On 2/6/2005 4:31 PM, Greg Stark wrote:
Jan Wieck <[EMAIL PROTECTED]> writes:
No, Peter.
Posting a vulnerability on a public mailing list "before" there is a known fix
for it means that you put everyone who has that vulnerability into jeopardy.
Vulnerabilities are a special breed of bugs and need to
Jan Wieck <[EMAIL PROTECTED]> writes:
> No, Peter.
>
> Posting a vulnerability on a public mailing list "before" there is a known fix
> for it means that you put everyone who has that vulnerability into jeopardy.
> Vulnerabilities are a special breed of bugs and need to be exterminated a
> littl
Jan Wieck wrote:
On 1/30/2005 10:18 AM, Peter Eisentraut wrote:
Dawid Kuroczko wrote:
I think it is in good taste that when you find a
bug/vulnerability/etc first you contact the author (in this case:
core), leave them some time to fix the problem and then go on
announcing it to the world.
In thi
On 1/30/2005 10:18 AM, Peter Eisentraut wrote:
Dawid Kuroczko wrote:
I think it is in good taste that when you find a
bug/vulnerability/etc first you contact the author (in this case:
core), leave them some time to fix the problem and then go on
announcing it to the world.
In this case, core is not
On Sun, Jan 30, 2005 at 06:05:37PM -0500, Greg Stark wrote:
> There are always ways for a sysadmin to close the vulnerability, even if it
> means temporarily limiting access until the fix is available. How would you
> like to be a sysadmin that finds his system exploited only to discover that
> the
Dawid Kuroczko <[EMAIL PROTECTED]> writes:
> > Why only -core?
>
> I think it is in good taste that when you find a bug/vulnerability/etc
> first you contact the author (in this case: core), leave them some
> time to fix the problem and then go on announcing it to the world.
>
> I think it is
On Sun, 30 Jan 2005, Tom Lane wrote:
Josh Berkus writes:
We don't really have an official security contact. The next best thing
is to send such reports to pgsql-core, which is not an open list, but
will reach a good chunk of those with an interest in fixing such
problems.
Is there any reason not
where should it be aliased to? pgsql-core?
On Sun, 30 Jan 2005, Josh Berkus wrote:
Tom,
We don't really have an official security contact. The next best thing
is to send such reports to pgsql-core, which is not an open list, but
will reach a good chunk of those with an interest in fixing such
pro
Josh Berkus writes:
>> We don't really have an official security contact. The next best thing
>> is to send such reports to pgsql-core, which is not an open list, but
>> will reach a good chunk of those with an interest in fixing such
>> problems.
> Is there any reason not to set up a "[EMAIL PR
Tom,
> We don't really have an official security contact. The next best thing
> is to send such reports to pgsql-core, which is not an open list, but
> will reach a good chunk of those with an interest in fixing such
> problems.
Is there any reason not to set up a "[EMAIL PROTECTED]" mail alias?
On Sun, Jan 30, 2005 at 12:55:28PM -0500, Tom Lane wrote:
> We don't really have an official security contact. The next best thing
> is to send such reports to pgsql-core, which is not an open list, but
> will reach a good chunk of those with an interest in fixing such
> problems.
IMHO this fact
Peter Eisentraut <[EMAIL PROTECTED]> writes:
> Dawid Kuroczko wrote:
>> I think it is in good taste that when you find a
>> bug/vulnerability/etc first you contact the author (in this case:
>> core), leave them some time to fix the problem and then go on
>> announcing it to the world.
> In this
Dawid Kuroczko wrote:
> I think it is in good taste that when you find a
> bug/vulnerability/etc first you contact the author (in this case:
> core), leave them some time to fix the problem and then go on
> announcing it to the world.
In this case, core is not the author of the object in questio
On Sun, 30 Jan 2005 20:23:15 +1100, Neil Conway <[EMAIL PROTECTED]> wrote:
> Josh Berkus wrote:
> > If you know of a PostgreSQL package, from any source, that installs with
> > trust on network ports, please notify Core (and Core only, please).
>
> Why only -core?
I think it is in good taste
Josh Berkus wrote:
If you know of a PostgreSQL package, from any source, that installs with trust
on network ports, please notify Core (and Core only, please).
Why only -core?
-Neil
Tom Lane wrote:
Chris Travers <[EMAIL PROTECTED]> writes:
Maybe we should set the default authentication to only use TRUST on
local sockets only. At least as of 7.4, the default was to trust
network ports.
Perhaps you should check your facts before posting.
Ok. Pardon me. I misread
Chris,
> Maybe we should set the default authentication to only use TRUST on
> local sockets only. At least as of 7.4, the default was to trust
> network ports.
If you know of a PostgreSQL package, from any source, that installs with trust
on network ports, please notify Core (and Core only, pl
Chris Travers <[EMAIL PROTECTED]> writes:
> Maybe we should set the default authentication to only use TRUST on
> local sockets only. At least as of 7.4, the default was to trust
> network ports.
Perhaps you should check your facts before posting.
regards, tom lane
---
Cross-posting to general due to more general nature of response
Josh Berkus wrote:
Chris,
http://www.theregister.co.uk/2005/01/28/mysql_worm/
Yep. And each time someone asks you "But why can't I install PostgreSQL as
Administrator" you can point them to that worm
Now, if Postgre