[QGIS-Developer] PostgreSQL vulnerability in the QGIS application
Bo Victor Thomsen
bo.victor.thomsen at gmail.com
Wed Jul 8 06:54:00 PDT 2026
Harish -
As of today, You have 2 options to get the desired postgres upgrades
(18.4.1):
* Install the latest LTR version af QGIS, ver. 3.44.12. It comes with
version 18.4.1 of pqlib (Postgres communication).
* Install the newest version of QGIS, version 4.2.0 . It too, comes
with pqlib version 18.4.1.
Version 4.2.*0* is an "Early adopter" version - not yet suited for
enterprise use. However, If you can wait, version 4.2*.4*, will be
the new LRT version around October 30, 2026.
Med venlig hilsen / Best regards
Bo Victor Thomsen
On 02-07-2026 07:47, HarishKumar J, (Springbord) via QGIS-Developer wrote:
> Hi There,
>
> I hope you are well!
>
> We are currently using QGIS version 4.0.3 and have identified that it
> comes bundled with PostgreSQL version 17.0.3.
>
> Our security monitoring has flagged multiple high-priority
> vulnerabilities within this version of PostgreSQL (including
> CVE-2025-4207 and others). According to PostgreSQL security
> recommendations, a secure version would be 17.10 or higher.
>
> Could you please confirm if there is a newer release of QGIS that
> bundles a secure version of PostgreSQL? Additionally, if a bundled
> update is not yet available, please advise on the recommended process
> for upgrading the internal PostgreSQL component to version 17.10 or
> above without impacting the QGIS application's stability.
>
> Thanks,
> Harish
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info:https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe:https://lists.osgeo.org/mailman/listinfo/qgis-developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20260708/74fff5b4/attachment-0001.htm>
More information about the QGIS-Developer
mailing list