Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
| От | Magnus Hagander |
|---|---|
| Тема | Re: CVE-2019-9193 about COPY FROM/TO PROGRAM |
| Дата | |
| Msg-id | CABUevEznSFn2FD-N0Tv+aFM85UkoVBe4cvWG2DhYz8FntVaQrQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: CVE-2019-9193 about COPY FROM/TO PROGRAM (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
|
| Список | pgsql-general |
On Thu, Apr 4, 2019 at 9:45 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Jeremy Schneider <schnjere@amazon.com> writes:
> I'm all for having clear documentation about the security model in
> PostgreSQL, but I personally wouldn't be in favor of adding extra
> wording to the docs just to pacify concerns about a CVE which may have
> been erroneously granted by an assigning authority, who possibly should
> have done better due diligence reviewing the content. Particularly if
> there's any possibility that the decision to assign the number can be
> appealed/changed, though admittedly I know very little about the CVE
> process.
Just FYI, we have filed a dispute with Mitre about the CVE, and also
reached out to trustwave to try to find out why they filed the CVE
despite the earlier private discussion.
The original author has also pretty much acknowledged in comments on his blog and on twitter that it's not actually a vulnerability. (He doesn't agree with the design decision, which is apparently enough for a high scoring CVE registration).
В списке pgsql-general по дате отправления: