Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

From: Subhash Udata <subhashudata(at)gmail(dot)com>
To: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
Cc: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, 김주연 <mysylph(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Date: 2024-11-22 04:31:31
Message-ID: CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com
Lists: pgsql-general

Thank you for your detailed response. I would like to clarify my situation
further to ensure I take the appropriate steps.

Currently, my environment is running *PostgreSQL 15.0*. I understand that
version *15.9* contains the fix for CVE-2024-10979, as mentioned in the
release notes.

Given that I am not using the *PL/Perl* extension in my environment, I
wanted to ask:

- Is it still mandatory to upgrade specifically to version *15.9*, or
would remaining on version *15.0* suffice in this case?

I appreciate your guidance on whether this upgrade is necessary,
considering the specifics of my setup.

Thank you for your time and support.

On Fri, 22 Nov 2024 at 09:39, David G. Johnston <david(dot)g(dot)johnston(at)gmail(dot)com>
wrote:

> On Thursday, November 21, 2024, Subhash Udata <subhashudata(at)gmail(dot)com>
> wrote:
>>
>>
>> Thank you for your response regarding the affected versions of
>> PostgreSQL. I have a follow-up question for clarification:
>>
>> The PostgreSQL documentation mentions that the versions with a fix for
>> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
>> your reply states that any version greater than 13+ should suffice.
>>
>> Could you please confirm if upgrading to one of the specific versions
>> listed above is mandatory, or is it acceptable to upgrade to any version
>> higher than 13?
>>
>
> It was literally just reported and fixed. If you are on a supported
> release of PostgreSQL you have the fix. If you are not, you don’t.
>
> At this point only major versions 13+ are supported.
>
> Upgrading to an unsupported minor release is never recommended.
>
> The fact you are on version 11 means you should not expect an answer to
> the question whether this newly discovered CVE affects you - that would be
> expecting support for a long-unsupported version.
>
> Which of the 5 currently supported releases you should upgrade to is a
> decision you need to make given your circumstances.
>
> David J.
>
>
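The thread turns on two facts about the running cluster: which minor release it is on relative to the fixed releases quoted above (17.1, 16.5, 15.9, 14.14, 13.17, 12.21), and whether PL/Perl is actually installed anywhere. The script below is an added example, not code from this thread or from the PostgreSQL project; it takes the output of `SELECT version()` (or the integer from `SHOW server_version_num`) plus rows gathered from `pg_extension` in each database, and reports where the cluster stands. The sample version string and extension rows are constructed for illustration, and the "unsupported" verdict simply mirrors David's point that no fix is issued for major lines that are out of support.

```python
import re

# Minor releases carrying the CVE-2024-10979 fix, as quoted in the thread.
# Older minors within the same major line are unpatched; major lines absent
# from this table are out of support and will not receive a fix (e.g. 11.x).
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Constructed sample of what `SELECT version();` returns on a 15.0 server.
SAMPLE_VERSION = (
    "PostgreSQL 15.0 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.4.0, 64-bit"
)

# Constructed sample rows, as if collected in every database of the cluster with
#   SELECT current_database(), extname FROM pg_extension;
# (pg_extension is per-database, so one query per database is needed).
SAMPLE_EXTENSIONS = [
    ("postgres", "plpgsql"),
    ("appdb", "plpgsql"),
    ("appdb", "pg_stat_statements"),
    ("reports", "plperlu"),
]


def parse_server_version(value):
    """Return (major, minor) from SELECT version() text or server_version_num."""
    if isinstance(value, int):
        # server_version_num encodes e.g. 15.9 as 150009
        return value // 10000, value % 10000
    m = re.match(r"PostgreSQL (\d+)\.(\d+)", value)
    if not m:
        raise ValueError(f"unrecognised version string: {value!r}")
    return int(m.group(1)), int(m.group(2))


def assess(value):
    """Classify a server as 'fixed', 'unpatched' or 'unsupported' for this CVE."""
    major, minor = parse_server_version(value)
    if major not in FIXED_MINOR:
        return "unsupported"
    return "fixed" if minor >= FIXED_MINOR[major] else "unpatched"


def plperl_databases(rows):
    """Names of databases where PL/Perl (trusted or untrusted) is installed."""
    return sorted({db for db, ext in rows if ext in ("plperl", "plperlu")})


def report(version_value, extension_rows):
    """Combine both checks into one summary dict for an inventory run."""
    return {
        "version": "%d.%d" % parse_server_version(version_value),
        "status": assess(version_value),
        "plperl_in": plperl_databases(extension_rows),
    }


if __name__ == "__main__":
    print(report(SAMPLE_VERSION, SAMPLE_EXTENSIONS))
```

Run it against the output of the two queries on each cluster you manage; a status of "unpatched" together with a non-empty `plperl_in` list is the combination to prioritise, while "unsupported" means the version comparison is moot because no fixed minor exists for that major line.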
