Thank you for your detailed response. I would like to clarify my situation further to ensure I take the appropriate steps.
Currently, my environment is running *PostgreSQL 15.0*. I understand that version *15.9* contains the fix for CVE-2024-10979, as mentioned in the release notes. Given that I am not using the *PL/Perl* extension in my environment, I wanted to ask:

- Is it still mandatory to upgrade specifically to version *15.9*, or would remaining on version *15.0* suffice in this case?

I appreciate your guidance on whether this upgrade is necessary, considering the specifics of my setup.

Thank you for your time and support.

On Fri, 22 Nov 2024 at 09:39, David G. Johnston <david.g.johns...@gmail.com> wrote:

> On Thursday, November 21, 2024, Subhash Udata <subhashud...@gmail.com>
> wrote:
>>
>> Thank you for your response regarding the affected versions of
>> PostgreSQL. I have a follow-up question for clarification:
>>
>> The PostgreSQL documentation mentions that the versions with a fix for
>> CVE-2024-10979 are *17.1, 16.5, 15.9, 14.14, 13.17, and 12.21*. However,
>> your reply states that any version greater than 13+ should suffice.
>>
>> Could you please confirm if upgrading to one of the specific versions
>> listed above is mandatory, or is it acceptable to upgrade to any version
>> higher than 13
>>
>
> It was literally just reported and fixed. If you are on a supported
> release of PostgreSQL you have the fix. If you are not, you don’t.
>
> At this point only major versions 13+ are supported.
>
> Upgrading to an unsupported minor release is never recommended.
>
> The fact you are on version 11 means you should not expect an answer to
> the question whether this newly discovered CVE affects you - that would be
> expecting support for a long-unsupported version.
>
> Which of the 5 currently supported releases you should upgrade to is a
> decision you need to make given your circumstances.
>
> David J.
>