Re: Post-CVE Wishlist

From Robert Haas
Subject Re: Post-CVE Wishlist
Date
Msg-id CA+TgmoZcqSnvxNujwGeNNn0azfVF=ui3P0k-Mum3yJaiXYKvHA@mail.gmail.com
In reply to Re: Post-CVE Wishlist  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Post-CVE Wishlist  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Wed, Nov 24, 2021 at 2:53 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> One other point to be made here is that it seems like a stretch to call
> these particular bugs "high-severity".

Well, I was referring to the CVSS score, which was in the "high" range.

> Given what we learned about
> the difficulty of exploiting the libpq bug, and the certainty that any
> other clients sharing the issue would have their own idiosyncrasies
> necessitating a custom-designed attack, I rather doubt that we're going
> to hear of anybody trying to exploit the issue in the field.

I don't know. The main thing that I find consoling is the fact that
most people probably have the libpq connection behind a firewall where
nasty people can't even connect to the port. But there are probably
exceptions.

> (By no means do I suggest that these bugs aren't worth fixing when we
> find them.  But so far they seem very easy to fix.  So moving mountains
> to design out just this one type of bug doesn't seem like a great use
> of our finite earth-moving capacity.)

I have enough trouble just moving the couch.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
