<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi , </p>
<p>Your scanner finds Postgres CVE because OSGEO4W ships clients for
postgresql, ie psql, libpq and common libs. </p>
<p>The CVE catalog often mix client and server together, which can
be a reason for false positives. <br>
Please check if the CVE concerns the client, in which case, you
can raise the issue on the security list <a class="moz-txt-link-abbreviated" href="mailto:security@qgis.org">security@qgis.org</a>, which
is private ... because security is one a the few reasons were we
fix things privately and disclose them afterward . </p>
<p>From what I read "Buffer over-read in PostgreSQL GB18030 encoding
validation allows a database input provider to achieve temporary
denial of service on platforms where a 1-byte over-read can elicit
process termination. This affects the database server and also
libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and
13.21 are affected." , libpq is affected, so yes, this version is
concerned. </p>
<p>Please be all aware that the whole numeric ecosystems faces
massive CVE disclosure because (or thanks to) AI helping security
researchers. We do our best to upgrade libraries as soon as
critical vulnerabilities are confirmed. For lower level
vulnerabilities, we keep on track with our monthly release
schedule. </p>
<p>To sum up : </p>
<p>- for production and IT deployment, please stick to LTR</p>
<p>- please continue to raise your scanner issues on
<a class="moz-txt-link-abbreviated" href="mailto:security@qgis.org">security@qgis.org</a>, after having checked the latest installers
before</p>
<p>- please consider subscribing to a QGIS sustaining membership. We
are trying to get enough fund so that permanent staff can handle
this security and compliance wave. If you make value from QGIS,
and consider security and digital strategic autonomy priorities ,
our membership is easy to find at
<a class="moz-txt-link-freetext" href="https://www.qgis.org/#sustaining-members">https://www.qgis.org/#sustaining-members</a> . </p>
<p>Best regards </p>
<p><br>
</p>
<pre class="moz-signature" cols="72">Bien cordialement,
Régis Haubourg</pre>
<div class="moz-cite-prefix">On 02/07/2026 09:33, HarishKumar J,
(Springbord) via QGIS-Developer wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAASG=T2pfrWHN8VXCrLZCVYUeAtHhaPNodfzSt60K13GZwb8rw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Dear Dror,</div>
<div><br>
</div>
<div>Thank you for the clarification regarding the bundled
installations.</div>
<div><br>
</div>
<div>Based on your recommendation to use the Long Term Release
(LTR) version for organizational settings, we will look into
the current LTR 3.44. We will also monitor the upcoming
release of QGIS 4.2.4 in October.</div>
<div><br>
</div>
<div>Since QGIS does not come with a prebundled PostgreSQL
installation, we will investigate our internal deployment
process to identify how PostgreSQL 17.0.3 was included and
proceed with the necessary upgrades independently.</div>
<div><br>
</div>
<div>Thanks</div>
<div>Harish</div>
<br>
</div>
<br>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">On Thu, Jul 2, 2026 at
12:17 PM Dror Bogin <<a href="mailto:dror.bogin@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">dror.bogin@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>Hi Harish,<br>
<br>
</div>
Neither the standalone nor the OSGeo4W installations of
QGIS come with a prebundled PostgreSQL installation.<br>
</div>
<div>Since it sounds like you installed QGIS in an
organization, it is mostly recommended to use the LTR
(Long Term Release) version (currently 3.44) in that
setting, not the newest version.</div>
<div>The first LTR of QGIS 4.x is planned to release in
October, with QGIS 4.2.4.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 2 Jul 2026 at
08:48, HarishKumar J, (Springbord) via QGIS-Developer <<a
href="mailto:qgis-developer@lists.osgeo.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">qgis-developer@lists.osgeo.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div>Hi There,</div>
<div><br>
</div>
<div>I hope you are well!</div>
<div><br>
</div>
<div>We are currently using QGIS version 4.0.3 and
have identified that it comes bundled with
PostgreSQL version 17.0.3.</div>
<div><br>
</div>
<div>Our security monitoring has flagged multiple
high-priority vulnerabilities within this version of
PostgreSQL (including CVE-2025-4207 and others).
According to PostgreSQL security recommendations, a
secure version would be 17.10 or higher.</div>
<div><br>
</div>
<div>Could you please confirm if there is a newer
release of QGIS that bundles a secure version of
PostgreSQL? Additionally, if a bundled update is not
yet available, please advise on the recommended
process for upgrading the internal PostgreSQL
component to version 17.10 or above without
impacting the QGIS application's stability.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Harish</div>
</div>
</div>
_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">QGIS-Developer@lists.osgeo.org</a><br>
List info: <a
href="https://lists.osgeo.org/mailman/listinfo/qgis-developer"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
Unsubscribe: <a
href="https://lists.osgeo.org/mailman/listinfo/qgis-developer"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
</blockquote>
</div>
</blockquote>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre wrap="" class="moz-quote-pre">_______________________________________________
QGIS-Developer mailing list
<a class="moz-txt-link-abbreviated" href="mailto:QGIS-Developer@lists.osgeo.org">QGIS-Developer@lists.osgeo.org</a>
List info: <a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/qgis-developer">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a>
Unsubscribe: <a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/qgis-developer">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a>
</pre>
</blockquote>
</body>
</html>