On 11/20/24 00:54, Subhash Udata wrote:
> Dear PostgreSQL Community,
>
> I have a query related to the recent security vulnerability,
> *CVE-2024-10979*, concerning the PL/Perl extension.
>
> From the advisory, it appears the vulnerability impacts systems
> utilizing the PL/Perl extension. My question is:
>
> * If we do not use the PL/Perl extension in our PostgreSQL instance,
> is it still necessary to upgrade to the patched version of
> PostgreSQL? Or can we safely continue using our current version
> without concern?
Yes, you should upgrade.
See the rest of the issues fixed:
https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/
It has further CVEs.
Though I would wait until the out-of-cycle release that lands
tomorrow (2024-11-21) is out, see:
https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-november-21-2024-2958/
As it fixes some regressions in the previous release.
>
> We would like to understand whether this vulnerability has any
> implications for environments where the PL/Perl extension is not
> installed or used.
>
> Thank you so much for your guidance on this.
>
> Best regards,
>
> Subhash Udata
>
--
Adrian Klaver
adrian.klaver@aklaver.com
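As an added example (not part of the mailing-list thread and not PostgreSQL project code), the following Python turns the advice above into a check you can run against values read from a server: it parses what `SHOW server_version_num` or `SELECT version()` returns, compares the minor release against the ones named in the linked announcement (17.1, 16.5, 15.9, 14.14, 13.17 and 12.21, taken here from the announcement URL), and reports that an old minor needs upgrading whether or not PL/Perl is installed. The thresholds in `FIXED_MINOR`, the function names and the sample values are assumptions for illustration; the out-of-cycle release of 2024-11-21 supersedes those minors, so the table should be raised once it is out.

```python
"""Added example, not from the thread: does this PostgreSQL instance still
run a minor older than the releases named in the linked announcement?
Thresholds are taken from the announcement URL (17.1, 16.5, 15.9, 14.14,
13.17, 12.21); the 2024-11-21 out-of-cycle release supersedes them, so
bump FIXED_MINOR when it lands. Function names and samples are illustrative.
"""
import re

# Lowest minor per major that carries the November 2024 fixes, per the
# announcement slug linked above (assumption: read from that URL).
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}


def parse_version_num(server_version_num):
    """Split the integer SHOW server_version_num reports (e.g. 160004)
    into (major, minor). PostgreSQL 10+ encodes it as major*10000 + minor."""
    n = int(server_version_num)
    return n // 10000, n % 10000


def parse_version_string(version_text):
    """Extract (major, minor) from the text SELECT version() returns,
    e.g. 'PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by ...'."""
    m = re.search(r"PostgreSQL (\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    return int(m.group(1)), int(m.group(2))


def upgrade_needed(major, minor):
    """True when the running minor is older than the fixed one for its major.
    A major absent from the table has no fixed release in that announcement
    at all, so it is reported as needing action as well."""
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return True
    return minor < fixed


def assess(server_version_num, plperl_installed):
    """Short verdict. PL/Perl presence changes the exposure to CVE-2024-10979
    but not the decision: the same release fixes further CVEs, so an old
    minor needs upgrading either way, which is the point of the reply above."""
    major, minor = parse_version_num(server_version_num)
    if not upgrade_needed(major, minor):
        return "up to date"
    if plperl_installed:
        return "upgrade: exposed to CVE-2024-10979 and the other fixed CVEs"
    return "upgrade: PL/Perl absent, but the other fixed CVEs still apply"


if __name__ == "__main__":
    # Constructed sample values standing in for SHOW server_version_num and
    # a pg_extension lookup for plperl/plperlu on a real server.
    for num, plperl in ((160004, False), (160005, False), (170000, True)):
        print(num, assess(num, plperl))
```

On a live server the inputs come from `SHOW server_version_num;` and, per database, `SELECT 1 FROM pg_extension WHERE extname IN ('plperl', 'plperlu');`; `pg_extension` is per database, so the PL/Perl check has to be repeated in each one, whereas the version check is for the whole instance.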