Date: Thu, 21 Nov 2024 20:44:07 -0800
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
From: Adrian Klaver
To: Subhash Udata, "David G. Johnston"
Cc: 김주연, pgsql-general@lists.postgresql.org
References: <7b5846ac-c16e-48d3-b548-99a772a528c5@aklaver.com>

On 11/21/24 20:31, Subhash Udata wrote:
> Thank you for your detailed response. I would like to clarify my
> situation further to ensure I take the appropriate steps.
>
> Currently, my environment is running *PostgreSQL 15.0*. I understand
> that version *15.9* contains the fix for CVE-2024-10979, as mentioned in
> the release notes.

Whoa, I thought the topic of discussion from your first post and the
email subject was:

"I am currently using PostgreSQL 11.10 and would like to know if the
CVE-2024-10979 vulnerability affects this version."

> Given that I am not using the *PL/Perl* extension in my environment, I
> wanted to ask:
>
> * Is it still mandatory to upgrade specifically to version *15.9*, or
>   would remaining on version *15.0* suffice in this case?
>
> I appreciate your guidance on whether this upgrade is necessary,
> considering the specifics of my setup.

The upgrades fixed more than this issue, so yes you should upgrade for
all the reasons listed in the release notes for 15.1 to 15.10.

> Thank you for your time and support.
>
> On Fri, 22 Nov 2024 at 09:39, David G. Johnston wrote:
>
>> On Thursday, November 21, 2024, Subhash Udata wrote:
>>
>>> Thank you for your response regarding the affected versions of
>>> PostgreSQL. I have a follow-up question for clarification:
>>>
>>> The PostgreSQL documentation mentions that the versions with a
>>> fix for CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and
>>> 12.21*. However, your reply states that any version greater than
>>> 13+ should suffice.
>>>
>>> Could you please confirm if upgrading to one of the specific
>>> versions listed above is mandatory, or is it acceptable to
>>> upgrade to any version higher than 13?
>>
>> It was literally just reported and fixed. If you are on a supported
>> release of PostgreSQL you have the fix. If you are not, you don't.
>>
>> At this point only major versions 13+ are supported.
>>
>> Upgrading to an unsupported minor release is never recommended.
>>
>> The fact you are on version 11 means you should not expect an answer
>> to the question whether this newly discovered CVE affects you - that
>> would be expecting support for a long-unsupported version.
>>
>> Which of the 5 currently supported releases you should upgrade to is
>> a decision you need to make given your circumstances.
>>
>> David J.

-- 
Adrian Klaver
adrian.klaver@aklaver.com
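An added example, not code from the thread or from the PostgreSQL project: a small Python helper that parses the output of `SHOW server_version` and classifies a server against the two facts the thread states, the first fixed minor releases Subhash quoted (17.1, 16.5, 15.9, 14.14, 13.17, 12.21) and David J.'s statement that only major versions 13+ are supported. The `FIXED_MINOR`, `SUPPORTED_MAJORS`, `PLPERL_QUERY` and `assess` names are this example's own, the sample version strings are constructed, and the catalog query is only there to show that a "we don't use PL/Perl" claim has to be checked per database, since procedural languages are database-level objects.

```python
from __future__ import annotations

import re

# Minor releases that first carry the CVE-2024-10979 fix, as listed by
# Subhash in the thread (17.1, 16.5, 15.9, 14.14, 13.17, 12.21).
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Major branches still supported when the thread was written, per David J.
SUPPORTED_MAJORS = {13, 14, 15, 16, 17}

# pg_language is a per-database catalog, so this has to be run in every
# database of the cluster, not only the one you are connected to. The
# constant name and its use here are this example's own (assumption).
PLPERL_QUERY = (
    "SELECT lanname FROM pg_language WHERE lanname IN ('plperl', 'plperlu');"
)


def parse_server_version(raw: str) -> tuple[int, int]:
    """Parse `SHOW server_version` output into (major, minor).

    Handles packaged strings such as '15.0 (Debian 15.0-1.pgdg110+1)'.
    For pre-10 servers ('9.6.24') the first two numbers are the branch,
    which is enough here because every such branch is long unsupported.
    """
    m = re.match(r"\s*(\d+)\.(\d+)", raw)
    if m is None:
        raise ValueError(f"unrecognised server_version: {raw!r}")
    return int(m.group(1)), int(m.group(2))


def assess(raw_version: str, plperl_rows=()) -> dict:
    """Classify a server against the thread's fix table and support statement.

    `plperl_rows` is whatever PLPERL_QUERY returned in the database being
    checked (empty when PL/Perl is not installed there). As Adrian's reply
    says, PL/Perl being absent does not remove the need to upgrade: minor
    releases bundle other fixes, so the action is driven by version alone.
    """
    major, minor = parse_server_version(raw_version)
    supported = major in SUPPORTED_MAJORS
    fixed_at = FIXED_MINOR.get(major)
    has_cve_fix = fixed_at is not None and minor >= fixed_at

    if not supported:
        action = "upgrade to a supported major release (13 or later)"
    elif not has_cve_fix:
        action = f"apply minor release {major}.{fixed_at} or later"
    else:
        action = "fixed minor already applied; keep applying minor releases"

    return {
        "major": major,
        "minor": minor,
        "supported": supported,
        "has_cve_fix": has_cve_fix,
        "plperl_installed": bool(plperl_rows),
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the two versions named in the thread plus
    # one fixed release, with a constructed PLPERL_QUERY result for the last.
    samples = [
        ("11.10", ()),
        ("15.0 (Debian 15.0-1.pgdg110+1)", ()),
        ("16.5", [("plperl",)]),
    ]
    for raw, rows in samples:
        print(raw, "->", assess(raw, rows))
```

Feed `assess` the string from `SHOW server_version` and, for each database, the rows from `PLPERL_QUERY`; a 12.21 server reports `has_cve_fix` true but `supported` false, which is exactly the distinction David J. draws between "has this fix" and "is on a supported release".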