From: | Thomas Kellerer <shammat(at)gmx(dot)net> |
---|---|
To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: Which PG version does CVE-2021-20229 affected? |
Date: | 2021-03-05 08:19:21 |
Message-ID: | 7b7344f7-f9a1-b04f-ef76-709aad669795@gmx.net |
Lists: | pgsql-hackers |

Michael Paquier wrote on 05.03.2021 at 08:38:
> On Fri, Mar 05, 2021 at 12:32:43AM -0700, bchen90 wrote:
>> NVD link:
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2021-20229#vulnCurrentDescriptionTitle
>
> This link includes incorrect information. CVE-2021-20229 is only a
> problem in 13.0 and 13.1, fixed in 13.2. Please see for example here:
> https://www.postgresql.org/support/security/
>
> The commit that fixed the issue is c028faf, mentioning 9ce77d7 as the
> origin point, a commit introduced in Postgres 13.

I think the information is correct as it says "Up to (excluding) 13.2".

I understand the "(excluding)" part, such that the "excluded" version
is _not_ affected by it.

But it's really a confusing way to present that kind of information.