On Wed, Nov 24, 2021 at 2:53 PM Tom Lane <t...@sss.pgh.pa.us> wrote:
> One other point to be made here is that it seems like a stretch to call
> these particular bugs "high-severity".

Well, I was referring to the CVSS score, which was in the "high" range.

> Given what we learned about
> the difficulty of exploiting the libpq bug, and the certainty that any
> other clients sharing the issue would have their own idiosyncrasies
> necessitating a custom-designed attack, I rather doubt that we're going
> to hear of anybody trying to exploit the issue in the field.

I don't know. The main thing that I find consoling is the fact that most
people probably have the libpq connection behind a firewall where nasty
people can't even connect to the port. But there are probably exceptions.

> (By no means do I suggest that these bugs aren't worth fixing when we
> find them. But so far they seem very easy to fix. So moving mountains
> to design out just this one type of bug doesn't seem like a great use
> of our finite earth-moving capacity.)

I have enough trouble just moving the couch.

-- 
Robert Haas
EDB: http://www.enterprisedb.com