BUG #18193: CVE-2019-9193

Started by PG Bug reporting form, over 2 years ago, 4 messages, list: bugs
#1PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 18193
Logged by: Sumanth Vankineni
Email address: sumanth.vankineni@gmail.com
PostgreSQL version: 13.7
Operating system: Linux
Description:

Just wanted to give an update, I'm not sure if it's mentioned anywhere on
the website. The PostgreSQL version 13.7 is also vulnerable to
CVE-2019-9193.
The CVE states only "In PostgreSQL 9.3 through 11.2".

#2 depesz
In reply to: PG Bug reporting form (#1)
Re: BUG #18193: CVE-2019-9193

On Mon, Nov 13, 2023 at 06:30:43AM +0000, PG Bug reporting form wrote:

> The following bug has been logged on the website:
>
> Bug reference: 18193
> Logged by: Sumanth Vankineni
> Email address: sumanth.vankineni@gmail.com
> PostgreSQL version: 13.7
> Operating system: Linux
> Description:
>
> Just wanted to give an update, I'm not sure if it's mentioned anywhere on
> the website. The PostgreSQL version 13.7 is also vulnerable to
> CVE-2019-9193.
> The CVE states only "In PostgreSQL 9.3 through 11.2".

You might want to read
https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

depesz

#3Tom Lane
tgl@sss.pgh.pa.us
In reply to: PG Bug reporting form (#1)
Re: BUG #18193: CVE-2019-9193

PG Bug reporting form <noreply@postgresql.org> writes:

> Just wanted to give an update, I'm not sure if it's mentioned anywhere on
> the website. The PostgreSQL version 13.7 is also vulnerable to
> CVE-2019-9193.
> The CVE states only "In PostgreSQL 9.3 through 11.2".

Please see

https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

That CVE is erroneous in full, and so the fact that it also misstates
relevant versions is hardly surprising.

regards, tom lane

#4David G. Johnston
david.g.johnston@gmail.com
In reply to: Tom Lane (#3)
Re: BUG #18193: CVE-2019-9193

On Monday, November 13, 2023, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> PG Bug reporting form <noreply@postgresql.org> writes:
>
>> Just wanted to give an update, I'm not sure if it's mentioned anywhere on
>> the website. The PostgreSQL version 13.7 is also vulnerable to
>> CVE-2019-9193.
>> The CVE states only "In PostgreSQL 9.3 through 11.2".
>
> Please see
>
> https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
>
> That CVE is erroneous in full, and so the fact that it also misstates
> relevant versions is hardly surprising.

It’s hardly surprising because a CVE from 2019 (they make this fairly
simple, the year is in the assigned number) would not be expected to list
version 13 as that was not released at the time. Assuming 11.2 was indeed
the most recent version released at the time the CVE was issued then indeed
neither v12 nor v13 were relevant as v11 was only about 6 months old.

David J.
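The thread never spells out what CVE-2019-9193 describes: it is the documented COPY ... TO/FROM PROGRAM feature, which PostgreSQL allows only for superusers and for members of the predefined role pg_execute_server_program (present since PostgreSQL 11). That is why the project's linked statement treats it as a misuse of an intentionally privileged feature rather than a vulnerability, and it is also why the practical check is not a version comparison but an audit of who holds that capability. The query below is an added example, not part of this thread or of the PostgreSQL project's own code; it relies only on the pg_roles catalog and the pg_has_role() function, both of which exist as used here, and the role name in the commented REVOKE is hypothetical.

```sql
-- Added example: list every role that can run COPY ... TO/FROM PROGRAM.
-- Per the PostgreSQL documentation, COPY naming a program is allowed only
-- to superusers and to members of the predefined role
-- pg_execute_server_program.  pg_has_role(..., 'MEMBER') follows role
-- inheritance, so indirect grants are reported too.  Note that superusers
-- are reported as members of every role, so rolsuper is shown separately.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
           AS can_copy_program
FROM pg_roles AS r
WHERE r.rolsuper
   OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER BY r.rolsuper DESC, r.rolname;

-- Remediation when an unintended role appears in the list above
-- (the role name app_reporting is hypothetical):
-- REVOKE pg_execute_server_program FROM app_reporting;
```

Run the query as any user on each database you care about; a login role that is not a superuser and still shows can_copy_program = true has been granted the ability to execute commands as the server's OS user, which is the exact situation the CVE text describes and the project's statement calls working as designed.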