public inbox for [email protected]  
From: Adrian Klaver <[email protected]>
To: Subhash Udata <[email protected]>
To: [email protected]
Subject: Re: Clarification on CVE-2024-10979 and PostgreSQL Upgrade Necessity Without PL/Perl Usage
Date: Wed, 20 Nov 2024 08:12:57 -0800
Message-ID: <[email protected]>
In-Reply-To: <CAD=40Z1KMXsExhee44Kkce7Lr2xTJ2q34-Af8zwU5BvR47zh6w@mail.gmail.com>
References: <CAD=40Z1KMXsExhee44Kkce7Lr2xTJ2q34-Af8zwU5BvR47zh6w@mail.gmail.com>

On 11/20/24 00:54, Subhash Udata wrote:
> Dear PostgreSQL Community,
> 
> I have a query related to the recent security vulnerability, 
> *CVE-2024-10979*, concerning the PL/Perl extension.
> 
> From the advisory, it appears the vulnerability impacts systems 
> utilizing the PL/Perl extension. My question is:
> 
>   * If we do not use the PL/Perl extension in our PostgreSQL instance,
>     is it still necessary to upgrade to the patched version of
>     PostgreSQL? Or can we safely continue using our current version
>     without concern?

Yes, you should upgrade.

See the rest of the issues fixed:

https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/

It has further CVEs.

Though I would wait until the out-of-cycle release that lands 
tomorrow (2024-11-21), see:

https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-november-21-2024-2958/

As it fixes some regressions in the previous release.


> 
> We would like to understand whether this vulnerability has any 
> implications for environments where the PL/Perl extension is not 
> installed or used.
> 
> Thank you so much for your guidance on this.
> 
> Best regards,
> 
> Subhash Udata
> 

-- 
Adrian Klaver
[email protected]
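The advice above is to compare the running minor version against the November 2024 release regardless of whether PL/Perl is installed. Below is an added example (not code from the thread or the PostgreSQL project) that makes that check mechanical: it takes the value of server_version_num and the per-database extension list and reports whether the instance is below the patched minor. The patched minors (17.1, 16.5, 15.9, 14.14, 13.17, 12.21) are taken from the release-announcement URL in the reply; the out-of-cycle follow-up release is not modelled, and the function and query names are my own.

```python
"""Version gate for the November 2024 PostgreSQL minor releases.

Added example, not from the mailing-list thread. FIXED_MINOR is read off the
release-announcement URL (postgresql-171-165-159-1414-1317-and-1221-released);
the out-of-cycle release of 2024-11-21 is deliberately not modelled here.
"""

# Lowest patched minor per supported major branch (assumption: from the URL title).
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Queries a practitioner runs to feed the functions below (my own naming).
VERSION_SQL = "SELECT current_setting('server_version_num')::int;"
# pg_extension is per database, so run this once per database in the cluster.
PLPERL_SQL = "SELECT extname FROM pg_extension WHERE extname IN ('plperl', 'plperlu');"


def split_version_num(num: int) -> tuple[int, int]:
    """server_version_num is major*10000 + minor for PostgreSQL 10 and later."""
    if num < 100000:
        raise ValueError("9.x and earlier use a three-part scheme; not handled here")
    return num // 10000, num % 10000


def needs_upgrade(version_num: int) -> bool:
    """True when the running minor predates the patched minor of its branch.

    Branches older than 12 are end-of-life and received no fix, so they are
    reported as needing an upgrade; branches newer than 17 are not covered by
    the announcement and are rejected rather than silently passed.
    """
    major, minor = split_version_num(version_num)
    if major < min(FIXED_MINOR):
        return True
    if major > max(FIXED_MINOR):
        raise ValueError(f"branch {major} is newer than the announcement; check its notes")
    return minor < FIXED_MINOR[major]


def audit(version_num: int, extensions_per_db: dict[str, list[str]]) -> dict:
    """Combine the version verdict with where PL/Perl is actually installed.

    The verdict does not depend on PL/Perl; the database list is informational
    so the operator knows which databases also carry the CVE-2024-10979 surface.
    """
    major, minor = split_version_num(version_num)
    plperl_dbs = sorted(
        db for db, exts in extensions_per_db.items()
        if any(e in ("plperl", "plperlu") for e in exts)
    )
    return {
        "version": f"{major}.{minor}",
        "needs_upgrade": needs_upgrade(version_num),
        "plperl_databases": plperl_dbs,
    }


if __name__ == "__main__":
    # Constructed sample: a 16.4 cluster with PL/Perl only in one database.
    sample_extensions = {"app": ["plpgsql"], "legacy": ["plpgsql", "plperl"]}
    print(audit(160004, sample_extensions))
```

Run VERSION_SQL once and PLPERL_SQL against every database, then pass the results to audit(); the "needs_upgrade" field is what matters for the question in the thread, and it is True for any minor below the announced release whether or not "plperl_databases" is empty.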
