Message-ID: <906cc022-e33e-4693-ae58-7ecd9f414192@aklaver.com>
Date: Sat, 23 Nov 2024 11:19:09 -0800
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
From: Adrian Klaver
To: Bruce Momjian, Greg Sabino Mullane
Cc: Matthias Apitz, Laurenz Albe, Subhash Udata, "David G. Johnston", 김주연, "pgsql-general@lists.postgresql.org"
References: <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <6c898e6499036ce70ac113b52df5c3ff06286a6a.camel@cybertec.at>

On 11/23/24 10:57, Bruce Momjian wrote:
> On Sat, Nov 23, 2024 at 01:30:13PM -0500, Greg Sabino Mullane wrote:
>> On Sat, Nov 23, 2024 at 1:10 PM Bruce Momjian wrote:
>>
>> and say bounce the database server and install the binaries. What I
>> have never considered before, and I should have, is the complexity of
>> doing this for many remote servers. Can we improve our guidance for
>> these cases?
>>
>>
>> Hmm I'm not sure what else we can say. Our upgrade process is already
>> drop-dead-simple, especially compared to many (most?) other products out there.
>> People painting themselves into corners is not something we can really help
>> with.
>
> I am wondering if we can highlight which upgrades are most important for
> users who have complex upgrade processes. Maybe CVEs and corruption
> fixes?

Personally I would point them at:

https://www.postgresql.org/list/pgsql-announce/

and/or:

https://www.postgresql.org/docs/release/

I would think that informs users and lets them determine what is
important to their situation.

--
Adrian Klaver
adrian.klaver@aklaver.com