Date: Sat, 23 Nov 2024 16:39:07 -0500
From: Bruce Momjian
To: Ron Johnson
Cc: pgsql-general
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
References:
<7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <6c898e6499036ce70ac113b52df5c3ff06286a6a.camel@cybertec.at>

On Sat, Nov 23, 2024 at 03:24:47PM -0500, Ron Johnson wrote:
> On Sat, Nov 23, 2024 at 1:10 PM Bruce Momjian wrote:
> [snip]
> > I have to admit, for this question, we just point people to:
> >
> >         https://www.postgresql.org/support/versioning/
> >
> > and say bounce the database server and install the binaries.  What I
> > have never considered before, and I should have, is the complexity of
> > doing this for many remote servers.  Can we improve our guidance for
> > these cases?
>
> What guidance is needed?  Even for us, where firewalls block our servers from
> https://download.postgresql.org, it's as simple as downloading the relevant RPM
> files once (and that done with a PowerShell script), then patching thusly:
>
> WinScp PG16.4_RHEL8 dir to each server, and on each server
> $ sudo -iu postgres pg_ctl stop -mfast -wt9999 -D /path/to/data
> $ sudo yum install PG16.4_RHEL8/*rpm
> $ sudo -iu postgres pg_ctl start -wt9999 -D /path/to/data
>
> Those three sudo commands take, at most, three minutes.

I am thinking more of cases where you have 100+ customers, and you need
to coordinate/connect to each company to perform the upgrade.  Doing
that every quarter might be a lot of work, and it might be hard to
justify for every minor release.

-- 
  Bruce Momjian        https://momjian.us
  EDB                  https://enterprisedb.com

  When a patient asks the doctor, "Am I going to die?", he means
  "Am I going to die soon?"
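As an added example (not code from this thread or from the PostgreSQL project), a POSIX shell wrapper around the stop / install / start sequence Ron posted that first checks whether the server already runs the target minor release and, after the restart, confirms the running server actually reports it, since a minor-release fix is only in effect once the new binaries are the ones serving connections. PGDATA, RPM_DIR, TARGET and the function names are assumptions, and the version() strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: patch one PostgreSQL server with locally staged RPMs and
# verify the restarted server reports the expected minor version.
# PGDATA, RPM_DIR and TARGET are assumed names; override them via environment.
set -eu

PGDATA="${PGDATA:-/path/to/data}"
RPM_DIR="${RPM_DIR:-PG16.4_RHEL8}"
TARGET="${TARGET:-16.4}"   # major.minor the staged RPMs install

# Extract "major.minor" from a version() string such as the constructed
# "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc ...".
# Prints nothing for a string that does not look like a PostgreSQL version.
parse_pg_version() {
    printf '%s\n' "$1" | sed -n 's/^PostgreSQL \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) when the version() string matches the target major.minor.
is_at_target() {
    [ "$(parse_pg_version "$1")" = "$2" ]
}

# Ask the running server which binaries it was built from.
running_version() {
    sudo -iu postgres psql -XAtqc 'SELECT version()'
}

patch_server() {
    if is_at_target "$(running_version)" "$TARGET"; then
        echo "already running $TARGET, nothing to do"
        return 0
    fi
    sudo -iu postgres pg_ctl stop -m fast -w -t 9999 -D "$PGDATA"
    sudo yum -y install "$RPM_DIR"/*.rpm
    sudo -iu postgres pg_ctl start -w -t 9999 -D "$PGDATA"
    # The install alone changes nothing for live sessions: confirm the
    # postmaster that came back is the new one.
    if is_at_target "$(running_version)" "$TARGET"; then
        echo "server now running $TARGET"
    else
        echo "server still reports $(running_version); check binaries and restart" >&2
        return 1
    fi
}

# Only act when explicitly asked, so sourcing the file for its helpers is safe.
if [ "${PG_PATCH_RUN:-0}" = "1" ]; then
    patch_server
fi
```

Run it per server with `PG_PATCH_RUN=1 PGDATA=/path/to/data ./patch.sh`; the non-zero exit on a version mismatch is what a fleet-wide runner should collect.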