Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Matthias Apitz <guru(at)unixarea(dot)de>
Cc: Subhash Udata <subhashudata(at)gmail(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, 김주연 <mysylph(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Date: 2024-11-22 15:52:46
Message-ID: b9a4ccd664008a3687103be178e7ed4cb180b9b5.camel@cybertec.at
Lists: pgsql-general

On Fri, 2024-11-22 at 09:00 +0100, Matthias Apitz wrote:
> > > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > >  * Is it still mandatory to upgrade specifically to version 15.9, or would
> > >     remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary, considering the
> > > specifics of my setup.
> >
> > If you don't use PL/Perl, you are not affected by that security vulnerability.
> >
> > I wonder what you mean by "mandatory".
> >
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy.  If you stay on 15.0, you will be subject to
> > thirteen other security vulnerabilities (if I counted right), and you may end
> > up with corrupted GIN and BRIN indexes.  Additionally, you will be subject to
> > countless known bugs that have been fixed since.
> >
> > You should *always* update to the latest minor release shortly after it is
> > released.  Everything else is negligent.
>
> The company I'm working for is the producer of a Library Management System
> with C/C++ written servers on Linux, using the ESQL/C and DBI interfaces of
> PostgreSQL (and an older Sybase version too), and the software is deployed
> to 100++ customer installations, sometimes with limited in-house IT know-how.

And you didn't plan how you intend to ship software updates to these
customers?

> "You should *always* update ..." is nice to say, but in the described land
> not easy to do.

If you say so. Still, that is a problem that will come to bite you
some day, as soon as your customers hit some PostgreSQL bug.

> I assume that
> CVE-2024-10979 affects the server side, and not the client side.

Right. I wonder why you are so keen on that vulnerability and ignore
all the others discovered since 15.0.

> Any further comments on this?

No. I told you that you should update, and you explained in great
detail why you cannot. There is nothing more to say. Good luck.

Yours,
Laurenz Albe
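The check implied by the reply above (a server is exposed to this issue only if PL/Perl is actually installed in one of its databases, and only while the running minor release is older than the fixed one), written out as an added example that is not part of this thread. It assumes `psql` is on the PATH and that the usual PG* environment variables point at the cluster to inspect; the fixed version defaults to 15.9 as named in the thread and is taken from the second argument for other branches.

```shell
#!/bin/sh
# Added example, not from the thread: does this cluster run PL/Perl at all,
# and is its minor release behind the first fixed one?
#
# Usage:  sh plperl_check.sh --scan [FIXED_VERSION]
# Without --scan only the functions are defined (so the file can be sourced).

# minor_behind CURRENT FIXED
# Exit 0 when CURRENT has the same major as FIXED but an older minor release
# (e.g. "15.0" vs "15.9"), 1 otherwise. Trailing build text such as
# "15.0 (Debian 15.0-1)" from SHOW server_version is ignored.
minor_behind() {
    cur=${1%% *}; fix=${2%% *}
    cur_major=${cur%%.*}; cur_minor=${cur#*.}
    fix_major=${fix%%.*}; fix_minor=${fix#*.}
    [ "$cur_major" -eq "$fix_major" ] && [ "$cur_minor" -lt "$fix_minor" ]
}

# plperl_databases
# Print "dbname: plperl,plperlu" for every connectable database in which the
# plperl or plperlu extension is installed; print nothing if none has it.
# Assumes psql on PATH and PGHOST/PGPORT/PGUSER set (assumption, not from the thread).
plperl_databases() {
    for db in $(psql -At -c "SELECT datname FROM pg_database WHERE NOT datistemplate AND datallowconn"); do
        found=$(psql -At -d "$db" -c "SELECT string_agg(extname, ',') FROM pg_extension WHERE extname IN ('plperl', 'plperlu')")
        [ -n "$found" ] && echo "$db: $found"
    done
}

if [ "${1:-}" = "--scan" ]; then
    fixed=${2:-15.9}                       # 15.9 is the fixed release named in the thread
    ver=$(psql -At -c "SHOW server_version")
    if minor_behind "$ver" "$fixed"; then
        echo "server $ver is behind fixed minor release $fixed"
    else
        echo "server $ver is at or past $fixed"
    fi
    dbs=$(plperl_databases)
    if [ -n "$dbs" ]; then
        echo "PL/Perl is installed in:"
        echo "$dbs"
    else
        echo "PL/Perl is not installed in any database"
    fi
fi
```

Both answers matter: a cluster on an old minor with no PL/Perl anywhere is not reachable through this particular issue, but, as the reply points out, it still carries every other fix shipped since that minor, so the version check is the one that should drive the update decision.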
