Hello dear PostgreSQL Server Team,
The German bureau for IT security "BSI" (Bundesamt für Sicherheit in der Informationstechnik) has issued a warning for CVE-2022-42889 with the name commons-text. Insurance companies are obliged to analyse the installed software for vulnerabilities of this type.
As the Barmenia is using your product PostgreSQL Server, it is necessary to obtain all information regarding any vulnerability against the above CVE. We kindly ask you to provide information if the above product is affected by the CVE and, if yes, when a fix will be available.
With the request for short-term feedback.
Kind Regards.
Cedric Aaron Towstyka
Database administrator
Barmenia Krankenversicherung a. G.
Barmenia Allgemeine Versicherungs-AG
Barmenia Lebensversicherung a. G.
Barmenia-Allee 1
42119 Wuppertal
+49 202 438 2964
> if the above product is affected by the CVE
You have to search for the "commons-text-1.9.jar" (commons-text-*.*) on the servers or on the clients.
You will find the "Known PostgreSQL Security Vulnerabilities in Supported Versions"
For the PostgreSQL JDBC Driver:
please check https://jdbc.postgresql.org/security/
or the fixed CVE lists: https://github.com/pgjdbc/pgjdbc/issues?q=CVE+sort%3Aupdated-desc
or https://github.com/pgjdbc/pgjdbc/security/advisories ( Security Advisories )
The PostgreSQL ecosystem is huge (e.g. a driver, an extension, or an installer), so you have to check any Java-related software.
Anyway, it's a good time to install the latest patch version of everything.
( Latest PostgreSQL JDBC Driver ;
or Latest Postgres minor version; see: https://www.postgresql.org/support/versioning/ )
The next minor release is expected on: November 10th, 2022 ( see https://www.postgresql.org/developer/roadmap/ )
"The PostgreSQL Project releases security fixes as part of minor version updates. You are always advised to use the latest minor version available, as it will contain other non-security related fixes."
You will find professional services here: https://www.postgresql.org/support/professional_support/
Regards,
Imre
( Disclaimer: I am just a Postgres user and not a security expert! )
Cedric Aaron Towstyka <Cedric-Aaron.Towstyka@xxxxxxxxxxx> wrote (on Tue, Nov 8, 2022, 12:10):
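The search for `commons-text-*.jar` suggested in the reply, as an added example that is not part of either e-mail: it walks a directory tree, also looks inside jar/war/ear archives for bundled copies (by jar name or by the library's Maven `pom.properties`), and flags affected versions. The affected range 1.5 through 1.9 (fixed in 1.10.0) is taken from the Apache advisory for CVE-2022-42889, not from this thread, and the function names are hypothetical.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

ARCHIVES = (".jar", ".war", ".ear")
JAR_NAME = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)+)[^/]*\.jar$")
# Maven metadata that usually survives when the library is merged into a fat jar.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"

def is_affected(version):
    """Assumed range: Apache Commons Text 1.5 through 1.9; 1.10.0 carries the fix."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and (1, 5) <= (int(m[1]), int(m[2])) <= (1, 9)

def scan_archive(source, label, hits, depth=0):
    """Look inside one archive (path or file object) for bundled copies."""
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                where = f"{label}!/{name}"
                m = JAR_NAME.search(name)
                if m:
                    hits.append((where, m.group(1)))
                elif name == POM_PROPS:
                    text = zf.read(name).decode("utf-8", "replace")
                    v = re.search(r"^version=(\S+)", text, re.M)
                    if v:
                        hits.append((where, v.group(1)))
                elif name.lower().endswith(ARCHIVES) and depth < 3:
                    scan_archive(io.BytesIO(zf.read(name)), where, hits, depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or corrupt archive: skip it

def scan_tree(root):
    """Return sorted (location, version, affected) tuples for every copy under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(ARCHIVES):
            m = JAR_NAME.search(path.name)
            if m:
                hits.append((str(path), m.group(1)))
            else:
                scan_archive(path, str(path), hits)
    return sorted((w, v, is_affected(v)) for w, v in hits)

if __name__ == "__main__":
    for where, version, affected in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8}  {version:8}  {where}")
```

A hit shows that the library is present on the host, not that its string interpolation is reachable with untrusted input; copies whose file name and Maven metadata were both stripped are not found by this scan.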