From: | Ron Johnson <ronljohnsonjr(at)gmail(dot)com> |
---|---|
To: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i |
Date: | 2025-03-06 10:08:42 |
Message-ID: | CANzqJaDpwUKwZyPF_X+7h8J9a-X0jYKkQF6ZOwnBTU-Nnrci2A@mail.gmail.com |
Lists: | pgsql-general pgsql-performance |
Since it's a 24x7 app, you have database replication, virtual IPs and a
fail-over manager in case a server crashes?
Anyway, read through the PG 15 release notes. If none really affect you,
then stay on 15.3. You're certain to miss *something*, though, or not
understand the ramifications. And besides, there are always security
patches in them.
On Thu, Mar 6, 2025 at 4:33 AM Abraham, Danny <danny_abraham(at)bmc(dot)com> wrote:
> Explanation.
> We have hundreds of pg servers (mainly linux).
> App is 7×24.
> We think that patching the server to 15.12 will cost about 30 times more
> compared to patching the pg client (mainly QA effort).
> The app is working fine using [libpq, psql] on both Linux as well as Windows.
> Would love to hear your opinion.
> Thanks
> Danny
>
>
> Sent from Workspace ONE Boxer
>
> On Mar 6, 2025 10:11, Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:
> [redirecting to pgsql-general]
>
> On Thu, 2025-03-06 at 07:39 +0000, Abraham, Danny wrote:
> > I have many customers using PG 15.3 happily, and I cannot just snap upgrade them all to 15.12.
>
> Why do you think you cannot do that?
> In the long run, you'll be sorry if you don't.
> It is just a matter of replacing the software and restarting the database
> server.
>
> > I have tested a nasty trick of replacing PSQL, LIBPQ and several other DLLs so that
> > I have a PG client 15.12 within the folders of Server 15.3.
> >
> > All working just fine.
> >
> > I plan to ship it as a patch - but would like to hear your opinion on this "merge".
> >
> > (Of course, the next version will use PG 17.4, so this is just an SOS action).
> >
> > Directory of C:\Users\dbauser\Desktop\15.12
> >
> > 02/20/2025 11:48 AM 4,696,576 libcrypto-3-x64.dll
> > 02/20/2025 11:48 AM 1,850,401 libiconv-2.dll
> > 02/20/2025 11:48 AM 475,769 libintl-9.dll
> > 02/20/2025 11:48 AM 323,584 libpq.dll
> > 02/20/2025 11:48 AM 779,776 libssl-3-x64.dll
> > 02/20/2025 11:48 AM 52,736 libwinpthread-1.dll
> > 02/20/2025 11:48 AM 604,160 psql.exe
> >
> > ==
> > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>postgres -V
> > postgres (PostgreSQL) 15.3
> >
> > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>psql -V
> > psql (PostgreSQL) 15.12
>
> There is nothing fundamentally evil about upgrading the client.
>
> But what is the point? Why are you worried about client bugs more than
> about server bugs? The latter are much more likely to eat your data.
>
> But then, if you are using Windows, perhaps you don't care a lot about
> your data...
>
> Yours,
> Laurenz Albe
>
--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!