On Fri, 2024-11-22 at 09:00 +0100, Matthias Apitz wrote:
> > > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > > * Is it still mandatory to upgrade specifically to version 15.9, or would
> > >   remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary, considering the
> > > specifics of my setup.
> >
> > If you don't use PL/Perl, you are not affected by that security vulnerability.
> >
> > I wonder what you mean by "mandatory".
> >
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy. If you stay on 15.0, you will be subject to
> > thirteen other security vulnerabilities (if I counted right), and you may end
> > up with corrupted GIN and BRIN indexes. Additionally, you will be subject to
> > countless known bugs that have been fixed since.
> >
> > You should *always* update to the latest minor release shortly after it is
> > released. Everything else is negligent.
>
> The company I'm working for is the producer of a Library Management System
> with C/C++ written servers on Linux, using the ESQL/C and DBI interfaces of
> PostgreSQL (and older versions Sybase too), and the software is deployed
> to 100++ customer installations, sometimes with limited IT know-how of their own.

And you didn't plan how you intend to ship software updates to these customers?

> "You should *always* update ..." is nice to say, but in the described land
> not easy to do.

If you say so. Still, that is a problem that will come to bite you some day,
as soon as your customers hit some PostgreSQL bug.

> I assume that
> CVE-2024-10979 affects the server side, and not the client side.

Right.

I wonder why you are so keen on that vulnerability and ignore all the others
discovered since 15.0.

> Any further comments on this?

No. I told you that you should update, and you explained in great detail
why you cannot. There is nothing more to say.

Good luck.
Yours, Laurenz Albe
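The two facts the thread turns on are checkable on a running server: which minor release it runs, and whether PL/Perl is installed anywhere (procedural languages are installed per database, so one database is not enough). The script below is an added example written for this page, not code from the thread or from the PostgreSQL project. It assumes `psql` is on PATH, that connection parameters come from the usual PG* environment variables, and that database names contain no whitespace; `MIN_VERSION_NUM` defaults to 150009, the `server_version_num` encoding of 15.9, the release named above.

```shell
#!/bin/sh
# Added example: report the server's minor release and any PL/Perl installations.
# Assumptions: psql on PATH, PGHOST/PGUSER/PGPASSWORD etc. set for a superuser or a
# role that may connect to every database; database names without whitespace.

# 15.9 encoded as server_version_num (major * 10000 + minor). Override via environment.
MIN_VERSION_NUM="${MIN_VERSION_NUM:-150009}"

# needs_update NUM: succeeds (exit 0) when server_version_num NUM is below MIN_VERSION_NUM.
needs_update() {
    [ "$1" -lt "$MIN_VERSION_NUM" ]
}

# format_version NUM: render a server_version_num such as 150009 as "15.9".
# (Only the one-part major numbering of PostgreSQL 10 and later is handled.)
format_version() {
    echo "$(( $1 / 10000 )).$(( $1 % 10000 ))"
}

# plperl_in_db DBNAME: print each PL/Perl language present in DBNAME with the number
# of functions written in it; prints nothing when PL/Perl is absent from that database.
plperl_in_db() {
    psql -X -At -d "$1" -c "
        SELECT l.lanname || ' (' || count(p.oid) || ' functions)'
        FROM pg_language l
        LEFT JOIN pg_proc p ON p.prolang = l.oid
        WHERE l.lanname IN ('plperl', 'plperlu')
        GROUP BY l.lanname"
}

main() {
    ver=$(psql -X -At -d postgres -c "SELECT current_setting('server_version_num')") || return 1
    echo "server version: $(format_version "$ver") (server_version_num=$ver)"
    if needs_update "$ver"; then
        echo "older than $(format_version "$MIN_VERSION_NUM"): apply the latest minor release"
    fi

    # Languages are per database, so every connectable database must be inspected.
    found=0
    for db in $(psql -X -At -d postgres -c "SELECT datname FROM pg_database WHERE datallowconn"); do
        out=$(plperl_in_db "$db") || continue
        if [ -n "$out" ]; then
            echo "$db: $out"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "PL/Perl is not installed in any database"
    fi
}

# Run the live checks only when a psql client is available; the helper functions
# above can be sourced and used on their own otherwise.
if command -v psql >/dev/null 2>&1; then
    main
else
    echo "psql not found; skipping live checks" >&2
fi
```

Run it as the database superuser (or any role allowed to connect to all databases). A line such as `appdb: plperlu (2 functions)` means the vulnerability discussed above is relevant to that database regardless of what the application itself uses; no such line and a version at or above the target means the thread's advice still applies, because of the other fixes in the later minor releases, but not because of CVE-2024-10979.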