Re: OpenSSL v1.1.1n in postgres

From Tom Lane
Subject Re: OpenSSL v1.1.1n in postgres
Date
Msg-id 167221.1648329440@sss.pgh.pa.us
In reply to Re: OpenSSL v1.1.1n in postgres  ("David G. Johnston" <david.g.johnston@gmail.com>)
Responses Re: OpenSSL v1.1.1n in postgres  (Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>)
List pgsql-bugs
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> I do find it sad that this question about when a CVE has been patched is
> being asked where the active version is 10 months old and missing 3
> PostgreSQL CVE fixes, including an SSL related one in 13.5

In the OP's defense, this OpenSSL CVE does look a lot scarier than
any of ours ... if I'm reading it right, anyone who can reach your
postmaster port can arrange to chew 100% CPU on your server.
OTOH, they can't do anything more than that, and you probably
shouldn't have your DB server accessible from the open internet
anyway.

            regards, tom lane


