Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
| От | Magnus Hagander |
|---|---|
| Тема | Re: CVE-2019-9193 about COPY FROM/TO PROGRAM |
| Дата | |
| Msg-id | CABUevExbzaRZmH6Nz=DLQD-vX+wb7cEBgAOP3Nb_oz4qVoV+8w@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: CVE-2019-9193 about COPY FROM/TO PROGRAM ("Jonathan S. Katz" <jkatz@postgresql.org>) |
| Список | pgsql-general |
On Mon, Apr 1, 2019 at 4:04 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
> On Apr 1, 2019, at 9:55 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Magnus Hagander <magnus@hagander.net> writes:
>>> On Sat, Mar 30, 2019 at 10:16 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> Yeah; this is supposing that there is a security boundary between
>>> Postgres superusers and the OS account running the server, which
>>> there is not. We could hardly have features like untrusted PLs
>>> if we were trying to maintain such a boundary.
>
>> I wonder if we need to prepare some sort of official response to that.
>> I was considering writing up a blog post about it, but maybe we need
>> something more official?
>
> Blog post seems like a good idea. As for an "official" response,
> it strikes me that maybe we need better documentation.
+1, though I’d want to see if people get noisier about it before we rule
out an official response.
A blog post from a reputable author who can speak to security should
be good enough and we can make noise through our various channels.
I have now made such a post at https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/
В списке pgsql-general по дате отправления: