| From: | "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au> |
|---|---|
| To: | "Justin Clift" <justin(at)postgresql(dot)org> |
| Cc: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Florian Weimer" <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE>, <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Date: | 2002-08-12 02:37:42 |
| Message-ID: | GNELIHDDFBOCMGBFGEFOOEKACDAA.chriskl@familyhealth.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
> Hey yep, good point.
>
> Is this the only way that we know of non postgresql-superusers to be
> able to take out the server other than by extremely non-optimal,
> resource wasting queries?
>
> If we release a 7.2.2 because of this, can we be pretty sure we have a
> "no known vulnerabilities" release, or are there other small holes which
> should be fixed too?
What about that "select cash_out(2) crashes because of opaque" entry in the
TODO? That really needs to be fixed.
I was talking to a CS lecturer about switching to postgres from oracle when
7.3 comes out and all he said was "how easily is it hacked?". He says their
systems are the most constantly bombarded in universities. What could I
say? That any unprivileged user can just go 'select cash_out(2)' to DOS the
backend?
Chris
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gavin Sherry | 2002-08-12 02:41:15 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Previous Message | Justin Clift | 2002-08-12 02:31:56 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gavin Sherry | 2002-08-12 02:41:15 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
| Previous Message | Justin Clift | 2002-08-12 02:31:56 | Re: [SECURITY] DoS attack on backend possible (was: Re: |