Re: Clarification on CVE-2024-10979 and PostgreSQL Upgrade Necessity Without PL/Perl Usage
From | Adrian Klaver |
---|---|
Subject | Re: Clarification on CVE-2024-10979 and PostgreSQL Upgrade Necessity Without PL/Perl Usage |
Date | |
Msg-id | da4ff57d-bc55-4fd6-8b2e-802cbe46472b@aklaver.com |
In reply to | Clarification on CVE-2024-10979 and PostgreSQL Upgrade Necessity Without PL/Perl Usage (Subhash Udata <subhashudata@gmail.com>) |
List | pgsql-general |

On 11/20/24 00:54, Subhash Udata wrote:

> Dear PostgreSQL Community,
>
> I have a query related to the recent security vulnerability,
> *CVE-2024-10979*, concerning the PL/Perl extension.
>
> From the advisory, it appears the vulnerability impacts systems
> utilizing the PL/Perl extension. My question is:
>
> * If we do not use the PL/Perl extension in our PostgreSQL instance,
>   is it still necessary to upgrade to the patched version of
>   PostgreSQL? Or can we safely continue using our current version
>   without concern?

Yes, you should upgrade. See the rest of the issues fixed:

https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/

It has further CVEs.

Though I would wait until the out-of-cycle release that lands tomorrow (2024-11-21) is out, see:

https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-november-21-2024-2958/

As it fixes some regressions in the previous release.

> We would like to understand whether this vulnerability has any
> implications for environments where the PL/Perl extension is not
> installed or used.
>
> Thank you so much for your guidance on this.
>
> Best regards,
>
> Subhash Udata

--
Adrian Klaver
adrian.klaver@aklaver.com