Thread: BUG #18193: CVE-2019-9193
The following bug has been logged on the website: Bug reference: 18193 Logged by: Sumanth Vankineni Email address: sumanth.vankineni@gmail.com PostgreSQL version: 13.7 Operating system: Linux Description: Just wanted to give an update, I'm not sure if it's mentioned anywhere on the website. The PostgreSQl version 13.7 is also vuln to the CVE-2019-9193. The CVE states only In PostgreSQL 9.3 through 11.2.
On Mon, Nov 13, 2023 at 06:30:43AM +0000, PG Bug reporting form wrote: > The following bug has been logged on the website: > > Bug reference: 18193 > Logged by: Sumanth Vankineni > Email address: sumanth.vankineni@gmail.com > PostgreSQL version: 13.7 > Operating system: Linux > Description: > > Just wanted to give an update, I'm not sure if it's mentioned anywhere on > the website. The PostgreSQl version 13.7 is also vuln to the > CVE-2019-9193. > The CVE states only In PostgreSQL 9.3 through 11.2. You might want to read https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/ depesz
PG Bug reporting form <noreply@postgresql.org> writes: > Just wanted to give an update, I'm not sure if it's mentioned anywhere on > the website. The PostgreSQl version 13.7 is also vuln to the > CVE-2019-9193. > The CVE states only In PostgreSQL 9.3 through 11.2. Please see https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/ That CVE is erroneous in full, and so the fact that it also misstates relevant versions is hardly surprising. regards, tom lane
On Monday, November 13, 2023, Tom Lane <tgl@sss.pgh.pa.us> wrote:
PG Bug reporting form <noreply@postgresql.org> writes:
> Just wanted to give an update, I'm not sure if it's mentioned anywhere on
> the website. The PostgreSQl version 13.7 is also vuln to the
> CVE-2019-9193.
> The CVE states only In PostgreSQL 9.3 through 11.2.
Please see
https://www.postgresql.org/about/news/cve-2019-9193-not- a-security-vulnerability-1935/
That CVE is erroneous in full, and so the fact that it also misstates
relevant versions is hardly surprising.
It’s hardly surprising because a CVE from 2019 (they make this fairly simple, the year is in the assigned number) would not be expected to list version 13 as that was not released at the time. Assuming 11.2 was indeed the most recent version released at the time the CVE was issued then indeed neither v12 nor v13 were relevant as v11 was only about 6 months old.
David J.