From: Tom Lane
To: "David G. Johnston"
cc: Subhash Udata, Adrian Klaver, 김주연, pgsql-general@lists.postgresql.org
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Date: Thu, 21 Nov 2024 23:35:23 -0500
Message-ID: <507773.1732250123@sss.pgh.pa.us>
References: <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com>

"David G. Johnston" writes:
> On Thursday, November 21, 2024, Subhash Udata wrote:
>> The PostgreSQL documentation mentions that the versions with a fix for
>> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
>> your reply states that any version greater than 13+ should suffice.
>> Could you please confirm if upgrading to one of the specific versions
>> listed above is mandatory, or is it acceptable to upgrade to any version
>> higher than 13?

Minor versions earlier than those do not contain the fix.

> The fact you are on version 11 means you should not expect an answer to the
> question whether this newly discovered CVE affects you - that would be
> expecting support for a long-unsupported version.

The Postgres security team does not ordinarily test out-of-support branches,
so no official answer to that will be forthcoming. Unofficially, however,
I have no doubt that this bug is quite ancient.

regards, tom lane
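Added example, not part of the thread: a Python check that applies the rule above (only the listed minor releases, or later minors on the same branch, contain the fix for CVE-2024-10979) to `server_version` strings as PostgreSQL reports them. The fleet entries are constructed samples, and majors older than 12 are reported as unsupported because no fixed minor exists for them.

```python
import re

# Fixed minor releases for CVE-2024-10979, as listed in the message above.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}


def parse_server_version(text):
    """Return (major, minor) from a server_version string.

    Accepts both the bare form ("13.17") and the packaged form
    ("16.5 (Ubuntu 16.5-1.pgdg22.04+1)").  For pre-10 versions such as
    "9.6.24" the first two components are the branch; that is fine here,
    because every branch older than 12 is classified the same way.
    """
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised server_version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(server_version):
    """Classify one server against the advisory's fix list.

    "fixed"            running a minor that contains the fix
    "needs-update"     supported branch, but a minor earlier than the fix
    "unsupported"      branch older than 12: no fixed minor was ever
                       released, so only a major upgrade helps
    "not-in-advisory"  branch newer than those listed; check its notes
    """
    major, minor = parse_server_version(server_version)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "unsupported" if major < min(FIXED_MINOR) else "not-in-advisory"
    return "fixed" if minor >= fixed else "needs-update"


# Constructed sample fleet (hypothetical hosts), e.g. from `SHOW server_version`.
SAMPLE_FLEET = {
    "db-a": "11.10",
    "db-b": "13.16 (Debian 13.16-1.pgdg120+1)",  # "higher than 13" but unfixed
    "db-c": "13.17",
    "db-d": "16.5 (Ubuntu 16.5-1.pgdg22.04+1)",
    "db-e": "9.6.24",
}


def report(fleet):
    """Map each host name to its assessment."""
    return {host: assess(version) for host, version in fleet.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```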