Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities
From | Magnus Hagander |
---|---|
Subject | Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities |
Date | |
Msg-id | 6BCB9D8A16AC4241919521715F4D8BCE6C7C0F@algol.sollentuna.se |
In response to | BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities ("Ferindo Middleton" <fmiddleton@verizon.net>) |
List | pgsql-bugs |
> Bug reference: 2052
> Logged by: Ferindo Middleton
> Email address: fmiddleton@verizon.net
> PostgreSQL version: 8.0.4
> Operating system: Windows 2000
> Description: Federal Agency Tech Hub Refuses to Accept Postgresql on
> Network because of Security Vulnerabilities
> Details:
>
> This bug report involves more than one proposed bug. I work
> at a federal government agency. The information technology
> division at this agency refuses to allow the database version
> 8.0.4 on their network because of several security
> vulnerabilities they noticed when testing the software
> application. The database would run on a Windows 2000
> Professional computer system. The division I work for wants
> to use the database as a backend to a set of Java Server Pages I
> developed to be served via Apache Tomcat. My application
> works great with PostgreSQL but the problem is getting the IS
> team at this agency to accept PostgreSQL db. I know nothing
> about hacking PostgreSQL. I merely know how to install,
> set up, run the database and write JSP applications to use the
> database in the background so these security vulnerabilities
> are beyond the scope of my own understanding of the database
> from a mere admin/user level.
>
> I am going to paste below the feedback I received concerning
> the vulnerabilities of the database in hopes that The
> PostgreSQL Global Development Group would consider looking
> into each stated flaw. I believe that resolution of these
> vulnerabilities would be a major achievement of our database
> management system and possibly open the software up to more
> government acceptance and utilization, which I believe it is lacking.

I believe every single one of these bugs is fixed in the currently
available releases. So if you get 8.0.4 or 8.1.0, you're fine for any of
these.

(Oh, and what *do* they allow? Oracle, for example, has had a *lot* more
security vulnerabilities during the same time, some of which aren't even
patched yet.. And they can't seriously have a zero-bugs-even-if-fixed
policy, because then they couldn't install *anything*...)

//Magnus