Laurenz Albe <laurenz.albe@xxxxxxxxxxx> writes:
> On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
>> I'm a little bemused by your fixation on this particular CVE,
>> though. As such things go, it's not a very big deal.

> A lot of times, requests like that come from a brainless kind of
> institutionalized security: we have to install all software updates
> that say "CVE". Never mind that username = password and
> the application is running with a superuser.

Indeed :-(. But we've issued several CVEs since 9.5 went out of support
--- notably, I'd say CVE-2022-1552 from the previous minor-release cycle
is a good deal more dangerous than this one. So, again, why worry
about -2625 in particular?

I'm still wondering whether the OP's installation is even on 9.5.latest;
if not, they've likely got even more serious things to worry about.
A quick troll through the 9.5.x release notes finds a lot of bugs...

regards, tom lane