<h1>Security Information <i class="fas fa-lock"></i></h1>
<p>
-If you wish to report a new security vulnerability in PostgreSQL, please
-send an email to
-<a href="mailto:security@postgresql.org">security@postgresql.org</a>.
-For reporting non-security bugs, please see the <a href="/account/submitbug/">Report a Bug</a> page.
+ The PostgreSQL Global Development Group (PGDG) takes security seriously. This
+ allows our users to place their trust in PostgreSQL for protecting their
+ mission-critical data.
+</p>
+
+<p>
+ The PostgreSQL Global Development Group follows a model that shares
+ responsibility between PostgreSQL itself and its deployment environment,
+ including hardware, operating system, and the application layer
+ (programming language, frameworks and client libraries). The PostgreSQL
+ documentation provides info on the inherent security features of PostgreSQL
+ and how to securely configure and run PostgreSQL.
+</p>
+
+<p>
+ Security vulnerabilities can exist both in PostgreSQL and software within the
+ PostgreSQL ecosystem, including client libraries, extensions, installers,
+ and other utilities. This page walks through what is considered a security
+ vulnerability in PostgreSQL, how to report PostgreSQL security
+ vulnerabilities, and how fixes for security vulnerabilities are released.
+</p>
+
+<h2>What is a Security Vulnerability in PostgreSQL?</h2>
+
+<p>
+ A security vulnerability in PostgreSQL is an issue that allows a user to gain
+ access to privileges or data that they do not have permission to use, or
+ allows a user to execute arbitrary code through a PostgreSQL process.
+</p>
+
+<p>
+ The PostgreSQL Security Team does not consider reports on actions a PostgreSQL
+ superuser takes to be a security vulnerability. However, a report on an
+ unprivileged user escalating to superuser generally qualifies as valid.
+</p>
+
+<p>
+ The PostgreSQL Security Team typically does not consider a denial-of-service
+ on a PostgreSQL server from an authenticated, valid SQL statement to be a
+ security vulnerability. A denial-of-service issue of this nature could still
+ be a <a href="/account/submitbug/">bug</a>, and we encourage you to report it
+ on the <a href="/account/submitbug/">Report a Bug</a> page.
+</p>
+
+<p>
+ Please do not report the lack of DMARC on postgresql.org mailing lists. This
+ is by design.
+</p>
+
+<h2>Reporting a PostgreSQL Security Vulnerability</h2>
+
+<p>
+ For security vulnerabilities in PostgreSQL or any of the installers linked
+ from the <a href="/download/">PostgreSQL download page</a>, please email
+ <a href="mailto:security@postgresql.org">security@postgresql.org</a>.
+</p>
+
+<p>
+ For reporting non-security bugs, please visit the
+ <a href="/account/submitbug/">Report a Bug</a> page.
</p>
-{%if version and not version.supported%}
-<h1>UNSUPPORTED VERSION</h1>
<p>
-You are currently viewing security issues for an unsupported version. If
-you are still using PostgreSQL version {{version}}, you should upgrade as
-soon as possible!
+ If you are unsure if an issue is a security vulnerability, please err on the
+ side of caution and email
+ <a href="mailto:security@postgresql.org">security@postgresql.org</a>.
</p>
-{%else%}
+
+<h2>Reporting non-PostgreSQL Security Vulnerabilities</h2>
+
<p>
+ Please see below for how you can report security vulnerabilities in
+ PostgreSQL-related projects:
+</p>
+
+<ul>
+ <li>
+ For security vulnerabilities in the <a href="https://jdbc.postgresql.org">PostgreSQL JDBC Driver</a>,
+ please email
+ <a href="mailto:pgsql-jdbc-security@lists.postgresql.org">pgsql-jdbc-security@lists.postgresql.org</a>.
+ </li>
+ <li>
+ If you wish to report a security vulnerability for an open source project in
+ the PostgreSQL ecosystem (e.g. a driver, an extension, or an installer) and
+ need a secure communication channel, please email
+ <a href="mailto:security@postgresql.org">security@postgresql.org</a>.
+ </li>
+</ul>
+
+<h2>PostgreSQL Security Releases</h2>
-The PostgreSQL Global Development Group (PGDG) takes security seriously,
-allowing our users to place their trust in the web sites and applications
-built around PostgreSQL. Our approach covers fail-safe configuration options,
-a secure and robust database server as well as good integration with other
-security infrastructure software.
+<p>
+ The PostgreSQL Project releases security fixes as part of
+ <a href="/support/versioning/">minor version updates</a>. You are always
+ advised to use the latest minor version available, as it will contain other
+ non-security related fixes.
+</p>
+
+<p>
+ A new PostgreSQL major release, which contains new features, has every prior
+ security fix.
</p>
<p>
-PostgreSQL security updates are primarily made available as <a href="/support/versioning/">minor version</a>
-upgrades. You are always advised to use the latest minor version available,
-as it will likely also contain other non-security related fixes. All known
-security issues are always fixed in the next major release, when it comes out.
+ If you find a security vulnerability in PostgreSQL, the PostgreSQL Security
+ Team will credit you in the release notes and register a CVE for the
+ vulnerability. <strong>Please do not register a CVE independently of the
+ PostgreSQL Security Team</strong>.
</p>
<p>
-PGDG believes that accuracy, completeness and availability of security
-information is essential for our users. We choose to pool all information on
-this one page, allowing easy searching for vulnerabilities by a range of
-criteria.
+ The PostgreSQL Security Team does not file a CVE for vulnerabilities in
+ PostgreSQL-related projects nor does it list those vulnerabilities in the
+ section below. It is up to external project maintainers to register a CVE for
+ a security vulnerability.
</p>
+<h2>Known PostgreSQL Security Vulnerabilities</h2>
+
<p>
-Vulnerabilities list which major releases they were present
-in, and which version they are fixed in for each. If the vulnerability
-was exploitable without a valid login, this is also stated. They also
-list a vulnerability class, but we urge all users to read the description
-to determine if the bug affects specific installations or not.
+ The PostgreSQL Global Development Group believes that accuracy, completeness
+ and availability of security information is essential for our users. We choose
+ to pool all information on this one page, allowing easy searching for security
+ vulnerabilities over a range of criteria. This includes:
</p>
-{%endif%}
+<ul>
+ <li>Which major versions a security vulnerability is present in</li>
+ <li>Which minor version update releases a security vulnerability is fixed in</li>
+ <li>Whether an exploit requires a valid login</li>
+ <li>CVSS score</li>
+</ul>
-<h2>Known security issues in {%if version%}version {{version.numtree}}{%else%}all supported versions{%endif%}</h2>
<p>
-You can filter the view of patches to show just patches for version:<br/>
-{%for v in supported%}
-<a href="/support/security/{{v.numtree}}/">{{v.numtree}}</a>{%if not forloop.last%} -{%endif%}
-{%endfor%}
-- <a href="/support/security/">all</a>
+ You can find more detailed information about a security vulnerability by
+ clicking on the links in the table below.
+</p>
+
+<h3>
+ Known PostgreSQL Security Vulnerabilities in
+ {%if version%}PostgreSQL {{version.numtree}}{%else%}Supported Versions{%endif%}
+</h3>
+
+{%if version and not version.supported%}
+<div class="border border-danger text-danger text-center mb-3">
+ <h1 class="text-danger">UNSUPPORTED VERSION</h1>
+ <p>
+ You are currently viewing PostgreSQL security vulnerabilities for an
+ unsupported version. If you are still using PostgreSQL {{version.numtree}},
+ you should upgrade as soon as possible.
+ </p>
+</div>
+{% endif %}
+
+<p>
+ You can filter the view of patches to show just patches for version:<br />
+ {%for v in supported%}
+ <a href="/support/security/{{v.numtree}}/">{{v.numtree}}</a>{%if not forloop.last%} -{%endif%}
+ {%endfor%}
+ - <a href="/support/security/">all</a>
</p>
<table class="table table-striped">
</table>
<h3>Unsupported versions</h3>
+
<p>
You can also view archived security patches for unsupported versions. Note that no further
security patches are made available for these versions as they are end of life.<br/>
-{%for v in unsupported%}
-<a href="/support/security/{{v.numtree}}/">{{v.numtree}}</a>{%if not forloop.last%} -{%endif%}
-{%endfor%}
+ {%for v in unsupported%}
+ <a href="/support/security/{{v.numtree}}/">{{v.numtree}}</a>{%if not forloop.last%} -{%endif%}
+ {%endfor%}
</p>
+<h3 id="comp">Components</h3>
-<h2 id="comp">Components</h2>
<p>
-The following component references are used in the above table:
+ The following component references are used in the above table:
</p>
<table class="table table-striped">
</tbody>
</table>
+<h2>The PostgreSQL Security Team</h2>
+
+<p>
+ The PostgreSQL Security Team is made up of a group of contributors to the
+ PostgreSQL project who have experience in different aspects of database and
+ information security.
+</p>
+
+<p>
+ You can find a list of members on the security team here:
+</p>
+<ul>
+ <li>Γlvaro Herrera</li>
+ <li>Andres Freund</li>
+ <li>Andrew Dunstan</li>
+ <li>Bruce Momjian</li>
+ <li>Dave Page</li>
+ <li>Greg Stark</li>
+ <li>Heikki Linnakangas</li>
+ <li>Tatsuo Ishii</li>
+ <li>Jonathan Katz</li>
+ <li>Magnus Hagander</li>
+ <li>Michael Paquier</li>
+ <li>Noah Misch</li>
+ <li>Peter Eisentraut</li>
+ <li>Robert Haas</li>
+ <li>Stephen Frost</li>
+ <li>Simon Riggs</li>
+ <li>Stefan Kaltenbrunner</li>
+ <li>Tom Lane</li>
+</ul>
{%endblock%}
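Review bot: the closing `{% endif %}` of the new unsupported-version block uses spaced tag syntax while its opening `{%if version and not version.supported%}` and every other template tag in this file use the unspaced form (`{%endif%}`, `{%endfor%}`, `{%endblock%}`); use `{%endif%}` so the file stays consistent and greps for tags keep working. In the same block, `<h1 class="text-danger">UNSUPPORTED VERSION</h1>` introduces a second `<h1>` under the page's existing `<h1>Security Information</h1>` and below an `<h3>`, which breaks the heading outline for screen readers; since the page already relies on Bootstrap classes (`border`, `text-danger`, `mb-3`), something like `<p class="h2 text-danger">` inside a `<div role="alert">` keeps the visual weight without a stray heading. In the new Security Team list, the entry `Γlvaro Herrera` looks mis-encoded; confirm the file is saved as UTF-8 so it renders as Álvaro Herrera, and add a one-line template comment above the hard-coded `<ul>` noting that membership changes must be made here, since nothing else on the page documents where that list lives.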