Message-ID: <6c898e6499036ce70ac113b52df5c3ff06286a6a.camel@cybertec.at>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
From: Laurenz Albe
To: Subhash Udata, "David G. Johnston"
Cc: Adrian Klaver, 김주연, "pgsql-general@lists.postgresql.org"
Date: Fri, 22 Nov 2024 05:52:34 +0100
References: <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com>

On Fri, 2024-11-22 at 10:01 +0530, Subhash Udata wrote:
> Currently, my environment is running PostgreSQL 15.0. I understand that version
> 15.9 contains the fix for CVE-2024-10979, as mentioned in the release notes.
> Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
>   * Is it still mandatory to upgrade specifically to version 15.9, or would
>     remaining on version 15.0 suffice in this case?
> I appreciate your guidance on whether this upgrade is necessary, considering the
> specifics of my setup.

If you don't use PL/Perl, you are not affected by that security vulnerability.

I wonder what you mean by "mandatory". We won't fine or punish you if you
don't update PostgreSQL, but perhaps it would make your employer unhappy.

If you stay on 15.0, you will be subject to thirteen other security
vulnerabilities (if I counted right), and you may end up with corrupted GIN
and BRIN indexes. Additionally, you will be subject to countless known bugs
that have been fixed since.

You should *always* update to the latest minor release shortly after it is
released. Everything else is negligent.

Yours,
Laurenz Albe
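An added check, not part of the thread, that turns the two points above into a decision for one server: is a PL/Perl extension installed, and is the branch behind the minor release that carries the fix. It assumes the inputs are what `SHOW server_version` and `SELECT extname FROM pg_extension` return (constructed samples here), and takes 15.9 as the fixed release because the thread states it; fixed releases for other branches are not given here and must be supplied by the operator.

```python
"""Decide whether a PostgreSQL server needs the CVE-2024-10979 fix release.

Inputs mirror `SHOW server_version` and `SELECT extname FROM pg_extension`;
the values used below are constructed samples, not captured from a server.
"""
import re
from dataclasses import dataclass

# PL/Perl ships as two extensions; either one means the Perl handler is loaded.
PLPERL_EXTENSIONS = {"plperl", "plperlu"}

# Fixed minor release per major branch. Only 15.9 is stated in the thread;
# other branches are deliberately absent so the caller must supply them.
FIXED_MINOR = {15: 9}


@dataclass(frozen=True)
class Assessment:
    major: int
    minor: int
    plperl_installed: bool
    behind_fix: bool

    @property
    def exposed_to_cve(self) -> bool:
        # Exposed only if the vulnerable component is present AND the fix is missing.
        # A server behind the fix without PL/Perl still misses every other fix.
        return self.plperl_installed and self.behind_fix


def parse_server_version(text: str) -> tuple[int, int]:
    """Parse '15.0 (Debian 15.0-1.pgdg110+1)' -> (15, 0); rejects devel strings like '17devel'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised server_version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(server_version: str, extnames: list[str],
           fixed_minor: dict[int, int] = FIXED_MINOR) -> Assessment:
    major, minor = parse_server_version(server_version)
    if major not in fixed_minor:
        raise KeyError(f"no fixed release recorded for branch {major}; add it to fixed_minor")
    plperl = bool(PLPERL_EXTENSIONS & {e.lower() for e in extnames})
    return Assessment(major, minor, plperl, behind_fix=minor < fixed_minor[major])


if __name__ == "__main__":
    # Constructed sample matching the question: 15.0 with no PL/Perl installed.
    a = assess("15.0 (Debian 15.0-1.pgdg110+1)", ["plpgsql", "pg_stat_statements"])
    print(a, "exposed to CVE-2024-10979:", a.exposed_to_cve)
```

`behind_fix` being true while `exposed_to_cve` is false is exactly the situation in the question: not affected by this CVE, but still missing every other fix in the minor releases since 15.0.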