postgres vulnerability

Started by Gaetano Mendola over 21 years ago, 12 messages
#1Gaetano Mendola
mendola@bigfoot.com

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

Regards
Gaetano Mendola

#2Stephan Szabo
sszabo@megazone.bigpanda.com
In reply to: Gaetano Mendola (#1)
Re: postgres vulnerability

On Sat, 9 Oct 2004, Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

I'd go further than sad and say irresponsible for the ones that are like
that.

#3Stephan Szabo
sszabo@megazone.bigpanda.com
In reply to: Stephan Szabo (#2)
Re: postgres vulnerability

On Sat, 9 Oct 2004, Stephan Szabo wrote:

On Sat, 9 Oct 2004, Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

I'd go further than sad and say irresponsible for the ones that are like
that.

I should clarify: irresponsible to be equating bugs in components that
use or misuse PostgreSQL with actual vulnerabilities in the database.

#4Gaetano Mendola
mendola@bigfoot.com
In reply to: Stephan Szabo (#3)
Re: postgres vulnerability

Stephan Szabo wrote:

On Sat, 9 Oct 2004, Stephan Szabo wrote:

On Sat, 9 Oct 2004, Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

I'd go further than sad and say irresponsible for the ones that are like
that.

I should clarify: irresponsible to be equating bugs in components that
use or misuse PostgreSQL with actual vulnerabilities in the database.

Exactly this was my feeling.

Regards
Gaetano Mendola

#5Neil Conway
neilc@samurai.com
In reply to: Gaetano Mendola (#1)
Re: postgres vulnerability

Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to
legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.

-Neil

#6Tom Lane
tgl@sss.pgh.pa.us
In reply to: Neil Conway (#5)
Re: postgres vulnerability

Neil Conway <neilc@samurai.com> writes:

Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to
legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.

However, the ones that are still current (ie, something not fixed many
revs back) are mostly things outside our control. I think the only
really serious charge in the lot is buffer overflows inside the ODBC
driver.

regards, tom lane

#7Gaetano Mendola
mendola@bigfoot.com
In reply to: Neil Conway (#5)
Re: postgres vulnerability

Neil Conway wrote:

Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to
legitimate problems in PostgreSQL, its RPM distribution, or the ODBC
driver.

I consider the RPM distribution and the ODBC driver to be third-party components.

However, doing a full scan :-) on all bugs, I withdraw "almost all".

Regards
Gaetano Mendola

#8David Garamond
lists@zara.6.isreserved.com
In reply to: Gaetano Mendola (#7)
Re: postgres vulnerability

Gaetano Mendola wrote:

Neil Conway wrote:

Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to
legitimate problems in PostgreSQL, its RPM distribution, or the ODBC
driver.

I consider the RPM distribution and the ODBC driver to be third-party components.

Unless the vulnerability is introduced by a patch in the RPM, RPM is
just a compiled version of the original. Thus, not third party code.

However, doing a full scan :-) on all bugs, I withdraw "almost all".

--
dave

#9Gaetano Mendola
mendola@bigfoot.com
In reply to: David Garamond (#8)
Re: postgres vulnerability

David Garamond wrote:

Gaetano Mendola wrote:

Neil Conway wrote:

Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to
legitimate problems in PostgreSQL, its RPM distribution, or the ODBC
driver.

I consider the RPM distribution and the ODBC driver to be third-party components.

Unless the vulnerability is introduced by a patch in the RPM, RPM is
just a compiled version of the original. Thus, not third party code.

Well, the RPM issue was about wrong file permissions; do you think this is
a postgres vulnerability?

Regards
Gaetano Mendola
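
The RPM issue above concerns how the package laid files down on disk, not the server code. As an added example (not from this thread and not the PostgreSQL project's own code), here is a small Python audit that walks a PostgreSQL data directory and flags every directory or regular file that is group- or world-accessible, then tightens them to the 0700/0600 modes initdb creates. The postmaster itself only checks the top-level directory at startup (it refuses to run when that directory is group- or world-accessible); extending the check to the whole tree is this example's own rule. The sample tree is constructed in a temporary directory; the file names and modes in it are illustrative.

```python
import os
import shutil
import stat
import tempfile

# Permission bits that must not be set on anything under a PostgreSQL data
# directory. The postmaster refuses to start when the top-level directory
# has any of these; applying the rule to every entry below it is this
# example's (added) convention, not the server's check.
FORBIDDEN = stat.S_IRWXG | stat.S_IRWXO


def audit_tree(root, forbidden=FORBIDDEN):
    """Return sorted (relative_path, octal_mode) pairs for each directory or
    regular file under root whose mode bits intersect `forbidden`.
    Symlinks are neither reported nor followed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk visits every directory as dirpath, so checking dirpath
        # covers all directories; filenames covers the files in each.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            perm = stat.S_IMODE(mode)
            if perm & forbidden:
                findings.append((os.path.relpath(path, root), oct(perm)))
    return sorted(findings)


def remediate(root, findings):
    """Tighten each flagged entry to 0700 (directories) or 0600 (files),
    the modes initdb uses. Returns the number of entries changed."""
    for rel, _mode in findings:
        path = os.path.join(root, rel)
        os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)
    return len(findings)


def build_fixture():
    """Construct a throwaway PGDATA-like tree (sample data, not a real
    cluster): a correctly locked-down root and base/, plus a world-readable
    pg_hba.conf and a world-writable pg_log/ as the deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="pgdata-")
    os.chmod(root, 0o700)
    for sub, mode in [("base", 0o700), ("pg_log", 0o777)]:
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    for name, mode in [("postgresql.conf", 0o600), ("pg_hba.conf", 0o644)]:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return root


def cleanup(root):
    """Remove the constructed fixture tree."""
    shutil.rmtree(root)


if __name__ == "__main__":
    pgdata = build_fixture()
    try:
        found = audit_tree(pgdata)
        for rel, mode in found:
            print(f"{mode} {rel}")
        print(f"fixed {remediate(pgdata, found)} entries; "
              f"remaining: {audit_tree(pgdata)}")
    finally:
        cleanup(pgdata)
```

Run it as the postgres user (or root) against a real PGDATA by replacing `build_fixture()` with the data directory path; on the constructed tree it reports pg_hba.conf (0644) and pg_log (0777), fixes both, and a second pass reports nothing. Releases from 11 on also accept a 0750 data directory for group-readable backups, so a site relying on that should drop `S_IRGRP | S_IXGRP` from `FORBIDDEN`.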

#10Stephan Szabo
sszabo@megazone.bigpanda.com
In reply to: Neil Conway (#5)
Re: postgres vulnerability

On Sun, 10 Oct 2004, Neil Conway wrote:

Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to
legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.

However, even removing "almost all" from the comment, it's still pretty
sad that a "trusted source for computer security training, certification
and research" would have a >25% miss rate on properly categorizing
vulnerabilities.

#11Dave Cramer
pg@fastcrypt.com
In reply to: Stephan Szabo (#10)
Re: postgres vulnerability

Actually, I see this differently.

This is a classic example of how PostgreSQL is viewed by the rest of the
world. This argument has been brought up before.
It is only the core that differentiates the server from the interfaces.
The rest of the world views this as one product.

Dave
On Sun, 2004-10-10 at 09:48, Stephan Szabo wrote:

On Sun, 10 Oct 2004, Neil Conway wrote:

Gaetano Mendola wrote:

Here http://www.sans.org/top20/#u9
are listed postgres vulnerabilities; it's sad to see that almost all
are related to third-party components

"Almost all"? By my count, 12 of the 17 vulnerabilities refer to
legitimate problems in PostgreSQL, its RPM distribution, or the ODBC driver.

However, even removing "almost all" from the comment, it's still pretty
sad that a "trusted source for computer security training, certification
and research" would have a >25% miss rate on properly categorizing
vulnerabilities.


--
Dave Cramer
519 939 0336
ICQ # 14675561
www.postgresintl.com

#12Stephan Szabo
sszabo@megazone.bigpanda.com
In reply to: Dave Cramer (#11)
Re: postgres vulnerability

On Tue, 12 Oct 2004, Dave Cramer wrote:

Actually, I see this differently.

This is a classic example of how PostgreSQL is viewed by the rest of the
world. This argument has been brought up before.
It is only the core that differentiates the server from the interfaces.
The rest of the world views this as one product.

Some of the 5 remaining are things like mod_auth_pgsql or the auth module
for courier 0.40 that uses PostgreSQL as a backend. I'm sorry, but I
really don't consider those part of PostgreSQL any more than I consider
any random piece of software that uses Oracle as a backend part of Oracle.