Re[4]: CVE-2022-2625

Thank you all! Everything worked out!

CVE-2022-2625 contains a lot more than it seems...
 
 
>Пятница, 16 сентября 2022, 0:19 +09:00 от Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
> 
>=?UTF-8?B?bWlzaGExOTY2IG1pc2hhMTk2Ng==?= < mmisha1966(at)bk(dot)ru > writes:
>> Is there a patch for 9.6 ?
>No; that's out of support too.
>
>You might find that adapting the v10 patch back to 9.6, and
>thence to 9.5, would be easier than trying to do it in one step.
>
>I'm a little bemused by your fixation on this particular CVE,
>though. As such things go, it's not a very big deal. It's only
>of interest if you are routinely installing new extensions, *and*
>those extensions' scripts contain insecure uses of CREATE OR
>REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
>instead. I would not have thought an institution that's so
>frozen that it can't update to an in-support PG version would be
>doing a lot of new extension installations.
>
>In any case, the real thing you ought to be focusing on is whether
>you are running back-ported patches for any of the *other* CVE-worthy
>security bugs we've fixed since 9.5 went EOL. And how about the
>data-corrupting bugs? Most longtime PG developers think data
>corruption hazards are a good deal more important than a lot of
>the stuff we assign CVEs to. Almost every CVE we've ever issued is
>only relevant if you have hostile actors able to issue arbitrary SQL
>in your database, in which case you're in a world of trouble anyway.
>
>regards, tom lane