Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10

Adrian Klaver <adrian.klaver@aklaver.com>

From: Adrian Klaver <adrian.klaver@aklaver.com>
To: Bruce Momjian <bruce@momjian.us>, Greg Sabino Mullane <htamfids@gmail.com>
Cc: Matthias Apitz <guru@unixarea.de>, Laurenz Albe <laurenz.albe@cybertec.at>, Subhash Udata <subhashudata@gmail.com>, "David G. Johnston" <david.g.johnston@gmail.com>, 김주연 <mysylph@gmail.com>, "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Date: 2024-11-23T19:19:09Z
Lists: pgsql-general
On 11/23/24 10:57, Bruce Momjian wrote:
> On Sat, Nov 23, 2024 at 01:30:13PM -0500, Greg Sabino Mullane wrote:
>> On Sat, Nov 23, 2024 at 1:10 PM Bruce Momjian <bruce@momjian.us> wrote:
>>
>>      and say bounce the database server and install the binaries.  What I
>>      have never considered before, and I should have, is the complexity of
>>      doing this for many remote servers.  Can we improve our guidance for
>>      these cases?
>>
>>
>> Hmm I'm not sure what else we can say. Our upgrade process is already
>> drop-dead-simple, especially compared to many (most?) other products out there.
>> People painting themselves into corners is not something we can really help
>> with.
> 
> I am wondering if we can highlight which upgrades are most important for
> users who have complex upgrade processes.  Maybe CVEs and corruption
> fixes?

Personally I would point then at:

https://www.postgresql.org/list/pgsql-announce/

and/or:

https://www.postgresql.org/docs/release/

I would think that informs users and let's them determine what is 
important to their situation.



-- 
Adrian Klaver
adrian.klaver@aklaver.com