MIME-Version: 1.0
References: <CAONZJQkaLtHeNz3P5wO8-EWPjOJ1M5fgyp8x4Mc4bb_U9n9_6g@mail.gmail.com>
 <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
 <CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com> <CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com>
In-Reply-To: <CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com>
From: Ron Johnson <ronljohnsonjr@gmail.com>
Date: Thu, 21 Nov 2024 23:39:38 -0500
Message-ID: <CANzqJaBBantiqGmrNWf0Ywa_hq1FPK6TWCAw3eu0wfeUgEjfOw@mail.gmail.com>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
To: "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000001a5081062778f965"
Archived-At: <https://www.postgresql.org/message-id/CANzqJaBBantiqGmrNWf0Ywa_hq1FPK6TWCAw3eu0wfeUgEjfOw%40mail.gmail.com>
Precedence: bulk

--0000000000001a5081062778f965
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

15.0 is missing TWO YEARS of bug fixes.
https://www.postgresql.org/docs/release/

And It's your database, not ours.  Plus, we aren't the Version Police that
knock your head with a billy club if you don't upgrade.

Patching takes 10 minutes, and any good DBA will keep his or her systems as
patched as his organization will allow.

On Thu, Nov 21, 2024 at 11:31=E2=80=AFPM Subhash Udata <subhashudata@gmail.=
com>
wrote:

> Thank you for your detailed response. I would like to clarify my situatio=
n
> further to ensure I take the appropriate steps.
>
> Currently, my environment is running *PostgreSQL 15.0*. I understand that
> version *15.9* contains the fix for CVE-2024-10979, as mentioned in the
> release notes.
>
> Given that I am not using the *PL/Perl* extension in my environment, I
> wanted to ask:
>
>    - Is it still mandatory to upgrade specifically to version *15.9*, or
>    would remaining on version *15.0* suffice in this case?
>
> I appreciate your guidance on whether this upgrade is necessary,
> considering the specifics of my setup.
>
> Thank you for your time and support.
>
> On Fri, 22 Nov 2024 at 09:39, David G. Johnston <
> david.g.johnston@gmail.com> wrote:
>
>> On Thursday, November 21, 2024, Subhash Udata <subhashudata@gmail.com>
>> wrote:
>>>
>>>
>>> Thank you for your response regarding the affected versions of
>>> PostgreSQL. I have a follow-up question for clarification:
>>>
>>> The PostgreSQL documentation mentions that the versions with a fix for
>>> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*.
>>> However, your reply states that any version greater than 13+ should suf=
fice.
>>>
>>> Could you please confirm if upgrading to one of the specific versions
>>> listed above is mandatory, or is it acceptable to upgrade to any versio=
n
>>> higher than 13
>>>
>>
>> It was literally just reported and fixed.  If you are on a supported
>> release of PostgreSQL you have the fix.  If you are not, you don=E2=80=
=99t.
>>
>> At this point only major versions 13+ are supported.
>>
>> Upgrading to an unsupported minor release is never recommended.
>>
>> The fact you are on version 11 means you should not expect an answer to
>> the question whether this newly discovered CVE affects you - that would =
be
>> expecting support for a long-unsupported version.
>>
>> Which of the 5 currently supported releases you should upgrade to is a
>> decision you need to make given your circumstances.
>>
>> David J.
>>
>>
>

--=20
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

--0000000000001a5081062778f965
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>15.0 is missing TWO YEARS of bug fixes.=C2=A0 <a=
 href=3D"https://www.postgresql.org/docs/release/">https://www.postgresql.o=
rg/docs/release/</a></div><div><br></div></div><div>And It&#39;s your datab=
ase, not ours.=C2=A0 Plus, we aren&#39;t the Version Police that knock your=
=C2=A0head with a billy club if you don&#39;t upgrade.</div><div><br></div>=
<div>Patching takes 10 minutes, and any good DBA will keep his or her syste=
ms as patched as his organization will allow.</div><div><br></div><div dir=
=3D"ltr">On Thu, Nov 21, 2024 at 11:31=E2=80=AFPM Subhash Udata &lt;<a href=
=3D"mailto:subhashudata@gmail.com">subhashudata@gmail.com</a>&gt; wrote:</d=
iv><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:=
1ex"><div dir=3D"ltr"><p>Thank you for your detailed response. I would like=
 to clarify my situation further to ensure I take the appropriate steps.</p=
><p>Currently, my environment is running <strong>PostgreSQL 15.0</strong>. =
I understand that version <strong>15.9</strong> contains the fix for CVE-20=
24-10979, as mentioned in the release notes.</p><p>Given that I am not usin=
g the <strong>PL/Perl</strong> extension in my environment, I wanted to ask=
:</p><ul><li>Is it still mandatory to upgrade specifically to version <stro=
ng>15.9</strong>, or would remaining on version <strong>15.0</strong> suffi=
ce in this case?</li></ul><p>I appreciate your guidance on whether this upg=
rade is necessary, considering the specifics of my setup.</p><p>Thank you f=
or your time and support.</p></div><br><div class=3D"gmail_quote"><div dir=
=3D"ltr" class=3D"gmail_attr">On Fri, 22 Nov 2024 at 09:39, David G. Johnst=
on &lt;<a href=3D"mailto:david.g.johnston@gmail.com" target=3D"_blank">davi=
d.g.johnston@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex">On Thursday, November 21, 2024, Subhash Udata &lt;<a =
href=3D"mailto:subhashudata@gmail.com" target=3D"_blank">subhashudata@gmail=
.com</a>&gt; wrote:<blockquote class=3D"gmail_quote" style=3D"margin:0px 0p=
x 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div d=
ir=3D"ltr"><p><br>Thank you for your response regarding the affected versio=
ns of PostgreSQL. I have a follow-up question for clarification:</p><p>The =
PostgreSQL documentation mentions that the versions with a fix for CVE-2024=
-10979 are <strong>17.1, 16.5, 15.9, 14.14, 13.17, and 12.21</strong>. Howe=
ver, your reply states that any version greater than 13+ should suffice.</p=
><p>Could you please confirm if upgrading to one of the specific versions l=
isted above is mandatory, or is it acceptable to upgrade to any version hig=
her than 13</p></div></blockquote><div><br></div><div>It was literally just=
 reported and fixed.=C2=A0 If you are on a supported release of PostgreSQL =
you have the fix.=C2=A0 If you are not, you don=E2=80=99t.</div><div><br></=
div><div>At this point only major versions 13+ are supported.</div><div><br=
></div><div>Upgrading to an unsupported minor release is never recommended.=
</div><div><br></div><div>The fact you are on version 11 means you should n=
ot expect an answer to the question whether this newly discovered CVE affec=
ts you - that would be expecting support for a long-unsupported version.</d=
iv><div><br></div><div>Which of the 5 currently supported releases you shou=
ld upgrade to is a decision you need to make given your circumstances.</div=
><div><br></div><div>David J.</div><div>=C2=A0</div>
</blockquote></div>
</blockquote></div><div><br clear=3D"all"></div><div><br></div><span class=
=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_s=
ignature"><div dir=3D"ltr">Death to &lt;Redacted&gt;, and butter sauce.<div=
>Don&#39;t boil me, I&#39;m still alive.<br><div><div>&lt;Redacted&gt; lobs=
ter!</div></div></div></div></div></div>

--0000000000001a5081062778f965--