On Thu, Apr 4, 2019 at 9:45 PM Tom Lane <t...@sss.pgh.pa.us> wrote:
> Jeremy Schneider <schnj...@amazon.com> writes:
> > I'm all for having clear documentation about the security model in
> > PostgreSQL, but I personally wouldn't be in favor of adding extra
> > wording to the docs just to pacify concerns about a CVE which may have
> > been erroneously granted by an assigning authority, who possibly should
> > have done better due diligence reviewing the content. Particularly if
> > there's any possibility that the decision to assign the number can be
> > appealed/changed, though admittedly I know very little about the CVE
> > process.
>
> Just FYI, we have filed a dispute with Mitre about the CVE, and also
> reached out to trustwave to try to find out why they filed the CVE
> despite the earlier private discussion.
The original author has also pretty much acknowledged in comments on his blog and on Twitter that it's not actually a vulnerability. (He doesn't agree with the design decision, which is apparently enough for a high-scoring CVE registration.)

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/