| From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
|---|---|
| To: | Shachar Shemesh <psql(at)shemesh(dot)biz> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Probably security hole in postgresql-7.4.1 |
| Date: | 2004-05-12 18:05:06 |
| Message-ID: | 20040512180506.GA4372@wolff.to |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, May 12, 2004 at 10:46:00 +0300,
Shachar Shemesh <psql(at)shemesh(dot)biz> wrote:
> Industry practices dictate that we do issue SOMETHING now. The bug is
> now public, and can be exploited.
The description of the problem indicates that it can only be exploited
after you have authenticated to the database. Since people who can
connect to a postgres database can already cause denial of service
attacks, this problem isn't a huge deal. It makes breaches in other
programs (web server process especially) worse and provides another
way for authorized users to cause problems.
A release should probably be made soon, as a way to advertise the problem
so that people are aware of it and can take appropiate steps. I don't think
that this problem warrants bypassing normal minor release proceedure.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Larry Rosenman | 2004-05-12 18:05:15 | Re: threads stuff/UnixWare |
| Previous Message | Marc G. Fournier | 2004-05-12 18:02:30 | Re: threads stuff/UnixWare |