Re: [COMMITTERS] pgsql: Fix failure due to accessing an

From Tom Lane
Subject Re: [COMMITTERS] pgsql: Fix failure due to accessing an
Msg-id 27900.1169138540@sss.pgh.pa.us
In reply to Re: [COMMITTERS] pgsql: Fix failure due to accessing an (Tatsuo Ishii <ishii@sraoss.co.jp>)
Responses Re: [COMMITTERS] pgsql: Fix failure due to accessing an (Tatsuo Ishii <ishii@postgresql.org>)
List pgsql-hackers
Tatsuo Ishii <ishii@sraoss.co.jp> writes:
> One of our engineers claimed that the double free bug itself is a
> vulnerability, thus the 8.2.1 release should be called a "security
> release".

[ shrug... ]  AFAICS the crashing bugs we fixed in 8.2.1 can't be
exploited for anything beyond crashing the backend, and only by an
attacker who can issue arbitrary SQL commands.  There are plenty of
other ways to cause momentary DOS if you can do that, so it doesn't
strike me as a big security vulnerability.  But if you want to call
it one, you can.
        regards, tom lane

