From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Subhash Udata <subhashudata(at)gmail(dot)com> |
Cc: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, 김주연 <mysylph(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10 |
Date: | 2024-11-22 04:51:32 |
Message-ID: | CAKFQuwZr=j14Da+n=b8zWERQYBic3iYx0ynTjH3K5Do2=ZLfDw@mail.gmail.com |
Lists: | pgsql-general |
On Thursday, November 21, 2024, Subhash Udata <subhashudata(at)gmail(dot)com>
wrote:
>
> Currently, my environment is running *PostgreSQL 15.0*. I understand that
> version *15.9* contains the fix for CVE-2024-10979, as mentioned in the
> release notes.
>
> Given that I am not using the *PL/Perl* extension in my environment
>
IIUC, any user that can execute “create extension plperl” in a database
they are connected to (or, it having been installed, users that have been
granted usage on the language) can exploit this vulnerability. Whether
that is possible in your environment is something you’d need to determine.
I believe this particular detail probably should have been part of the
release announcement but was not.
In any case, if you aren’t willing to update consistently, you really
shouldn’t be deploying .0 releases.
David J.
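The determination David points to (is PL/Perl installed here, who holds USAGE on it, and who could install it) can be made from the catalogs. The SQL below is an added example, not part of the thread, and is meant to be run as a superuser in each database of a PostgreSQL 15 instance. The version threshold 150009 (15.9), the 15-branch focus and the optional REVOKE at the end are my additions, not statements from the message.

```sql
-- Added example (not from the thread): exposure checks for CVE-2024-10979.
-- Run as a superuser, once per database, on the PostgreSQL 15 server under review.

-- 1. Is this server still on a 15.x release older than the fix in 15.9?
--    (150009 is the server_version_num for 15.9; adjust for other branches.)
SELECT current_setting('server_version') AS server_version,
       current_setting('server_version_num')::int >= 150009 AS has_15_9_fix;

-- 2. Is PL/Perl already installed in this database, and is it the trusted variant?
--    lanacl IS NULL on a trusted language means the default grant of USAGE to PUBLIC.
SELECT e.extname, e.extversion, l.lanpltrusted, l.lanacl
FROM pg_extension e
JOIN pg_language l ON l.lanname = e.extname
WHERE e.extname IN ('plperl', 'plperlu');

-- 3. Run only if step 2 shows plperl installed: which login roles can use it?
--    Unless the PUBLIC grant was revoked, every login role appears as true here.
SELECT r.rolname, r.rolsuper,
       has_language_privilege(r.rolname, 'plperl', 'USAGE') AS can_use_plperl
FROM pg_roles r
WHERE r.rolcanlogin
ORDER BY r.rolname;

-- 4. If plperl is not installed: could a non-superuser install it?
--    plperl ships marked "trusted", so any role with CREATE on the database
--    can run CREATE EXTENSION plperl without being a superuser.
SELECT name, version, installed, superuser, trusted
FROM pg_available_extension_versions
WHERE name IN ('plperl', 'plperlu');

SELECT r.rolname, r.rolsuper,
       has_database_privilege(r.rolname, current_database(), 'CREATE') AS can_create_in_db
FROM pg_roles r
WHERE r.rolcanlogin
  AND (r.rolsuper OR has_database_privilege(r.rolname, current_database(), 'CREATE'))
ORDER BY r.rolname;

-- 5. Optional stop-gap until 15.9 is deployed (my suggestion, not from the thread):
--    withdraw the default PUBLIC grant so only roles you name explicitly can use the language.
-- REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
```

Extensions and language ACLs are per database, so the checks have to be repeated in every database on the instance; a role that is harmless in one database may hold CREATE in another. The step 4 query is only meaningful where step 2 returned no rows, since once the extension exists the question becomes who can use it, not who can install it.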