Re: Re[2]: CVE-2022-2625

From Tom Lane
Subject Re: Re[2]: CVE-2022-2625
Date
Msg-id 3580694.1663308848@sss.pgh.pa.us
In reply to Re: Re[2]: CVE-2022-2625  (Laurenz Albe <laurenz.albe@cybertec.at>)
List pgsql-general
Laurenz Albe <laurenz.albe@cybertec.at> writes:
> On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
>> I'm a little bemused by your fixation on this particular CVE,
>> though.  As such things go, it's not a very big deal.

> A lot of times, requests like that come from a brainless kind of
> institutionalized security: we have to install all software updates
> that say "CVE".  Never mind that username = password and
> the application is running with a superuser.

Indeed :-(.  But we've issued several CVEs since 9.5 went out
of support --- notably, I'd say CVE-2022-1552 from the previous
minor-release cycle is a good deal more dangerous than this one.
So, again, why worry about -2625 in particular?

I'm still wondering whether the OP's installation is even on
9.5.latest; if not, they've likely got even more serious things
to worry about.  A quick troll through the 9.5.x release notes
finds a lot of bugs...

            regards, tom lane


