Hi Michael,
On 11/9/18 4:45 AM, Michael Banck wrote:
>
> AIUI, this security issue only affects v10 and v11, but this is not
> clear from the announcement AFAICT, unless I missed it?
>
> I think it would be good to mention the exact versions that are affected
> by a CVE in the announcement; of course it is always possible to inspect
> the individual release notes, but having the information up front would
> be nice (again, unless I am missing something).
That is a fair point. I have looked through the past few announcements
and we have not included affected versions, just links to the CVE, which
do detail the versions available as well as the release notes which you
mention above. It probably would have helped to do that, and I look into
updating it on the website at a minimum.
That said, when I was drafting the announcement, it was becoming a bit
convoluted to craft clear instructions based on the security release +
additional upgrade steps for pg_stat_statements. I opted for keeping it
simple.
And there is still a problem of people not upgrading to the latest bug
fix releases. If there is language or motivation to continue to stay on
the point releases, personally I'd prefer to encourage that.
Thanks!
Jonathan