On Mon, 12 Feb 2007, Tom Lane wrote: > Jeremy Drake <[EMAIL PROTECTED]> writes: > > On Mon, 12 Feb 2007, Teodor Sigaev wrote: > >> Fix backend crash in parsing incorrect tsquery. > > > Is this a security issue? Does it need a new security release? > > We looked at this and determined that the worst that could be done with > it is crash the backend. Which is annoying, but if we treated every > such bug as a security exercise then we'd be having a new release every > week or so. Core's current policy is that we'll consider a bug worthy > of a security release if it can be used to force execution of arbitrary > code, access otherwise-unavailable information, etc. A simple crash is > at worst a momentary denial of service to other DB users, and if you've > got the ability to issue arbitrary SQL there are lots of ways to create > denial-of-service situations of one magnitude or another. > > Also, recent history should impress on you the disadvantages of treating > problems as security exercises: patches that go in without any public > review or testing are far more likely to create new problems than those > that go through the normal process. So setting a low bar for what > constitutes a security issue is likely to decrease the system's overall > reliability.
I understand. This is reasonable. I am glad that this was considered, and weighed against the same policy as core. -- Andrea: Unhappy the land that has no heroes. Galileo: No, unhappy the land that _____needs heroes. -- Bertolt Brecht, "Life of Galileo" ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq