From: "David G. Johnston"
Date: Fri, 22 Nov 2024 06:43:58 -0700
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
To: Matthias Apitz
Cc: Laurenz Albe, Subhash Udata, Adrian Klaver, 김주연, "pgsql-general@lists.postgresql.org"

On Friday, November 22, 2024, Matthias Apitz <guru@unixarea.de> wrote:

> Especially the version V7.2 (released in 2021) can't be updated on the
> client side, the cluster will be migrated to 16.5. I assume that
> CVE-2024-10979 affects the server side, and not the client side.

Yes, it is the server that executes procedural language code like plperl.

David J.