Thanks for all of your opinions. I have almost the same feeling.
The best layer for mitigation should probably be a user application.
There, one can arrange the correct data layout in the database, set up
access limits for the app, and apply many other mitigation mechanisms.
-Filip-
Wed 6. 4. 2022 at
On Wed, 6 Apr 2022 at 10:29, Robert Haas wrote:
>
> I think that the paper shows that, under the right set of
> circumstances, a timing-based attack is possible here.
Generally any argument that an attack is infeasible is risky and
usually leads to security professionals showing that surprisingly
On Wed, Apr 6, 2022 at 10:14 AM Tom Lane wrote:
> Robert Haas writes:
> > One last thought: I don't think it's right to suppose that every
> > security vulnerability is the result of some design flaw and every
> > security vulnerability must be patched.
>
> As far as Postgres is concerned, I'm ki
Robert Haas writes:
> One last thought: I don't think it's right to suppose that every
> security vulnerability is the result of some design flaw and every
> security vulnerability must be patched.
As far as Postgres is concerned, I'm kind of unimpressed by timing-based
attacks. There are enough
On Wed, Apr 6, 2022 at 7:18 AM Filip Janus wrote:
> A few months ago a group of researchers published a paper about LZ77
> vulnerability[1]. And it also affects PGLZ. From my point of view, it could
> be a really dangerous issue for some kind of application. If I understand it
> correctly there
Hi all,
A few months ago a group of researchers published a paper about LZ77
vulnerability[1]. And it also affects PGLZ. From my point of view, it could
be a really dangerous issue for some kind of application. If I understand
it correctly there is a possibility of leaking approx. 24B secret data p