Re: postgresql-9.1 and postgresql-8.4 in Wheezy

[Christoph Berg <myon@debian.org>]

Re: Ola Lundqvist 2017-05-21 <[🔎] CABY6=0kd_h+hJigKpONfM0+tdcT6FuuRLz4vtOpBJugFp8Mp+w@mail.gmail.com>
> Hi Thorsten
> 
> I had a look into this and I'm not sure both statements are correct for Jessie.
> 
> For CVE-2017-7486 I think the information in Jessie is wrong. The
> patched code is definitely there in wheezy at least. But maybe it is
> not triggered for some reason.

postgresql-9.1 in jessie is a reduced package that only builds
postgresql-plperl-9.1, so anything non-perl isn't relevant for 9.1 in
jessie.

postgresql-9.1 in wheezy is affected from my understanding of when
pg_user_mappings was introduced.

> For CVE-2017-7484 the code do not exist. The same applies to
> postgresql-8.4 in wheezy.

Same argument, 8.4 in wheezy is postgresql-plperl-8.4 only.

Christoph