| From: | Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Neil Conway <neilc(at)samurai(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: 7.4 changes |
| Date: | 2004-10-19 13:02:13 |
| Message-ID: | 20041019130213.GE4134@dcc.uchile.cl |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Oct 19, 2004 at 08:47:20AM -0400, Andrew Dunstan wrote:
> But maybe we can just live with what we have and advertise that 8.0's
> plperl is more secure.
The release notes should point out that 7.4's plperl is unsecure unless
the correct version of Safe.pm is installed. Maybe it works to make it
croak if an unsafe version of Safe.pm is found?
I'm not sure about "living with" known security vulnerabilities. What
about ISPs which give Pg hosting with plperl installed? They surely
will want to know about this.
--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
One man's impedance mismatch is another man's layer of abstraction.
(Lincoln Yeoh)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2004-10-19 13:50:37 | Command-line parsing in pg_ctl is not portable |
| Previous Message | Andrew Dunstan | 2004-10-19 12:47:20 | Re: 7.4 changes |