[QGIS-Developer] PostgreSQL vulnerability in the QGIS application
Richard Duivenvoorde
rdmailings at duif.net
Thu Jul 2 02:30:15 PDT 2026
There is (for what I know) no PostgreSQL database server installation, but there IS a PostgreSQL-client(!) lib included.
Not sure if we are talking about the same thing here?
CVE-2025-4207 says it affects libpq, which I think is part of the client?
According to the osgeo4w packager we are on 18.4 since (from 17.3)... yesterday...
https://github.com/jef-n/OSGeo4W/blob/998472c3de1c3b51615033638c1910c5e5e28173/src/libpq/osgeo4w/package.sh
Not exactly sure when this will be part of new installers.
Regards,
Richard Duivenvoorde
On 7/2/26 09:33, HarishKumar J, (Springbord) via QGIS-Developer wrote:
> Dear Dror,
>
> Thank you for the clarification regarding the bundled installations.
>
> Based on your recommendation to use the Long Term Release (LTR) version for organizational settings, we will look into the current LTR 3.44. We will also monitor the upcoming release of QGIS 4.2.4 in October.
>
> Since QGIS does not come with a prebundled PostgreSQL installation, we will investigate our internal deployment process to identify how PostgreSQL 17.0.3 was included and proceed with the necessary upgrades independently.
>
> Thanks
> Harish
>
>
> On Thu, Jul 2, 2026 at 12:17 PM Dror Bogin <dror.bogin at gmail.com <mailto:dror.bogin at gmail.com>> wrote:
>
> Hi Harish,
>
> Neither the standalone nor the OSGeo4W installations of QGIS come with a prebundled PostgreSQL installation.
> Since it sounds like you installed QGIS in an organization, it is mostly recommended to use the LTR (Long Term Release) version (currently 3.44) in that setting, not the newest version.
> The first LTR of QGIS 4.x is planned to release in October, with QGIS 4.2.4.
>
> On Thu, 2 Jul 2026 at 08:48, HarishKumar J, (Springbord) via QGIS-Developer <qgis-developer at lists.osgeo.org <mailto:qgis-developer at lists.osgeo.org>> wrote:
>
> Hi There,
>
> I hope you are well!
>
> We are currently using QGIS version 4.0.3 and have identified that it comes bundled with PostgreSQL version 17.0.3.
>
> Our security monitoring has flagged multiple high-priority vulnerabilities within this version of PostgreSQL (including CVE-2025-4207 and others). According to PostgreSQL security recommendations, a secure version would be 17.10 or higher.
>
> Could you please confirm if there is a newer release of QGIS that bundles a secure version of PostgreSQL? Additionally, if a bundled update is not yet available, please advise on the recommended process for upgrading the internal PostgreSQL component to version 17.10 or above without impacting the QGIS application's stability.
>
> Thanks,
> Harish
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org <mailto:QGIS-Developer at lists.osgeo.org>
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer <https://lists.osgeo.org/mailman/listinfo/qgis-developer>
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer <https://lists.osgeo.org/mailman/listinfo/qgis-developer>
>
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
More information about the QGIS-Developer
mailing list