Currently, my environment is running PostgreSQL 15.0. I understand that version 15.9 contains the fix for CVE-2024-10979, as mentioned in the release notes.
Given that I am not using the PL/Perl extension in my environment
IIUC, any user that can execute “create extension plperl” in a database they are connected to (or, it having been installed, users that have been granted usage on the language) can exploit this vulnerability. Whether that is possible in your environment is something you’d need to determine.
I believe this particular detail probably should have been part of the release announcement but was not.
In any case if you aren’t willing to update consistently you really shouldn’t be deploying .0 releases.
David J.