Shachar Shemesh <[EMAIL PROTECTED]> writes: > Ok. How about an official patch against 7.4.2 that fixes it, so that > packagers can make their own informed decision.
The "official patch" is available to anyone who wants it from our CVS server. http://developer.postgresql.org/cvsweb.cgi/pgsql-server/src/backend/lib/stringinfo.c.diff?r1=1.36&r2=1.36.4.1 BTW, all the principal packagers read this list and have doubtless made their informed decisions already ... > Also, has anybody checked what other versions are affected? Nothing before 7.4, at least by the known implications of this issue. Again, if we wait a while and let Ken keep running his analysis tool, he might turn up other stuff we need to fix. Maybe even stuff that needs a fix much worse than this does. >>>Industry practices dictate that we do issue SOMETHING now. The bug is >>>now public, and can be exploited. I frankly think that this discussion is emblematic of all the worst tendencies of the security community. Have you forgotten the fable about the boy who cried "wolf"? If you demand a Chinese fire drill for every issue that could conceivably be exploited, you'll soon find yourself unable to get peoples' attention for problems that are really serious. I repeat: in my estimation this is not a bug that needs a fix yesterday. AFAICS it would be very difficult to cause more than a nuisance DOS with it, and there are plenty of other ways for authenticated database users to cause those. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faqs/FAQ.html
