From: | Dave Page <dpage(at)pgadmin(dot)org> |
---|---|
To: | Sandeep Thakkar <sandeep(dot)thakkar(at)enterprisedb(dot)com> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Kishore Isaac <k(dot)isaac(at)loccioni(dot)com>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Tenable Report Issue even after upgrading to correct Postgres version |
Date: | 2021-11-15 10:12:59 |
Message-ID: | CA+OCxow94OiSMv3wOm++Dzc6jFvfv-KOVocZ4qgwpU9rmvU1=w@mail.gmail.com |
Lists: | pgsql-bugs |
On Mon, Nov 15, 2021 at 10:05 AM Sandeep Thakkar <
sandeep(dot)thakkar(at)enterprisedb(dot)com> wrote:
> Hi,
>
> I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded
> to version v12.9-1 (the latest stable release) and the registry entry was
> updated. I've attached the screenshots.
>
>
Please also note that Tenable should really *not* be checking what version
is installed in this way, as that info is intended for the installer (and
pgAdmin, and other similar apps) for internal use and non-security related
service discovery. It is easily possible for a user to update parts of the
PostgreSQL installation without changing that registry value, e.g. by
unpacking the zipped binary distribution over an existing installation.
Any security scanner worth its salt should be examining the VERSIONINFO
resource in postgres.exe to see what is actually installed (or connecting
to the database server and asking it, but that might be harder).
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
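
Added example, not part of the original message and not code from PostgreSQL, pgAdmin or Tenable: a sketch of deciding patch status from the version stamped in the binary's VERSIONINFO resource, with the registry string reported but never trusted. It assumes a signature scan for the fixed-version record is acceptable in place of walking the PE resource directory; the function names, the sample image and all version numbers are constructed for illustration.

```python
import struct

FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature
FFI_STRUC_VERSION = 0x00010000                 # VS_FIXEDFILEINFO.dwStrucVersion


def fixed_file_version(image: bytes):
    """Return the 4-part FILEVERSION stamped in a PE image, or None.

    Heuristic: scans for the VS_FIXEDFILEINFO signature instead of
    walking the PE resource directory.
    """
    pos = image.find(FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(image):
            _, struc, ms, ls = struct.unpack_from("<4I", image, pos)
            if struc == FFI_STRUC_VERSION:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = image.find(FFI_SIGNATURE, pos + 1)  # skip stray matches
    return None


def assess(image: bytes, fixed_in: tuple, registry_version: str) -> dict:
    """Decide patch status from the binary; the registry string is only reported."""
    found = fixed_file_version(image)
    return {
        "registry_says": registry_version,
        "binary_says": found,
        # fixed_in uses the same four-field layout as the resource itself.
        "patched": found is not None and found >= fixed_in,
    }


def sample_image(version: tuple) -> bytes:
    """Constructed stand-in for postgres.exe: padding plus the record's first fields."""
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    # A stray signature with a wrong dwStrucVersion precedes the real record.
    decoy = FFI_SIGNATURE + struct.pack("<I", 0)
    real = FFI_SIGNATURE + struct.pack("<3I", FFI_STRUC_VERSION, ms, ls)
    return b"MZ" + b"\x00" * 62 + decoy + b"\x00" * 8 + real + b"\x00" * 36


if __name__ == "__main__":
    # Constructed case: registry left at the old release, binaries replaced.
    print(assess(sample_image((12, 0, 9, 0)), (12, 0, 9, 0), "12.2"))
```

To run it against a real file, pass the bytes of postgres.exe to `assess` with a threshold read from a known-good build of the fixed release.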