On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote: > =?UTF-8?B?bWlzaGExOTY2IG1pc2hhMTk2Ng==?= <mmisha1966@xxxxx> writes: > > Is there a patch for 9.6 ? > > No; that's out of support too. > > I'm a little bemused by your fixation on this particular CVE, > though. As such things go, it's not a very big deal. It's only > of interest if you are routinely installing new extensions, *and* > those extensions' scripts contain insecure uses of CREATE OR > REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions > instead. I would not have thought an institution that's so > frozen that it can't update to an in-support PG version would be > doing a lot of new extension installations. A lot of times, requests like that come from a brainless kind of institutionalized security: we have to install all software updates that say "CVE". Never mind that username = password and the application is running with a superuser. Yours, Laurenz Albe
