[QGIS-Developer] PostgreSQL vulnerability in the QGIS application
Greg Troxel
gdt at lexort.com
Thu Jul 2 05:02:22 PDT 2026
"HarishKumar J, (Springbord) via QGIS-Developer"
<qgis-developer at lists.osgeo.org> writes:
> We are currently using QGIS version 4.0.3 and have identified that it comes
> bundled with PostgreSQL version 17.0.3.
You should understand that qgis is fundamentally a source code release,
and that therefore it is incorrect in general to speak of it as having a
specific associated postgresql version.
It is likely that you are using some specific bundled installer that
also contains dependencies, for a specific operating system -- but you
did not give any information about that.
> Could you please confirm if there is a newer release of QGIS that bundles a
> secure version of PostgreSQL? Additionally, if a bundled update is not yet
> available, please advise on the recommended process for upgrading the
> internal PostgreSQL component to version 17.10 or above without impacting
> the QGIS application's stability.
This is open source, and you are (legally) able to modify the control
files for the bundle and produce your own updated installers -- and then
contribute changes back. Given your organization's security concerns,
you may wish to hire an employee or consultant who can help with this.
I would expect that the cost of consulting or a managed build service
would be far below the cost of proprietary licenses for proprietary
GIS software.
Separately, if you are concerned about stability, it is a surprising and
perhaps unwise choice to be using 4.0.3. qgis continues to recommend
3.44.x as the stable version.
More information about the QGIS-Developer
mailing list