Thread: Clarification on CVE-2024-10979 and PostgreSQL Upgrade Necessity Without PL/Perl Usage

On 11/20/24 00:54, Subhash Udata wrote:
> Dear PostgreSQL Community,
> 
> I have a query related to the recent security vulnerability, 
> *CVE-2024-10979*, concerning the PL/Perl extension.
> 
>  From the advisory, it appears the vulnerability impacts systems 
> utilizing the PL/Perl extension. My question is:
> 
>   * If we do not use the PL/Perl extension in our PostgreSQL instance,
>     is it still necessary to upgrade to the patched version of
>     PostgreSQL? Or can we safely continue using our current version
>     without concern?

Yes you should upgrade.

See the rest of the issues fixed:

https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/

It has further CVE's.

Though I would wait until the out-of cycle release that lands 
tomorrow(2024-11-21) is out, see:

https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-november-21-2024-2958/

As it fixes some regressions in the previous release.


> 
> We would like to understand whether this vulnerability has any 
> implications for environments where the PL/Perl extension is not 
> installed or used.
> 
> Thank you so much for your guidance on this.
> 
> Best regards,
> 
> Subhash Udata
> 

-- 
Adrian Klaver
adrian.klaver@aklaver.com