public inbox for [email protected]
help / color / mirror / Atom feedFrom: Bruce Momjian <[email protected]>
To: Matthias Apitz <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Subhash Udata <[email protected]>
Cc: David G. Johnston <[email protected]>
Cc: Adrian Klaver <[email protected]>
Cc: 김주연 <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Date: Sat, 23 Nov 2024 13:10:05 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <Z0A6Eg2FH2Nb5sWO@pureos>
References: <CAONZJQkaLtHeNz3P5wO8-EWPjOJ1M5fgyp8x4Mc4bb_U9n9_6g@mail.gmail.com>
<[email protected]>
<CAD=40Z3G8z6d1BMDmQVAAPWzCzK5kbU9wWTCZA58qmq8-L=eoA@mail.gmail.com>
<CAKFQuwbW-5yyVPCjyTJ0uwZZvn9J94s1XzuFnoBbMXp3BC3XyQ@mail.gmail.com>
<CAD=40Z2+84YNSM7oMb4QBpuAaadk=9XRw3PGEu5Ui_YsWpmtFA@mail.gmail.com>
<[email protected]>
<Z0A6Eg2FH2Nb5sWO@pureos>
On Fri, Nov 22, 2024 at 09:00:18AM +0100, Matthias Apitz wrote:
> El día viernes, noviembre 22, 2024 a las 05:52:34 +0100, Laurenz Albe escribió:
>
> > On Fri, 2024-11-22 at 10:01 +0530, Subhash Udata wrote:
> > > Currently, my environment is running PostgreSQL 15.0. I understand that version
> > > 15.9 contains the fix for CVE-2024-10979, as mentioned in the release notes.
> > > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > > * Is it still mandatory to upgrade specifically to version 15.9, or would
> > > remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary, considering the
> > > specifics of my setup.
> >
> > If you don't use PL/Perl, you are not affected by that security vulnerability.
> >
> > I wonder what you mean by "mandatory".
> >
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy. If you stay on 15.0, you will be subject to
> > thirteen other security vulnerabilities (if I counted right), and you may end
> > up with corrupted GIN and BRIN indexes. Additionally, you will be subject to
> > countless known bugs that have been fixed since.
> >
> > You should *always* update to the latest minor release shortly after it is
> > released. Everything else is negligent.
>
> Laurenz, et all,
>
> The company I'm working for is producer of a Library Management System
> with C/C++ written servers on Linux, using ESQL/C and DBI interfaces of
> PostgreSQL (and older version Sybase too) and the software is deployed
> to 100++ customer installations, sometimes with limited own IT know how.
>
> "You should *always* update ..." is nice to say, but in the described land
> not easy to do. For the two released versions of our software (V7.2 and
> V7.3) and the current version in development (V7.3-SP1) we plan the
> following migrations of the server and client side of PostgreSQL:
I have to admit, for this question, we just point people to:
https://www.postgresql.org/support/versioning/
and say bounce the database server and install the binaries. What I
have never considered before, and I should have, is the complexity of
doing this for many remote servers. Can we improve our guidance for
these cases?
--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"
view thread (25+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox