Jeremy Schneider <schnjere@xxxxxxxxxx> writes: > I'm all for having clear documentation about the security model in > PostgreSQL, but I personally wouldn't be in favor of adding extra > wording to the docs just to pacify concerns about a CVE which may have > been erroneously granted by an assigning authority, who possibly should > have done better due diligence reviewing the content. Particularly if > there's any possibility that the decision to assign the number can be > appealed/changed, though admittedly I know very little about the CVE > process. Just FYI, we have filed a dispute with Mitre about the CVE, and also reached out to trustwave to try to find out why they filed the CVE despite the earlier private discussion. regards, tom lane
