Re: Re[2]: CVE-2022-2625 - Mailing list pgsql-general

From Guillaume Lelarge
Subject Re: Re[2]: CVE-2022-2625
Date
Msg-id CAECtzeXzz-h_bgjLWKbCvGS92rSGPkNKSLvozw6eogR2DwG1rQ@mail.gmail.com
Whole thread Raw
In response to Re[2]: CVE-2022-2625  (misha1966 misha1966 <mmisha1966@bk.ru>)
List pgsql-general
Le jeu. 15 sept. 2022 à 16:52, misha1966 misha1966 <mmisha1966@bk.ru> a écrit :
Is there a patch for 9.6 ?

A quick Google search for "postgres CVE-2022-2625" gives you https://www.postgresql.org/support/security/CVE-2022-2625/. And this page tells you there's only a fix for releases 10 to 14. Moreover, fixes in 2022 won't have a patch for releases prior to v10.

 
 
Четверг, 15 сентября 2022, 17:55 +09:00 от Ron <ronljohnsonjr@gmail.com>:
 
Software is only certified for 9.5?  Hopefully you're running 9.5.25.

I feel your pain... we've got some databases that will stay at 9.6 for another year.
 
On 9/14/22 23:24, misha1966 misha1966 wrote:
All business processes are hooked on postgresql 9.5. There is no way to update.
Unfortunately, I don't have the proper qualifications to change it.
 
Четверг, 15 сентября 2022, 1:58 +09:00 от Laurenz Albe <laurenz.albe@cybertec.at>:
 
On Wed, 2022-09-14 at 17:02 +0300, misha1966 misha1966 wrote:
> Tell me, is there a CVE-2022-2625 vulnerability in posgresql 9.5?
> If so, who knows how to patch it? Patches from version 10 are not suitable at all...

Yes, that vulnerability exists in 9.5.

To patch that, you'd have to try and backpatch the commit to 9.5 yourself:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b9b21acc766db54d8c337d508d0fe2f5bf2daab0

Since 9.5 is out of support, there are no more bugfixes for it provided
by the community. If security were a real concern for you, you would
certainly not be running a PostgreSQL version that is out of support.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
 
 
 
--
Angular momentum makes the world go 'round.
 


--
Guillaume.

pgsql-general by date:

Previous
From: misha1966 misha1966
Date:
Subject: Re[2]: CVE-2022-2625
Next
From: Ron
Date:
Subject: Re: CVE-2022-2625