Re: BUG #18193: CVE-2019-9193

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "sumanth(dot)vankineni(at)gmail(dot)com" <sumanth(dot)vankineni(at)gmail(dot)com>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: BUG #18193: CVE-2019-9193
Date: 2023-11-13 15:30:18
Message-ID: CAKFQuwaaDpEtRgFABUhN1J_peBRHGez5M564uiwfSK59iy9wmg@mail.gmail.com
Lists: pgsql-bugs

On Monday, November 13, 2023, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> > Just wanted to give an update, I'm not sure if it's mentioned anywhere on
> > the website. The PostgreSQL version 13.7 is also vuln to the
> > CVE-2019-9193.
> > The CVE states only in PostgreSQL 9.3 through 11.2.
>
> Please see
>
> https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
>
> That CVE is erroneous in full, and so the fact that it also misstates
> relevant versions is hardly surprising.
>
It’s hardly surprising because a CVE from 2019 (they make this fairly
simple, the year is in the assigned number) would not be expected to list
version 13, as that was not released at the time. Assuming 11.2 was indeed
the most recent version released at the time the CVE was issued, then indeed
neither v12 nor v13 was relevant, as v11 was only about 6 months old.

David J.
