MIME-Version: 1.0
In-Reply-To: <CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
References: <CAONZJQkaLtHeNz3P5wO8-EWPjOJ1M5fgyp8x4Mc4bb_U9n9_6g@mail.gmail.com>
 <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
Date: Thu, 21 Nov 2024 21:09:31 -0700
Message-ID: <CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>
Subject: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
To: Subhash Udata <subhashudata@gmail.com>
Cc: Adrian Klaver <adrian.klaver@aklaver.com>, =?UTF-8?B?6rmA7KO87Jew?= <mysylph@gmail.com>, 
	"pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000c9c5950627788c21"
Archived-At: <https://www.postgresql.org/message-id/CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ%40mail.gmail.com>
Precedence: bulk

--000000000000c9c5950627788c21
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thursday, November 21, 2024, Subhash Udata <subhashudata@gmail.com>
wrote:
>
>
> Thank you for your response regarding the affected versions of PostgreSQL=
.
> I have a follow-up question for clarification:
>
> The PostgreSQL documentation mentions that the versions with a fix for
> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
> your reply states that any version greater than 13+ should suffice.
>
> Could you please confirm if upgrading to one of the specific versions
> listed above is mandatory, or is it acceptable to upgrade to any version
> higher than 13
>

It was literally just reported and fixed.  If you are on a supported
release of PostgreSQL you have the fix.  If you are not, you don=E2=80=99t.

At this point only major versions 13+ are supported.

Upgrading to an unsupported minor release is never recommended.

The fact you are on version 11 means you should not expect an answer to the
question whether this newly discovered CVE affects you - that would be
expecting support for a long-unsupported version.

Which of the 5 currently supported releases you should upgrade to is a
decision you need to make given your circumstances.

David J.

--000000000000c9c5950627788c21
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thursday, November 21, 2024, Subhash Udata &lt;<a href=3D"mailto:subhash=
udata@gmail.com" target=3D"_blank">subhashudata@gmail.com</a>&gt; wrote:<bl=
ockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #=
ccc solid;padding-left:1ex"><div dir=3D"ltr"><p><br>Thank you for your resp=
onse regarding the affected versions of PostgreSQL. I have a follow-up ques=
tion for clarification:</p><p>The PostgreSQL documentation mentions that th=
e versions with a fix for CVE-2024-10979 are <strong>17.1, 16.5, 15.9, 14.1=
4, 13.17, and 12.21</strong>. However, your reply states that any version g=
reater than 13+ should suffice.</p><p>Could you please confirm if upgrading=
 to one of the specific versions listed above is mandatory, or is it accept=
able to upgrade to any version higher than 13</p></div></blockquote><div><b=
r></div><div>It was literally just reported and fixed.=C2=A0 If you are on =
a supported release of PostgreSQL you have the fix.=C2=A0 If you are not, y=
ou don=E2=80=99t.</div><div><br></div><div>At this point only major version=
s 13+ are supported.</div><div><br></div><div>Upgrading to an unsupported m=
inor release is never recommended.</div><div><br></div><div>The fact you ar=
e on version 11 means you should not expect an answer to the question wheth=
er this newly discovered CVE affects you - that would be expecting support =
for a long-unsupported version.</div><div><br></div><div>Which of the 5 cur=
rently supported releases you should upgrade to is a decision you need to m=
ake given your circumstances.</div><div><br></div><div>David J.</div><div>=
=C2=A0</div>

--000000000000c9c5950627788c21--