From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | Subhash Udata <subhashudata(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Clarification on CVE-2024-10979 and PostgreSQL Upgrade Necessity Without PL/Perl Usage |
Date: | 2024-11-20 16:12:57 |
Message-ID: | da4ff57d-bc55-4fd6-8b2e-802cbe46472b@aklaver.com |
Lists: | pgsql-general |
On 11/20/24 00:54, Subhash Udata wrote:
> Dear PostgreSQL Community,
>
> I have a query related to the recent security vulnerability,
> *CVE-2024-10979*, concerning the PL/Perl extension.
>
> From the advisory, it appears the vulnerability impacts systems
> utilizing the PL/Perl extension. My question is:
>
> * If we do not use the PL/Perl extension in our PostgreSQL instance,
> is it still necessary to upgrade to the patched version of
> PostgreSQL? Or can we safely continue using our current version
> without concern?
Yes, you should upgrade.
See the rest of the issues fixed:
https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/
It has further CVEs.
Though I would wait until the out-of-cycle release that lands
tomorrow (2024-11-21) is out, see:
https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-november-21-2024-2958/
as it fixes some regressions in the previous release.
>
> We would like to understand whether this vulnerability has any
> implications for environments where the PL/Perl extension is not
> installed or used.
>
> Thank you so much for your guidance on this.
>
> Best regards,
>
> Subhash Udata
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
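As an added example, not part of this thread and not tooling from the PostgreSQL project: SQL checks a DBA can run to settle the two facts behind the question, which minor the server is on relative to the minors named in the release announcement linked above (17.1, 16.5, 15.9, 14.14, 13.17, 12.21), and whether PL/Perl is merely shipped with the build, actually created in a database, or used by any function. Only standard catalogs and settings are used; the version thresholds are the ones in the linked announcement, and the out-of-cycle release mentioned in the reply supersedes them, so the list should be raised once it is out.

```sql
-- Added example (not from the thread). Run in each database of the instance;
-- pg_extension, pg_language and pg_proc are per database.

-- 1. Which minor is running, and does it carry the November 2024 fixes?
--    (major, first_fixed_minor) pairs come from the release announcement
--    linked in the reply; adjust once the 2024-11-21 out-of-cycle release lands.
WITH fixed(major, first_fixed_minor) AS (
    VALUES (17, 1), (16, 5), (15, 9), (14, 14), (13, 17), (12, 21)
),
cur AS (
    -- server_version_num is major*10000 + minor for PostgreSQL 10 and later
    SELECT current_setting('server_version_num')::int / 10000 AS major,
           current_setting('server_version_num')::int % 10000 AS minor
)
SELECT cur.major,
       cur.minor,
       fixed.first_fixed_minor,
       -- NULL means this major is not in the list at all (no fix issued for
       -- it), which is its own reason to move to a supported branch.
       cur.minor >= fixed.first_fixed_minor AS has_nov_2024_fixes
FROM cur
LEFT JOIN fixed ON fixed.major = cur.major;

-- 2. Is PL/Perl shipped with this build, and is it created in this database?
--    installed_version is NULL when the extension is available but not created.
SELECT name, default_version, installed_version
FROM pg_available_extensions
WHERE name IN ('plperl', 'plperlu');

-- 3. Functions actually written in PL/Perl in this database, if the language
--    exists here; an empty result is what "we do not use PL/Perl" should mean.
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       l.lanname AS language
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname IN ('plperl', 'plperlu')
ORDER BY 1, 2;
```

The first query answers the question the reply is really making: the fix release bundles several CVEs, so what matters is the server's minor version, not whether one extension is in use. The second and third queries distinguish "PL/Perl files exist on disk" from "PL/Perl is created and used", which is the distinction the original question glosses over; both have to be repeated per database (for example by looping `psql -d <dbname>` over the names in `pg_database`).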