Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

Started by Abraham, Danny, about 1 year ago. 7 messages, list: general
#1 Abraham, Danny
danny_abraham@bmc.com

Hi,

I have many customers using PG 15.3 happily, and I cannot just snap upgrade them all to 15.12.

I have tested a nasty trick of replacing PSQL, LIBPQ and several other DLLs so that I have a PG client 15.12 within the folders of Server 15.3.

All working just fine.

I plan to ship it as a patch - but would like to hear your opinion on this "merge".

(Of course, the next version will use PG 17.4, so this is just an SOS action).

Thanks

Danny
BMC Software

Directory of C:\Users\dbauser\Desktop\15.12

02/20/2025  11:48 AM         4,696,576 libcrypto-3-x64.dll
02/20/2025  11:48 AM         1,850,401 libiconv-2.dll
02/20/2025  11:48 AM           475,769 libintl-9.dll
02/20/2025  11:48 AM           323,584 libpq.dll
02/20/2025  11:48 AM           779,776 libssl-3-x64.dll
02/20/2025  11:48 AM            52,736 libwinpthread-1.dll
02/20/2025  11:48 AM           604,160 psql.exe

==
C:\Program Files\BMC Software\Control-M Server\pgsql\bin>postgres -V
postgres (PostgreSQL) 15.3

C:\Program Files\BMC Software\Control-M Server\pgsql\bin>psql -V
psql (PostgreSQL) 15.12
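Added example, not code from the thread or from PostgreSQL: a small fleet audit that parses `postgres -V` / `psql -V` output and flags hosts whose server is below a target minor release or whose client and server binaries in one installation disagree, which is exactly the mixed state the two `-V` lines above show. The hostnames and the target-minor table are assumptions taken from the versions named in the thread.

```python
import re

# Minimum minor release per major, taken from the versions named in the
# thread (15.12 is what the replaced client binaries came from, 17.4 is the
# planned next release). Point this at the release that fixes the CVE you track.
TARGET_MINOR = {15: 12, 17: 4}

# Matches the "(PostgreSQL) 15.3" part of `postgres -V` / `psql -V` output.
_VERSION_RE = re.compile(r"\(PostgreSQL\)\s+(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor) from a `postgres -V` or `psql -V` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def audit_host(host, server_banner, client_banner):
    """Return [(code, detail), ...] for one host; an empty list means clean."""
    s_major, s_minor = parse_version(server_banner)
    c_major, c_minor = parse_version(client_banner)
    findings = []
    target = TARGET_MINOR.get(s_major)
    if target is None:
        findings.append(("UNKNOWN_MAJOR", f"{host}: no target minor for {s_major}.x"))
    elif s_minor < target:
        findings.append(("SERVER_BELOW_TARGET",
                         f"{host}: server {s_major}.{s_minor} < {s_major}.{target}"))
    # Client and server binaries in one install directory should carry the same
    # version; a skew means only the client was swapped, as in the thread.
    if (c_major, c_minor) != (s_major, s_minor):
        findings.append(("CLIENT_SERVER_SKEW",
                         f"{host}: psql {c_major}.{c_minor} vs server {s_major}.{s_minor}"))
    return findings


# Constructed sample: hostnames are hypothetical, banners are the thread's own
# `-V` output plus an untouched, a fully patched and a 17.4 host for contrast.
SAMPLE_HOSTS = [
    ("ctm-win-01", "postgres (PostgreSQL) 15.3", "psql (PostgreSQL) 15.12"),
    ("ctm-lnx-02", "postgres (PostgreSQL) 15.3", "psql (PostgreSQL) 15.3"),
    ("ctm-lnx-03", "postgres (PostgreSQL) 15.12", "psql (PostgreSQL) 15.12"),
    ("ctm-lnx-04", "postgres (PostgreSQL) 17.4", "psql (PostgreSQL) 17.4"),
]


def audit_fleet(hosts=SAMPLE_HOSTS):
    """Map each host name to its findings; feed it real `-V` output per host."""
    return {host: audit_host(host, srv, cli) for host, srv, cli in hosts}
```

On the sample, the Windows host from the thread gets both findings, the untouched 15.3 host only the server finding, and the two fully patched hosts come back clean.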

#2 Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Abraham, Danny (#1)
Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

[redirecting to pgsql-general]

On Thu, 2025-03-06 at 07:39 +0000, Abraham, Danny wrote:

> I have many customers using PG 15.3 happily, and I cannot just snap upgrade them all to 15.12.

Why do you think you cannot do that?
In the long run, you'll be sorry if you don't.
It is just a matter of replacing the software and restarting the database server.

> I have tested a nasty trick of replacing PSQL, LIBPQ and several other DLLs so that
> I have a PG client 15.12 within the folders of Server 15.3.
>
> All working just fine.
>
> I plan to ship it as a patch - but would like to hear your opinion on this "merge".
>
> (Of course, the next version will use PG 17.4, so this is just an SOS action).
>
> Directory of C:\Users\dbauser\Desktop\15.12
>
> 02/20/2025  11:48 AM         4,696,576 libcrypto-3-x64.dll
> 02/20/2025  11:48 AM         1,850,401 libiconv-2.dll
> 02/20/2025  11:48 AM           475,769 libintl-9.dll
> 02/20/2025  11:48 AM           323,584 libpq.dll
> 02/20/2025  11:48 AM           779,776 libssl-3-x64.dll
> 02/20/2025  11:48 AM            52,736 libwinpthread-1.dll
> 02/20/2025  11:48 AM           604,160 psql.exe
>
> ==
> C:\Program Files\BMC Software\Control-M Server\pgsql\bin>postgres -V
> postgres (PostgreSQL) 15.3
>
> C:\Program Files\BMC Software\Control-M Server\pgsql\bin>psql -V
> psql (PostgreSQL) 15.12

There is nothing fundamentally evil about upgrading the client.

But what is the point? Why are you worried about client bugs more than
about server bugs? The latter are much more likely to eat your data.

But then, if you are using Windows, perhaps you don't care a lot about
your data...

Yours,
Laurenz Albe

#3 Ron
ronljohnsonjr@gmail.com
In reply to: Laurenz Albe (#2)
Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

On Thu, Mar 6, 2025 at 3:12 AM Laurenz Albe <laurenz.albe@cybertec.at>
wrote:

> [redirecting to pgsql-general]
>
> On Thu, 2025-03-06 at 07:39 +0000, Abraham, Danny wrote:
> > I have many customers using PG 15.3 happily, and I cannot just snap
> > upgrade them all to 15.12.
>
> Why do you think you cannot do that?
> In the long run, you'll be sorry if you don't.
> It is just a matter of replacing the software and restarting the database
> server.

It really is that simple. On Linux, at least, it takes me less than two
minutes to:
1. Pause streaming replication between 2 nodes.
2. Stop PG on both nodes.
3. Install the new software.
4. Start PG on both nodes.
5. Resume streaming replication.

That's using PowerShell to do everything; a noticeable part of that 110
seconds is the ssh overhead of logging in and out of servers over our
network, and even more is taken up by me scanning for errors between each
step, and then pasting the next set of commands.

If all your database servers are Windows, then the PS to stop, install and
start on a remote node *should* be even faster (especially if you don't
have replication).

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

#4 Abraham, Danny
danny_abraham@bmc.com
In reply to: Laurenz Albe (#2)
Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

Explanation.
We have hundreds of PG servers (mainly Linux).
App is 7×24.
We think that patching the server to 15.12 will cost about 30 times more compared to patching the PG client (mainly QA effort).
The app is working fine using [libpq, psql] on both Linux as well as Windows.
Would love to hear your opinion.
Thanks
Danny

Sent from Workspace ONE Boxer

On Mar 6, 2025 10:11, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
> [redirecting to pgsql-general]
>
> On Thu, 2025-03-06 at 07:39 +0000, Abraham, Danny wrote:
> > I have many customers using PG 15.3 happily, and I cannot just snap upgrade them all to 15.12.
>
> Why do you think you cannot do that?
> In the long run, you'll be sorry if you don't.
> It is just a matter of replacing the software and restarting the database server.
>
> > I have tested a nasty trick of replacing PSQL, LIBPQ and several other DLLs so that
> > I have a PG client 15.12 within the folders of Server 15.3.
> >
> > All working just fine.
> >
> > I plan to ship it as a patch - but would like to hear your opinion on this "merge".
> >
> > (Of course, the next version will use PG 17.4, so this is just an SOS action).
> >
> > Directory of C:\Users\dbauser\Desktop\15.12
> >
> > 02/20/2025  11:48 AM         4,696,576 libcrypto-3-x64.dll
> > 02/20/2025  11:48 AM         1,850,401 libiconv-2.dll
> > 02/20/2025  11:48 AM           475,769 libintl-9.dll
> > 02/20/2025  11:48 AM           323,584 libpq.dll
> > 02/20/2025  11:48 AM           779,776 libssl-3-x64.dll
> > 02/20/2025  11:48 AM            52,736 libwinpthread-1.dll
> > 02/20/2025  11:48 AM           604,160 psql.exe
> >
> > ==
> > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>postgres -V
> > postgres (PostgreSQL) 15.3
> >
> > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>psql -V
> > psql (PostgreSQL) 15.12
>
> There is nothing fundamentally evil about upgrading the client.
>
> But what is the point? Why are you worried about client bugs more than
> about server bugs? The latter are much more likely to eat your data.
>
> But then, if you are using Windows, perhaps you don't care a lot about
> your data...
>
> Yours,
> Laurenz Albe

#5 Ron
ronljohnsonjr@gmail.com
In reply to: Abraham, Danny (#4)
Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

Since it's a 24x7 app, you have database replication, virtual IPs and a
fail-over manager in case a server crashes?

Anyway, read through the PG 15 release notes. If none really affect you,
then stay on 15.3. You're certain to miss *something*, though, or not
understand the ramifications. And besides, there are always security
patches in them.

On Thu, Mar 6, 2025 at 4:33 AM Abraham, Danny <danny_abraham@bmc.com> wrote:

> Explanation.
> We have hundreds of PG servers (mainly Linux).
> App is 7×24.
> We think that patching the server to 15.12 will cost about 30 times more
> compared to patching the PG client (mainly QA effort).
> The app is working fine using [libpq, psql] on both Linux as well as Windows.
> Would love to hear your opinion.
> Thanks
> Danny
>
> Sent from Workspace ONE Boxer
>
> On Mar 6, 2025 10:11, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
> > [redirecting to pgsql-general]
> >
> > On Thu, 2025-03-06 at 07:39 +0000, Abraham, Danny wrote:
> > > I have many customers using PG 15.3 happily, and I cannot just snap
> > > upgrade them all to 15.12.
> >
> > Why do you think you cannot do that?
> > In the long run, you'll be sorry if you don't.
> > It is just a matter of replacing the software and restarting the database
> > server.
> >
> > > I have tested a nasty trick of replacing PSQL, LIBPQ and several other
> > > DLLs so that
> > > I have a PG client 15.12 within the folders of Server 15.3.
> > >
> > > All working just fine.
> > >
> > > I plan to ship it as a patch - but would like to hear your opinion on
> > > this "merge".
> > >
> > > (Of course, the next version will use PG 17.4, so this is just an SOS
> > > action).
> > >
> > > Directory of C:\Users\dbauser\Desktop\15.12
> > >
> > > 02/20/2025  11:48 AM         4,696,576 libcrypto-3-x64.dll
> > > 02/20/2025  11:48 AM         1,850,401 libiconv-2.dll
> > > 02/20/2025  11:48 AM           475,769 libintl-9.dll
> > > 02/20/2025  11:48 AM           323,584 libpq.dll
> > > 02/20/2025  11:48 AM           779,776 libssl-3-x64.dll
> > > 02/20/2025  11:48 AM            52,736 libwinpthread-1.dll
> > > 02/20/2025  11:48 AM           604,160 psql.exe
> > >
> > > ==
> > > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>postgres -V
> > > postgres (PostgreSQL) 15.3
> > >
> > > C:\Program Files\BMC Software\Control-M Server\pgsql\bin>psql -V
> > > psql (PostgreSQL) 15.12
> >
> > There is nothing fundamentally evil about upgrading the client.
> >
> > But what is the point? Why are you worried about client bugs more than
> > about server bugs? The latter are much more likely to eat your data.
> >
> > But then, if you are using Windows, perhaps you don't care a lot about
> > your data...
> >
> > Yours,
> > Laurenz Albe

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

#6 Laurenz Albe
laurenz.albe@cybertec.at
In reply to: Abraham, Danny (#4)
Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

On Thu, 2025-03-06 at 09:33 +0000, Abraham, Danny wrote:

> We have hundreds of PG servers (mainly Linux).
> App is 7×24.
> We think that patching the server to 15.12 will cost about 30 times
> more compared to patching the PG client (mainly QA effort).

I don't think so. Don't do any QA when installing a PostgreSQL patch
(just roll it out on the test systems first to see if your installation
procedure works).

Down time because of data corruption will cost *way* more than patching.

Yours,
Laurenz Albe

#7 Greg Sabino Mullane
greg@turnstep.com
In reply to: Abraham, Danny (#4)
Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

CVE-2025-1094 has a narrow blast radius. If you are not directly affected,
I would focus your efforts on getting to 17. But the lack of an existing
process to smoothly upgrade minor revisions is worrying and something that
needs to get addressed as well.

Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support