Discussion: Vulnerability identified with Postgres 13.4 for Windows

Vulnerability identified with Postgres 13.4 for Windows

From
"Joel Mariadasan (jomariad)"
Date:

Hi,


The scanning tool used by our organization has detected the presence of vulnerable libxml version in the latest Postgres 13.4 release for windows (Zip version).


Detected by Automated Scanning tool:

libxml   2.9.10


Can you confirm if this is the same version of libxml used in Postgres?

We want to confirm if the detection is a false positive or a vulnerability.


Regards,

Joel
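One way to confirm what an extracted PostgreSQL Windows zip actually ships, as an added example that is not part of this thread (the extraction path and the DLL file name are assumptions):

```powershell
# Added example (not from the thread): inventory libxml2 DLLs under an
# extracted PostgreSQL Windows zip and report the version each binary carries,
# so a scanner finding can be checked against the real file rather than guessed.
# Assumptions: the zip was extracted to C:\pgsql (hypothetical path) and the
# library is shipped as libxml2*.dll (adjust the filter if the name differs).
$root = 'C:\pgsql'

Get-ChildItem -Path $root -Recurse -Filter 'libxml2*.dll' | ForEach-Object {
    [PSCustomObject]@{
        Path           = $_.FullName
        FileVersion    = $_.VersionInfo.FileVersion
        ProductVersion = $_.VersionInfo.ProductVersion
        # SHA-256 lets you match the exact binary against the scanner's report
        # or a vendor advisory without relying on the version string alone.
        Sha256         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
```

If no file is listed, the zip does not carry a separately shipped libxml2 DLL under that name, and the scanner's finding should be traced to whichever file it actually flagged.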

Re: Vulnerability identified with Postgres 13.4 for Windows

From
"David G. Johnston"
Date:
On Friday, October 29, 2021, Joel Mariadasan (jomariad) <jomariad@cisco.com> wrote:

Detected by Automated Scanning tool:

libxml   2.9.10


Can you confirm if this is the same version of libxml used in Postgres?

We want to confirm if the detection is a false positive or a vulnerability.



IIUC (though I'm more familiar with Linux) the core project has now control over which versions of external libraries get installed onto one's machine. In particular the core project only supports compiled-from-source installation.

David J.

Re: Vulnerability identified with Postgres 13.4 for Windows

From
Justin Pryzby
Date:
On Fri, Oct 29, 2021 at 10:40:06AM +0000, Joel Mariadasan (jomariad) wrote:
> Hi,
> 
> The scanning tool used by our organization has detected the presence of vulnerable libxml version in the latest Postgres 13.4 release for windows (Zip version).
> 
> Detected by Automated Scanning tool:
> libxml   2.9.10
> 
> Can you confirm if this is the same version of libxml used in Postgres?
> We want to confirm if the detection is a false positive or a vulnerability.

Joel: Could you provide the exact link for the postgres ZIP you used ?

-- 
Justin