Thread

  1. BUG #18193: CVE-2019-9193

    PG Bug reporting form <noreply@postgresql.org> — 2023-11-13T06:30:43Z

    The following bug has been logged on the website:
    
    Bug reference:      18193
    Logged by:          Sumanth Vankineni
    Email address:      sumanth.vankineni@gmail.com
    PostgreSQL version: 13.7
    Operating system:   Linux
    Description:        
    
    Just wanted to give an update, I'm not sure if it's mentioned anywhere on
    the website. The PostgreSQL version 13.7 is also vuln to the
    CVE-2019-9193.
    The CVE states only In PostgreSQL 9.3 through 11.2.
    
    
  2. Re: BUG #18193: CVE-2019-9193

    hubert depesz lubaczewski <depesz@depesz.com> — 2023-11-13T12:17:22Z

    On Mon, Nov 13, 2023 at 06:30:43AM +0000, PG Bug reporting form wrote:
    > The following bug has been logged on the website:
    > 
    > Bug reference:      18193
    > Logged by:          Sumanth Vankineni
    > Email address:      sumanth.vankineni@gmail.com
    > PostgreSQL version: 13.7
    > Operating system:   Linux
    > Description:        
    > 
    > Just wanted to give an update, I'm not sure if it's mentioned anywhere on
    > the website. The PostgreSQL version 13.7 is also vuln to the
    > CVE-2019-9193.
    > The CVE states only In PostgreSQL 9.3 through 11.2.
    
    You might want to read
    https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
    
    depesz
    
    
    
    
  3. Re: BUG #18193: CVE-2019-9193

    Tom Lane <tgl@sss.pgh.pa.us> — 2023-11-13T15:20:30Z

    PG Bug reporting form <noreply@postgresql.org> writes:
    > Just wanted to give an update, I'm not sure if it's mentioned anywhere on
    > the website. The PostgreSQL version 13.7 is also vuln to the
    > CVE-2019-9193.
    > The CVE states only In PostgreSQL 9.3 through 11.2.
    
    Please see
    
    https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
    
    That CVE is erroneous in full, and so the fact that it also misstates
    relevant versions is hardly surprising.
    
    			regards, tom lane
    
    
    
    
  4. Re: BUG #18193: CVE-2019-9193

    David G. Johnston <david.g.johnston@gmail.com> — 2023-11-13T15:30:18Z

    On Monday, November 13, 2023, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    
    > PG Bug reporting form <noreply@postgresql.org> writes:
    > > Just wanted to give an update, I'm not sure if it's mentioned anywhere on
    > > the website. The PostgreSQL version 13.7 is also vuln to the
    > > CVE-2019-9193.
    > > The CVE states only In PostgreSQL 9.3 through 11.2.
    >
    > Please see
    >
    > https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
    >
    > That CVE is erroneous in full, and so the fact that it also misstates
    > relevant versions is hardly surprising.
    >
    >
    It’s hardly surprising because a CVE from 2019 (they make this fairly
    simple, the year is in the assigned number) would not be expected to list
    version 13 as that was not released at the time.  Assuming 11.2 was indeed
    the most recent version released at the time the CVE was issued then indeed
    neither v12 nor v13 were relevant as v11 was only about 6 months old.
    
    David J.