Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10
David G. Johnston <david.g.johnston@gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Subhash Udata <subhashudata@gmail.com>
Cc: Adrian Klaver <adrian.klaver@aklaver.com>, 김주연 <mysylph@gmail.com>, "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Date: 2024-11-22T04:51:32Z
Lists: pgsql-general
On Thursday, November 21, 2024, Subhash Udata <subhashudata@gmail.com> wrote: > > Currently, my environment is running *PostgreSQL 15.0*. I understand that > version *15.9* contains the fix for CVE-2024-10979, as mentioned in the > release notes. > > Given that I am not using the *PL/Perl* extension in my environment > IIUC, any user that can execute “create extension plperl” in a database they are connected to (or, it having been installed, users that have been granted usage on the language) can exploit this vulnerability. Whether that is possible in your environment is something you’d need to determine. I believe this particular detail probably should have been part of the release announcement but was not. In any case if you aren’t willing to update consistently you really shouldn’t be deploying .0 releases. David J.