Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Subhash Udata <subhashudata@gmail.com>, Adrian Klaver <adrian.klaver@aklaver.com>, 김주연 <mysylph@gmail.com>, "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Date: 2024-11-22T04:35:23Z
Lists: pgsql-general
"David G. Johnston" <david.g.johnston@gmail.com> writes: > On Thursday, November 21, 2024, Subhash Udata <subhashudata@gmail.com> > wrote: >> The PostgreSQL documentation mentions that the versions with a fix for >> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However, >> your reply states that any version greater than 13+ should suffice. >> Could you please confirm if upgrading to one of the specific versions >> listed above is mandatory, or is it acceptable to upgrade to any version >> higher than 13 Minor versions earlier than those do not contain the fix. > The fact you are on version 11 means you should not expect an answer to the > question whether this newly discovered CVE affects you - that would be > expecting support for a long-unsupported version. The Postgres security team does not ordinarily test out-of-support branches, so no official answer to that will be forthcoming. Unofficially, however, I have no doubt that this bug is quite ancient. regards, tom lane