From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | Subhash Udata <subhashudata(at)gmail(dot)com>, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, 김주연 <mysylph(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10 |
Date: | 2024-11-22 04:35:23 |
Message-ID: | 507773.1732250123@sss.pgh.pa.us |
Lists: | pgsql-general |

"David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> On Thursday, November 21, 2024, Subhash Udata <subhashudata(at)gmail(dot)com>
> wrote:
>> The PostgreSQL documentation mentions that the versions with a fix for
>> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
>> your reply states that any version greater than 13+ should suffice.
>> Could you please confirm if upgrading to one of the specific versions
>> listed above is mandatory, or is it acceptable to upgrade to any version
>> higher than 13

Minor versions earlier than those do not contain the fix.

> The fact you are on version 11 means you should not expect an answer to the
> question whether this newly discovered CVE affects you - that would be
> expecting support for a long-unsupported version.

The Postgres security team does not ordinarily test out-of-support
branches, so no official answer to that will be forthcoming.
Unofficially, however, I have no doubt that this bug is quite ancient.

regards, tom lane