Re: Re[2]: CVE-2022-2625
From | Laurenz Albe |
---|---|
Subject | Re: Re[2]: CVE-2022-2625 |
Date | |
Msg-id | 4a9318f774cec1052f76eb017eb87cf63c572c3c.camel@cybertec.at |
In reply to | Re: Re[2]: CVE-2022-2625 (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: Re[2]: CVE-2022-2625 |
List | pgsql-general |
On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
> misha1966 misha1966 <mmisha1966@bk.ru> writes:
> > Is there a patch for 9.6 ?
>
> No; that's out of support too.
>
> I'm a little bemused by your fixation on this particular CVE,
> though. As such things go, it's not a very big deal. It's only
> of interest if you are routinely installing new extensions, *and*
> those extensions' scripts contain insecure uses of CREATE OR
> REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
> instead. I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be
> doing a lot of new extension installations.

A lot of times, requests like that come from a brainless kind of
institutionalized security: we have to install all software updates
that say "CVE". Never mind that username = password and the
application is running with a superuser.

Yours,
Laurenz Albe
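
Whether the conditions quoted above apply depends on which statements an extension's install and update scripts contain. As an added example (not part of the thread and not PostgreSQL project code), this Python sketch flags `CREATE OR REPLACE` and `CREATE ... IF NOT EXISTS` statements in extension SQL scripts so they can be reviewed by hand. The function names and the sample script are constructed, and the comment stripping is deliberately simple.

```python
import re
import sys
from pathlib import Path

# The two statement forms named in the thread.
PATTERNS = {
    "CREATE OR REPLACE": re.compile(r"\bCREATE\s+OR\s+REPLACE\b", re.I),
    "CREATE IF NOT EXISTS": re.compile(r"\bCREATE\b[^;]*?\bIF\s+NOT\s+EXISTS\b", re.I),
}

# Constructed sample script, not taken from any real extension.
SAMPLE = """\
-- constructed sample
CREATE FUNCTION demo_add(int, int) RETURNS int
  LANGUAGE sql AS 'SELECT $1 + $2';
CREATE OR REPLACE FUNCTION demo_fmt(text) RETURNS text
  LANGUAGE sql AS 'SELECT upper($1)';
/* CREATE OR REPLACE VIEW ignored_in_comment AS SELECT 1; */
CREATE TABLE IF NOT EXISTS demo_log (id int);
"""

def strip_comments(sql):
    """Blank out /* */ and -- comments, keeping newlines so line numbers hold.
    Simplification: nested block comments and '--' inside string literals
    are not handled."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    sql = re.sub(r"/\*.*?\*/", blank, sql, flags=re.S)
    return re.sub(r"--[^\n]*", "", sql)

def audit_script(sql):
    """Return sorted (line, kind, statement_head) tuples for flagged statements.
    A hit is a candidate for manual review, not proof of an insecure use."""
    text = strip_comments(sql)
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            head = " ".join(text[m.start():].split(";", 1)[0].split())[:60]
            hits.append((line, kind, head))
    return sorted(hits)

if __name__ == "__main__":
    # Pass extension script paths as arguments; with none, the sample is used.
    sources = [(p, Path(p).read_text()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, sql in sources:
        for line, kind, head in audit_script(sql):
            print(f"{name}:{line}: {kind}: {head}")
```

Each flagged statement still needs a reader to decide whether the object it creates or replaces could already exist outside the extension.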