Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
Subhash Udata <subhashudata@gmail.com>
From: Subhash Udata <subhashudata@gmail.com>
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Adrian Klaver <adrian.klaver@aklaver.com>, 김주연 <mysylph@gmail.com>, "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Date: 2024-11-22T04:31:31Z
Lists: pgsql-general
Thank you for your detailed response. I would like to clarify my situation further to ensure I take the appropriate steps. Currently, my environment is running *PostgreSQL 15.0*. I understand that version *15.9* contains the fix for CVE-2024-10979, as mentioned in the release notes. Given that I am not using the *PL/Perl* extension in my environment, I wanted to ask: - Is it still mandatory to upgrade specifically to version *15.9*, or would remaining on version *15.0* suffice in this case? I appreciate your guidance on whether this upgrade is necessary, considering the specifics of my setup. Thank you for your time and support. On Fri, 22 Nov 2024 at 09:39, David G. Johnston <david.g.johnston@gmail.com> wrote: > On Thursday, November 21, 2024, Subhash Udata <subhashudata@gmail.com> > wrote: >> >> >> Thank you for your response regarding the affected versions of >> PostgreSQL. I have a follow-up question for clarification: >> >> The PostgreSQL documentation mentions that the versions with a fix for >> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However, >> your reply states that any version greater than 13+ should suffice. >> >> Could you please confirm if upgrading to one of the specific versions >> listed above is mandatory, or is it acceptable to upgrade to any version >> higher than 13 >> > > It was literally just reported and fixed. If you are on a supported > release of PostgreSQL you have the fix. If you are not, you don’t. > > At this point only major versions 13+ are supported. > > Upgrading to an unsupported minor release is never recommended. > > The fact you are on version 11 means you should not expect an answer to > the question whether this newly discovered CVE affects you - that would be > expecting support for a long-unsupported version. > > Which of the 5 currently supported releases you should upgrade to is a > decision you need to make given your circumstances. > > David J. > >