Date: Sat, 23 Nov 2024 13:57:16 -0500
From: Bruce Momjian
To: Greg Sabino Mullane
Cc: Matthias Apitz, Laurenz Albe, Subhash Udata, "David G. Johnston", Adrian Klaver, 김주연, "pgsql-general@lists.postgresql.org"
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

On Sat, Nov 23, 2024 at 01:30:13PM -0500, Greg Sabino Mullane wrote:
> On Sat, Nov 23, 2024 at 1:10 PM Bruce Momjian wrote:
>
> > and say bounce the database server and install the binaries. What I
> > have never considered before, and I should have, is the complexity of
> > doing this for many remote servers. Can we improve our guidance for
> > these cases?
>
> Hmm I'm not sure what else we can say. Our upgrade process is already
> drop-dead-simple, especially compared to many (most?) other products out there.
> People painting themselves into corners is not something we can really help
> with.

I am wondering if we can highlight which upgrades are most important for
users who have complex upgrade processes. Maybe CVEs and corruption
fixes?

--
  Bruce Momjian  https://momjian.us
  EDB  https://enterprisedb.com

  When a patient asks the doctor, "Am I going to die?", he means
  "Am I going to die soon?"