Tom Lane wrote:

> Bruce Momjian <[EMAIL PROTECTED]> writes:
>
> > Should we be thinking about a 7.4.3?
>
> I'm not panicking over this particular bug ... but it does seem like we've accumulated enough fixes since 7.4.2 that it may be time to start thinking about another dot-release. Maybe set a date towards the end of the month?
>
> regards, tom lane


Industry practices dictate that we do issue SOMETHING now. The bug is now public, and can be exploited.

This does not necessarily have to be 7.4.3. We can issue 7.4.2.1, containing only this fix, so that people who need to expose their database are not left open to attacks.

Also, if we want greater flexibility in handling these cases in the future, we should set up an invite-only list for reporting security bugs, and advertise it on the web site as the place to report security issues. Had this vulnerability been reported there, we could reasonably hold on without releasing a fix until 7.4.3 was ready.

If you need help in that list, I have a lot of experience with code security, but very little experience with the PostgreSQL code. Also, it would be a good idea to invite all the distro packagers to be on that list.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/