Re: CVE-2018-1058

From: Neil <neil(at)fairwindsoft(dot)com>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Cc: Ron <ronljohnsonjr(at)gmail(dot)com>
Subject: Re: CVE-2018-1058
Date: 2019-10-16 21:27:10
Message-ID: 67559E1B-DC1A-4F83-B272-5B6658BB1716@fairwindsoft.com
Lists: pgsql-general


> On Oct 16, 2019, at 2:55 PM, Ron <ronljohnsonjr(at)gmail(dot)com> wrote:
>
> On 10/16/19 2:40 PM, Adrian Klaver wrote:
>> On 10/14/19 3:27 PM, Lizeth Solis Aramayo wrote:
>>> Good afternoon,
>>>
>>> I am working with postgresql 9.6.15 and I need to restore in a 9.6.5 version, I got an error, and I found this page to install a patch
>>
>> What commands did you use to dump the 9.6.15 version and restore to the 9.6.5 version?
>>
>> Which software versions did you use to do the above?
>>
>> What was the error?
>>
>> The reason why you can't upgrade the 9.6.5 to 9.6.15?
>
> There are a thousand and one -- nay, a million and ten -- crazy reasons why software can't be upgraded. (Mostly due to "Process" in large organizations.) It's best just to swallow "why can't you upgrade" and answer the question.

Well, I don't know any organization where applying a one-time patch is safer, less bug-prone, and cheaper than doing a well-tested point upgrade for Postgres. So the question seems very relevant to me.

In addition, if the company is not going to keep updated to the latest point upgrades (meaning they are not applying security and bug fixes), then why would they expect free support? If they want to play with fire by applying individual patches, then, from my standpoint, they are on their own. The decision not to do regular maintenance has consequences, and individual patches are not guaranteed to be bug-free for the system. While the developers try not to miss dependencies, the OP should understand that the Postgres build farm will never have run a configuration with only their individual patch applied against an older system. Sounds really risky to me.

So the reason to ask the question is to make sure the OP understands the high level of risk they are undertaking.
