On 9/15/22 10:19, Tom Lane wrote:
misha1966 misha1966 <mmisha1966@bk.ru> writes:
Is there a patch for 9.6 ?
No; that's out of support too.
You might find that adapting the v10 patch back to 9.6, and
thence to 9.5, would be easier than trying to do it in one step.
I'm a little bemused by your fixation on this particular CVE,
though.
Some auditor might have issued a decree mandating all vulnerabilities greater than 7.0
must be patched.
As such things go, it's not a very big deal.It's only
of interest if you are routinely installing new extensions, *and*
those extensions' scripts contain insecure uses of CREATE OR
REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
instead. I would not have thought an institution that's so
frozen that it can't update to an in-support PG version would be
doing a lot of new extension installations.
In any case, the real thing you ought to be focusing on is whether
you are running back-ported patches for any of the *other* CVE-worthy
security bugs we've fixed since 9.5 went EOL. And how about the
data-corrupting bugs?
As to why they're auditing EOL software... no one has ever considered auditors or Upper Management to be rational or consistent.
Most longtime PG developers think data
corruption hazards are a good deal more important than a lot of
the stuff we assign CVEs to. Almost every CVE we've ever issued is
only relevant if you have hostile actors able to issue arbitrary SQL
in your database, in which case you're in a world of trouble anyway.
--
Angular momentum makes the world go 'round.
