Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities

From Magnus Hagander
Subject Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities
Msg-id 6BCB9D8A16AC4241919521715F4D8BCE6C7C0F@algol.sollentuna.se
In reply to BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities  ("Ferindo Middleton" <fmiddleton@verizon.net>)
List pgsql-bugs
> Bug reference:      2052
> Logged by:          Ferindo Middleton
> Email address:      fmiddleton@verizon.net
> PostgreSQL version: 8.0.4
> Operating system:   Windows 2000
> Description:        Federal Agency Tech Hub Refuses to Accept
> Postgresql on Network because of Security Vulnerabilities
> Details:
>
> This bug report involves more than one proposed bug. I work
> at a federal government agency. The information technology
> division at this agency refuses to allow the database version
> 8.0.4 on their network because of several security
> vulnerabilities they noticed when testing the software
> application. The database would run on a Windows 2000
> Professional computer system. The division I work for wants
> to use the database as a backend to a set of Java Server Pages I
> developed to be served via Apache Tomcat. My application
> works great with PostgreSQL but the problem is getting the IS
> team at this agency to accept PostgreSQL db. I know nothing
> about hacking PostgreSQL. I merely know how to install,
> setup, run the database and write JSP applications to use the
> database in the background so these security vulnerabilities
> are beyond the scope of my own understanding of the database
> from a mere admin/user level.
>
> I am going to paste below the feedback I received concerning
> the vulnerabilities of the database in hopes that The
> PostgreSQL Global Development Group would consider looking
> into each stated flaw. I believe that resolution of these
> vulnerabilities would be a major achievement of our database
> management system and possibly open the software up to more
> government acceptance and utilization, which I believe it is lacking.

I believe every single one of these bugs is fixed in the currently
available releases.
So if you get 8.0.4 or 8.1.0, you're fine for any of these.


(Oh, and what *do* they allow? Oracle, for example, has had a *lot* more
security vulnerabilities during the same time, some of which aren't even
patched yet.. And they can't seriously have a zero-bugs-even-if-fixed
policy, because then they couldn't install *anything*...)

//Magnus
