Re: Security information page

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Neil Conway" <neilc(at)samurai(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-www(at)postgresql(dot)org>, "Simon Riggs" <simon(at)2ndquadrant(dot)com>
Subject: Re: Security information page
Date: 2005-11-28 08:29:24
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE6C7C5F@algol.sollentuna.se
Lists: pgsql-www

> > The list seems a bit short; did you look through the
> release notes for
> > items that seem to be security issues? I suspect there are
> some that
> > don't have CVE names.
>
> "Add checks for invalid field length in binary COPY (Tom)" in
> 7.4.3, should probably be included.

Yeah. I got that one going through the release notes, had a hard time
finding the actual fix that went along with it to figure out what it
did. Got a reference from Tom now, so I'll add it right away.

> If we're not going to describe issues with 7.2 and earlier
> releases (which is probably reasonable), I think we should
> back off the claim that "all known" security issues are
> listed.

The page clearly says "Please note that versions prior to 7.3 are no
longer supported and vulnerabilities for these versions are not included
in this list". So it should be pretty clear. I'll add something about
them not being fixed either :-)

> Personally I think we shouldn't make the latter
> claim, anyway: for example, whether COALESCE(NULL, NULL)
> dumping core (fixed in 8.0.3) is a "security issue"
> is often in the eye of the beholder.

If we (the PGDG) believe that is a security issue, it should be on the
list. And it should be back-patched to other stable branches - has this
been done?

> From the page:
>
> "Our approach covers fail-safe configuration options, a
> secure and robust database server as well as good integration
> with other security infrastructure software."
>
> What "good integration with other security infrastructure"
> can PGDG legitimately take credit for?

Um, I dunno really :-) Simon?
I guess the reference to the fact that we publish all required details
for them to scan for it etc...

//Magnus
