On Thu, 2005-11-24 at 15:09 +0100, Peter Eisentraut wrote:
> We really should write the CVE numbers into the commit messages and the
> release notes.
I think that would be good.
On Thu, 2005-11-24 at 12:35 +0100, Magnus Hagander wrote:
> > > All known CVE problems are resolved in 8.0.4.
> >
> > I was unaware of this. I've looked at the release notes and
> > searched the archives, but this doesn't seem to be mentioned
> > by CVE number. (The vulnerabilities and their resolutions are
> > described, just without direct cross reference to their CVE number.)
> >
> > Do we have an on-project description of this? If
> > we-as-a-project know this, it seems straightforward to write it down.
> >
> > It seems like we need a much clearer resource for security
> > admins to check our compliance levels. This could be a source
> > of similar refusal-to-implement PostgreSQL at other
> > installations, so could almost be regarded as an advocacy
> > issue.
> How about a simple webpage that has more or less a table with:
> CVE-number | present in releases | fixed in releases
> CVE-number | present in releases | fixed in releases
> CVE-number | present in releases | fixed in releases
...and I think we should do this too.
Have to say I'm a bit worried about overloading Tom and Bruce, who write
most of the security patches and relevant release notes.
Anybody else volunteer to maintain the web page?
Best Regards, Simon Riggs