On Fri, Apr 12, 2024 at 09:00:11AM -0700, Andres Freund wrote:
> I'm actually fairly bothered by us linking to libxml2. It was effectively
> unmaintained for most of the last decade, with just very occasional drive-by
> commits. And it's not that there weren't significant bugs or such. Maintenance
> has picked up some, but it's still not well maintained, I'd say. If I wanted
> to attack postgres, it's where I'd start.
Indeed, libxml2 worries me too, as much as out-of-core extensions. There are a bunch of these out there, some of them not that maintained, and they could face similar attacks.
--
Michael