Re: Information to CVE-2022-42889

From: Imre Samu <pella(dot)samu(at)gmail(dot)com>
To: Cedric Aaron Towstyka <Cedric-Aaron(dot)Towstyka(at)barmenia(dot)de>
Cc: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: Information to CVE-2022-42889
Date: 2022-11-08 14:05:34
Message-ID: CAJnEWwm6=GSouXzjDxrhO4xxYn9i4e==V9Hr9pQJPz07t1EESg@mail.gmail.com
Lists: pgsql-general

> if the above product is affected by the CVE

You will find the "Known PostgreSQL Security Vulnerabilities in Supported
Versions" here: https://www.postgresql.org/support/security/

For the PostgreSQL JDBC Driver:
please check https://jdbc.postgresql.org/security/
or the fixed CVE lists:
https://github.com/pgjdbc/pgjdbc/issues?q=CVE+sort%3Aupdated-desc
or https://github.com/pgjdbc/pgjdbc/security/advisories (Security Advisories)

Based on
https://www.docker.com/blog/security-advisory-cve-2022-42889-text4shell/
you have to search for "commons-text-1.9.jar" (commons-text-*.*) on the
servers or on the clients.
The PostgreSQL ecosystem is huge (e.g. a driver, an extension, or an
installer), so you have to check any Java-related software.

Anyway, it's a good time to install the latest patch version of everything
(latest PostgreSQL JDBC Driver, or latest Postgres minor version; see:
https://www.postgresql.org/support/versioning/ ).
The next minor release is expected on: *November 10th, 2022* (see
https://www.postgresql.org/developer/roadmap/ )
*"The PostgreSQL Project releases security fixes as part of minor version
updates. You are always advised to use the latest minor version available,
as it will contain other non-security related fixes."*

You will find professional services here:
https://www.postgresql.org/support/professional_support/

Regards,
Imre
( Disclaimer: I am just a Postgres user and not a security expert! )

Cedric Aaron Towstyka <Cedric-Aaron(dot)Towstyka(at)barmenia(dot)de> wrote
(on 2022 Nov 8, Tue, 12:10):

> Hello dear PostgreSQL Server Team,
>
> the German bureau for IT security "BSI" (Bundesamt für Sicherheit in der
> Informationstechnik) has issued a warning for CVE-2022-42889 with the
> name commons-text. Insurance companies are obliged to analyse the
> installed software for vulnerabilities of this type.
> As Barmenia is using your product PostgreSQL Server, it is necessary to
> obtain all information regarding any vulnerability against the above CVE.
>
> We kindly ask you to provide information on whether the above product is
> affected by the CVE and, if yes, when a fix will be available.
>
> With the request for short-term feedback.
>
> Kind regards,
>
>
>
> Cedric Aaron Towstyka
> Database Administrator
>
> Barmenia Krankenversicherung a. G.
> Barmenia Allgemeine Versicherungs-AG
> Barmenia Lebensversicherung a. G.
> Barmenia-Allee 1
> 42119 Wuppertal
> +49 202 438 2964
>
> <http://www.barmenia.de>
> - facebook.de/barmenia <https://de-de.facebook.com/Barmenia/> -
> xing.de/companies/barmenia
> <https://www.xing.com/companies/barmeniaversicherungen> -
> twitter.com/barmenia - youtube.de/barmenia
> <https://www.youtube.com/user/barmenia>
>
> Barmenia Allgemeine Versicherungs-AG
> Management Board: Dr. Andreas Eurich (Chairman) - Frank Lamsfuß - Ulrich Lamy
> - Carola Schroeder
> Chairman of the Supervisory Board: Dr. h. c. Josef Beutelmann; legal form of
> the company: stock corporation (Aktiengesellschaft)
> Registered office: Wuppertal; Wuppertal District Court HRB 3033;
> VAT ID number: DE 811425914; insurance tax number: 810/V90810006337
>
> Barmenia Krankenversicherung AG
> Management Board: Dr. Andreas Eurich (Chairman) - Frank Lamsfuß - Ulrich Lamy
> - Carola Schroeder
> Chairman of the Supervisory Board: Dr. h. c. Josef Beutelmann; legal form of
> the company: stock corporation (Aktiengesellschaft)
> Registered office: Wuppertal; Wuppertal District Court HRB 28475;
> VAT ID number: DE 121102508
>
> Barmenia Lebensversicherung a. G.
> Management Board: Dr. Andreas Eurich (Chairman) - Frank Lamsfuß - Ulrich Lamy
> - Carola Schroeder
> Chairman of the Supervisory Board: Dr. h. c. Josef Beutelmann; legal form of
> the company: mutual insurance association (Versicherungsverein auf
> Gegenseitigkeit)
> Registered office: Wuppertal; Wuppertal District Court HRB 3854;
> VAT ID number: DE 121102516
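The search Imre describes above (look for commons-text jars on the servers and on the clients, because the vulnerable library ships inside Java software rather than inside PostgreSQL itself) can be scripted. The following is an added example and not code from the thread, from the PostgreSQL project, or from pgjdbc. It assumes a POSIX shell with find, sed and basename; `unzip` is optional and, when present, is used to look inside fat jars, wars and ears for a bundled copy. The version classification uses the Apache advisory's range: Commons Text 1.5 through 1.9 is affected, 1.10.0 is the first fixed release.

```shell
#!/bin/sh
# Added example, not from the thread: inventory Apache Commons Text jars under a
# directory tree and flag the versions affected by CVE-2022-42889.
# Assumptions: POSIX sh with find/sed/basename; `unzip -Z1` (Info-ZIP) is optional
# and only used to list entries of jar/war/ear archives to find nested copies.
# Affected range per the Apache advisory: 1.5 <= version < 1.10.0.

# version_is_affected VERSION -> true (0) for 1.5 <= VERSION < 1.10
version_is_affected() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -eq 1 ] 2>/dev/null && [ "$minor" -ge 5 ] 2>/dev/null && [ "$minor" -lt 10 ]
}

# version_from_name FILENAME -> prints the version embedded in commons-text-<ver>[-qualifier].jar
version_from_name() {
  basename "$1" | sed -n 's/^commons-text-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p'
}

# classify VERSION -> AFFECTED / fixed / unknown (unknown when no version could be parsed)
classify() {
  case "$1" in
    '') echo unknown ;;
    *) if version_is_affected "$1"; then echo AFFECTED; else echo fixed; fi ;;
  esac
}

# report PATH VERSION -> one finding per line: path, version, status
report() {
  printf '%s %s %s\n' "$1" "$2" "$(classify "$2")"
}

# scan_commons_text ROOT -> every commons-text jar under ROOT, plus copies
# bundled inside other archives (reported as outer!inner) when unzip exists
scan_commons_text() {
  root="$1"
  find "$root" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) 2>/dev/null |
  while IFS= read -r f; do
    case "$(basename "$f")" in
      commons-text-*.jar) report "$f" "$(version_from_name "$f")" ;;
    esac
    # Nested copy, e.g. WEB-INF/lib/commons-text-1.9.jar inside an application war
    if command -v unzip >/dev/null 2>&1; then
      unzip -Z1 "$f" 2>/dev/null | sed -n '/commons-text-[0-9][0-9.]*[^/]*\.jar$/p' |
      while IFS= read -r inner; do
        report "$f!$inner" "$(version_from_name "$inner")"
      done
    fi
  done
}

# Usage: sh scan.sh /opt/app   (prints "path version AFFECTED|fixed|unknown")
if [ "$#" -gt 0 ]; then
  scan_commons_text "$1"
fi
```

Run it with the root of each Java installation you found (application servers, JDBC-based tools, PostgreSQL extensions written in Java, installers) rather than only the PostgreSQL data directory; a line ending in AFFECTED is a jar to upgrade, a line ending in unknown is a jar whose version must be checked by hand (for example from its META-INF manifest).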
