Message-ID: <3a853424-3c5f-4ed5-a729-f5a22c49eb11@aklaver.com>
Date: Thu, 21 Nov 2024 20:38:13 -0800
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
From: Adrian Klaver
To: Subhash Udata
Cc: 김주연, pgsql-general@lists.postgresql.org
References: <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com>

On 11/21/24 19:57, Subhash Udata wrote:
> Hi Adrian,
>
> Thank you for your response regarding the affected versions of
> PostgreSQL. I have a follow-up question for clarification:
>
> The PostgreSQL documentation mentions that the versions with a fix for
> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
> your reply states that any version greater than 13+ should suffice.

Any major version 13+. Postgres uses an X.x numbering scheme where X is
the major version and x is the minor version. If you go here:

https://www.postgresql.org/support/versioning/

you will see what that translates to in terms of support. If you move to
13.x you will have one more year before you would need to move to a newer
version. It is up to you to decide if that is okay or whether you want to
move to a version that is newer to have more time to plan the next move.

In either case you should use the latest minor release that is current at
the time. Minor releases are bug/security fixes and it is important that
you keep up with them. The latest round of minor releases were done
yesterday and that is what you should be installing.

> Could you please confirm if upgrading to one of the specific versions
> listed above is mandatory, or is it acceptable to upgrade to any version
> higher than 13?
>
> Your guidance will help us determine the appropriate upgrade path for
> our environment.
>
> Thank you for your time and assistance.
>
> On Thu, 21 Nov 2024 at 12:24, Adrian Klaver wrote:
>
> > On 11/20/24 22:44, 김주연 wrote:
> > > Hello, I am currently using PostgreSQL 11.10 and would like to
> > > know if the CVE-2024-10979 vulnerability affects this version.
> >
> > Postgres 11 is past EOL, see:
> >
> > https://www.postgresql.org/support/versioning/
> >
> > > If it does impact my version, I would like to know which version I
> > > should upgrade to.
> >
> > Any version from 13+.
> >
> > --
> > Adrian Klaver
> > adrian.klaver@aklaver.com

--
Adrian Klaver
adrian.klaver@aklaver.com
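The reply above turns on two things a DBA has to get right when triaging this CVE: the major/minor numbering scheme (X.x since Postgres 10, X.Y.z before that), and the fact that the fix lives in a specific minor release per major (17.1, 16.5, 15.9, 14.14, 13.17, 12.21 in the quoted list), while anything older than the majors still supported has no fix to install at all. The script below is an added example, not code from this thread or from the PostgreSQL project: it parses the output of `SELECT version()` or `SHOW server_version`, classifies each server as patched, needing a minor update, or on a major with no fixed release, and applies the reply's "major 13+" advice. The server names and version strings are constructed samples; the fix table and the 13+ threshold are taken from the thread.

```python
"""
Classify PostgreSQL servers against the CVE-2024-10979 fix list quoted
in this thread. Added example; the version strings are constructed.
"""
import re

# Minor release per major that carries the fix, as listed in the thread.
FIXED_MINOR = {"17": 1, "16": 5, "15": 9, "14": 14, "13": 17, "12": 21}

# The reply's advice: move to any major version 13 or newer.
MIN_RECOMMENDED_MAJOR = 13

# Anchored at the start so compiler versions later in the string
# ("... compiled by gcc 12.2.0") are never mistaken for the server
# version. Pre-release tags such as "17beta1" have no dotted minor and
# are rejected rather than guessed at.
_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor) as (str, int) from `SELECT version()` or
    `SHOW server_version` output.

    Postgres 10+ numbers releases MAJOR.minor ("11.10" -> ("11", 10)).
    9.x and older used MAJOR.MAJOR.minor ("9.6.24" -> ("9.6", 24)), so
    the first two fields together form the major there.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"no release number at start of {text!r}")
    first, second, third = m.group(1), m.group(2), m.group(3)
    if int(first) >= 10:
        return first, int(second)
    if third is None:
        raise ValueError(f"pre-10 version {first}.{second} lacks a minor")
    return f"{first}.{second}", int(third)


def assess(version_text):
    """Classify one server for CVE-2024-10979.

    status: "patched", "needs-minor-update" or "no-fix-for-major"
    supported: True when the major meets the reply's 13+ advice
    action: the next step, in the terms used in the reply
    """
    major, minor = parse_version(version_text)
    supported = major.isdigit() and int(major) >= MIN_RECOMMENDED_MAJOR
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        status = "no-fix-for-major"
        action = ("major is below 13 with no fixed release listed; upgrade to "
                  "a major version 13+ on its latest minor release"
                  if not supported else
                  "major not in the thread's fix list; check its release notes")
    elif minor >= fixed:
        status = "patched"
        action = ("fix present; keep applying minor releases" if supported else
                  "fix present, but plan the move to a major version 13+")
    else:
        status = "needs-minor-update"
        action = (f"apply minor release {major}.{fixed} or later" if supported
                  else f"apply {major}.{fixed} now, then plan the move to 13+")
    return {"major": major, "minor": minor, "status": status,
            "supported": supported, "action": action}


# Constructed sample outputs of `SELECT version()` / `SHOW server_version`.
SAMPLE_SERVERS = {
    "legacy-db": "PostgreSQL 11.10 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0, 64-bit",
    "reporting": "PostgreSQL 13.16 (Debian 13.16-1.pgdg120+1) on x86_64-pc-linux-gnu",
    "app-primary": "16.5 (Ubuntu 16.5-0ubuntu0.24.04.1)",
    "archive": "PostgreSQL 9.6.24 on x86_64-pc-linux-gnu",
    "staging": "PostgreSQL 12.21 on x86_64-pc-linux-gnu",
}


def fleet_report(servers=SAMPLE_SERVERS):
    """Assess every server; returns {name: assessment dict}."""
    return {name: assess(text) for name, text in servers.items()}


if __name__ == "__main__":
    for name, r in fleet_report().items():
        print(f"{name:12s} {r['major']}.{r['minor']:<4} {r['status']:20s} {r['action']}")
```

Run it against the real output of `psql -XtAc "SELECT version()"` on each host instead of the sample dict; a server that parses to "needs-minor-update" only needs the minor release applied in place, whereas "no-fix-for-major" means a major upgrade (pg_upgrade or dump/restore) is the only remediation, which is the distinction the reply draws between 11.10 and the 13+ targets.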