#813 closed defect (fixed)
Vulnerable PostgreSQL 15.2.0 executable exists after install latest of QGIS LTR 3.28.15 using the OSGEO4W installer
Reported by: | ascottwwf | Owned by: | |
---|---|---|---|
Priority: | major | Component: | Package |
Version: | Keywords: | PostgreSQL, OSGEO, QGIS LTR 3.28.15 | |
Cc: |
Description
Hello,
In a similar guise to [ticket #811], I have discovered that the latest installer is deploying a 15.2.0
version of a PostgreSQL executable, in my chosen install path, this is found here:
C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe
This version currently contains 7 security vulnerabilities (3 High Severity, 2 Medium and 2 Low) This version of PostgreSQL was only released last year on 9th Febrary 2023 (https://www.postgresql.org/docs/release/15.2/), the latest v15.x version was released on 9th November 2023 (v15.5 - https://www.postgresql.org/docs/release/15.5/)
I am unsure if this PostgreSQL executable is installed as a requirement of QGIS LTR or the OSGEO4W installer, but as this bundled software contains such critical vulnerabilities it needs to be updated as soon as possible to remove the security risk.
Please can you advise whether I need to raise this with QGIS or if the OSGEO4W installer needs to be updated / fixed?
If it is the OSGEO4W installer, please can you give an indication when we can expect to see a fix available?
Thanks in advance, Regards,
Adrian Scott
Change History (6)
comment:1 by , 11 months ago
comment:2 by , 11 months ago
I do not know why the pg_dump https://www.postgresql.org/docs/current/app-pgdump.html program comes with QGIS, but I do not see this backup/restore utility mentioned in the vulnerabilities https://security.snyk.io/package/linux/debian:12/postgresql-15.
comment:3 by , 11 months ago
Yes this appears that it might be a false reporting issue <sigh>!
Searching this page (https://www.postgresql.org/support/security/15/) for pg_dump returns no results, however it is not conclusive that just because there is no mention of this specific file it is not still vulnerable.
FYI: I do note however that there are mentions of pg_dump being vulnerable found in much earlier versions of PostgreSQL (e.g. v10).
If it is a case of false reporting, it may take some time to get the false report issue removed.
If it can be done? - It might still be prudent to get the OSGEO / QGIS distro updated to deliver the latest PostgreSQL version v15.5 as mentioned in my original posting, at least then it has not installed a version of pg_dump.exe that comes from a package which is considered vulnerable / has vulnerable components? - Which for now we do have to consider pg_dump.exe could be vulnerable.
follow-up: 5 comment:4 by , 11 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:5 by , 11 months ago
Replying to jef:
fixed in https://github.com/jef-n/OSGeo4W/commit/33f5fb72a3357a56d4ab8da8d96c830815039a48
Thanks for the prompt turnaround again @jef
comment:6 by , 11 months ago
As confirmation, I have just updated my QGIS LTR 3.28.15 install, and all the PostgreSQL files have been successfully updated to PostgreSQL v16.1
PowerShell evidence:
PS C:\Program Files\OSGeo4W_v2\bin> Get-ChildItem *.dll,*.exe | % {$_.VersionInfo} | Select-Object * | Where-Object CompanyName -like "PostgreSQL*" | Select-Object ProductVersion,FileVersionRaw,FileName,FileDescription | Format-Table -AutoSize ProductVersion FileVersionRaw FileName FileDescription -------------- -------------- -------- --------------- 16.1 16.0.1.0 C:\Program Files\OSGeo4W_v2\bin\libpq.dll PostgreSQL Access Library 16.1 16.0.1.0 C:\Program Files\OSGeo4W_v2\bin\pg_dump.exe pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases 16.1 16.0.1.0 C:\Program Files\OSGeo4W_v2\bin\pg_dumpall.exe pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases 16.1 16.0.1.0 C:\Program Files\OSGeo4W_v2\bin\pg_restore.exe pg_dump/pg_restore/pg_dumpall - backup and restore PostgreSQL databases 16.1 16.0.1.0 C:\Program Files\OSGeo4W_v2\bin\psql.exe psql - the PostgreSQL interactive terminal
Thanks again :-)
Do those affect the client at all?