From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
Cc: | "Neil Conway" <neilc(at)samurai(dot)com>, pgsql-www(at)postgresql(dot)org, "Simon Riggs" <simon(at)2ndquadrant(dot)com> |
Subject: | Re: Security information page |
Date: | 2005-11-28 14:12:43 |
Message-ID: | 9398.1133187163@sss.pgh.pa.us |
Lists: | pgsql-www |
"Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
>> Personally I think we shouldn't make the latter
>> claim, anyway: for example, whether COALESCE(NULL, NULL)
>> dumping core (fixed in 8.0.3) is a "security issue"
>> is often in the eye of the beholder.
> If we (the PGDG) believe that is a security issue, it should be on the
> list. And it should be back-patched to other stable branches - has this
> been done?
2005-04-10 16:57 tgl
* src/backend/optimizer/util/: clauses.c (REL7_4_STABLE), clauses.c
(REL8_0_STABLE), clauses.c: Make constant-folding produce sane
output for COALESCE(NULL,NULL), that is a plain NULL and not a
COALESCE with no inputs. Fixes crash reported by Michael
Williamson.
It wasn't back-patched further because earlier versions don't have the
bug.
In general, I think we consider any potential server core dump to be a
security issue, if it can be provoked by unprivileged users. Even if
it's not exploitable in any other way, denial-of-service is still a
security concern.
regards, tom lane
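The commit log quoted above describes the shape of the bug: the constant folder stripped NULL arguments from COALESCE and, when every argument was NULL, left behind a COALESCE node with zero inputs for the executor to choke on. The following simplified model is an added illustration written for this archive page; it is not Tom Lane's code and not PostgreSQL's clauses.c. The node classes, the `_fold_args` helper and `try_execute` are all constructed here to show the edge case and the fix side by side.

```python
# Toy model of COALESCE constant folding (constructed for illustration;
# not PostgreSQL's optimizer code). It shows why COALESCE(NULL, NULL)
# must fold to a plain NULL constant rather than a COALESCE with no inputs.
from dataclasses import dataclass, field

NULL = None  # a SQL NULL constant is represented as Python None


@dataclass
class Const:
    value: object  # NULL or a non-null literal


@dataclass
class Var:
    name: str  # a column reference; unknown at plan time, cannot be folded


@dataclass
class Coalesce:
    args: list = field(default_factory=list)


def _fold_args(args):
    """Shared folding step: drop constant NULLs (they can never be the
    result) and cut the list at the first non-null constant (it always is)."""
    kept = []
    for a in args:
        if isinstance(a, Const):
            if a.value is NULL:
                continue
            kept.append(a)
            break
        else:
            kept.append(a)
    return kept


def fold_coalesce_buggy(node):
    """Pre-fix behaviour: all-NULL input yields a COALESCE with no inputs."""
    kept = _fold_args(node.args)
    if len(kept) == 1 and isinstance(kept[0], Const):
        return kept[0]
    return Coalesce(kept)  # kept may be empty here


def fold_coalesce_fixed(node):
    """Fixed behaviour: all-NULL input folds to a plain NULL constant."""
    kept = _fold_args(node.args)
    if not kept:
        return Const(NULL)  # the fix: COALESCE(NULL, NULL) is just NULL
    if len(kept) == 1 and isinstance(kept[0], Const):
        return kept[0]
    return Coalesce(kept)


def evaluate(node, row):
    """Minimal executor. A COALESCE node with no inputs is treated as the
    fatal condition (it stands in for the server core dump in the report)."""
    if isinstance(node, Const):
        return node.value
    if isinstance(node, Var):
        return row[node.name]
    if isinstance(node, Coalesce):
        if not node.args:
            raise RuntimeError("executor reached COALESCE with no inputs")
        for a in node.args:
            v = evaluate(a, row)
            if v is not NULL:
                return v
        return NULL
    raise TypeError(f"unknown node {node!r}")


def try_execute(node, row):
    """Run a folded expression; report ('ok', value) or ('crash', message)
    so a caller can observe the failure mode without the process dying."""
    try:
        return ("ok", evaluate(node, row))
    except RuntimeError as e:
        return ("crash", str(e))


if __name__ == "__main__":
    all_null = Coalesce([Const(NULL), Const(NULL)])
    print("buggy:", try_execute(fold_coalesce_buggy(all_null), {}))
    print("fixed:", try_execute(fold_coalesce_fixed(all_null), {}))
```

Running the model, the buggy folder turns `COALESCE(NULL, NULL)` into an empty COALESCE that the executor cannot handle, while the fixed folder returns a NULL constant; for mixed input such as `COALESCE(NULL, x, 3, y)` both folders agree and reduce the expression to `COALESCE(x, 3)`. That an ordinary, unprivileged SELECT could reach the crashing path is exactly why the message treats the bug as a denial-of-service concern.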