Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

On Sat, Nov 23, 2024 at 03:24:47PM -0500, Ron Johnson wrote:
> On Sat, Nov 23, 2024 at 1:10 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> [snip] 
>
> I have to admit, for this question, we just point people to:
>
>         https://www.postgresql.org/support/versioning/
>
> and say bounce the database server and install the binaries.  What I
> have never considered before, and I should have, is the complexity of
> doing this for many remote servers.  Can we improve our guidance for
> these cases?
>
>
> What guidance is needed?  Even for us, where firewalls block our servers from 
> https://download.postgresql.org, it's as simple as downloading the relevant RPM
> files once (and that done with a PowerShell script), then patching thusly:
>
> WinScp PG16.4_RHEL8 dir to each server, and on each server
> $ sudo -iu postgres pg_ctl stop -mfast -wt9999 -D /path/to/data
> $ sudo yum install PG16.4_RHEL8/*rpm
> $ sudo -iu postgres pg_ctl start -wt9999 -D /path/to/data
>
> Those three sudo commands take, at most, three minutes.

I am thinking more of cases where you have 100+ customers, and you need
to coordinate/connect to each company to perform the upgrade. Doing
that every quarter might be a lot of work, and it might be hard to
justify for every minor release.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"