PostgreSQL has fared well when its count of reported security vulnerabilities is compared with those of other commercial and open source databases. The Common Vulnerabilities and Exposures database (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql) lists in the region of 20 entries for PostgreSQL and associated applications as of January 2005, far fewer than for other DBMSes. Furthermore, PostgreSQL has not had a vulnerability in the core database code that permits an unauthenticated compromise.
A number of factors perhaps explain the paucity of reported PostgreSQL vulnerabilities. First, the general standard of coding is high, and security has been integral to the development of the product for a number of years. It can also be argued that PostgreSQL has a smaller attack surface than other DBMSes. Evidence of this can be seen in the installation procedure, which by default prevents network access and refuses to run under a privileged user account; contrast this with Microsoft SQL Server, which used to install with a blank administrator password, run with system-level privilege, and listen on a number of protocols.
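The two defaults credited above, no network listeners and no privileged account, are easy to undo after installation. As an added illustration (not code from the book or from the PostgreSQL project), the script below reads a postgresql.conf and a pg_hba.conf and reports whether the deployment still keeps that restrictive network posture; the file contents and the "/24 or narrower is acceptable" threshold are constructed assumptions.

```python
"""Audit PostgreSQL network exposure from its configuration files (added example)."""
import re
from ipaddress import ip_network

# Constructed sample of a postgresql.conf that has been opened to all interfaces.
POSTGRESQL_CONF = """
# listen_addresses = 'localhost'   # commented-out default, not active
listen_addresses = '*'
port = 5432
"""

# Constructed sample of a pg_hba.conf containing one dangerous host rule.
PG_HBA_CONF = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      trust
"""

def listen_addresses(conf: str) -> str:
    """Return the active listen_addresses value; PostgreSQL defaults to 'localhost'."""
    value = "localhost"
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"listen_addresses\s*=\s*'?([^']*)'?", line)
        if m:
            value = m.group(1).strip()                 # last assignment wins, as in PostgreSQL
    return value

def risky_hba_rules(hba: str) -> list:
    """Return host/hostssl rules pairing a wide address range with a weak auth method."""
    findings = []
    for line in hba.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        _type, _db, _user, addr, method = fields[:5]
        if addr == "all":
            wide = True
        else:
            try:
                wide = ip_network(addr, strict=False).prefixlen < 24   # assumption: /24 or narrower is fine
            except ValueError:                                        # hostname or keyword, not a CIDR
                wide = False
        if wide and method in ("trust", "password"):                 # no auth, or cleartext auth
            findings.append(line.strip())
    return findings

def audit(conf: str = POSTGRESQL_CONF, hba: str = PG_HBA_CONF) -> dict:
    """Summarise whether the instance listens remotely and which HBA rules are risky."""
    return {"listens_remotely": listen_addresses(conf) not in ("", "localhost"),
            "risky_rules": risky_hba_rules(hba)}
```

Run against the real files (usually under the data directory or /etc/postgresql) to confirm that an instance which was installed with the safe defaults has not since been opened up.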
Table 25-1 lists the vulnerabilities that have been reported in PostgreSQL.
| CVE | Description |
|---|---|
| CVE-2002-0802 | The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding consumes an extra character when processing a character that cannot be converted, which could ... |