Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

2025-03-15 Thread Abraham, Danny
Explanation. We have hundreds of pg servers (mainly Linux). App is 7×24. We think that patching the server to 15.12 will cost about 30 times more compared to patching the pg client (mainly QA effort). The app is working fine using [libpq, psql] on both Linux as well as Windows. Would love to hear yo

Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

2025-03-11 Thread Laurenz Albe
On Thu, 2025-03-06 at 09:33 +, Abraham, Danny wrote:
> We have hundreds of pg servers (mainly Linux).
> App is 7×24.
> We think that patching the server to 15.12 will cost about 30 times
> more compared to patching the pg client (mainly QA effort).

I don't think so. Don't do any QA when in

Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

2025-03-08 Thread Ron Johnson
Since it's a 24x7 app, you have database replication, virtual IPs and a fail-over manager in case a server crashes? Anyway, read through the PG 15 release notes. If none really affect you, then stay on 15.3. You're certain to miss *something*, though, or not understand the ramifications. And be

Re: [EXTERNAL] Re: Asking for OK for a nasty trick to resolve PG CVE-2025-1094 i

2025-03-07 Thread Greg Sabino Mullane
CVE-2025-1094 has a narrow blast radius. If you are not directly affected, I would focus your efforts on getting to 17. But the lack of an existing process to smoothly upgrade minor revisions is worrying and something that needs to get addressed as well. Cheers, Greg -- Crunchy Data - https://www