Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
From: Laurenz Albe
To: Matthias Apitz
Cc: Subhash Udata, "David G. Johnston", Adrian Klaver, 김주연, "pgsql-general@lists.postgresql.org"
Date: Fri, 22 Nov 2024 16:52:46 +0100
References: <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com> <6c898e6499036ce70ac113b52df5c3ff06286a6a.camel@cybertec.at>

On Fri, 2024-11-22 at 09:00 +0100, Matthias Apitz wrote:
> > > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > >   * Is it still mandatory to upgrade specifically to version 15.9, or would
> > >     remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary, considering the
> > > specifics of my setup.
> > 
> > If you don't use PL/Perl, you are not affected by that security vulnerability.
> > 
> > I wonder what you mean by "mandatory".
> > 
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy.  If you stay on 15.0, you will be subject to
> > thirteen other security vulnerabilities (if I counted right), and you may end
> > up with corrupted GIN and BRIN indexes.  Additionally, you will be subject to
> > countless known bugs that have been fixed since.
> > 
> > You should *always* update to the latest minor release shortly after it is
> > released.  Everything else is negligent.
> 
> The company I'm working for is the producer of a Library Management System
> with C/C++ written servers on Linux, using ESQL/C and DBI interfaces of
> PostgreSQL (and older versions Sybase too), and the software is deployed
> to 100++ customer installations, sometimes with limited IT know-how of their own.
And you didn't plan how you intend to ship software updates to these customers?

> "You should *always* update ..." is nice to say, but in the described land
> not easy to do.

If you say so.

Still, that is a problem that will come to bite you some day, as soon as
your customers hit some PostgreSQL bug.

> I assume that
> CVE-2024-10979 affects the server side, and not the client side.

Right.

I wonder why you are so keen on that vulnerability and ignore all the others
discovered since 15.0.

> Any further comments on this?

No.  I told you that you should update, and you explained in great detail
why you cannot.  There is nothing more to say.

Good luck.

Yours,
Laurenz Albe
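The thread turns on two checks a practitioner has to make before deciding whether the PL/Perl advisory applies: which server release is running (the issue is server-side, not client-side) and whether PL/Perl is actually installed or used in any database. The queries below are an added example, not from the thread or from the PostgreSQL project; they assume psql access as a superuser and use only the standard system catalogs (pg_database, pg_language, pg_extension, pg_proc, pg_available_extensions). The 15.9 threshold comes from the message above and is only meaningful on a 15.x server.

```sql
-- Added example (not part of the thread): is this server exposed to the
-- PL/Perl advisory, and is it behind on minor releases at all?
-- Run as a superuser. pg_language, pg_extension and pg_proc are
-- per-database, so steps 3 and 4 must be repeated in every database
-- returned by step 2 (in psql: \c <datname>, then re-run them).

-- 1. Server release. The advisory concerns the server, so check the
--    server, not the libpq/ESQL/C client version. On a 15.x server,
--    anything below 150009 is older than 15.9 (the fixed release named
--    in the thread); the same logic applies to the other branches with
--    their own fixed minor numbers.
SELECT version() AS server_banner,
       current_setting('server_version_num')::int AS server_version_num,
       current_setting('server_version_num')::int < 150009 AS older_than_15_9;

-- 2. Databases to inspect. Templates are included on purpose: a language
--    created in template1 is copied into every database created later.
SELECT datname, datistemplate
FROM   pg_database
WHERE  datallowconn
ORDER  BY datname;

-- 3. Is PL/Perl installed in the current database? Both the trusted
--    (plperl) and untrusted (plperlu) variants count. No rows here, in
--    every database from step 2, means the PL/Perl CVE does not apply;
--    the other fixes in newer minor releases still do.
SELECT l.lanname, l.lanpltrusted, e.extversion
FROM   pg_language l
LEFT   JOIN pg_extension e ON e.extname = l.lanname
WHERE  l.lanname IN ('plperl', 'plperlu');

-- 4. Even if the language is installed, is anything written in it?
--    Lists every function or procedure whose implementation language
--    is PL/Perl, so "we don't use PL/Perl" can be verified rather than assumed.
SELECT n.nspname AS schema,
       p.proname AS routine,
       l.lanname AS language
FROM   pg_proc p
JOIN   pg_language l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname IN ('plperl', 'plperlu')
ORDER  BY 1, 2;

-- 5. Is the PL/Perl shared library shipped on this host at all?
--    installed_version is NULL when the extension exists on disk but has
--    not been created in the current database. If the package is not
--    installed at all, these names do not appear, and nobody can add the
--    language later without a server-side package change.
SELECT name, default_version, installed_version
FROM   pg_available_extensions
WHERE  name IN ('plperl', 'plperlu');
```

Steps 1 and 2 are server-wide and need to be run once; steps 3 to 5 answer the "are we affected" question only for the database they are run in, which is why the loop over step 2's result is not optional.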