Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

On Fri, 2024-11-22 at 10:01 +0530, Subhash Udata wrote:
> Currently, my environment is running PostgreSQL 15.0. I understand that version
> 15.9 contains the fix for CVE-2024-10979, as mentioned in the release notes.
> Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
>  * Is it still mandatory to upgrade specifically to version 15.9, or would
> remaining on version 15.0 suffice in this case?
> I appreciate your guidance on whether this upgrade is necessary, considering the
> specifics of my setup.

If you don't use PL/Perl, you are not affected by that security vulnerability.

I wonder what you mean by "mandatory".

We won't fine or punish you if you don't update PostgreSQL, but perhaps it
would make your employer unhappy. If you stay on 15.0, you will be subject to
thirteen other security vulnerabilities (if I counted right), and you may end
up with corrupted GIN and BRIN indexes. Additionally, you will be subject to
countless known bugs that have been fixed since.

You should *always* update to the latest minor release shortly after it is
released. Everything else is negligent.

Yours,
Laurenz Albe