Thread: CVE-2024-28849
All,
CVE-2024-28849 was found in Version 15.6 and 16.2 this week. Please refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849 for issues and corrections.
The Binaries .zip files were the files scanned and found with the vulnerability. There are no known workarounds for this vulnerability.
Thank You,
Robert
Robert P. Mathews
On 4/18/24 11:27 AM, Mathews, Rob wrote: > All, > > CVE-2024-28849 was found in Version 15.6 and 16.2 this week. Please > refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849 > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849> for > issues and corrections. > > The Binaries .zip files were the files scanned and found with the > vulnerability. There are no known workarounds for this vulnerability. PostgreSQL doesn't have any dependencies on node.js, let alone JavaScript. This CVE doesn't apply to PostgreSQL. If you are using a package to install PostgreSQL (as it sounds like you are), you'll need to reach out to the package maintainers. Jonathan
Attachment
RE: Postgres and Javascript > On Apr 18, 2024, at 10:25 AM, Jonathan S. Katz <jkatz@postgresql.org> wrote: > > On 4/18/24 11:27 AM, Mathews, Rob wrote: >> All, >> CVE-2024-28849 was found in Version 15.6 and 16.2 this week. Please refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849>for issues and corrections. >> The Binaries .zip files were the files scanned and found with the vulnerability. There are no known workarounds for thisvulnerability. > > PostgreSQL doesn't have any dependencies on node.js, let alone JavaScript. This CVE doesn't apply to PostgreSQL. PLV8 and PLJS also have no dependencies from node.js, and do not have this dependency specifically, so are also not affected,even though they implement a Javascript runtime.