On Thursday, November 21, 2024, Subhash Udata <subhashud...@gmail.com>
wrote:
>
> Currently, my environment is running *PostgreSQL 15.0*. I understand that
> version *15.9* contains the fix for CVE-2024-10979, as mentioned in the
> release notes.
>
> Given that I am not using the *PL/Perl* extension in my environment
>

IIUC, any user that can execute “create extension plperl” in a database
they are connected to (or, it having been installed, users that have been
granted usage on the language) can exploit this vulnerability.  Whether
that is possible in your environment is something you’d need to determine.

I believe this particular detail probably should have been part of the
release announcement but was not.

In any case if you aren’t willing to update consistently you really
shouldn’t be deploying .0 releases.

David J.

Reply via email to