public inbox for [email protected]
From: Subhash Udata <[email protected]>
To: David G. Johnston <[email protected]>
Cc: Adrian Klaver <[email protected]>
Cc: 김주연 <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Date: Fri, 22 Nov 2024 10:01:31 +0530
Message-ID: <CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com>
In-Reply-To: <CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>
References: <CAONZJQkaLtHeNz3P5wO8-EWPjOJ1M5fgyp8x4Mc4bb_U9n9_6g@mail.gmail.com>
<[email protected]>
<CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
<CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>

Thank you for your detailed response. I would like to clarify my situation
further to ensure I take the appropriate steps.

Currently, my environment is running *PostgreSQL 15.0*. I understand that
version *15.9* contains the fix for CVE-2024-10979, as mentioned in the
release notes.

Given that I am not using the *PL/Perl* extension in my environment, I
wanted to ask:

- Is it still mandatory to upgrade specifically to version *15.9*, or
  would remaining on version *15.0* suffice in this case?

I appreciate your guidance on whether this upgrade is necessary,
considering the specifics of my setup.

Thank you for your time and support.

On Fri, 22 Nov 2024 at 09:39, David G. Johnston <[email protected]>
wrote:
> On Thursday, November 21, 2024, Subhash Udata <[email protected]>
> wrote:
>>
>>
>> Thank you for your response regarding the affected versions of
>> PostgreSQL. I have a follow-up question for clarification:
>>
>> The PostgreSQL documentation mentions that the versions with a fix for
>> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
>> your reply states that any version greater than 13+ should suffice.
>>
>> Could you please confirm if upgrading to one of the specific versions
>> listed above is mandatory, or is it acceptable to upgrade to any version
>> higher than 13
>>
>
> It was literally just reported and fixed. If you are on a supported
> release of PostgreSQL you have the fix. If you are not, you don’t.
>
> At this point only major versions 13+ are supported.
>
> Upgrading to an unsupported minor release is never recommended.
>
> The fact you are on version 11 means you should not expect an answer to
> the question whether this newly discovered CVE affects you - that would be
> expecting support for a long-unsupported version.
>
> Which of the 5 currently supported releases you should upgrade to is a
> decision you need to make given your circumstances.
>
> David J.
>
>
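
An inventory query for the two facts this thread turns on, added here as an example and not written by anyone in the thread: it compares the running server against the fixed releases quoted above (17.1, 16.5, 15.9, 14.14, 13.17, 12.21) and reports whether a PL/Perl language is installed in the current database. The column aliases and status strings are made up for the example; run it once per database, since pg_language is a per-database catalog.

```sql
-- Added example (not from the thread). Fixed releases are the ones quoted
-- in the message above; everything else reads standard catalogs/settings.
WITH fixed(major, minor) AS (
    VALUES (17, 1), (16, 5), (15, 9), (14, 14), (13, 17), (12, 21)
),
srv AS (
    -- server_version_num is major*10000 + minor on PostgreSQL 10 and later,
    -- e.g. 150009 for 15.9 and 110010 for 11.10.
    SELECT current_setting('server_version')                  AS version,
           current_setting('server_version_num')::int / 10000 AS major,
           current_setting('server_version_num')::int % 10000 AS minor
)
SELECT srv.version,
       CASE
           WHEN f.major IS NULL
               THEN 'major version not in the fixed-release list quoted in the thread'
           WHEN srv.minor >= f.minor
               THEN 'at or above the listed fixed release ' || f.major || '.' || f.minor
           ELSE 'below the listed fixed release ' || f.major || '.' || f.minor
       END AS cve_2024_10979_status,
       -- Empty array means neither PL/Perl language exists in this database.
       ARRAY(SELECT lanname
             FROM pg_language
             WHERE lanname IN ('plperl', 'plperlu')
             ORDER BY lanname) AS plperl_languages
FROM srv
LEFT JOIN fixed f ON f.major = srv.major;
```

On the 15.0 server described in the message this reports "below the listed fixed release 15.9"; on an 11.x server the major version falls outside the quoted list.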