Tom Lane wrote:
>Bruce Momjian <pgman@candle.pha.pa.us> writes:
>
>>Should we be thinking about a 7.4.3?
>
>I'm not panicking over this particular bug ... but it does seem like
>we've accumulated enough fixes since 7.4.2 that it may be time to start
>thinking about another dot-release. Maybe set a date towards the end of
>the month?
>
> regards, tom lane
>
Industry practices dictate that we do issue SOMETHING now. The bug is
now public, and can be exploited.
This does not necessarily have to be 7.4.3. We can issue 7.4.2.1,
containing only this fix, so that people who need to expose their
database are not left open to attacks.
Also, if we want greater flexibility in handling these cases in the
future, we should set up an invite-only list for reporting security
bugs, and advertise it on the web site as the place to report security
issues. Had this vulnerability been reported there, we could reasonably
hold on without releasing a fix until 7.4.3 was ready.
If you need help in that list, I have a lot of experience with code
security, but very little experience with the PostgreSQL code. Also, it
would be a good idea to invite all the distro-packagers to be on that list.
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/