Re: Security information page
From | Magnus Hagander |
---|---|
Subject | Re: Security information page |
Date | |
Msg-id | 6BCB9D8A16AC4241919521715F4D8BCE92E8B6@algol.sollentuna.se |
In reply to | Security information page ("Magnus Hagander" <mha@sollentuna.net>) |
List | pgsql-www |
> >> Personally I think we shouldn't make the latter claim, anyway: for
> >> example, whether COALESCE(NULL, NULL) dumping core (fixed in 8.0.3)
> >> is a "security issue" is often in the eye of the beholder.
>
> > If we (the PGDG) believe that is a security issue, it should be on the
> > list. And it should be back-patched to other stable branches - has
> > this been done?
>
> 2005-04-10 16:57 tgl
>
>     * src/backend/optimizer/util/: clauses.c (REL7_4_STABLE), clauses.c
>     (REL8_0_STABLE), clauses.c: Make constant-folding produce sane
>     output for COALESCE(NULL,NULL), that is a plain NULL and not a
>     COALESCE with no inputs. Fixes crash reported by Michael
>     Williamson.
>
> It wasn't back-patched further because earlier versions don't
> have the bug.

Right. Added to the list.

> In general, I think we consider any potential server core
> dump to be a security issue, if it can be provoked by
> unprivileged users. Even if it's not exploitable in any
> other way, denial-of-service is still a security concern.

Seems like a good policy to me.

Anybody have anything else to add to the list?

//Magnus
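The quoted commit fixes a crash that any connected user could trigger with a single statement, which is exactly the "unprivileged denial of service" class the policy above covers. The following psql session is an added example, not part of the thread or of the PostgreSQL project's own test suite; it assumes a test server you are allowed to crash (the reproducer takes down the backend on an unpatched 7.4 or 8.0 server) and a connection as an ordinary, non-superuser account, since the point of the policy is that no privilege is needed.

```sql
-- Added example (not from the thread). Run against a throwaway test
-- instance only: on an unpatched server the reproducer kills the backend.

-- 1. Confirm which release you are on. The fix shipped in 8.0.3 and was
--    back-patched to the 7.4 stable branch (see the quoted commit);
--    earlier major versions do not contain the bug.
SELECT version();

-- 2. Reproducer. Constant-folding used to reduce this to a COALESCE node
--    with zero arguments, which the executor could not handle. After the
--    fix the planner folds it to a plain NULL constant and the query
--    simply returns one NULL row.
SELECT COALESCE(NULL, NULL) AS folded;

-- 3. Sanity check on a fixed server: the result is a single NULL, i.e.
--    "folded IS NULL" evaluates to true.
SELECT COALESCE(NULL, NULL) IS NULL AS fixed_behaviour;

-- 4. Optional: look at what the planner produced. On a fixed server the
--    output expression is a bare NULL constant rather than a COALESCE
--    with no inputs (exact EXPLAIN VERBOSE formatting varies by release).
EXPLAIN VERBOSE SELECT COALESCE(NULL, NULL);
```

Because step 2 needs no privileges beyond the ability to connect and run a SELECT, it is a convenient smoke test for whether a fleet has actually picked up the back-patched release; any server that drops the connection at that step is still vulnerable.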