From: "David G. Johnston"
Date: Thu, 21 Nov 2024 21:51:32 -0700
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
To: Subhash Udata
Cc: Adrian Klaver, 김주연, "pgsql-general@lists.postgresql.org"

On Thursday, November 21, 2024, Subhash Udata wrote:

>
> Currently, my environment is running *PostgreSQL 15.0*. I understand that
> version *15.9* contains the fix for CVE-2024-10979, as mentioned in the
> release notes.
>
> Given that I am not using the *PL/Perl* extension in my environment
>

IIUC, any user that can execute “create extension plperl” in a database they are connected to (or, it having been installed, users that have been granted usage on the language) can exploit this vulnerability. Whether that is possible in your environment is something you’d need to determine.

I believe this particular detail probably should have been part of the release announcement but was not.

In any case if you aren’t willing to update consistently you really shouldn’t be deploying .0 releases.

David J.

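One way to make the determination the reply leaves to the reader, as an added example that is not part of the original message: catalog queries, run in each database, that show whether `plperl` can be installed, which roles could install it, and which roles hold USAGE on the language. It assumes PostgreSQL 13 or later, where the `trusted` column exists.

```sql
-- Added example, not from the original message. Assumes PostgreSQL 13+
-- (the "trusted" column does not exist before 13). Run in each database.

-- 1. Is PL/Perl available to install on this server at all?
--    No rows: the plperl control file is absent, so CREATE EXTENSION plperl fails.
SELECT name, version, installed, superuser, trusted
FROM pg_available_extension_versions
WHERE name = 'plperl';

-- 2. If it is not yet installed: which roles could install it here?
--    A trusted extension can be created by any role with CREATE on the database.
SELECT r.rolname, r.rolsuper
FROM pg_roles r
WHERE has_database_privilege(r.oid, current_database()::text, 'CREATE')
ORDER BY r.rolname;

-- 3. If it is installed: which roles hold USAGE on the language?
--    has_language_privilege() accounts for grants to PUBLIC and role membership.
SELECT r.rolname, r.rolsuper, r.rolcanlogin
FROM pg_language l
CROSS JOIN pg_roles r
WHERE l.lanname = 'plperl'
  AND has_language_privilege(r.oid, l.oid, 'USAGE')
ORDER BY r.rolname;

-- 4. Raw ACL for reference; NULL means the built-in default, which for
--    languages grants USAGE to PUBLIC.
SELECT lanname, lanpltrusted, lanacl
FROM pg_language
WHERE lanname = 'plperl';
```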