Search Postgresql Archives

Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2024-11-22 at 09:00 +0100, Matthias Apitz wrote:
> > > Given that I am not using the PL/Perl extension in my environment, I wanted to ask:
> > >  * Is it still mandatory to upgrade specifically to version 15.9, or would
> > >     remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary, considering the
> > > specifics of my setup.
> > 
> > If you don't use PL/Perl, you are not affected by that security vulnerability.
> > 
> > I wonder what you mean by "mandatory".
> > 
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy.  If you stay on 15.0, you will be subject to
> > thirteen other security vulnerabilities (if I counted right), and you may end
> > up with corrupted GIN and BRIN indexes.  Additionally, you will be subject to
> > countless known bugs that have been fixed since.
> > 
> > You should *always* update to the latest minor release shortly after it is
> > released.  Everything else is negligent.
> 
> The company I'm working for is producer of a Library Management System
> with C/C++ written servers on Linux, using ESQL/C and DBI interfaces of
> PostgreSQL (and older version Sybase too) and the software is deployed
> to 100++ customer installations, sometimes with limited own IT know how.

And you didn't plan how you intend to ship software updates to these
customers?

> "You should *always* update ..." is nice to say, but in the described land
> not easy to do.

If you say so.  Still, that is a problem that will come to bite you
some day, as soon as your customers hit some PostgreSQL bug.

> I assume that 
> CVE-2024-10979 affects the server side, and not the client side.

Right.  I wonder why you are so keen on that vulnerability and ignore
all the others discovered since 15.0.

> Any further comments on this?

No.  I told you that you should update, and you explained in great
detail why you cannot.  There is nothing more to say.  Good luck.

Yours,
Laurenz Albe






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux