Re: Ola Lundqvist 2017-05-21 <CABY6=0kd_h+hjigkponfm0+tdct6fuurlz4vtopbjugfp8m...@mail.gmail.com> > Hi Thorsten > > I had a look into this and I'm not sure both statements are correct for > Jessie. > > For CVE-2017-7486 I think the information in Jessie is wrong. The > patched code is definitely there in wheezy at least. But maybe it is > not triggered for some reason.
postgresql-9.1 in jessie is a reduced package that only builds postgresql-plperl-9.1, so anything non-perl isn't relevant for 9.1 in jessie. postgresql-9.1 in wheezy is affected from my understanding of when pg_user_mappings was introduced. > For CVE-2017-7484 the code do not exist. The same applies to > postgresql-8.4 in wheezy. Same argument, 8.4 in wheezy is postgresql-plperl-8.4 only. Christoph
