[windows] PostgreSQL pinned to vulnerable version on Windows #10871
Comments
Relevant CVE: https://www.postgresql.org/support/security/CVE-2024-7348/ Also, I'm happy to propose a PR to fix this, but given that I don't know the context around why this was pinned, I wanted to at least discuss first.
Hi @AtOMiCNebula, thanks for bringing this to us, we will look into this and update. Thank you!
I wouldn't say it's not official but if nothing else it's endorsed as the Windows distribution of Postgres.
Wow, I stand enlightened. Thank you for pointing that out, I definitely read the PostgreSQL page a bit too quickly. 😇
I'll plus 1 the request to upgrade the postgres version to 14.13. The current version (14.12) is triggering security alerts for us due to the missing security fixes.
Description
In #10014, the Windows images were pinned to a 14.12-forked version of PostgreSQL. v14.13 is available, contains security fixes, and the version in the agents should be updated. The PR suggested the pinning was temporary, but it was never revisited. Can it be unpinned now?
Also, why do the Windows agents use some Enterprise-y distribution of PostgreSQL, instead of the official one?
Platforms affected
Runner images affected
Image version and build link
Latest Windows 2019/2022 images
Is it regression?
No
Expected behavior
Latest secure version of PostgreSQL available is included in the image
Actual behavior
A vulnerable version of PostgreSQL is included in the image
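As an added example (not code from this issue or from the runner-images project), a small check that parses `postgres --version` style output and flags a 14.x build older than the 14.13 release the issue asks for; the version banners it is run against are constructed samples, and the `MIN_PATCHED` table is an assumption that only records the one value the issue gives.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum patched minor release per major line. Only 14.13 is listed because
# that is the value the issue states; other major lines are deliberately left
# out rather than guessed (assumption: callers extend this table themselves).
MIN_PATCHED = {14: 13}

# Matches the "(PostgreSQL) <major>.<minor>" part of the banner, which survives
# vendor suffixes such as "14.12 (Some Build)".
_VERSION_RE = re.compile(r"\(PostgreSQL\)\s+(\d+)\.(\d+)")


def parse_pg_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a version banner, or None if none is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def check_banner(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'ok', 'unknown-major' or 'unparsed'."""
    version = parse_pg_version(banner)
    if version is None:
        return "unparsed"
    major, minor = version
    if major not in MIN_PATCHED:
        return "unknown-major"  # no patched minimum recorded for this line
    return "vulnerable" if minor < MIN_PATCHED[major] else "ok"


def check_installed(binary: str = "postgres") -> str:
    """Run the real binary if it is on PATH and classify its banner."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unparsed"
    return check_banner(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real runner image.
    for sample in ("postgres (PostgreSQL) 14.12",
                   "postgres (PostgreSQL) 14.13",
                   "psql (PostgreSQL) 14.12 (Vendor Build)"):
        print(f"{sample!r}: {check_banner(sample)}")
```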
Repro steps