From owner-cvs-all  Mon Aug 26  6:30: 7 2002
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id E7F8837B400; Mon, 26 Aug 2002 06:29:59 -0700 (PDT)
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id DDA9243E6A; Mon, 26 Aug 2002 06:29:57 -0700 (PDT)
	(envelope-from sheldonh@starjuice.net)
Received: from sheldonh by axl.seasidesoftware.co.za with local (Exim 4.10)
	id 17jJwC-00015u-00; Mon, 26 Aug 2002 15:29:48 +0200
Date: Mon, 26 Aug 2002 15:29:48 +0200
From: Sheldon Hearn <sheldonh@starjuice.net>
To: Trevor Johnson <trevor@jpj.net>
Cc: Tim Robbins <tjr@FreeBSD.org>, cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/databases/postgresql7 Makefile
Message-ID: <20020826132948.GE98501@starjuice.net>
Mail-Followup-To: Trevor Johnson <trevor@jpj.net>,
	Tim Robbins <tjr@FreeBSD.org>, cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org
References: <20020825161241.A69260@dilbert.robbins.dropbear.id.au> <20020825213303.K31112-100000@blues.jpj.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020825213303.K31112-100000@blues.jpj.net>
User-Agent: Mutt/1.5.1i
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On (2002/08/25 21:34), Trevor Johnson wrote:

> > Wouldn't it be a better idea to update the port to 7.2.2 instead of
> > forbidding 7.2.1?
> 
> Of course, but there were extensive changes between 7.2.1 and 7.2.2:
> 
> 	895 files changed, 1266 insertions(+), 155653 deletions(-)

Not necessarily, according to the PostgreSQL-released advisory.  There
may have been many changes to the source, but their impact is not
believed to be extensive.

Anyway, the vulnerabilities are a bit of a joke; they allow folks
with authority to talk directly to the database to elevate privelege
all the way up to that of the pgsql user.  The guy who posted the
vulnerabilities quite obviously has ill feelings toward PostgreSQL.

I'm not saying you've done anything wrong.  Just giving you a bit more
background.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message