Date: Wed, 20 Nov 2024 08:12:57 -0800
Subject: Re: Clarification on CVE-2024-10979 and PostgreSQL Upgrade Necessity Without PL/Perl Usage
To: Subhash Udata, pgsql-general@postgresql.org
From: Adrian Klaver

On 11/20/24 00:54, Subhash Udata wrote:
> Dear PostgreSQL Community,
>
> I have a query related to the recent security vulnerability,
> *CVE-2024-10979*, concerning the PL/Perl extension.
>
> From the advisory, it appears the vulnerability impacts systems
> utilizing the PL/Perl extension. My question is:
>
> * If we do not use the PL/Perl extension in our PostgreSQL instance,
> is it still necessary to upgrade to the patched version of
> PostgreSQL? Or can we safely continue using our current version
> without concern?

Yes, you should upgrade. See the rest of the issues fixed:

https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/

It has further CVEs. Though I would wait until the out-of-cycle release that lands tomorrow (2024-11-21) is out, see:

https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-november-21-2024-2958/

as it fixes some regressions in the previous release.

> We would like to understand whether this vulnerability has any
> implications for environments where the PL/Perl extension is not
> installed or used.
>
> Thank you so much for your guidance on this.
>
> Best regards,
>
> Subhash Udata
>

-- 
Adrian Klaver
adrian.klaver@aklaver.com
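To turn the reply's advice into a routine check, here is an added Python example that is not part of the thread: it parses the output of version() and the PL/Perl extension listing, compares the server against the minor releases named in the linked 14 November announcement (17.1, 16.5, 15.9, 14.14, 13.17, 12.21), and reports that an upgrade is due even when PL/Perl is absent. The FIXED_MINOR table, the sample strings and the assess() helper are assumptions made for this example.

```python
import re

# Minor releases from the 2024-11-14 announcement linked in the reply.
# Bump these to the out-of-cycle release numbers once that release is out,
# since the reply recommends waiting for it.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Queries an operator runs on the server (extensions are per database, so
# run the second one in every database of the cluster).
VERSION_SQL = "SELECT version();"
PLPERL_SQL = ("SELECT extname, extversion FROM pg_extension "
              "WHERE extname IN ('plperl', 'plperlu');")


def parse_version(version_text):
    """Return (major, minor) from a version() string such as
    'PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc ...'."""
    m = re.search(r"PostgreSQL (\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_text)
    return int(m.group(1)), int(m.group(2))


def assess(version_text, plperl_rows):
    """Decide whether the server needs the fixed minor release.
    plperl_rows is the result set of PLPERL_SQL (empty if PL/Perl is absent)."""
    major, minor = parse_version(version_text)
    uses_plperl = len(plperl_rows) > 0
    if major not in FIXED_MINOR:
        return {"upgrade": True, "server": "%d.%d" % (major, minor),
                "fixed_version": None,
                "reason": "major %d has no fixed release in the table; "
                          "treat as unsupported" % major}
    fixed = "%d.%d" % (major, FIXED_MINOR[major])
    result = {"server": "%d.%d" % (major, minor), "fixed_version": fixed}
    if minor >= FIXED_MINOR[major]:
        result.update(upgrade=False, reason="already at or above " + fixed)
    elif uses_plperl:
        result.update(upgrade=True, reason="CVE-2024-10979 applies (PL/Perl "
                      "installed) and the release fixes further CVEs")
    else:
        result.update(upgrade=True, reason="PL/Perl absent, but the same "
                      "release fixes further CVEs; upgrade anyway")
    return result


if __name__ == "__main__":
    # Constructed sample inputs; a real check feeds in live query results.
    sample = "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit"
    print(assess(sample, []))              # upgrade: True, no PL/Perl
    print(assess(sample, [("plperl", "1.0")]))
```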