Home > mailing lists

Re: CVE-2024-28849 - Mailing list pgsql-bugs

From	Jerry Sievert
Subject	Re: CVE-2024-28849
Date	April 18, 2024 17:37:27
Msg-id	6AFC8B74-2A14-44A5-8692-B225D1F67611@legitimatesounding.com Whole thread Raw
In response to	Re: CVE-2024-28849 ("Jonathan S. Katz" <jkatz@postgresql.org>)
List	pgsql-bugs

Tree view

RE: Postgres and Javascript

> On Apr 18, 2024, at 10:25 AM, Jonathan S. Katz <jkatz@postgresql.org> wrote:
>
> On 4/18/24 11:27 AM, Mathews, Rob wrote:
>> All,
>>    CVE-2024-28849 was found in Version 15.6 and 16.2 this week. Please refer to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28849>for issues and corrections. 
>> The Binaries .zip files were the files scanned and found with the vulnerability. There are no known workarounds for
thisvulnerability. 
>
> PostgreSQL doesn't have any dependencies on node.js, let alone JavaScript. This CVE doesn't apply to PostgreSQL.

PLV8 and PLJS also have no dependencies from node.js, and do not have this dependency specifically, so are also not
affected,even though they implement a Javascript runtime.

pgsql-bugs by date:

From: "Jonathan S. Katz"
Date: 18 April 2024, 17:25:38
Subject: Re: CVE-2024-28849

From: PG Bug reporting form
Date: 19 April 2024, 03:10:24
Subject: BUG #18442: Unnecessary Sort operator in indexScan Plan

Re: CVE-2024-28849 - Mailing list pgsql-bugs

Previous

Next