Re: Re[2]: CVE-2022-2625

From: Laurenz Albe
Subject: Re: Re[2]: CVE-2022-2625
Msg-id: 4a9318f774cec1052f76eb017eb87cf63c572c3c.camel@cybertec.at
In reply to: Re: Re[2]: CVE-2022-2625  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: Re[2]: CVE-2022-2625  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-general
On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
> misha1966 misha1966 <mmisha1966@bk.ru> writes:
> > Is there a patch for 9.6 ?
> 
> No; that's out of support too.
> 
> I'm a little bemused by your fixation on this particular CVE,
> though.  As such things go, it's not a very big deal.  It's only
> of interest if you are routinely installing new extensions, *and*
> those extensions' scripts contain insecure uses of CREATE OR
> REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
> instead.  I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be
> doing a lot of new extension installations.

A lot of times, requests like that come from a brainless kind of
institutionalized security: we have to install all software updates
that say "CVE".  Never mind that username = password and
the application is running with a superuser.

Yours,
Laurenz Albe
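The preconditions Tom Lane lists above (new extension installs whose scripts use CREATE OR REPLACE or CREATE ... IF NOT EXISTS) can be inventoried before deciding how urgent an update is. The script below is an added example, not code from this thread or from PostgreSQL; it assumes extension scripts live in the default location, $(pg_config --sharedir)/extension, and any other directory can be passed instead.

```shell
#!/bin/sh
# Added example: list the statement forms named in the thread as the
# precondition for CVE-2022-2625 exposure in extension install scripts.
# Assumption: scripts are under $(pg_config --sharedir)/extension (default layout).

# Print "file:line:statement" for every CREATE OR REPLACE or
# CREATE ... IF NOT EXISTS line in the *.sql files under $1.
# Lines that are SQL comments (leading "--") are dropped from the report.
list_replace_or_ifnotexists() {
    dir="$1"
    # -n adds line numbers, -i ignores case; /dev/null forces grep to
    # prefix the file name even when only one script matches the glob.
    grep -n -i -E \
        'CREATE[[:space:]]+OR[[:space:]]+REPLACE|CREATE[[:space:]][^;]*IF[[:space:]]+NOT[[:space:]]+EXISTS' \
        "$dir"/*.sql /dev/null 2>/dev/null \
      | grep -v -E '^[^:]*:[0-9]+:[[:space:]]*--'
}

# Number of reported lines under $1 (prints 0 when there are none).
count_replace_or_ifnotexists() {
    n=$(list_replace_or_ifnotexists "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Report for the given directory, or the default extension directory.
main() {
    extdir="${1:-$(pg_config --sharedir)/extension}"
    list_replace_or_ifnotexists "$extdir"
    echo "lines to review in $extdir: $(count_replace_or_ifnotexists "$extdir")"
}

# Run the report when executed directly; skip when no directory was given
# and pg_config is not available (e.g. when the functions are sourced).
if [ -n "$1" ] || command -v pg_config >/dev/null 2>&1; then
    main "$@"
fi
```

Each reported line still has to be read in context: the report only says which scripts use these statement forms, not whether a given use is actually unsafe.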
