CVE-2022-2625
Good afternoon to everyone!
Tell me, is there a CVE-2022-2625 vulnerability in PostgreSQL 9.5? If so, who knows how to patch it? Patches from version 10 are not suitable at all...
On Wed, 2022-09-14 at 17:02 +0300, misha1966 misha1966 wrote:
Tell me, is there a CVE-2022-2625 vulnerability in PostgreSQL 9.5?
If so, who knows how to patch it? Patches from version 10 are not suitable at all...
Yes, that vulnerability exists in 9.5.
To patch that, you'd have to try and backpatch the commit to 9.5 yourself:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b9b21acc766db54d8c337d508d0fe2f5bf2daab0
Since 9.5 is out of support, there are no more bugfixes for it provided
by the community. If security were a real concern for you, you would
certainly not be running a PostgreSQL version that is out of support.
Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
All business processes are hooked on postgresql 9.5. There is no way to update.
Unfortunately, I don't have the proper qualifications to change it.
On Thursday, 15 September 2022, at 1:58 +09:00, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
Since 9.5 is out of support, there are no more bugfixes for it provided
by the community. If security were a real concern for you, you would
certainly not be running a PostgreSQL version that is out of support.
On Thu, 2022-09-15 at 07:24 +0300, misha1966 misha1966 wrote:
All business processes are hooked on postgresql 9.5. There is no way to update.
Unfortunately, I don't have the proper qualifications to change it.
So these "business processes" are more important than security at your site.
That's fine; everybody has to make their choices.
But remember that there are also known data-eating bugs lurking in your
outdated software.
Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
Software is only certified for 9.5? Hopefully you're running 9.5.25.
I feel your pain... we've got some databases that will stay at 9.6 for
another year.
On 9/14/22 23:24, misha1966 misha1966 wrote:
All business processes are hooked on postgresql 9.5. There is no way to update.
Unfortunately, I don't have the proper qualifications to change it.
--
Angular momentum makes the world go 'round.
All right :(
On Thursday, 15 September 2022, at 17:55 +09:00, Ron <ronljohnsonjr@gmail.com> wrote:
Software is only certified for 9.5? Hopefully you're running 9.5.25.
I feel your pain... we've got some databases that will stay at 9.6 for another year.
Is there a patch for 9.6?
On Thursday, 15 September 2022, at 17:55 +09:00, Ron <ronljohnsonjr@gmail.com> wrote:
I feel your pain... we've got some databases that will stay at 9.6 for another year.
On Thu, 15 Sept 2022 at 16:52, misha1966 misha1966 <mmisha1966@bk.ru> wrote:
Is there a patch for 9.6?
A quick Google search for "postgres CVE-2022-2625" gives you
https://www.postgresql.org/support/security/CVE-2022-2625/. And this page
tells you there's only a fix for releases 10 to 14. Moreover, fixes in 2022
won't have a patch for releases prior to v10.
--
Guillaume.
There are nine months of bug fixes.
On 9/15/22 09:52, misha1966 misha1966 wrote:
Is there a patch for 9.6?
--
Angular momentum makes the world go 'round.
misha1966 misha1966 <mmisha1966@bk.ru> writes:
Is there a patch for 9.6?
No; that's out of support too.
You might find that adapting the v10 patch back to 9.6, and
thence to 9.5, would be easier than trying to do it in one step.
I'm a little bemused by your fixation on this particular CVE,
though. As such things go, it's not a very big deal. It's only
of interest if you are routinely installing new extensions, *and*
those extensions' scripts contain insecure uses of CREATE OR
REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
instead. I would not have thought an institution that's so
frozen that it can't update to an in-support PG version would be
doing a lot of new extension installations.
In any case, the real thing you ought to be focusing on is whether
you are running back-ported patches for any of the *other* CVE-worthy
security bugs we've fixed since 9.5 went EOL. And how about the
data-corrupting bugs? Most longtime PG developers think data
corruption hazards are a good deal more important than a lot of
the stuff we assign CVEs to. Almost every CVE we've ever issued is
only relevant if you have hostile actors able to issue arbitrary SQL
in your database, in which case you're in a world of trouble anyway.
regards, tom lane
On 9/15/22 10:19, Tom Lane wrote:
misha1966 misha1966 <mmisha1966@bk.ru> writes:
Is there a patch for 9.6?
No; that's out of support too.
You might find that adapting the v10 patch back to 9.6, and
thence to 9.5, would be easier than trying to do it in one step.
I'm a little bemused by your fixation on this particular CVE,
though.
Some auditor might have issued a decree mandating all vulnerabilities
greater than 7.0 *must* be patched.
As such things go, it's not a very big deal. It's only
of interest if you are routinely installing new extensions, *and*
those extensions' scripts contain insecure uses of CREATE OR
REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
instead. I would not have thought an institution that's so
frozen that it can't update to an in-support PG version would be
doing a lot of new extension installations.
In any case, the real thing you ought to be focusing on is whether
you are running back-ported patches for any of the *other* CVE-worthy
security bugs we've fixed since 9.5 went EOL. And how about the
data-corrupting bugs?
As to why they're auditing EOL software... no one has ever considered
auditors or Upper Management to be rational or consistent.
--
Angular momentum makes the world go 'round.
On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
misha1966 misha1966 <mmisha1966@bk.ru> writes:
Is there a patch for 9.6?
No; that's out of support too.
I'm a little bemused by your fixation on this particular CVE,
though. As such things go, it's not a very big deal. It's only
of interest if you are routinely installing new extensions, *and*
those extensions' scripts contain insecure uses of CREATE OR
REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
instead. I would not have thought an institution that's so
frozen that it can't update to an in-support PG version would be
doing a lot of new extension installations.
A lot of times, requests like that come from a brainless kind of
institutionalized security: we have to install all software updates
that say "CVE". Never mind that username = password and
the application is running with a superuser.
Yours,
Laurenz Albe
Laurenz Albe <laurenz.albe@cybertec.at> writes:
On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
I'm a little bemused by your fixation on this particular CVE,
though. As such things go, it's not a very big deal.
A lot of times, requests like that come from a brainless kind of
institutionalized security: we have to install all software updates
that say "CVE". Never mind that username = password and
the application is running with a superuser.
Indeed :-(. But we've issued several CVEs since 9.5 went out
of support --- notably, I'd say CVE-2022-1552 from the previous
minor-release cycle is a good deal more dangerous than this one.
So, again, why worry about -2625 in particular?
I'm still wondering whether the OP's installation is even on
9.5.latest; if not, they've likely got even more serious things
to worry about. A quick troll through the 9.5.x release notes
finds a lot of bugs...
regards, tom lane
How can I check this vulnerability? Which SQL should I execute?
On Thursday, 15 September 2022, at 17:22 +09:00, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
So these "business processes" are more important than security at your site.
That's fine; everybody has to make their choices.
But remember that there are also known data-eating bugs lurking in your
outdated software.
On Mon, 2022-09-19 at 07:35 +0300, misha1966 misha1966 wrote:
How can I check this vulnerability? Which SQL should I execute?
Look at the commit message in the link above.
You create a database object (a function or view). Then you create an extension,
and in the SQL script you put "CREATE OR REPLACE ..." for that same object.
If PostgreSQL allows you to create the extension, you are vulnerable.
Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
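One concrete form of that check, added here as an example and not code from the thread or from the PostgreSQL project: probe_2625 and probe_2625_fn are invented names, the two files in step 1 have to be placed in the server's extension directory by hand, and the SQL is meant for a scratch database on a test server running the same minor release.

```sql
-- Probe for CVE-2022-2625 (added example; all names are invented placeholders).
--
-- Step 1, on the filesystem, as the OS user that owns the installation: put a
-- minimal extension into $(pg_config --sharedir)/extension/
--
--   probe_2625.control
--     comment = 'CVE-2022-2625 probe'
--     default_version = '1.0'
--     relocatable = true
--
--   probe_2625--1.0.sql
--     CREATE OR REPLACE FUNCTION probe_2625_fn() RETURNS text
--       LANGUAGE sql AS $f$ SELECT 'defined by the extension script' $f$;
--
-- Step 2, in psql as a superuser, in a scratch database:
BEGIN;

-- The pre-existing object from Laurenz's recipe: it belongs to no extension.
-- (Any role with CREATE on the schema could have left such an object behind.)
CREATE FUNCTION probe_2625_fn() RETURNS text
  LANGUAGE sql AS $f$ SELECT 'pre-existing, not an extension member' $f$;

-- Unpatched servers let the script's CREATE OR REPLACE take the object over;
-- servers carrying the fix from the commit Laurenz linked refuse, because the
-- function is not a member of the extension being created.
DO $$
BEGIN
  CREATE EXTENSION probe_2625;
  RAISE WARNING 'VULNERABLE: extension script replaced a pre-existing object; body now says "%"',
                probe_2625_fn();
EXCEPTION WHEN OTHERS THEN
  RAISE NOTICE 'not vulnerable: CREATE EXTENSION was refused: %', SQLERRM;
END
$$;

-- Cross-check: on a vulnerable server the function is now recorded as an
-- extension member (a pg_depend row with deptype 'e'); on a patched server
-- the query returns no rows, because the failed CREATE EXTENSION was undone.
SELECT e.extname, d.deptype
FROM pg_depend d
JOIN pg_proc p ON p.oid = d.objid AND d.classid = 'pg_proc'::regclass
JOIN pg_extension e ON e.oid = d.refobjid
WHERE p.proname = 'probe_2625_fn' AND d.deptype = 'e';

ROLLBACK;  -- leave nothing behind, whichever way the probe went
```

The WARNING/NOTICE line is the verdict; the catalog query only confirms it from pg_depend.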
Thank you all! Everything worked out!
CVE-2022-2625 contains a lot more than it seems...
On Friday, 16 September 2022, at 0:19 +09:00, Tom Lane <tgl@sss.pgh.pa.us> wrote:
You might find that adapting the v10 patch back to 9.6, and
thence to 9.5, would be easier than trying to do it in one step.