From: | Simon Riggs <simon(at)2ndquadrant(dot)com> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Magnus Hagander <mha(at)sollentuna(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept |
Date: | 2005-11-24 15:45:11 |
Message-ID: | 1132847111.4347.80.camel@localhost.localdomain |
Lists: | pgsql-hackers |

On Thu, 2005-11-24 at 15:09 +0100, Peter Eisentraut wrote:
> We really should write the CVE numbers into the commit messages and the
> release notes.

I think that would be good.

On Thu, 2005-11-24 at 12:35 +0100, Magnus Hagander wrote:
> > > All known CVE problems are resolved in 8.0.4.
> >
> > I was unaware of this. I've looked at the release notes and
> > searched the archives, but this doesn't seem to be mentioned
> > by CVE number. (The vulnerabilities and their resolutions are
> > described, just without direct cross reference to their CVE number.)
> >
> > Do we have an on-project description of this? If
> > we-as-a-project know this, it seems straightforward to write it down.
> >
> > It seems like we need a much clearer resource for security
> > admins to check our compliance levels. This could be a source
> > of similar refusal-to-implement PostgreSQL at other
> > installations, so could almost be regarded as an advocacy
> > issue.
> How about a simple webpage that has more or less a table with:
> CVE-number | present in releases | fixed in releases
> CVE-number | present in releases | fixed in releases
> CVE-number | present in releases | fixed in releases

..and I think we should do this too.

Have to say I'm a bit worried about overloading Tom and Bruce, who write
most of the security patches and relevant release notes.

Anybody else volunteer to maintain the web page?

Best Regards, Simon Riggs