commit 8ef98fe (HEAD, master) Author: Noah Misch AuthorDate: Sun Apr 22 14:46:58 2018 -0700 Commit: Noah Misch CommitDate: Sun Apr 22 14:46:58 2018 -0700 Correct pg_recvlogical server version test. The predecessor test boiled down to "PQserverVersion(NULL) >= 100000", which is always false. No release includes that, so it could not have reintroduced CVE-2018-1058. Back-patch to 9.4, like the addition of the predecessor in commit 8d2814f274def85f39fbe997d454b01628cb5667. Discussion: https://postgr.es/m/TBD --- src/bin/pg_basebackup/streamutil.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bin/pg_basebackup/streamutil.c b/src/bin/pg_basebackup/streamutil.c index 4fd5369..77ae91f 100644 --- a/src/bin/pg_basebackup/streamutil.c +++ b/src/bin/pg_basebackup/streamutil.c @@ -223,7 +223,7 @@ GetConnection(void) * 10, so the search path cannot be changed (by us or attackers) on * earlier versions. */ - if (dbname != NULL && PQserverVersion(conn) >= 100000) + if (dbname != NULL && PQserverVersion(tmpconn) >= 100000) { PGresult *res;