Re: Release of CVEs

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Greg Sabino Mullane <greg(at)endpoint(dot)com>
Cc: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Release of CVEs
Date: 2015-10-11 13:13:14
Message-ID: CAB7nPqQqqre4G2DxBN14iT9z7OwSToBxkzGDJ277wSeGKkbq0A@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Sun, Oct 11, 2015 at 8:54 PM, Greg Sabino Mullane <greg(at)endpoint(dot)com> wrote:
> The release notes for the new version reference some CVEs that
> have not been publically released yet. Are they slow, or is
> this something that needs to be added to the release
> process checklist?

My guess is that they are simply slow to refresh. If you look at
RedHat stuff they mark those CVEs with the same numbers in their bug
tracker (the database is not updated though).
https://access.redhat.com/security/cve/CVE-2015-5288
https://access.redhat.com/security/cve/CVE-2015-5289

> It's also possible the wrong CVE was entered, but I don't see
> one that seems to pertain to the issue described (and
> CVE-2015-5288, -3166, -3167, -0243, -0244 are in the same boat).

As is CVE-2015-0241, which dates of February. This is way more than
slow... Perhaps we should contact cve at mitre dot org regarding that.
Thoughts?
--
Michael

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Andrew Dunstan 2015-10-11 14:32:53 Re: Postgres service stops when I kill client backend on Windows
Previous Message Jinyu 2015-10-11 11:55:28 Re: Improve the concurency of vacuum full table and select statement on the same relation