CVE-2024-28849

Started by Mathews, Rob, about 2 years ago, 3 messages, list: bugs
#1 Mathews, Rob
rpmathe@sandia.gov

All,

CVE-2024-28849 was found in Versions 15.6 and 16.2 this week. Please refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849 for issues and corrections.
The Binaries .zip files were the files scanned and found with the vulnerability. There are no known workarounds for this vulnerability.

Thank You,

Robert

Robert P. Mathews
rpmathe@sandia.gov

#2 Jonathan S. Katz
jkatz@postgresql.org
In reply to: Mathews, Rob (#1)
Re: CVE-2024-28849

On 4/18/24 11:27 AM, Mathews, Rob wrote:

All,

CVE-2024-28849 was found in Version 15.6 and 16.2 this week. Please
refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849
for issues and corrections.

The Binaries .zip files were the files scanned and found with the
vulnerability. There are no known workarounds for this vulnerability.

PostgreSQL doesn't have any dependencies on node.js, let alone
JavaScript. This CVE doesn't apply to PostgreSQL.

If you are using a package to install PostgreSQL (as it sounds like you
are), you'll need to reach out to the package maintainers.

Jonathan

#3 Jerry Sievert
jerry@legitimatesounding.com
In reply to: Jonathan S. Katz (#2)
Re: CVE-2024-28849

RE: Postgres and Javascript

On Apr 18, 2024, at 10:25 AM, Jonathan S. Katz <jkatz@postgresql.org> wrote:

On 4/18/24 11:27 AM, Mathews, Rob wrote:

All,
CVE-2024-28849 was found in Version 15.6 and 16.2 this week. Please refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849 for issues and corrections.
The Binaries .zip files were the files scanned and found with the vulnerability. There are no known workarounds for this vulnerability.

PostgreSQL doesn't have any dependencies on node.js, let alone JavaScript. This CVE doesn't apply to PostgreSQL.

PLV8 and PLJS also have no dependencies on node.js, and do not have this dependency specifically, so they are also not affected, even though they implement a JavaScript runtime.