| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Matthias Apitz <guru(at)unixarea(dot)de> |
| Cc: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, Subhash Udata <subhashudata(at)gmail(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, 김주연 <mysylph(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10 |
| Date: | 2024-11-23 18:10:05 |
| Message-ID: | Z0IafWDrFln-n0P5@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Nov 22, 2024 at 09:00:18AM +0100, Matthias Apitz wrote:
> El día viernes, noviembre 22, 2024 a las 05:52:34 +0100, Laurenz Albe escribió:
>
> > On Fri, 2024-11-22 at 10:01 +0530, Subhash Udata wrote:
> > > Currently, my environment is running PostgreSQL 15.0. I understand that version
> > > 15.9 contains the fix for CVE-2024-10979, as mentioned in the release notes.
> > > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > > * Is it still mandatory to upgrade specifically to version 15.9, or would
> > > remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary, considering the
> > > specifics of my setup.
> >
> > If you don't use PL/Perl, you are not affected by that security vulnerability.
> >
> > I wonder what you mean by "mandatory".
> >
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy. If you stay on 15.0, you will be subject to
> > thirteen other security vulnerabilities (if I counted right), and you may end
> > up with corrupted GIN and BRIN indexes. Additionally, you will be subject to
> > countless known bugs that have been fixed since.
> >
> > You should *always* update to the latest minor release shortly after it is
> > released. Everything else is negligent.
>
> Laurenz, et all,
>
> The company I'm working for is producer of a Library Management System
> with C/C++ written servers on Linux, using ESQL/C and DBI interfaces of
> PostgreSQL (and older version Sybase too) and the software is deployed
> to 100++ customer installations, sometimes with limited own IT know how.
>
> "You should *always* update ..." is nice to say, but in the described land
> not easy to do. For the two released versions of our software (V7.2 and
> V7.3) and the current version in development (V7.3-SP1) we plan the
> following migrations of the server and client side of PostgreSQL:
I have to admit, for this question, we just point people to:
https://www.postgresql.org/support/versioning/
and say bounce the database server and install the binaries. What I
have never considered before, and I should have, is the complexity of
doing this for many remote servers. Can we improve our guidance for
these cases?
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Sabino Mullane | 2024-11-23 18:22:02 | Re: Question About Native Support for SQL:2011 Temporal Tables in PostgreSQL |
| Previous Message | Greg Sabino Mullane | 2024-11-23 17:49:45 | Re: Database stats ( pg_stat_database.stats_reset ) get reset on daily basis - why? |