public inbox for [email protected]
From: Matthias Apitz <[email protected]>
To: Laurenz Albe <[email protected]>
Cc: Subhash Udata <[email protected]>
Cc: David G. Johnston <[email protected]>
Cc: Adrian Klaver <[email protected]>
Cc: 김주연 <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Date: Fri, 22 Nov 2024 09:00:18 +0100
Message-ID: <Z0A6Eg2FH2Nb5sWO@pureos>
In-Reply-To: <[email protected]>
References: <CAONZJQkaLtHeNz3P5wO8-EWPjOJ1M5fgyp8x4Mc4bb_U9n9_6g@mail.gmail.com>
<[email protected]>
<CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
<CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>
<CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com>
<[email protected]>
On Friday, November 22, 2024 at 05:52:34 +0100, Laurenz Albe wrote:
> On Fri, 2024-11-22 at 10:01 +0530, Subhash Udata wrote:
> > Currently, my environment is running PostgreSQL 15.0. I understand that version
> > 15.9 contains the fix for CVE-2024-10979, as mentioned in the release notes.
> > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > * Is it still mandatory to upgrade specifically to version 15.9, or would
> > remaining on version 15.0 suffice in this case?
> > I appreciate your guidance on whether this upgrade is necessary, considering the
> > specifics of my setup.
>
> If you don't use PL/Perl, you are not affected by that security vulnerability.
>
> I wonder what you mean by "mandatory".
>
> We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> would make your employer unhappy. If you stay on 15.0, you will be subject to
> thirteen other security vulnerabilities (if I counted right), and you may end
> up with corrupted GIN and BRIN indexes. Additionally, you will be subject to
> countless known bugs that have been fixed since.
>
> You should *always* update to the latest minor release shortly after it is
> released. Everything else is negligent.
Laurenz, et al.,
The company I'm working for is the producer of a Library Management System
with C/C++ servers on Linux, using the ESQL/C and DBI interfaces of
PostgreSQL (and, in older versions, Sybase too), and the software is deployed
to 100++ customer installations, sometimes with limited IT know-how of their own.
"You should *always* update ..." is nice to say, but in the landscape described
above it is not easy to do. For the two released versions of our software (V7.2 and
V7.3) and the current version in development (V7.3-SP1) we plan the
following migrations of the server and client side of PostgreSQL:
  under development: V7.3-SP1 (we will not support 15.9 as cluster in SP1)
      used ESQL/C 15.9 (i.e. PostgreSQL client side)
      migrate the used cluster/database 'from' --> 'to'
          15.1 --> 16.5
          16.2 --> 16.5

  released: V7.3 (we will not support 15.9 as cluster in V7.3)
      used ESQL/C 15.1 (i.e. PostgreSQL client side)
      migrate the used cluster/database 'from' --> 'to'
          15.1 --> 16.5
          16.2 --> 16.5

  released: V7.2 (we will not support 15.9 as cluster in V7.2)
      used ESQL/C 11.4 (i.e. PostgreSQL client side)
      migrate the used cluster/database 'from' --> 'to'
          13.1 --> 16.5
          16.2 --> 16.5
Especially version V7.2 (released in 2021) can't be updated on the
client side; the cluster will be migrated to 16.5. I assume that
CVE-2024-10979 affects the server side, and not the client side.
Any further comments on this?
Thanks
matthias
--
Matthias Apitz, ✉ [email protected], http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
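The exposure question raised in this thread (is a given cluster affected, and does the libpq/ESQL/C client version matter?) reduces to two checks against the server: its minor release and whether plperl/plperlu is installed in any database. The following triage helper is an added example, not code from the thread or from the PostgreSQL project. It assumes the fix-version table of the 14 November 2024 minor releases (17.1, 16.5, 15.9, 14.14, 13.17, 12.21; PostgreSQL 11 was already end-of-life and got no fix), and it takes as input the values a DBA would collect with `SELECT current_setting('server_version_num')` once per cluster and `SELECT lanname FROM pg_language` once per database. The sample inventory is constructed and the customer names are hypothetical.

```python
"""Triage helper for CVE-2024-10979 (arbitrary code execution via PL/Perl
environment-variable changes).  Added example, not part of the original
thread.  It encodes the point made in the thread: the flaw is in the
server-side PL/Perl handler, so the client library version (libpq, ESQL/C)
is irrelevant; a cluster is exposed only if the server is older than the
fixed minor release AND plperl or plperlu is installed in some database.
"""

# Minor releases of 14 November 2024 that shipped the fix, keyed by major.
# Majors missing here (11 and older) were end-of-life and received no fix.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Language names as they appear in pg_language.lanname.
PLPERL_LANGS = {"plperl", "plperlu"}


def parse_version_num(server_version_num: int) -> tuple[int, int]:
    """Split PostgreSQL's integer server_version_num into (major, minor).

    For PostgreSQL 10+ the encoding is major * 10000 + minor,
    e.g. 150009 -> (15, 9), 160005 -> (16, 5).
    """
    return server_version_num // 10000, server_version_num % 10000


def server_has_fix(server_version_num: int):
    """True if the server minor includes the fix, False if it is older,
    None if the major line is unsupported and no fixed minor exists."""
    major, minor = parse_version_num(server_version_num)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return None
    return minor >= fixed


def assess(server_version_num: int, languages_by_db: dict, client_version_num=None):
    """Return (status, reason) for one cluster.

    languages_by_db maps datname -> set of lanname values, i.e. the result of
    `SELECT lanname FROM pg_language` run in each database of the cluster
    (pg_language is a per-database catalog, so every database must be
    queried).  client_version_num is accepted only to make the point
    explicit: it does not influence the verdict.
    """
    major, minor = parse_version_num(server_version_num)
    plperl_dbs = sorted(db for db, langs in languages_by_db.items()
                        if langs & PLPERL_LANGS)
    fix = server_has_fix(server_version_num)

    if fix is True:
        return "fixed", f"server {major}.{minor} includes the fix ({major}.{FIXED_MINOR[major]} or later)"
    if not plperl_dbs:
        return "not_affected", ("no database has plperl/plperlu installed; "
                                "the cluster should still be updated for the other fixes")
    if fix is None:
        return "vulnerable_no_fix", (f"PostgreSQL {major} is end-of-life and has no fixed minor; "
                                     f"PL/Perl is installed in {', '.join(plperl_dbs)}, "
                                     "migrate to a supported major")
    return "vulnerable", (f"PL/Perl installed in {', '.join(plperl_dbs)} on server {major}.{minor}; "
                          f"update the server to {major}.{FIXED_MINOR[major]} or later "
                          f"(client library version {client_version_num} is irrelevant)")


# Constructed sample inventory (hypothetical customer names) shaped like the
# thread's situation: old V7.2 clusters on 13.x, V7.3 on 15.x, one already
# migrated to 16.5, and one forgotten PostgreSQL 11 installation.
SAMPLE_CLUSTERS = {
    "customer-a (V7.2, cluster 13.1)": (130001, {
        "postgres": {"internal", "c", "sql", "plpgsql"},
        "lms": {"internal", "c", "sql", "plpgsql", "plperl"},
    }),
    "customer-b (V7.3, cluster 15.1)": (150001, {
        "postgres": {"internal", "c", "sql", "plpgsql"},
        "lms": {"internal", "c", "sql", "plpgsql"},
    }),
    "customer-c (migrated, 16.5)": (160005, {
        "lms": {"internal", "c", "sql", "plpgsql", "plperl"},
    }),
    "legacy (11.10)": (110010, {
        "lms": {"internal", "c", "sql", "plpgsql", "plperlu"},
    }),
}


def triage(clusters: dict = SAMPLE_CLUSTERS) -> dict:
    """Map each cluster name to its status string."""
    return {name: assess(ver, langs)[0] for name, (ver, langs) in clusters.items()}


if __name__ == "__main__":
    for name, (ver, langs) in SAMPLE_CLUSTERS.items():
        status, reason = assess(ver, langs)
        print(f"{name}: {status} ({reason})")
```

The ordering of the checks is deliberate: a server at or past the fixed minor is reported as fixed regardless of PL/Perl, a server without PL/Perl anywhere is reported as not affected by this CVE but still in need of the other fixes Laurenz mentions, and an end-of-life major with PL/Perl installed gets its own status because no minor update can resolve it. To feed real data into `assess`, run the two queries per cluster with `psql -At`, iterating `pg_language` over every database listed in `pg_database`.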