MIME-Version: 1.0
References: <CAONZJQkaLtHeNz3P5wO8-EWPjOJ1M5fgyp8x4Mc4bb_U9n9_6g@mail.gmail.com>
 <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
 <CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>
In-Reply-To: <CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>
From: Subhash Udata <subhashudata@gmail.com>
Date: Fri, 22 Nov 2024 10:01:31 +0530
Message-ID: <CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Adrian Klaver <adrian.klaver@aklaver.com>, =?UTF-8?B?6rmA7KO87Jew?= <mysylph@gmail.com>, 
	"pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000001e68c4062778dcb6"
Archived-At: <https://www.postgresql.org/message-id/CAD%3D40Z2%2B84YNSM7oMb4QBpuAaadk%3D9XRw3PGEu5Ui_YsWpmtFA%40mail.gmail.com>
Precedence: bulk

--0000000000001e68c4062778dcb6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thank you for your detailed response. I would like to clarify my situation
further to ensure I take the appropriate steps.

Currently, my environment is running *PostgreSQL 15.0*. I understand that
version *15.9* contains the fix for CVE-2024-10979, as mentioned in the
release notes.

Given that I am not using the *PL/Perl* extension in my environment, I
wanted to ask:

   - Is it still mandatory to upgrade specifically to version *15.9*, or
   would remaining on version *15.0* suffice in this case?

I appreciate your guidance on whether this upgrade is necessary,
considering the specifics of my setup.

Thank you for your time and support.

On Fri, 22 Nov 2024 at 09:39, David G. Johnston <david.g.johnston@gmail.com=
>
wrote:

> On Thursday, November 21, 2024, Subhash Udata <subhashudata@gmail.com>
> wrote:
>>
>>
>> Thank you for your response regarding the affected versions of
>> PostgreSQL. I have a follow-up question for clarification:
>>
>> The PostgreSQL documentation mentions that the versions with a fix for
>> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
>> your reply states that any version greater than 13+ should suffice.
>>
>> Could you please confirm if upgrading to one of the specific versions
>> listed above is mandatory, or is it acceptable to upgrade to any version
>> higher than 13
>>
>
> It was literally just reported and fixed.  If you are on a supported
> release of PostgreSQL you have the fix.  If you are not, you don=E2=80=99=
t.
>
> At this point only major versions 13+ are supported.
>
> Upgrading to an unsupported minor release is never recommended.
>
> The fact you are on version 11 means you should not expect an answer to
> the question whether this newly discovered CVE affects you - that would b=
e
> expecting support for a long-unsupported version.
>
> Which of the 5 currently supported releases you should upgrade to is a
> decision you need to make given your circumstances.
>
> David J.
>
>

--0000000000001e68c4062778dcb6
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><p>Thank you for your detailed response. I would like to c=
larify my situation further to ensure I take the appropriate steps.</p><p>C=
urrently, my environment is running <strong>PostgreSQL 15.0</strong>. I und=
erstand that version <strong>15.9</strong> contains the fix for CVE-2024-10=
979, as mentioned in the release notes.</p><p>Given that I am not using the=
 <strong>PL/Perl</strong> extension in my environment, I wanted to ask:</p>=
<ul><li>Is it still mandatory to upgrade specifically to version <strong>15=
.9</strong>, or would remaining on version <strong>15.0</strong> suffice in=
 this case?</li></ul><p>I appreciate your guidance on whether this upgrade =
is necessary, considering the specifics of my setup.</p><p>Thank you for yo=
ur time and support.</p></div><br><div class=3D"gmail_quote"><div dir=3D"lt=
r" class=3D"gmail_attr">On Fri, 22 Nov 2024 at 09:39, David G. Johnston &lt=
;<a href=3D"mailto:david.g.johnston@gmail.com">david.g.johnston@gmail.com</=
a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On=
 Thursday, November 21, 2024, Subhash Udata &lt;<a href=3D"mailto:subhashud=
ata@gmail.com" target=3D"_blank">subhashudata@gmail.com</a>&gt; wrote:<bloc=
kquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:=
1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><p><br>Thank =
you for your response regarding the affected versions of PostgreSQL. I have=
 a follow-up question for clarification:</p><p>The PostgreSQL documentation=
 mentions that the versions with a fix for CVE-2024-10979 are <strong>17.1,=
 16.5, 15.9, 14.14, 13.17, and 12.21</strong>. However, your reply states t=
hat any version greater than 13+ should suffice.</p><p>Could you please con=
firm if upgrading to one of the specific versions listed above is mandatory=
, or is it acceptable to upgrade to any version higher than 13</p></div></b=
lockquote><div><br></div><div>It was literally just reported and fixed.=C2=
=A0 If you are on a supported release of PostgreSQL you have the fix.=C2=A0=
 If you are not, you don=E2=80=99t.</div><div><br></div><div>At this point =
only major versions 13+ are supported.</div><div><br></div><div>Upgrading t=
o an unsupported minor release is never recommended.</div><div><br></div><d=
iv>The fact you are on version 11 means you should not expect an answer to =
the question whether this newly discovered CVE affects you - that would be =
expecting support for a long-unsupported version.</div><div><br></div><div>=
Which of the 5 currently supported releases you should upgrade to is a deci=
sion you need to make given your circumstances.</div><div><br></div><div>Da=
vid J.</div><div>=C2=A0</div>
</blockquote></div>

--0000000000001e68c4062778dcb6--