Which PG versions does CVE-2021-20229 affect?
Hi, all
Recently, I retrieved CVE-2021-20229 on the NVD website, which describes
the affected PG versions as "before 13.2, before 12.6, before 11.11, before
10.16, before 9.6.21 and before 9.5.25", but when I look at the official PG
website and at the git commit log, I find that only version 13 is affected. So I
am confused.
Best regards
NVD link:
https://nvd.nist.gov/vuln/detail/CVE-2021-20229#vulnCurrentDescriptionTitle
--
Sent from: https://www.postgresql-archive.org/PostgreSQL-hackers-f1928748.html
On Fri, Mar 05, 2021 at 12:32:43AM -0700, bchen90 wrote:
> NVD link:
> https://nvd.nist.gov/vuln/detail/CVE-2021-20229#vulnCurrentDescriptionTitle
This link includes incorrect information. CVE-2021-20229 is only a
problem in 13.0 and 13.1, fixed in 13.2. Please see for example here:
https://www.postgresql.org/support/security/
The commit that fixed the issue is c028faf, mentioning 9ce77d7 as the
origin point, a commit introduced in Postgres 13.
--
Michael
Michael Paquier schrieb am 05.03.2021 um 08:38:
> On Fri, Mar 05, 2021 at 12:32:43AM -0700, bchen90 wrote:
>> NVD link:
>> https://nvd.nist.gov/vuln/detail/CVE-2021-20229#vulnCurrentDescriptionTitle
> This link includes incorrect information. CVE-2021-20229 is only a
> problem in 13.0 and 13.1, fixed in 13.2. Please see for example here:
> https://www.postgresql.org/support/security/
> The commit that fixed the issue is c028faf, mentioning 9ce77d7 as the
> origin point, a commit introduced in Postgres 13.
I think the information is correct as it says "Up to (excluding) 13.2"
I understand the "(excluding)" part, such that the "excluded" version
is _not_ affected by it.
But it's really a confusing way to present that kind of information.
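The "Up to (excluding) 13.2" wording discussed above is NVD's rendering of a version range with an exclusive upper bound. As an added example (not part of this thread or of the PostgreSQL project), the Python below evaluates a PostgreSQL version against two sets of ranges: a constructed stand-in for the NVD record as bchen90 paraphrased it (one range per back branch; the per-branch lower bounds are assumed here, since the page does not show NVD's exact cpeMatch data) and the corrected range from this thread (13.0 and 13.1 only, fixed in 13.2). The version parser is an assumption too: it handles the pre-10 major.major.minor scheme (9.6.21) and the 10+ major.minor scheme (13.2) so the two can be compared.

```python
"""Check a PostgreSQL version against NVD-style version ranges.

Constructed example: the range data below is hand-written in the shape of
NVD's cpeMatch fields (versionStartIncluding / versionEndExcluding), not a
download from NVD.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '9.6.21' or '13.2' into a comparable tuple of ints.

    PostgreSQL numbering changed at release 10: earlier releases are
    major.major.minor (9.6.21), later ones major.minor (13.2). Padding to
    three components keeps tuple comparison consistent across both schemes.
    Non-numeric release strings (e.g. '13beta2') raise ValueError on purpose.
    """
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class VersionRange:
    start_including: Optional[str]  # None: no lower bound
    end_excluding: str              # NVD's "Up to (excluding) X"

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.start_including is not None and v < parse_version(self.start_including):
            return False
        # "(excluding)": the upper bound itself is NOT affected
        return v < parse_version(self.end_excluding)


# Constructed stand-in for the NVD entry as paraphrased in the thread
# ("before 13.2, before 12.6, ... before 9.5.25"); lower bounds are assumed.
NVD_AS_LISTED: List[VersionRange] = [
    VersionRange("13.0", "13.2"),
    VersionRange("12.0", "12.6"),
    VersionRange("11.0", "11.11"),
    VersionRange("10.0", "10.16"),
    VersionRange("9.6.0", "9.6.21"),
    VersionRange("9.5.0", "9.5.25"),
]

# What the thread states is actually affected: 13.0 and 13.1, fixed in 13.2.
CORRECTED: List[VersionRange] = [VersionRange("13.0", "13.2")]


def is_affected(version: str, ranges: List[VersionRange]) -> bool:
    """True if the version falls inside any of the given ranges."""
    return any(r.contains(version) for r in ranges)


def disagreements(versions: List[str],
                  source_a: List[VersionRange],
                  source_b: List[VersionRange]) -> List[str]:
    """Versions on which two advisory sources give different answers.

    Useful before acting on a feed: a non-empty result means the sources
    should be reconciled (here, against the vendor's own security page).
    """
    return [v for v in versions
            if is_affected(v, source_a) != is_affected(v, source_b)]


if __name__ == "__main__":
    deployed = ["9.6.20", "12.5", "13.1", "13.2"]
    for v in deployed:
        print(f"{v:>7}: NVD-as-listed={is_affected(v, NVD_AS_LISTED)!s:5} "
              f"corrected={is_affected(v, CORRECTED)}")
    print("sources disagree on:", disagreements(deployed, NVD_AS_LISTED, CORRECTED))
```

Note that 13.2 is reported as not affected by both sets, which is exactly the "(excluding)" semantics Thomas describes, while a 12.x or 9.6.x instance is flagged only by the (incorrect) NVD-shaped data.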
On Fri, Mar 05, 2021 at 04:38:17PM +0900, Michael Paquier wrote:
> On Fri, Mar 05, 2021 at 12:32:43AM -0700, bchen90 wrote:
>> NVD link:
>> https://nvd.nist.gov/vuln/detail/CVE-2021-20229#vulnCurrentDescriptionTitle
> This link includes incorrect information. CVE-2021-20229 is only a
> problem in 13.0 and 13.1, fixed in 13.2. Please see for example here:
> https://www.postgresql.org/support/security/
Probably because the referenced Red Hat bugzilla bug claims it's
affecting all back branches and they scrape that info from there:
https://bugzilla.redhat.com/show_bug.cgi?id=1925296
Michael
--
Michael Banck
Projektleiter / Senior Berater
Tel.: +49 2166 9901-171
Fax: +49 2166 9901-100
Email: michael.banck@credativ.de
credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Unser Umgang mit personenbezogenen Daten unterliegt
folgenden Bestimmungen: https://www.credativ.de/datenschutz
Michael Banck <michael.banck@credativ.de> writes:
> On Fri, Mar 05, 2021 at 04:38:17PM +0900, Michael Paquier wrote:
>> This link includes incorrect information. CVE-2021-20229 is only a
>> problem in 13.0 and 13.1, fixed in 13.2. Please see for example here:
>> https://www.postgresql.org/support/security/
> Probably because the referenced Red Hat bugzilla bug claims it's
> affecting all back branches and they scrape that info from there:
Indeed. Must have been some internal miscommunication in Red Hat,
because we certainly gave them the right info when we filed for the
CVE number. I've commented on that BZ entry, hopefully that'll be
enough to get them to update things.
regards, tom lane