Thread: BUG #18696: Compatibility Query for Updating zlib1.dll in PostgreSQL 10.2 to Address Security Vulnerabilities
BUG #18696: Compatibility Query for Updating zlib1.dll in PostgreSQL 10.2 to Address Security Vulnerabilities
From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference: 18696
Logged by: Minaketan Sabar
Email address: minaketan.sabar@gmail.com
PostgreSQL version: Unsupported/Unknown
Operating system: Windows Server 2019 Standard
Description:

Hello Team,

I’d like to share the details of an issue and seek guidance:

Issue/Query: To address the security vulnerabilities “CVE-2022-37434, CVE-2023-45853,” we are planning to replace the zlib1.dll (currently version 1.2.8, default in PostgreSQL 10.2) with the latest zlib1.dll version 1.3.1. This version is included in PostgreSQL 16, and we intend to update by copying the file from the PostgreSQL 16 installation (PostgreSQL\16\bin folder). Since the latest version of zlib1.dll (1.3.1) isn’t available for download as a standalone file, we are considering this approach.

I would appreciate your input on the following points:

1. Is zlib1.dll version 1.3.1 compatible with PostgreSQL 10.2, given that it’s a newer version?
2. If we obtain zlib1.dll from PostgreSQL 16.0 and replace the current file in PostgreSQL 10.2, will it work seamlessly without introducing any issues?
3. Is there a URL or source where we could download the zlib1.dll 1.3.1 directly, rather than compiling from source?

Your insights on this would be immensely helpful. Thank you in advance!

Best regards,
Ketan
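The plan above depends on knowing exactly which zlib1.dll each PostgreSQL install on the host carries. The PowerShell script below is an added example, not code from this thread or from the PostgreSQL project: it inventories every `bin\zlib1.dll` under the install root, reports the file version from the PE version resource, the PE bitness (a DLL of the wrong bitness will not load regardless of its version), size, timestamp and SHA-256, and warns about copies that report a version below the 1.3.1 the reporter is aiming for. It assumes the EDB installer layout `C:\Program Files\PostgreSQL\<major>\bin`; the function names `Get-PeMachine` and `Get-ZlibInventory` and the `$installRoot` variable are the example's own.

```powershell
# Added example (not from the thread): inventory every zlib1.dll shipped in
# the PostgreSQL installs on this host and report the facts that matter when
# deciding whether one copy can stand in for another: version, bitness, hash.
# Assumption: installs live under C:\Program Files\PostgreSQL\<major>\bin
# (EDB installer layout); adjust $installRoot for other layouts.
$installRoot = 'C:\Program Files\PostgreSQL'

function Get-PeMachine {
    # Read IMAGE_FILE_HEADER.Machine from a PE file without external tools.
    # e_lfanew (offset of the "PE\0\0" signature) is at DOS-header offset 0x3C;
    # Machine is the 2-byte field immediately after the 4-byte signature.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'not-PE' }
    $peOffset = [BitConverter]::ToUInt32($bytes, 0x3C)
    if (($peOffset + 6) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return 'not-PE' }
    switch ([BitConverter]::ToUInt16($bytes, $peOffset + 4)) {
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        0xAA64  { 'arm64' }
        default { 'unknown-0x{0:X4}' -f $_ }
    }
}

function Get-ZlibInventory {
    # One record per PostgreSQL major directory that contains bin\zlib1.dll.
    param([string]$Root = $installRoot)
    Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = Join-Path $_.FullName 'bin\zlib1.dll'
        if (Test-Path -LiteralPath $dll) {
            $item = Get-Item -LiteralPath $dll
            $vi   = $item.VersionInfo
            [pscustomobject]@{
                PgMajor      = $_.Name
                FileVersion  = $vi.FileVersion
                # Numeric fields of the fixed version info; robust against
                # differently formatted FileVersion strings ("1.2.8" vs "1, 2, 8, 0").
                FixedVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)
                Machine      = Get-PeMachine -Path $dll
                SizeBytes    = $item.Length
                LastWrite    = $item.LastWriteTime
                Sha256       = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
                Path         = $dll
            }
        }
    }
}

$inventory = Get-ZlibInventory
$inventory | Format-Table PgMajor, FixedVersion, Machine, SizeBytes, LastWrite, Sha256 -AutoSize

# Warn about any copy older than the 1.3.1 target the reporter names, and
# about bitness mismatches between installs, since a candidate DLL must
# match the bitness of the postgres.exe that will load it.
$target = [version]'1.3.1'
foreach ($rec in $inventory) {
    if ($rec.FixedVersion -lt $target) {
        Write-Warning ('PostgreSQL {0}: zlib1.dll {1} ({2}) is older than {3}' -f
            $rec.PgMajor, $rec.FixedVersion, $rec.Machine, $target)
    }
}
$machines = $inventory | Select-Object -ExpandProperty Machine -Unique
if ($machines.Count -gt 1) {
    Write-Warning ('Mixed bitness across installs: {0}' -f ($machines -join ', '))
}
```

Run it from an elevated PowerShell on the server before touching anything; the SHA-256 column also tells you afterwards whether a copied file really is byte-identical to the one in the PostgreSQL 16 `bin` folder, and the bitness column rules out the one compatibility failure that no version string reveals.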
Re: BUG #18696: Compatibility Query for Updating zlib1.dll in PostgreSQL 10.2 to Address Security Vulnerabilities
From
Bruce Momjian
Date:
On Thu, Nov 7, 2024 at 10:02:01AM +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 18696
> Logged by: Minaketan Sabar
> Email address: minaketan.sabar@gmail.com
> PostgreSQL version: Unsupported/Unknown
> Operating system: Windows Server 2019 Standard
> Description:
>
> Hello Team,
>
> I’d like to share the details of an issue and seek guidance:
>
> Issue/Query: To address the security vulnerabilities “CVE-2022-37434,
> CVE-2023-45853,” we are planning to replace the zlib1.dll (currently version
> 1.2.8, default in PostgreSQL 10.2) with the latest zlib1.dll version 1.3.1.
> This version is included in PostgreSQL 16, and we intend to update by
> copying the file from the PostgreSQL 16 installation (PostgreSQL\16\bin
> folder).

You are running an unsupported version of Postgres, so I think zlib is only a minor security issue compared to running PG 10.X --- and you didn't even upgrade to the later minor versions of PG 10.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

When a patient asks the doctor, "Am I going to die?", he means "Am I going to die soon?"
Re: BUG #18696: Compatibility Query for Updating zlib1.dll in PostgreSQL 10.2 to Address Security Vulnerabilities
From
Bruce Momjian
Date:
On Mon, Nov 18, 2024 at 10:47:39PM -0500, Bruce Momjian wrote:
> On Thu, Nov 7, 2024 at 10:02:01AM +0000, PG Bug reporting form wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 18696
> > Logged by: Minaketan Sabar
> > Email address: minaketan.sabar@gmail.com
> > PostgreSQL version: Unsupported/Unknown
> > Operating system: Windows Server 2019 Standard
> > Description:
> >
> > Hello Team,
> >
> > I’d like to share the details of an issue and seek guidance:
> >
> > Issue/Query: To address the security vulnerabilities “CVE-2022-37434,
> > CVE-2023-45853,” we are planning to replace the zlib1.dll (currently version
> > 1.2.8, default in PostgreSQL 10.2) with the latest zlib1.dll version 1.3.1.
> > This version is included in PostgreSQL 16, and we intend to update by
> > copying the file from the PostgreSQL 16 installation (PostgreSQL\16\bin
> > folder).
>
> You are running an unsupported version of Postgres, so I think zlib is
> only a minor security issue compared to running PG 10.X --- and you
> didn't even upgrade to the later minor versions of PG 10.

Sorry, I should have also referenced this:

https://www.postgresql.org/support/versioning/

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

When a patient asks the doctor, "Am I going to die?", he means "Am I going to die soon?"