Re: CVE-2019-9193 about COPY FROM/TO PROGRAM

Michael Paquier <michael(at)paquier(dot)xyz> wrote on 04/02/2019 01:05:01 AM:

> From: Michael Paquier <michael(at)paquier(dot)xyz>
> To: "Jonathan S. Katz" <jkatz(at)postgresql(dot)org>
> Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander
> <magnus(at)hagander(dot)net>, Daniel Verite <daniel(at)manitou-mail(dot)org>,
> pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org>
> Date: 04/02/2019 01:05 AM
> Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
>
> On Mon, Apr 01, 2019 at 10:04:32AM -0400, Jonathan S. Katz wrote:
> > +1, though I’d want to see if people get noisier about it before we
rule
> > out an official response.
> >
> > A blog post from a reputable author who can speak to security should
> > be good enough and we can make noise through our various channels.
>
> Need a hand? Not sure if I am reputable enough though :)
>
> By the way, it could be the occasion to consider an official
> PostgreSQL blog on the main website. News are not really a model
> adapted for problem analysis and for entering into technical details.

A blog post would be nice, but it seems to me have something about this
clearly in the manual would be best, assuming it's not there already. I
took a quick look, and couldn't find anything.

Brad