Re: CVE-2022-2625

From: Ron <ronljohnsonjr(at)gmail(dot)com>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: CVE-2022-2625
Date: 2022-09-15 15:38:12
Message-ID: bd54551f-f80a-210e-bebf-d2c5b15a77be@gmail.com
Lists: pgsql-general

On 9/15/22 10:19, Tom Lane wrote:
> misha1966 misha1966 <mmisha1966(at)bk(dot)ru> writes:
>> Is there a patch for 9.6 ?
> No; that's out of support too.
>
> You might find that adapting the v10 patch back to 9.6, and
> thence to 9.5, would be easier than trying to do it in one step.
>
> I'm a little bemused by your fixation on this particular CVE,
> though.

Some auditor might have issued a decree mandating all vulnerabilities
greater than 7.0 *must* be patched.

> As such things go, it's not a very big deal. It's only
> of interest if you are routinely installing new extensions, *and*
> those extensions' scripts contain insecure uses of CREATE OR
> REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
> instead. I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be
> doing a lot of new extension installations.
>
> In any case, the real thing you ought to be focusing on is whether
> you are running back-ported patches for any of the *other* CVE-worthy
> security bugs we've fixed since 9.5 went EOL. And how about the
> data-corrupting bugs?

As to why they're auditing EOL software... no one has ever considered
auditors or Upper Management to be rational or consistent.

> Most longtime PG developers think data
> corruption hazards are a good deal more important than a lot of
> the stuff we assign CVEs to. Almost every CVE we've ever issued is
> only relevant if you have hostile actors able to issue arbitrary SQL
> in your database, in which case you're in a world of trouble anyway.

--
Angular momentum makes the world go 'round.
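The quoted message narrows CVE-2022-2625 to extension scripts that use CREATE OR REPLACE or CREATE IF NOT EXISTS, and suggests fixing the extensions rather than chasing a back-port. The following is an added illustration, not code from this thread or from any PostgreSQL extension: the hypothetical extension function `myext_hash` is assumed, and the catalog query at the end is a defender's audit of installed extensions, not a reproduction of the bug.

```sql
-- Pattern the quoted message calls insecure: if an object with this signature
-- already exists in the target schema when the extension script runs,
-- CREATE OR REPLACE overwrites its body but leaves the existing owner in place,
-- so an object someone else created becomes part of the extension.
CREATE OR REPLACE FUNCTION myext_hash(text) RETURNS text
  LANGUAGE sql IMMUTABLE STRICT
  AS $$ SELECT md5($1) $$;

-- Safer spelling for an extension script (the "fix the extensions" route):
-- plain CREATE fails with "already exists" instead of absorbing a squatter,
-- so a fresh CREATE EXTENSION can only ever create objects the script owns.
CREATE FUNCTION myext_hash(text) RETURNS text
  LANGUAGE sql IMMUTABLE STRICT
  AS $$ SELECT md5($1) $$;

-- Audit on an existing cluster (works on 9.5 and later catalogs):
-- list functions that belong to an extension (pg_depend deptype 'e') but are
-- owned by a role other than the extension's owner. On a cleanly installed
-- extension this returns no rows; any row is worth explaining before
-- deciding whether a back-ported patch is needed.
SELECT e.extname,
       p.oid::regprocedure            AS function,
       pg_get_userbyid(p.proowner)    AS function_owner,
       pg_get_userbyid(e.extowner)    AS extension_owner
FROM pg_depend d
JOIN pg_extension e ON d.refclassid = 'pg_extension'::regclass
                   AND d.refobjid   = e.oid
JOIN pg_proc p      ON d.classid    = 'pg_proc'::regclass
                   AND d.objid      = p.oid
WHERE d.deptype = 'e'
  AND p.proowner <> e.extowner
ORDER BY e.extname, 2;
```

The same join can be repeated against pg_class, pg_type or pg_operator for the other object kinds an extension script may create with OR REPLACE or IF NOT EXISTS.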
