Re: a vulnerability in PostgreSQL
From | teg@redhat.com (Trond Eivind Glomsrød) |
---|---|
Subject | Re: a vulnerability in PostgreSQL |
Date | |
Msg-id | xuyhelp80z6.fsf@halden.devel.redhat.com |
In reply to | Re: a vulnerability in PostgreSQL (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: a vulnerability in PostgreSQL |
List | pgsql-hackers |

Tom Lane <tgl@sss.pgh.pa.us> writes:

> Tatsuo Ishii <t-ishii@sra.co.jp> writes:
> > Here are the precise conditions to trigger the scenario:
> >
> > (1) the backend is PostgreSQL 6.5.x
> > (2) multibyte support is enabled (--enable-multibyte)
> > (3) the database encoding is SQL_ASCII (other encodings are not
> > affected by the bug).
> > (4) the client encoding is set to other than SQL_ASCII
> >
> > I think I am responsible for this since I originally wrote the
> > code. Sorry for this. I'm going to make back port patches to fix the
> > problem for pre 7.2 versions.
>
> It doesn't really seem worth the trouble to make patches for 6.5.x.
> If someone hasn't upgraded yet, they aren't likely to install patches
> either. (ISTR there are other known security risks in 6.5, anyway.)
> If the problem is fixed in 7.0 and later, why not just tell people to
> upgrade?

Postgresql doesn't support upgrades[1], so if we're going to release
upgrades[2], we'd need the backported fixes for 6.5, 7.0 and 7.1

[1] Not the first time I mention this, is it?
[2] We got lucky - 6.5.x is not compiled with multibyte support.

-- 
Trond Eivind Glomsrød
Red Hat, Inc.