[osgeo4w-dev] [osgeo4w] #813: Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS LTR 3.28.15 using the OSGEO4W installer
OSGeo4W
trac_osgeo4w at osgeo.org
Thu Feb 1 08:58:05 PST 2024
#813: Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS
LTR 3.28.15 using the OSGEO4W installer
------------------------------------------------+--------------------------
 Reporter:  ascottwwf                           |       Owner:  osgeo4w-dev@…
     Type:  defect                              |      Status:  new
 Priority:  major                               |   Component:  Package
  Version:                                      |  Resolution:
 Keywords:  PostgreSQL, OSGEO, QGIS LTR 3.28.15 |
------------------------------------------------+--------------------------
Comment (by ascottwwf):
Yes, it appears that this might be a false reporting issue <sigh>
Searching this page (https://www.postgresql.org/support/security/10/) for
pg_dump returns only 2 results but these are for much earlier versions of
PostgreSQL.
It may take some time to get the false reporting issue removed.
It might still be prudent (if it can be done?) to get the OSGEO / QGIS
distro updated to deliver the latest PostgreSQL version v15.5 as mentioned
in my original posting, at least then it has not installed a version of
pg_dump.exe that comes from a package which is considered vulnerable?
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/813#comment:3>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.