Hi,

I've noticed this post being currently shared on social media:

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/

The claim that COPY FROM PROGRAM warrants a CVE seems groundless because you need to be superuser in the first place to do that.

Apparently these guys have not figured out that a superuser can also inject arbitrary code with CREATE EXTENSION or even CREATE FUNCTION since forever, or maybe that will be for a future post?

The CVE itself has not been published, in the sense that it's not on https://cve.mitre.org, but the ID is reserved.

I don't know if there are precedents of people claiming CVE entries on Postgres without seemingly reaching out to the community first. Should something be done proactively about that particular claim?

Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite
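
An audit query for the privilege question discussed in this message, as an added example that is not part of the original post: it lists the roles on a server that are able to run COPY ... PROGRAM, meaning superusers plus, on PostgreSQL 11 and later, direct or indirect members of the predefined role pg_execute_server_program. The names exec_members and via_exec_role are made up for this example.

```sql
-- Roles that can execute server-side programs through COPY ... PROGRAM.
-- On servers older than PostgreSQL 11 the predefined role does not exist,
-- the seed row is empty, and only superusers are returned.
WITH RECURSIVE exec_members AS (
    -- Seed: the predefined role itself (it will appear in the output
    -- as a non-login role when present).
    SELECT oid AS member
    FROM pg_roles
    WHERE rolname = 'pg_execute_server_program'
  UNION
    -- Walk role membership downwards: anything granted a role already
    -- in the set can reach the privilege too, whether through
    -- inheritance or SET ROLE.
    SELECT m.member
    FROM pg_auth_members m
    JOIN exec_members e ON m.roleid = e.member
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       (r.oid IN (SELECT member FROM exec_members)) AS via_exec_role
FROM pg_roles r
WHERE r.rolsuper
   OR r.oid IN (SELECT member FROM exec_members)
ORDER BY r.rolsuper DESC, r.rolname;
```

Any login role in the result that is not an intended database administrator is worth reviewing, since it has operating-system command execution as the server's service account.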