Re: Probably security hole in postgresql-7.4.1

Bruno Wolff III wrote:

>On Wed, May 12, 2004 at 10:46:00 +0300,
>  Shachar Shemesh <psql@shemesh.biz> wrote:
>  
>
>>Industry practices dictate that we do issue SOMETHING now. The bug is 
>>now public, and can be exploited.
>>    
>>
>
>The description of the problem indicates that it can only be exploited
>after you have authenticated to the database. Since people who can
>connect to a postgres database can already cause denial of service
>attacks, this problem isn't a huge deal.
>
My take on this is different. To me, a DoS is a nuisance, but an 
arbitrary code execution vulnerability means information leak, and a 
major escalation (from which further escalation may be possible).

> It makes breaches in other
>programs (web server process especially) worse and provides another
>way for authorized users to cause problems.
>  
>
Not to mention being another chain.

>A release should probably be made soon, as a way to advertise the problem
>so that people are aware of it and can take appropiate steps. I don't think
>that this problem warrants bypassing normal minor release proceedure.
>  
>
Ok. How about an official patch against 7.4.2 that fixes it, so that 
packagers can make their own informed decision. Also, has anybody 
checked what other versions are affected? Is 7.3? 7.2? Some people can't 
afford to upgrade due to data inconsistancy.

For those reasons I suggested a seperate mailing list.
         Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/