Re: a vulnerability in PostgreSQL
From | Lamar Owen |
---|---|
Subject | Re: a vulnerability in PostgreSQL |
Date | |
Msg-id | 200205031332.53813.lamar.owen@wgcr.org |
In reply to | Re: a vulnerability in PostgreSQL (Lincoln Yeoh <lyeoh@pop.jaring.my>) |
List | pgsql-hackers |
On Thursday 02 May 2002 11:43 pm, Lincoln Yeoh wrote:
> Any idea which versions of Postgresql have been bundled with O/S CDs?

For RedHat:
5.0 -> PG6.2.1
5.1 -> PG6.3.2
5.2 -> PG6.3.2
6.0 -> PG6.4.2
6.1 -> PG6.5.2 (I think -- this was my first RPMset in Red Hat Linux, but I'm not 100% sure it was 6.5.2 -- it might have been 6.5.3)
6.2 -> PG6.5.3
7.0 -> PG7.0.2
7.1 -> PG7.0.3
7.2 -> PG7.1.3
7.2.93 -> PG7.2.1

Red Hat 7.2 is the current official Red Hat, and _currently_ ships with 7.1.3. If this bug applies there, it should be backpatched, and I would be willing to roll another 7.1.3 RPM with the backpatch in it.

Prior to that -- well, I don't have any machines running those versions any more. I stay pretty much on the frontline of things -- not the bleeding edge of RawHide, but close. I have had the 7.2.93 beta installed, for instance. I'm even going to get out of the Red Hat 6.2 on SPARC business at some point, by going to the Aurora version (current Red Hat version ported to SPARC). 6.2 is just old, and iptables on the 2.4 kernel is just too useful.

I guess I _could_ reinstall an OS to provide a security patch -- but methinks Red Hat would do that as an errata instead. If a patch can be worked up, it should be passed through those channels. Unless we want to consider rolling 6.5.4, 7.0.4, and 7.1.4 security bugfix releases.

Of course, this is open source, and there's nothing preventing a third party from forking off and releasing a 6.5.4 bugfix release. But I wouldn't count on getting core developers interested in it -- the bug is fixed in the current version, and their time is far better spent on fixing bugs and developing new features in the current version.

And I'm sure that if someone wanted to volunteer to provide a patchset for each affected version, Bruce might just apply them, and you might talk Marc into rolling them up. But good luck doing so. Then I'd be happy building RPMs out of them -- on my current box. You would then have to rebuild the RPMs for your box from my src.rpm.

'Upgrade to the next version' is not a good answer, either, particularly since we don't have a true upgrade path, and the problems that dump/restore reinstalls have brought to light.

In a similar vein, due to some baroque dependencies, I still have a client running RedHat 5.2 in production. Not pretty to support. Still at 6.5.3, too.

We need a better upgrade path, but that's a different discussion.

--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11