On Fri, Apr 12, 2024 at 09:00:11AM -0700, Andres Freund wrote:
> I'm actually fairly bothered by us linking to libxml2. It was effectively
> unmaintained for most of the last decade, with just very occasional drive-by
> commits. And it's not that there weren't significant bugs or such. Maintenance
> has picked up some, but it's still not well maintained, I'd say. If I wanted
> to attack postgres, it's where I'd start.
Indeed, libxml2 worries me to, as much as out-of-core extensions.
There are a bunch of these out there, some of them not that
maintained, and they could face similar attacks.
--
Michael