Date: Sat, 23 Nov 2024 13:10:05 -0500
From: Bruce Momjian
To: Matthias Apitz
Cc: Laurenz Albe, Subhash Udata, "David G. Johnston", Adrian Klaver, 김주연, pgsql-general@lists.postgresql.org
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

On Fri, Nov 22, 2024 at 09:00:18AM +0100, Matthias Apitz wrote:
> On Friday, November 22, 2024 at 05:52:34 +0100, Laurenz Albe wrote:
>
> > On Fri, 2024-11-22 at 10:01 +0530, Subhash Udata wrote:
> > > Currently, my environment is running PostgreSQL 15.0. I understand that version
> > > 15.9 contains the fix for CVE-2024-10979, as mentioned in the release notes.
> > > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > >  * Is it still mandatory to upgrade specifically to version 15.9, or would
> > > remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary, considering the
> > > specifics of my setup.
> >
> > If you don't use PL/Perl, you are not affected by that security vulnerability.
> >
> > I wonder what you mean by "mandatory".
> >
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy. If you stay on 15.0, you will be subject to
> > thirteen other security vulnerabilities (if I counted right), and you may end
> > up with corrupted GIN and BRIN indexes. Additionally, you will be subject to
> > countless known bugs that have been fixed since.
> >
> > You should *always* update to the latest minor release shortly after it is
> > released. Everything else is negligent.
>
> Laurenz, et al.,
>
> The company I'm working for is a producer of a Library Management System
> with C/C++ written servers on Linux, using ESQL/C and DBI interfaces of
> PostgreSQL (and older version Sybase too) and the software is deployed
> to 100++ customer installations, sometimes with limited own IT know-how.
>
> "You should *always* update ..." is nice to say, but in the described land
> not easy to do. For the two released versions of our software (V7.2 and
> V7.3) and the current version in development (V7.3-SP1) we plan the
> following migrations of the server and client side of PostgreSQL:

I have to admit, for this question, we just point people to:

https://www.postgresql.org/support/versioning/

and say bounce the database server and install the binaries.

What I have never considered before, and I should have, is the complexity
of doing this for many remote servers. Can we improve our guidance for
these cases?

--
Bruce Momjian https://momjian.us
EDB https://enterprisedb.com

When a patient asks the doctor, "Am I going to die?", he means "Am I going to die soon?"
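The thread turns on two facts about a given server: whether it is older than the 15.9 release that the release notes say fixes CVE-2024-10979, and whether PL/Perl is actually present. The following queries are an added example, not code from the thread or from the PostgreSQL project; they assume a 15.x server (the 150009 threshold is 15.9 expressed as server_version_num, so other major branches need their own fixed-minor threshold) and must be run in each database, because languages and extensions are per-database.

```sql
-- Added example: is this 15.x server older than 15.9, and is PL/Perl installed here?
-- server_version_num encodes major*10000 + minor, so 15.9 is 150009 (assumed threshold).
SELECT current_setting('server_version')                   AS server_version,
       current_setting('server_version_num')::int < 150009 AS older_than_15_9,
       EXISTS (SELECT 1 FROM pg_language
               WHERE lanname IN ('plperl', 'plperlu'))    AS plperl_language_present,
       EXISTS (SELECT 1 FROM pg_extension
               WHERE extname IN ('plperl', 'plperlu'))    AS plperl_extension_installed;

-- pg_language is checked as well as pg_extension because a language created with
-- CREATE LANGUAGE on an old cluster may exist without a matching extension row.
-- List any functions written in PL/Perl, so "I don't use PL/Perl" can be verified
-- rather than assumed, per database.
SELECT n.nspname AS schema, p.proname AS function, l.lanname AS language
FROM   pg_proc p
JOIN   pg_language l  ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname IN ('plperl', 'plperlu')
ORDER  BY 1, 2;
```

An empty result from the second query in every database, together with plperl_language_present = false, is the evidence behind "not affected by that security vulnerability"; it says nothing about the other fixes in the later minors, which is the point the thread makes about staying current anyway.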