From: Ron Johnson
Date: Thu, 6 Mar 2025 05:08:42 -0500
Subject: Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i
To: "pgsql-general@lists.postgresql.org"

Since it's a 24x7 app, you have database replication, virtual IPs and a fail-over manager in case a server crashes?

Anyway, read through the PG 15 release notes. If none really affect you, then stay on 15.3. You're certain to miss *something*, though, or not understand the ramifications. And besides, there are always security patches in them.

On Thu, Mar 6, 2025 at 4:33 AM Abraham, Danny wrote:

> Explanation.
> We have hundreds of pg servers (mainly Linux).
> App is 7×24.
> We think that patching the server to 15.12 will cost about 30 times more compared to patching the pg client (mainly qa effort).
> The app is working fine using [libpq, psql] on both Linux as well as Windows.
> Would love to hear your opinion.
> Thanks
> Danny
>
> On Mar 6, 2025 10:11, Laurenz Albe wrote:
> [redirecting to pgsql-general]
>
> On Thu, 2025-03-06 at 07:39 +0000, Abraham, Danny wrote:
> > I have many customers using PG 15.3 happily, and I cannot just snap upgrade them all to 15.12.
>
> Why do you think you cannot do that?
> In the long run, you'll be sorry if you don't.
> It is just a matter of replacing the software and restarting the database server.
>
> > I have tested a nasty trick of replacing PSQL, LIBPQ and several other DLL's so that
> > I have a PG client 15.12 within the folders of Server 15.3.
> >
> > All working just fine.
> >
> > I plan to ship it as a patch - but would like to hear your opinion on this "merge".
> >
> > (Of course, the next version will use PG 17.4, so this is just an SOS action).
> >
> > Directory of C:\Users\dbauser\Desktop\15.12
> >
> > 02/20/2025  11:48 AM  4,696,576 libcrypto-3-x64.dll
> > 02/20/2025  11:48 AM  1,850,401 libiconv-2.dll
> > 02/20/2025  11:48 AM    475,769 libintl-9.dll
> > 02/20/2025  11:48 AM    323,584 libpq.dll
> > 02/20/2025  11:48 AM    779,776 libssl-3-x64.dll
> > 02/20/2025  11:48 AM     52,736 libwinpthread-1.dll
> > 02/20/2025  11:48 AM    604,160 psql.exe
> >
> > ==
> > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>postgres -V
> > postgres (PostgreSQL) 15.3
> >
> > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>psql -V
> > psql (PostgreSQL) 15.12
>
> There is nothing fundamentally evil about upgrading the client.
>
> But what is the point? Why are you worried about client bugs more than
> about server bugs? The latter are much more likely to eat your data.
>
> But then, if you are using Windows, perhaps you don't care a lot about
> your data...
>
> Yours,
> Laurenz Albe

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
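An added example, not part of the thread or of PostgreSQL: a small Python audit that parses `postgres -V` and `psql -V` banners like the two quoted above and reports hosts where the client reached the target minor release but the server did not. The host names, function names and inventory are constructed for illustration; the target `(15, 12)` is the 15.12 named in the thread, and two-part (PostgreSQL 10 and later) version numbers are assumed.

```python
import re

# Matches banners such as "psql (PostgreSQL) 15.12" or
# "postgres (PostgreSQL) 15.3 (Debian 15.3-1.pgdg120+1)".
BANNER = re.compile(r"^(?P<prog>\S+) \(PostgreSQL\) (?P<major>\d+)\.(?P<minor>\d+)\b")


def parse_banner(line):
    """Return (program, (major, minor)) from `-V` output, or None if unparseable."""
    m = BANNER.match(line.strip())
    if not m:
        return None
    # Integers, not strings: as text "15.3" sorts after "15.12".
    return m["prog"], (int(m["major"]), int(m["minor"]))


def audit_host(banners, target):
    """Classify one host from its `postgres -V` and `psql -V` lines."""
    found = dict(filter(None, map(parse_banner, banners)))
    server, client = found.get("postgres"), found.get("psql")
    if server is None or client is None:
        return "incomplete"
    if server[0] != target[0] or client[0] != target[0]:
        return "different-major"
    behind = [name for name, ver in (("server", server), ("client", client))
              if ver < target]
    return "behind:" + "+".join(behind) if behind else "current"


# Constructed inventory; host-a reproduces the two banners quoted in the thread.
INVENTORY = {
    "host-a": ["postgres (PostgreSQL) 15.3", "psql (PostgreSQL) 15.12"],
    "host-b": ["postgres (PostgreSQL) 15.12", "psql (PostgreSQL) 15.12"],
    "host-c": ["postgres (PostgreSQL) 15.3", "psql (PostgreSQL) 15.3"],
}


def audit(inventory, target=(15, 12)):
    """Map each host to its status against the target (major, minor)."""
    return {host: audit_host(lines, target) for host, lines in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```
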