> On Wed, May 12, 2004 at 10:46:00 +0300,
>   Shachar Shemesh <[EMAIL PROTECTED]> wrote:
>> Industry practices dictate that we do issue SOMETHING now. The bug is
>> now public, and can be exploited.
>
> The description of the problem indicates that it can only be exploited
> after you have authenticated to the database. Since people who can
> connect to a postgres database can already cause denial of service
> attacks, this problem isn't a huge deal.

My take on this is different. To me, a DoS is a nuisance, but an arbitrary code execution vulnerability means information leak, and a major escalation (from which further escalation may be possible).

> It makes breaches in other programs (web server process especially)
> worse and provides another way for authorized users to cause problems.

Not to mention being another chain.

> A release should probably be made soon, as a way to advertise the
> problem so that people are aware of it and can take appropriate steps.
> I don't think that this problem warrants bypassing normal minor release
> procedure. For those reasons I suggested a separate mailing list.

Ok. How about an official patch against 7.4.2 that fixes it, so that packagers can make their own informed decision. Also, has anybody checked what other versions are affected? Is 7.3? 7.2? Some people can't afford to upgrade due to data inconsistency.
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/