> |
| Cc: | "Simon Riggs" <simon(at)2ndquadrant(dot)com>, "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept |
| Date: | 2005-11-25 21:10:22 |
| Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE92E8A0@algol.sollentuna.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> > > > We really should write the CVE numbers into the commit messages
> > > > and the release notes.
> > >
> > > I think that would be good.
> >
> > That requires the CVE number to be available at the time of commit.
> > Not sure if it'll always be. But if it is, it's certainly a
> good idea
> > to put it in.
>
> I think that depends on who discovers it. CVEs are assigned
> even if it's not clear that the vulnerability is exploitable.
> In anycase, some distributors (like Debian) already track
> CVEs on your behalf. In general they refer to the CVE when
> releasing fixes.
Right. This is exactly why it's good to have a list of our own, so ppl
can cross reference.
> In any case, PostgreSQL already seems to have had 29 CVEs logged:
>
> http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql
Not quite that many. Several of those are not for postgresql at all, but
for third party products *using* postgresql.
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2005-11-25 22:24:13 | Re: SHOW ALL output too wide |
| Previous Message | John R Pierce | 2005-11-25 20:42:56 | Re: [HACKERS] BUG #2052: Federal Agency Tech Hub Refuses to |