From: Ron Johnson
Date: Sat, 23 Nov 2024 15:24:47 -0500
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
To: pgsql-general
References: <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <6c898e6499036ce70ac113b52df5c3ff06286a6a.camel@cybertec.at>

On Sat, Nov 23, 2024 at 1:10 PM Bruce Momjian <bruce@momjian.us> wrote:
[snip]
> I have to admit, for this question, we just point people to:
>
>         https://www.postgresql.org/support/versioning/
>
> and say bounce the database server and install the binaries.  What I
> have never considered before, and I should have, is the complexity of
> doing this for many remote servers.  Can we improve our guidance for
> these cases?

What guidance is needed?  Even for us, where firewalls block our servers from https://download.postgresql.org, it's as simple as downloading the relevant RPM files *once* (and that done with a PowerShell script), then patching thusly:

WinSCP the PG16.4_RHEL8 dir to each server, and on each server:

$ sudo -iu postgres pg_ctl stop -mfast -wt9999 -D /path/to/data
$ sudo yum install PG16.4_RHEL8/*rpm
$ sudo -iu postgres pg_ctl start -wt9999 -D /path/to/data

Those three sudo commands take, at most, three minutes.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
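The rollout the post describes (copy a pre-downloaded RPM directory to each server, stop, install, start), turned into a script for many hosts. This is an added example, not code from the post or from the PostgreSQL project. Everything beyond the post's three commands is an assumption for illustration: a hypothetical hosts.txt with one host per line, an ssh user that can sudo on each target, the PGDG signing key already imported with `rpm --import` on every host so `rpm -K` can verify the packages, and local peer authentication for the postgres OS user so the post-restart version check works. It adds the two checks a practitioner would want around the post's steps: signature verification of the RPMs before the server is stopped, and a `show server_version` afterwards to prove the new minor release is what came back up.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list post: roll a pre-downloaded set of
# PostgreSQL minor-release RPMs out to many hosts over scp/ssh.
# Hypothetical assumptions: one host per line in HOSTS_FILE ('#' comments
# allowed), the ssh user can sudo, and the PGDG signing key has already been
# imported with 'rpm --import' on every target so 'rpm -K' can verify it.
set -eu

RPM_DIR="${RPM_DIR:-PG16.4_RHEL8}"     # directory of RPMs fetched once, in advance
PGDATA="${PGDATA:-/path/to/data}"      # data directory on every target
HOSTS_FILE="${HOSTS_FILE:-hosts.txt}"  # hypothetical host list
DRY_RUN="${DRY_RUN:-0}"                # 1 = print the per-host script, do not ssh

# Emit the script that runs on one target. Kept as a function so the exact
# sequence can be reviewed (or tested) without touching a real host.
remote_patch_script() {
  rpm_dir="$1"
  pgdata="$2"
  cat <<EOF
set -eu
# Supply-chain check: abort before stopping the server if any package's digest
# or GPG signature does not verify against the imported key.
rpm -K "$rpm_dir"/*.rpm
# Same three steps as the post; -y because nobody is at the prompt on each host.
sudo -iu postgres pg_ctl stop -mfast -wt9999 -D "$pgdata"
sudo yum -y install "$rpm_dir"/*.rpm
sudo -iu postgres pg_ctl start -wt9999 -D "$pgdata"
# Confirm the restarted server really is the new minor release (assumes local
# peer authentication for the postgres OS user).
sudo -iu postgres psql -XAtc 'show server_version'
EOF
}

# Copy the RPM directory to one host and run the patch script there.
patch_host() {
  host="$1"
  if [ "$DRY_RUN" = 1 ]; then
    printf '== %s ==\n' "$host"
    remote_patch_script "$RPM_DIR" "$PGDATA"
    return 0
  fi
  scp -rq "$RPM_DIR" "$host:" || return 1
  # Pipe the script in so nothing is left lying around on the host; the
  # pipeline's status is ssh's, i.e. the remote script's exit code.
  remote_patch_script "$RPM_DIR" "$PGDATA" | ssh "$host" bash -s
}

# Loop over the host list; keep going after a failure, but report it and exit
# non-zero at the end so the failed hosts get looked at.
patch_all() {
  rc=0
  while IFS= read -r host || [ -n "$host" ]; do
    case "$host" in ''|'#'*) continue ;; esac
    if patch_host "$host"; then
      printf 'OK      %s\n' "$host"
    else
      printf 'FAILED  %s\n' "$host" >&2
      rc=1
    fi
  done < "$HOSTS_FILE"
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then
  patch_all
fi
```

Review the generated per-host sequence first with `DRY_RUN=1 ./patch_pg.sh --run`, then run it for real with `./patch_pg.sh --run`. Two caveats: `rpm -K` only proves the packages were signed by a key you trust, not that they are the release you meant to ship, which is why the version is printed after the restart; and `yum -y` differs from the post's interactive `yum install` because an unattended loop cannot answer the prompt on every server.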