MIME-Version: 1.0
References: <CAONZJQkaLtHeNz3P5wO8-EWPjOJ1M5fgyp8x4Mc4bb_U9n9_6g@mail.gmail.com>
 <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
 <CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>
 <CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com>
 <6c898e6499036ce70ac113b52df5c3ff06286a6a.camel@cybertec.at>
 <Z0A6Eg2FH2Nb5sWO@pureos> <Z0IafWDrFln-n0P5@momjian.us> <CANzqJaCph4bT6MQEiDCVROiCQf+jqKKWJowEBqKme-qg83Jzfw@mail.gmail.com>
 <Z0JLe8KsJy_6Si6O@momjian.us>
In-Reply-To: <Z0JLe8KsJy_6Si6O@momjian.us>
From: Ron Johnson <ronljohnsonjr@gmail.com>
Date: Sat, 23 Nov 2024 21:04:03 -0500
Message-ID: <CANzqJaBVgzvNbWFQtLSnk5mGz9hUp7qmJWaO3_OTPvsJVtD_eQ@mail.gmail.com>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
To: pgsql-general <pgsql-general@postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000062f98406279f0874"
Archived-At: <https://www.postgresql.org/message-id/CANzqJaBVgzvNbWFQtLSnk5mGz9hUp7qmJWaO3_OTPvsJVtD_eQ%40mail.gmail.com>
Precedence: bulk

--00000000000062f98406279f0874
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 23, 2024 at 4:39=E2=80=AFPM Bruce Momjian <bruce@momjian.us> wr=
ote:

>  On Sat, Nov 23, 2024 at 03:24:47PM -0500, Ron Johnson wrote:
> > On Sat, Nov 23, 2024 at 1:10=E2=80=AFPM Bruce Momjian <bruce@momjian.us=
> wrote:
> > [snip]
> >
> >     I have to admit, for this question, we just point people to:
> >
> >             https://www.postgresql.org/support/versioning/
> >
> >     and say bounce the database server and install the binaries.  What =
I
> >     have never considered before, and I should have, is the complexity =
of
> >     doing this for many remote servers.  Can we improve our guidance fo=
r
> >     these cases?
> >
> >
> > What guidance is needed?  Even for us, where firewalls block our server=
s
> from
> > https://download.postgresql.org, it's as simple as downloading the
> relevant RPM
> > files once (and that done with a PowerShell script), then patching
> thusly:
> >
> > WinScp PG16.4_RHEL8 dir to each server, and on each server
> > $ sudo -iu postgres pg_ctl stop -mfast -wt9999 -D /path/to/data
> > $ sudo yum install PG16.4_RHEL8/*rpm
> > $ sudo -iu postgres pg_ctl start -wt9999 -D /path/to/data
> >
> > Those three sudo commands take, at most, three minutes.
>
> I am thinking more of cases where you have 100+ customers, and you need
> to coordinate/connect to each company to perform the upgrade.  Doing
> that every quarter might be a lot of work, and it might be hard to
> justify for every minor release.
>

Two thoughts:
- PGDG publishes release notes.
- PowerShell + Putty(*) are a darned powerful combo for automating remote
maintenance.

*It's more than just a GUI ssh client.

--=20
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

--00000000000062f98406279f0874
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Sat, Nov 23, 2024 at 4:39=E2=80=AFPM B=
ruce Momjian &lt;<a href=3D"mailto:bruce@momjian.us">bruce@momjian.us</a>&g=
t; wrote:</div><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote"=
 style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);p=
adding-left:1ex">=C2=A0On Sat, Nov 23, 2024 at 03:24:47PM -0500, Ron Johnso=
n wrote:<br>
&gt; On Sat, Nov 23, 2024 at 1:10=E2=80=AFPM Bruce Momjian &lt;<a href=3D"m=
ailto:bruce@momjian.us" target=3D"_blank">bruce@momjian.us</a>&gt; wrote:<b=
r>
&gt; [snip]=C2=A0<br>
&gt; <br>
&gt;=C2=A0 =C2=A0 =C2=A0I have to admit, for this question, we just point p=
eople to:<br>
&gt; <br>
&gt;=C2=A0 =C2=A0 =C2=A0=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"https://www.=
postgresql.org/support/versioning/" rel=3D"noreferrer" target=3D"_blank">ht=
tps://www.postgresql.org/support/versioning/</a><br>
&gt; <br>
&gt;=C2=A0 =C2=A0 =C2=A0and say bounce the database server and install the =
binaries.=C2=A0 What I<br>
&gt;=C2=A0 =C2=A0 =C2=A0have never considered before, and I should have, is=
 the complexity of<br>
&gt;=C2=A0 =C2=A0 =C2=A0doing this for many remote servers.=C2=A0 Can we im=
prove our guidance for<br>
&gt;=C2=A0 =C2=A0 =C2=A0these cases?<br>
&gt; <br>
&gt; <br>
&gt; What guidance is needed?=C2=A0 Even for us, where firewalls block our =
servers from=C2=A0<br>
&gt; <a href=3D"https://download.postgresql.org" rel=3D"noreferrer" target=
=3D"_blank">https://download.postgresql.org</a>, it&#39;s as simple as down=
loading=C2=A0the relevant RPM<br>
&gt; files once=C2=A0(and that done with a PowerShell script), then patchin=
g thusly:<br>
&gt; <br>
&gt; WinScp PG16.4_RHEL8 dir to each server, and on each server<br>
&gt; $ sudo -iu postgres pg_ctl stop -mfast -wt9999 -D /path/to/data<br>
&gt; $ sudo yum install PG16.4_RHEL8/*rpm<br>
&gt; $ sudo -iu postgres pg_ctl start -wt9999 -D /path/to/data<br>
&gt; <br>
&gt; Those three sudo commands take, at most, three minutes.<br>
<br>
I am thinking more of cases where you have 100+ customers, and you need<br>
to coordinate/connect to each company to perform the upgrade.=C2=A0 Doing<b=
r>
that every quarter might be a lot of work, and it might be hard to<br>
justify for every minor release.<br></blockquote><div><br></div><div>Two th=
oughts:</div><div>- PGDG publishes release notes.=C2=A0</div><div>- PowerSh=
ell=C2=A0+ Putty(*) are a darned powerful combo for automating remote maint=
enance.</div></div><div><br></div><div>*It&#39;s more than just a GUI ssh c=
lient.</div><div><br></div><span class=3D"gmail_signature_prefix">-- </span=
><br><div dir=3D"ltr" class=3D"gmail_signature"><div dir=3D"ltr">Death to &=
lt;Redacted&gt;, and butter sauce.<div>Don&#39;t boil me, I&#39;m still ali=
ve.<br><div><div>&lt;Redacted&gt; lobster!</div></div></div></div></div></d=
iv>

--00000000000062f98406279f0874--