[Osgeo4w-trac] [osgeo4w] #813: Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS LTR 3.28.15 using the OSGEO4W installer

OSGeo4W trac_osgeo4w at osgeo.org
Wed Jan 31 09:06:07 PST 2024


#813: Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS
LTR 3.28.15 using the OSGEO4W installer
----------------------+-------------------------------------------------
Reporter:  ascottwwf  |      Owner:  osgeo4w-dev@…
    Type:  defect     |     Status:  new
Priority:  major      |  Component:  Package
 Version:             |   Keywords:  PostgreSQL, OSGEO, QGIS LTR 3.28.15
----------------------+-------------------------------------------------
 Hello,

 In a similar guise to [ticket #811], I have discovered that the latest
 installer is deploying a `15.2.0` version of a PostgreSQL executable, in
 my chosen install path, this is found here:
 `C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe`

 This version currently contains 7 security vulnerabilities (3 High
 Severity, 2 Medium and 2 Low)
 This version of PostgreSQL was only released last year on 9th Febrary 2023
 (https://www.postgresql.org/docs/release/15.2/), the latest v15.x version
 was released on 9th November 2023 (v15.5 -
 https://www.postgresql.org/docs/release/15.5/)

 I am unsure if this PostgreSQL executable is installed as a requirement of
 QGIS LTR or the OSGEO4W installer, but as this bundled software contains
 such critical vulnerabilities it needs to be updated as soon as possible
 to remove the security risk.

 Please can you advise whether I need to raise this with QGIS or if the
 OSGEO4W installer needs to be updated / fixed?

 If it is the OSGEO4W installer, please can you give an indication when we
 can expect to see a fix available?

 Thanks in advance,
 Regards,

 Adrian Scott
-- 
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/813>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.


More information about the Osgeo4w-trac mailing list