by vidarh 4821 days ago
The reason they are not willing to say no risk is presumably that if you don't upgrade, then any other security vulnerability that allows an attacker to trigger a network connection with a suitable payload to port 5432 (or any other ports you may have Postgres on) on your hosts could still be harmful.

That means anything that gives local shell as any user that runs normal tools, but potentially also a lot of other things.

E.g. any software that can be tricked to try to connect to a local address/port pair and send a suitable string.

That dramatically escalates any minor little hole that might otherwise not be a risk for you.

(That's a reminder to always verify, before trusting any hostname/IP a user passes you, that it's not a local address or an address you have privileged access to, and to also consider internally firewalling connections between your various hosts down to just what you need.)
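One way to implement the check the comment recommends, as an added example that is not part of the original post: resolve the user-supplied target, then refuse if any answer is loopback, link-local, RFC 1918, IPv4-mapped, or in a range the application has privileged access to. The `PRIVILEGED_NETWORKS` value and the `fake_resolver` lookup table are constructed assumptions for illustration; `resolver` defaults to `socket.getaddrinfo`.

```python
import ipaddress
import socket

# Ranges the application itself has privileged access to (for example the
# subnet where the database hosts live). Constructed example value; loopback,
# link-local and RFC 1918 space are already covered by ipaddress' predicates.
PRIVILEGED_NETWORKS = [ipaddress.ip_network("100.64.1.0/24")]


def is_forbidden_address(ip_str, privileged=PRIVILEGED_NETWORKS):
    """Return True if an IP string points somewhere we must not connect."""
    ip = ipaddress.ip_address(ip_str)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) hides a v4 loopback; unwrap it first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in privileged)


def resolve_and_check(host, resolver=socket.getaddrinfo):
    """Resolve host and return the addresses that are safe to connect to.

    Literal IPs are checked directly. Hostnames (and odd spellings such as
    "127.1" or a decimal integer) go through the resolver so the OS
    canonicalises them before the check. If *any* answer is forbidden the
    whole target is rejected, so a mixed record set cannot smuggle a loopback
    address in. The caller must connect to one of the returned addresses,
    not re-resolve the hostname, or a DNS rebinding answer bypasses the check.
    """
    try:
        ipaddress.ip_address(host)
        answers = [host]
    except ValueError:
        infos = resolver(host, None)          # same shape as socket.getaddrinfo
        answers = sorted({info[4][0] for info in infos})
    if not answers:
        raise ValueError("no addresses for %r" % host)
    if any(is_forbidden_address(a) for a in answers):
        raise ValueError("%r resolves to a forbidden address" % host)
    return answers


# Constructed stand-in for DNS so the example runs offline; names and
# addresses are made up for illustration.
_FAKE_DNS = {
    "api.example": ["1.1.1.1"],
    "rebind.example": ["1.1.1.1", "127.0.0.1"],
    "db.example": ["100.64.1.7"],
}


def fake_resolver(host, port):
    """Mimic socket.getaddrinfo's (family, type, proto, canon, sockaddr) rows."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port or 0))
            for a in _FAKE_DNS[host]]
```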