On Sun, 2005-11-27 at 12:16 -0500, Tom Lane wrote:
> The list seems a bit short; did you look through the release notes for
> items that seem to be security issues? I suspect there are some that
> don't have CVE names.
"Add checks for invalid field length in binary COPY (Tom)" in 7.4.3,
should probably be included.
If we're not going to describe issues with 7.2 and earlier releases
(which is probably reasonable), I think we should back off the claim
that "all known" security issues are listed. Personally I think we
shouldn't make the latter claim, anyway: for example, whether
COALESCE(NULL, NULL) dumping core (fixed in 8.0.3) is a "security issue"
is often in the eye of the beholder.
From the page:
"Our approach covers fail-safe configuration options, a secure and
robust database server as well as good integration with other security
infrastructure software."
What "good integration with other security infrastructure" can PGDG
legitimately take credit for?
-Neil