
[pgsql-advocacy] MySQL worm attacks Windows servers - PostgreSQL / PGSQL


  1. #1

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    Tom Lane wrote:
    >Chris Travers <christravelamericas.com> writes:
    >
    >
    >>Maybe we should set the default authentication to only use TRUST on
    >>local sockets only. At least as of 7.4, the default was to trust
    >>network ports.
    >>
    >>
    >
    >Perhaps you should check your facts before posting.
    >
    >
    Ok. Pardon me. I misread the file. I apologize.

    Best Wishes,
    Chris Travers

    ---------------------------(end of broadcast)---------------------------
    TIP 3: if posting/reading through Usenet, please send an appropriate
    subscribe-nomail command to majordomopostgresql.org so that your
    message can get through to the mailing list cleanly

    Chris Travers Guest

  2. #2

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    Josh Berkus wrote:
    > If you know of a PostgreSQL package, from any source, that installs with trust
    > on network ports, please notify Core (and Core only, please).
    Why only -core?

    -Neil

    ---------------------------(end of broadcast)---------------------------
    TIP 5: Have you checked our extensive FAQ?

    http://www.postgresql.org/docs/faq

    Neil Conway Guest
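The condition Josh asks about above (a package that installs with trust on network ports) is something an admin or packager can check for mechanically. The following audit script is added here as an illustration and is not code from the thread or the PostgreSQL project; it assumes the file in question is pg_hba.conf in its standard column layout, and the sample file contents are constructed.

```python
"""Audit a pg_hba.conf for 'trust' entries reachable over the network."""
import ipaddress

# Constructed sample pg_hba.conf (illustration only, not from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        md5
host    all       all   0.0.0.0/0      trust
hostssl all       all   10.0.0.0/8     md5
host    all       all   192.168.1.5    trust
"""

def parse_hba(text):
    """Return (type, database, user, address, method) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # 'local' (Unix socket) lines have no address column at all
        if fields[0] == "local":
            rules.append((fields[0], fields[1], fields[2], None, fields[3]))
            continue
        ctype, database, user, address = fields[:4]
        rest = fields[4:]
        # Separate netmask column, e.g. "192.168.0.0 255.255.0.0 md5"
        if "/" not in address and rest[0][0].isdigit():
            address, rest = f"{address}/{rest[0]}", rest[1:]
        rules.append((ctype, database, user, address, rest[0]))
    return rules

def network_trust_rules(text):
    """Return rules granting 'trust' to any non-loopback network address."""
    findings = []
    for rule in parse_hba(text):
        ctype, _db, _user, address, method = rule
        if ctype == "local" or method.lower() != "trust":
            continue
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            findings.append(rule)  # hostname or keyword such as 'all': flag it
            continue
        if not net.is_loopback:
            findings.append(rule)
    return findings
```

Anything returned by network_trust_rules is a line where a network client is accepted with no credentials, which is the configuration the thread treats as a packaging defect.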

  3. #3

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    Dawid Kuroczko wrote:
    > I think it is in good taste that when you find a
    > bug/vulnerability/etc first you contact the author (in this case:
    > core), leave them some time to fix the problem and then go on
    > announcing it to the
    > world.
    In this case, core is not the author of the object in question. And of
    course, to report a "bug/vulnerability/etc" you would write to
    pgsql-bugs, not core.

    --
    Peter Eisentraut
    http://developer.postgresql.org/~petere/

    ---------------------------(end of broadcast)---------------------------
    TIP 1: subscribe and unsubscribe commands go to majordomopostgresql.org

    Peter Eisentraut Guest

  4. #4

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    Tom,
    > We don't really have an official security contact. The next best thing
    > is to send such reports to pgsql-core, which is not an open list, but
    > will reach a good chunk of those with an interest in fixing such
    > problems.
    Is there any reason not to set up a "securitypostgresql.org" mail alias?

    --
    Josh Berkus
    Aglio Database Solutions
    San Francisco

    ---------------------------(end of broadcast)---------------------------
    TIP 5: Have you checked our extensive FAQ?

    http://www.postgresql.org/docs/faq

    Josh Berkus Guest

  5. #5

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers


    where should it be aliased to? pgsql-core?

    On Sun, 30 Jan 2005, Josh Berkus wrote:
    > Tom,
    >
    >> We don't really have an official security contact. The next best thing
    >> is to send such reports to pgsql-core, which is not an open list, but
    >> will reach a good chunk of those with an interest in fixing such
    >> problems.
    >
    > Is there any reason not to set up a "securitypostgresql.org" mail alias?
    >
    > --
    > Josh Berkus
    > Aglio Database Solutions
    > San Francisco
    >
    > ---------------------------(end of broadcast)---------------------------
    > TIP 4: Don't 'kill -9' the postmaster
    >
    ----
    Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
    Email: scrappyhub.org Yahoo!: yscrappy ICQ: 7615664

    ---------------------------(end of broadcast)---------------------------
    TIP 4: Don't 'kill -9' the postmaster

    Marc G. Fournier Guest

  6. #6

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    Josh Berkus <joshagliodbs.com> writes:
    >> We don't really have an official security contact. The next best thing
    >> is to send such reports to pgsql-core, which is not an open list, but
    >> will reach a good chunk of those with an interest in fixing such
    >> problems.
    > Is there any reason not to set up a "securitypostgresql.org" mail alias?
    Probably not --- Marc, do you want to do that (and make it point to
    pgsql-core for now)?

    I was just in the middle of adding notes to problems.sgml and
    bug.template to tell people to send security issues to pgsql-core,
    but I can make it say security instead.

    regards, tom lane

    ---------------------------(end of broadcast)---------------------------
    TIP 7: don't forget to increase your free space map settings

    Tom Lane Guest

  7. #7

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers


    Dawid Kuroczko <qnex42> writes:
    > > Why only -core?
    >
    > I think it is in good taste that when you find a bug/vulnerability/etc
    > first you contact the author (in this case: core), leave them some
    > time to fix the problem and then go on announcing it to the
    > world.
    >
    > I think it is perfectly reasonable!
    In case there are some that are not aware, this is a matter of some
    controversy. Many people believe it better to disclose vulnerabilities
    publicly.

    There are always ways for a sysadmin to close the vulnerability, even if it
    means temporarily limiting access until the fix is available. How would you
    like to be a sysadmin that finds his system exploited only to discover that
    the vulnerability was known and he could have worked around it had he been
    informed but those in the know kept it secret until a patch was published?

    The only way keeping it secret is really justified is if a) You know no
    malicious persons are aware of the vulnerability (which of course one never
    really knows for certain) b) it's more reasonable for a sysadmin to run with
    the vulnerability than to work around it using whatever means necessary (and
    you feel comfortable making that decision for every sysadmin everywhere).

    There are certainly others that disagree but I think history shows that when
    vulnerabilities are disclosed in full sysadmins can react more effectively and
    vendors release fixes faster and the net result is fewer compromises and
    better software.

    Of course in this case the argument that Postgres would have responded quicker
    had the vulnerability been known is almost certainly baseless. And it may turn
    out to be the case that there were no compromises because not a single
    malicious user knew about the hole. It doesn't always work out that way
    though.

    --
    greg


    ---------------------------(end of broadcast)---------------------------
    TIP 7: don't forget to increase your free space map settings

    Greg Stark Guest

  8. #8

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    On Sun, Jan 30, 2005 at 06:05:37PM -0500, Greg Stark wrote:
    > There are always ways for a sysadmin to close the vulnerability, even if it
    > means temporarily limiting access until the fix is available. How would you
    > like to be a sysadmin that finds his system exploited only to discover that
    > the vulnerability was known and he could have worked around it had he been
    > informed but those in the know kept it secret until a patch was published.
    While true, I think an argument can be made to notify as many people as
    possible and posting to -core means a message is more likely to go
    -announce where more PostgreSQL admins will see it. It's possible not
    all admins will be reading -general.
    > The only way keeping it secret is really justified is if a) You know no
    > malicious persons are aware of the vulnerability (which of course one never
    > really knows for certain) b) it's more reasonable for a sysadmin to run with
    > the vulnerability than to work around it using whatever means necessary (and
    > you feel comfortable making that decision for every sysadmin everywhere).
    Sure. Actually for something as obvious as trusting network access I'd
    actually assume the person posting it would be smart enough to point
    out the solution as well. While I'm for public disclosure in general I
    do think 24 hour notice is not too much to ask for.

    And hey, given the volume of -general sending to security might get it
    read a little earlier by people who can do something than just dumping
    on the mailing list. My preferred scenario would be to actually ring
    someone in -core on the phone and discuss it directly and work it out
    from there. But I don't know the chances of that.

    At the end of the day the people making the disclosure make the
    decision, our discussing it won't make a difference there... :)

    Have a nice day,
    --
    Martijn van Oosterhout <kleptogsvana.org> http://svana.org/kleptog/
    > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
    > tool for doing 5% of the work and then sitting around waiting for someone
    > else to do the other 95% so you can sue them.

    Martijn van Oosterhout Guest

  9. #9

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    On 1/30/2005 10:18 AM, Peter Eisentraut wrote:
    >
    > In this case, core is not the author of the object in question. And of
    > course, to report a "bug/vulnerability/etc" you would write to
    > pgsql-bugs, not core.

    No, Peter.

    Posting a vulnerability on a public mailing list "before" there is a
    known fix for it means that you put everyone who has that vulnerability
    into jeopardy. Vulnerabilities are a special breed of bugs and need to
    be exterminated a little differently.


    Jan

    --
    #================================================= =====================#
    # It's easier to get forgiveness for being wrong than for being right. #
    # Let's break this rule - forgive me. #
    #================================================= = com #

    ---------------------------(end of broadcast)---------------------------
    TIP 8: explain analyze is your friend

    Jan Guest

  10. #10

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers



    Jan Wieck wrote:
    >>
    >>
    >> In this case, core is not the author of the object in question. And
    >> of course, to report a "bug/vulnerability/etc" you would write to
    >> pgsql-bugs, not core.
    >>
    >
    > No, Peter.
    >
    > Posting a vulnerability on a public mailing list "before" there is a
    > known fix for it means that you put everyone who has that vulnerability
    > into jeopardy. Vulnerabilities are a special breed of bugs and need to
    > be exterminated a little differently.
    >
    >
    > Jan
    >

    ain't that the truth.
    if a vulnerability is found, try to find a fix, or work around, post it
    privately to the developer, give them an opportunity to get it fixed
    before going public.

    when dealing with open source, this system works great.
    when dealing with proprietary / closed source [ specifically microsoft ]
    expect that it's the public announcement that's going to start them
    doing something about it.

    I personally would only give ms a week at most to fix the problem before
    going public.
    since open source is usually fixed in that time frame.


    Jaqui


    ---------------------------(end of broadcast)---------------------------
    TIP 9: the planner will ignore your desire to choose an index scan if your
    joining column's datatypes do not match

    J. Guest

  11. #11

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers


    Jan Wieck <com> writes:


    Many people disagree with this. Posting the vulnerability isn't what puts
    people into jeopardy, the presence of the vulnerability puts people in
    jeopardy. Posting it at least allows people to disable the feature or close
    off access. Or at least monitor for possible intrusions. Not posting it leaves
    people in jeopardy and in the dark about it.

    If you think you're the first one to find the vulnerability you're probably
    wrong. Often malicious hackers who search for vulnerabilities find them and
    keep them secret long before they're reported.

    How would you feel if your system was compromised and then you found out later
    that it was a known security hole in a feature you had no need for and the
    vulnerability had been kept secret?

    This is really the wrong place to have such a debate. This is a long-standing
    debate and one that you should just recognize exists. Don't present one
    side as dogma.

    --
    greg


    ---------------------------(end of broadcast)---------------------------
    TIP 6: Have you searched our list archives?

    http://archives.postgresql.org

    Greg Guest

  12. #12

    Re: [pgsql-advocacy] MySQL worm attacks Windows servers

    On 2/6/2005 4:31 PM, Greg Stark wrote:
    >
    > Many people disagree with this. Posting the vulnerability isn't what puts
    > people into jeopardy, the presence of the vulnerability puts people in
    > jeopardy. Posting it at least allows people to disable the feature or close
    > off access. Or at least monitor for possible intrusions. Not posting it leaves
    > people in jeopardy and in the dark about it.
    >
    > If you think you're the first one to find the vulnerability you're probably
    > wrong. Often malicious hackers who search for vulnerabilities find them and
    > keep them secret long before they're reported.
    >
    > How would you feel if your system was compromised and then you found out later
    > that it was a known security hole in a feature you had no need for and the
    > vulnerability had been kept secret?

    It's interesting that everyone advocating for "immediate public report"
    is always talking about vulnerabilities that can be taken care of by
    disabling some unused feature. What do you do if you find a
    vulnerability in the text/varchar data type multibyte handling? Still
    tell the world about it before having a fix?


    Jan

    --
    #================================================= =====================#
    # It's easier to get forgiveness for being wrong than for being right. #
    # Let's break this rule - forgive me. #
    #================================================= = com #

    ---------------------------(end of broadcast)---------------------------
    TIP 6: Have you searched our list archives?

    http://archives.postgresql.org

    Jan Guest
