Re: Re[4]: CVE-2022-2625

From: Laurenz Albe
Subject: Re: Re[4]: CVE-2022-2625
Msg-id: f7ce9c649a601e124ddd87119b9000418c33796b.camel@cybertec.at
In reply to: Re[4]: CVE-2022-2625  (misha1966 misha1966 <mmisha1966@bk.ru>)
List: pgsql-general
On Mon, 2022-09-19 at 07:35 +0300, misha1966 misha1966 wrote:
> > Thursday, 15 September 2022, 17:22 +09:00 from Laurenz Albe <laurenz.albe@cybertec.at>:
> >  
> > On Thu, 2022-09-15 at 07:24 +0300, misha1966 misha1966 wrote:
> > > > Thursday, 15 September 2022, 1:58 +09:00 from Laurenz Albe <laurenz.albe@cybertec.at>:
> > > >  
> > > > On Wed, 2022-09-14 at 17:02 +0300, misha1966 misha1966 wrote:
> > > > > Tell me, is there a CVE-2022-2625 vulnerability in postgresql 9.5?
> > > > > If so, who knows how to patch it? Patches from version 10 are not suitable at all...
> > > > 
> > > > Yes, that vulnerability exists in 9.5.
> > > > 
> > > > To patch that, you'd have to try and backpatch the commit to 9.5 yourself:
> > > > https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b9b21acc766db54d8c337d508d0fe2f5bf2daab0
> > > > 
> > > > Since 9.5 is out of support, there are no more bugfixes for it provided
> > > > by the community. If security were a real concern for you, you would
> > > > certainly not be running a PostgreSQL version that is out of support.
> > > 
> > > All business processes are hooked on postgresql 9.5. There is no way to update.
> > > Unfortunately, I don't have the proper qualifications to change it.
> > 
> > So these "business processes" are more important than security at your site.
> > That's fine; everybody has to make their choices.
> > But remember that there are also known data-eating bugs lurking in your
> > outdated software.
>
> How can I check this vulnerability? Which SQL to execute?

Look at the commit message in the link above.

You create a database object (a function or view).  Then you create an extension,
and in the SQL script you put "CREATE OR REPLACE ..." for that same object.

If PostgreSQL allows you to create the extension, you are vulnerable.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
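
The check described in the message above, written out as an added example that is not part of the original post. The extension name `cve_check`, the function `cve_check_probe` and the exit codes are invented for illustration; it assumes a disposable test instance, a superuser connection, `psql` and `pg_config` on the PATH, and write access to the server's extension directory.

```shell
#!/bin/sh
# Added example: the extension name, function name and exit codes are invented.
# Run only against a disposable test instance, as a superuser.
EXT=cve_check

# Write a minimal extension (control file + install script) into directory $1.
# The install script uses CREATE OR REPLACE on a function the extension does not own.
write_probe_extension() {
    dir=$1
    cat > "$dir/$EXT.control" <<'EOF'
comment = 'test extension for checking CVE-2022-2625'
default_version = '1.0'
relocatable = false
EOF
    cat > "$dir/$EXT--1.0.sql" <<'EOF'
CREATE OR REPLACE FUNCTION cve_check_probe() RETURNS integer
    LANGUAGE sql AS 'SELECT 1';
EOF
}

# Run the check in database $1. Returns 0 if CREATE EXTENSION is refused,
# 1 if it succeeds (vulnerable), 2 if the pre-existing function could not be made.
run_probe() {
    db=$1
    psql -X -q -d "$db" -c \
        "CREATE FUNCTION cve_check_probe() RETURNS integer LANGUAGE sql AS 'SELECT 2'" \
        || return 2
    # stderr is left visible: a missing control file also fails, so read the error.
    if psql -X -q -d "$db" -c "CREATE EXTENSION $EXT"; then
        echo "CREATE EXTENSION succeeded: vulnerable"; verdict=1
    else
        echo "CREATE EXTENSION refused: see the error above"; verdict=0
    fi
    # Clean up both objects whichever way the check went.
    psql -X -q -d "$db" -c \
        "DROP EXTENSION IF EXISTS $EXT; DROP FUNCTION IF EXISTS cve_check_probe()" \
        >/dev/null 2>&1
    return "$verdict"
}

# Usage: sh probe.sh --run <database>
if [ "${1:-}" = "--run" ]; then
    write_probe_extension "$(pg_config --sharedir)/extension" && run_probe "$2"
fi
```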


