| From: | misha1966 misha1966 <mmisha1966(at)bk(dot)ru> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re[4]: CVE-2022-2625 |
| Date: | 2022-09-20 00:31:02 |
| Message-ID: | 1663633862.62289246@f134.i.mail.ru |
| Lists: | pgsql-general |
Thank you all! Everything worked out!
CVE-2022-2625 contains a lot more than it seems...
>Friday, 16 September 2022, 0:19 +09:00, from Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
>
>misha1966 misha1966 <mmisha1966(at)bk(dot)ru> writes:
>> Is there a patch for 9.6 ?
>No; that's out of support too.
>
>You might find that adapting the v10 patch back to 9.6, and
>thence to 9.5, would be easier than trying to do it in one step.
>
>I'm a little bemused by your fixation on this particular CVE,
>though. As such things go, it's not a very big deal. It's only
>of interest if you are routinely installing new extensions, *and*
>those extensions' scripts contain insecure uses of CREATE OR
>REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
>instead. I would not have thought an institution that's so
>frozen that it can't update to an in-support PG version would be
>doing a lot of new extension installations.
>
>In any case, the real thing you ought to be focusing on is whether
>you are running back-ported patches for any of the *other* CVE-worthy
>security bugs we've fixed since 9.5 went EOL. And how about the
>data-corrupting bugs? Most longtime PG developers think data
>corruption hazards are a good deal more important than a lot of
>the stuff we assign CVEs to. Almost every CVE we've ever issued is
>only relevant if you have hostile actors able to issue arbitrary SQL
>in your database, in which case you're in a world of trouble anyway.
>
>regards, tom lane
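The "insecure uses of CREATE OR REPLACE/CREATE IF NOT EXISTS" that Tom Lane refers to above, shown as an added SQL illustration. This is not code from the thread, from PostgreSQL, or from any real extension; the role name `lowpriv`, the schema `public` and the function `ext_helper` are assumptions made for the example. The statements are meant to be run in order by a superuser in a scratch database (the `SET ROLE` / `RESET ROLE` pair stands in for the two different users involved).

```sql
-- Added illustration of the CVE-2022-2625 pattern; not from the thread or from
-- PostgreSQL. Role, schema and function names are assumed for this example.

-- 1. Precondition: a low-privileged role that may create objects in the schema
--    an extension will later be installed into (assumed here: public).
CREATE ROLE lowpriv LOGIN;
GRANT CREATE ON SCHEMA public TO lowpriv;

-- 2. That role pre-creates an object whose name and argument types match one
--    the extension's install script will later (re)create.
SET ROLE lowpriv;
CREATE FUNCTION public.ext_helper(int) RETURNS int
  LANGUAGE sql AS 'SELECT $1';
RESET ROLE;

-- 3. The insecure script line, here run inline by the superuser who installs
--    the extension. CREATE OR REPLACE succeeds: a superuser may replace any
--    function, so the pre-existing object is silently taken over...
CREATE OR REPLACE FUNCTION public.ext_helper(int) RETURNS int
  LANGUAGE sql AS 'SELECT $1 * 2';

-- ...but CREATE OR REPLACE never changes ownership, so the function is still
--    owned by lowpriv, who can redefine its body at any later time while it
--    carries the extension's name and is called by the extension's other code.
--    This query shows the owner mismatch.
SELECT n.nspname, p.proname, r.rolname AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r ON r.oid = p.proowner
WHERE n.nspname = 'public' AND p.proname = 'ext_helper';

-- 4. Pre-install audit a DBA can run before CREATE EXTENSION when the script
--    cannot be fixed: list objects in the target schema that the installing
--    role does not own. Any hit is a candidate for the takeover above.
SELECT n.nspname, p.proname, r.rolname AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r ON r.oid = p.proowner
WHERE n.nspname = 'public'
  AND r.rolname <> current_user;

-- 5. Hardened script line: plain CREATE (no OR REPLACE / IF NOT EXISTS) refuses
--    to proceed when an object of that name already exists, so the install
--    fails loudly instead of adopting someone else's object. Fixed PostgreSQL
--    releases make CREATE OR REPLACE / CREATE IF NOT EXISTS inside an
--    extension script fail the same way when the existing object is not
--    already a member of that extension.
CREATE FUNCTION public.ext_helper(int) RETURNS int
  LANGUAGE sql AS 'SELECT $1 * 2';
```

The takeaway for a site that cannot upgrade: the exposure exists only when a role that is not the installer can create objects in the schema an extension script targets, so running the audit in step 4 (or revoking CREATE on that schema from untrusted roles) before each `CREATE EXTENSION` covers the same ground as the backported patch for that particular install.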