Michael Paquier <michael@paquier.xyz> wrote on 04/02/2019 01:05:01 AM:
> From: Michael Paquier <michael@paquier.xyz>
> To: "Jonathan S. Katz" <jkatz@postgresql.org>
> Cc: Tom Lane <tgl@sss.pgh.pa.us>, Magnus Hagander
> <magnus@hagander.net>, Daniel Verite <daniel@manitou-mail.org>,
> pgsql-general <pgsql-general@lists.postgresql.org>
> Date: 04/02/2019 01:05 AM
> Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
>
> On Mon, Apr 01, 2019 at 10:04:32AM -0400, Jonathan S. Katz wrote:
> > +1, though I’d want to see if people get noisier about it before we rule
> > out an official response.
> >
> > A blog post from a reputable author who can speak to security should
> > be good enough and we can make noise through our various channels.
>
> Need a hand? Not sure if I am reputable enough though :)
>
> By the way, it could be the occasion to consider an official
> PostgreSQL blog on the main website. News are not really a model
> adapted for problem analysis and for entering into technical details.
A blog post would be nice, but it seems to me have something about this clearly in the manual would be best, assuming it's not there already. I took a quick look, and couldn't find anything.
Brad