On Fri, Nov 22, 2024 at 09:00:18AM +0100, Matthias Apitz wrote:
> El día viernes, noviembre 22, 2024 a las 05:52:34 +0100, Laurenz Albe
> escribió:
>
> > On Fri, 2024-11-22 at 10:01 +0530, Subhash Udata wrote:
> > > Currently, my environment is running PostgreSQL 15.0. I understand that
> > > version
> > > 15.9 contains the fix for CVE-2024-10979, as mentioned in the release
> > > notes.
> > > Given that I am not using the PL/Perl extension in my environment, I
> > > wanted to ask:
> > > * Is it still mandatory to upgrade specifically to version 15.9, or would
> > > remaining on version 15.0 suffice in this case?
> > > I appreciate your guidance on whether this upgrade is necessary,
> > > considering the
> > > specifics of my setup.
> >
> > If you don't use PL/Perl, you are not affected by that security
> > vulnerability.
> >
> > I wonder what you mean by "mandatory".
> >
> > We won't fine or punish you if you don't update PostgreSQL, but perhaps it
> > would make your employer unhappy. If you stay on 15.0, you will be subject
> > to
> > thirteen other security vulnerabilities (if I counted right), and you may
> > end
> > up with corrupted GIN and BRIN indexes. Additionally, you will be subject
> > to
> > countless known bugs that have been fixed since.
> >
> > You should *always* update to the latest minor release shortly after it is
> > released. Everything else is negligent.
>
> Laurenz, et all,
>
> The company I'm working for is producer of a Library Management System
> with C/C++ written servers on Linux, using ESQL/C and DBI interfaces of
> PostgreSQL (and older version Sybase too) and the software is deployed
> to 100++ customer installations, sometimes with limited own IT know how.
>
> "You should *always* update ..." is nice to say, but in the described land
> not easy to do. For the two released versions of our software (V7.2 and
> V7.3) and the current version in development (V7.3-SP1) we plan the
> following migrations of the server and client side of PostgreSQL:
I have to admit, for this question, we just point people to:
https://www.postgresql.org/support/versioning/
and say bounce the database server and install the binaries. What I
have never considered before, and I should have, is the complexity of
doing this for many remote servers. Can we improve our guidance for
these cases?
--
Bruce Momjian <br...@momjian.us> https://momjian.us
EDB https://enterprisedb.com
When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"
