Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sjelj-002fIn-Uv for pgsql-hackers@arkaria.postgresql.org; Thu, 29 Aug 2024 13:00:56 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sjeli-001wVU-3S for pgsql-hackers@arkaria.postgresql.org; Thu, 29 Aug 2024 13:00:54 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sjelh-001wVL-Mn for pgsql-hackers@lists.postgresql.org; Thu, 29 Aug 2024 13:00:54 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sjelf-0020zr-58 for pgsql-hackers@lists.postgresql.org; Thu, 29 Aug 2024 13:00:53 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 12AD995308 for ; Thu, 29 Aug 2024 15:00:48 +0200 (CEST) Received: from s979.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 0452E951B8; Thu, 29 Aug 2024 15:00:48 +0200 (CEST) Received: from s471.loopia.se (unknown [172.22.191.6]) by s979.loopia.se (Postfix) with ESMTP id 02CE910BC42D; Thu, 29 Aug 2024 15:00:48 +0200 (CEST) X-Virus-Scanned: amavisd-new at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1.2 X-Spam-Level: X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1] autolearn=disabled Authentication-Results: s471.loopia.se (amavisd-new); dkim=pass (2048-bit key) header.d=yesql.se Received: from s980.loopia.se ([172.22.191.5]) by s471.loopia.se (s471.loopia.se [172.22.190.35]) (amavisd-new, port 10024) with LMTP id vo2lffm9kTwU; Thu, 29 Aug 2024 15:00:47 +0200 (CEST) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.193 Received: from smtpclient.apple (customer-89-255-232-193.stosn.net [89.255.232.193]) (Authenticated sender: daniel@yesql.se) by s980.loopia.se (Postfix) with ESMTPSA id 6DA5E2201692; Thu, 29 Aug 2024 15:00:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se; s=loopiadkim1707475645; t=1724936447; bh=urRQtLnaHKW6YMOKQiTyUReduILOJCaf1DP75jFrDKs=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=N8ty9LC8qhdYF9cBKn0ABZtKjCgI4N5lpztnfHyvK/d6tNwPP4l0X7hVhGm5XRBJX bEjP4gSGe0TWH7RwIWF3SqdRp7WwzUv9g6VORDnQvcZ0LrchCvbuXJ/WZq3joUcgc8 fNJL+nN/ECZjvbMZ9EEFGw2RU/Qt8emDHvIbbd6Ad0E8DAkVKA5MQ0zYRU4YbbGu76 H6uclLIFx5SA6LMzw9USfLbddz21l+wtcwSr7nF00C65YZw3hyjbaVpUxDW1QKTSds NwnswTnwDH+X51jw4z/E7ZyTBMUf6ebz0xCEDlWXw0vGixB3DuSwhDa8MQnHfZJcCE M7OfLnF2Qqu8Q== Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\)) Subject: Re: [BUG] Security bugs affected version detected. From: Daniel Gustafsson In-Reply-To: Date: Thu, 29 Aug 2024 15:00:37 +0200 Cc: pgsql-hackers@lists.postgresql.org Content-Transfer-Encoding: quoted-printable Message-Id: <153AB376-A1F3-4406-B7BB-5677B79939F5@yesql.se> References: To: James Watt X-Mailer: Apple Mail (2.3774.600.62) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 29 Aug 2024, at 14:54, James Watt = wrote: >=20 > Our tool have detected that postgre in the version of REL9_6_18~ = REL9_6_24 may also affected by the vulnerability CVE-2022-2625. The = vulnerability database does not include these versions and you may not = fix it in the REL9_6 branch. Is there a need to backport the patch of = CVE-2022-2625? 9.6 was EOL at the time of 2022-2625 being announced and thus wasn't = considered for a backport of the fix, the project only applies fixes to supported versions. Anyone still running 9.6 in production is highly recommended = to upgrade to a supported version. -- Daniel Gustafsson