| From: | Jerry Sievert <jerry(at)legitimatesounding(dot)com> |
|---|---|
| To: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
| Cc: | "Mathews, Rob" <rpmathe(at)sandia(dot)gov>, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: CVE-2024-28849 |
| Date: | 2024-04-18 17:37:27 |
| Message-ID: | 6AFC8B74-2A14-44A5-8692-B225D1F67611@legitimatesounding.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
RE: Postgres and Javascript
> On Apr 18, 2024, at 10:25 AM, Jonathan S. Katz <jkatz(at)postgresql(dot)org> wrote:
>
> On 4/18/24 11:27 AM, Mathews, Rob wrote:
>> All,
>> CVE-2024-28849 was found in Version 15.6 and 16.2 this week. Please refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849> for issues and corrections.
>> The Binaries .zip files were the files scanned and found with the vulnerability. There are no known workarounds for this vulnerability.
>
> PostgreSQL doesn't have any dependencies on node.js, let alone JavaScript. This CVE doesn't apply to PostgreSQL.
PLV8 and PLJS also have no dependencies from node.js, and do not have this dependency specifically, so are also not affected, even though they implement a Javascript runtime.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | PG Bug reporting form | 2024-04-19 03:10:24 | BUG #18442: Unnecessary Sort operator in indexScan Plan |
| Previous Message | Jonathan S. Katz | 2024-04-18 17:25:38 | Re: CVE-2024-28849 |