[osgeo4w-dev] [osgeo4w] #813: Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS LTR 3.28.15 using the OSGEO4W installer
OSGeo4W
trac_osgeo4w at osgeo.org
Wed Jan 31 09:06:07 PST 2024
#813: Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS
LTR 3.28.15 using the OSGEO4W installer
----------------------+-------------------------------------------------
Reporter: ascottwwf | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: major | Component: Package
Version: | Keywords: PostgreSQL, OSGEO, QGIS LTR 3.28.15
----------------------+-------------------------------------------------
Hello,
In a similar guise to [ticket #811], I have discovered that the latest
installer is deploying a `15.2.0` version of a PostgreSQL executable, in
my chosen install path, this is found here:
`C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe`
This version currently contains 7 security vulnerabilities (3 High
Severity, 2 Medium and 2 Low).
This version of PostgreSQL was only released last year on 9th February 2023
(https://www.postgresql.org/docs/release/15.2/), the latest v15.x version
was released on 9th November 2023 (v15.5 -
https://www.postgresql.org/docs/release/15.5/)
I am unsure if this PostgreSQL executable is installed as a requirement of
QGIS LTR or the OSGEO4W installer, but as this bundled software contains
such critical vulnerabilities it needs to be updated as soon as possible
to remove the security risk.
Please can you advise whether I need to raise this with QGIS or if the
OSGEO4W installer needs to be updated / fixed?
If it is the OSGEO4W installer, please can you give an indication when we
can expect to see a fix available?
Thanks in advance,
Regards,
Adrian Scott
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/813>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
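The report above hinges on one check: which PostgreSQL client version a bundled `pg_dump.exe` actually reports, and whether it is behind the latest minor release of its major line (15.5 at the time of the ticket). The following script is an added example, not code from the ticket or from the OSGeo4W project; it parses the banner that `pg_dump --version` prints (`pg_dump (PostgreSQL) 15.2`), compares it against a per-major minimum taken from the ticket, and can optionally run a binary at a path you supply. The minimum table, the helper names and the sample banners are all constructed for this example.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Minimum patched minor per major line. Only the 15.x entry comes from the
# ticket (15.5, released 9 November 2023); extend the table for other majors.
MIN_PATCHED: Dict[int, int] = {15: 5}

# pg_dump prints "pg_dump (PostgreSQL) 15.2"; Windows file metadata may show
# a third component such as 15.2.0, so a trailing ".N" is tolerated.
_VERSION_RE = re.compile(r"\(PostgreSQL\)\s+(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_pg_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a PostgreSQL tool banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    minor = int(m.group(2) or 0)
    return (major, minor)


def check_banner(banner: str, minimums: Dict[int, int] = MIN_PATCHED) -> str:
    """Classify a banner as 'ok', 'outdated', 'unknown-major' or 'unparseable'.

    'unknown-major' means the table has no minimum for that line, so no
    verdict is given rather than guessing.
    """
    parsed = parse_pg_version(banner)
    if parsed is None:
        return "unparseable"
    major, minor = parsed
    if major not in minimums:
        return "unknown-major"
    return "ok" if minor >= minimums[major] else "outdated"


def check_binary(path: str) -> str:
    """Run `<path> --version` and classify the result (hypothetical helper)."""
    try:
        proc = subprocess.run([path, "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return "unparseable"
    return check_banner(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners standing in for real `pg_dump --version` output.
    for sample in ("pg_dump (PostgreSQL) 15.2",
                   "pg_dump (PostgreSQL) 15.5",
                   "pg_dump (PostgreSQL) 16.1",
                   "garbage"):
        print(f"{sample!r:32} -> {check_banner(sample)}")
    # To check the installed binary from the ticket, pass its path, e.g.:
    # print(check_binary(r"C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe"))
```

Running it against the path from the ticket would report `outdated` for a 15.2 build and `ok` once the package ships 15.5 or later; an unrecognised major line is reported as `unknown-major` instead of being silently treated as safe.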