Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Ferindo Middleton" <fmiddleton(at)verizon(dot)net>, <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities
Date: 2005-11-18 14:57:56
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE6C7C0F@algol.sollentuna.se
Lists: pgsql-bugs

> Bug reference: 2052
> Logged by: Ferindo Middleton
> Email address: fmiddleton(at)verizon(dot)net
> PostgreSQL version: 8.0.4
> Operating system: Windows 2000
> Description: Federal Agency Tech Hub Refuses to Accept Postgresql on
> Network because of Security Vulnerabilities
> Details:
>
> This bug report involves more than one proposed bug. I work
> at a federal government agency. The information technology
> division at this agency refuses to allow the database version
> 8.0.4 on their network because of several security
> vulnerabilities they noticed when testing the software
> application. The database would run on a Windows 2000
> Professional computer system. The division I work for wants
> to use the database as a backend to a set of Java Server Pages I
> developed to be served via Apache Tomcat. My application
> works great with PostgreSQL but the problem is getting the IS
> team at this agency to accept PostgreSQL db. I know nothing
> about hacking PostgreSQL. I merely know how to install,
> setup, run the database and write JSP applications to use the
> database in the background so these security vulnerabilities
> are beyond the scope of my own understanding of the database
> from a mere admin/user level.
>
> I am going to paste below the feedback I received concerning
> the vulnerabilities of the database in hopes that The
> PostgreSQL Global Development Group would consider looking
> into each stated flaw. I believe that resolution of these
> vulnerabilities would be a major achievement of our database
> management system and possibly open the software up to more
> government acceptance and utilization, which I believe it is lacking.

I believe every single one of these bugs is fixed in the currently
available releases.
So if you get 8.0.4 or 8.1.0, you're fine for any of these.

(Oh, and what *do* they allow? Oracle, for example, has had a *lot* more
security vulnerabilities during the same time, some of which aren't even
patched yet... And they can't seriously have a zero-bugs-even-if-fixed
policy, because then they couldn't install *anything*...)

//Magnus
