CVE-2025-1094

[mcvosi]

Is it recommended to update the PostgreSQL instance, per CVE-2025-1094?

[Mildur]

Hi Matthew,

Our R&D team is already aware of the new PostgreSQL patch/security fix. Our upcoming patch Veeam Backup & Replication v12.3.1 will include the most recent PostgreSQL v15 build for new deployments.

For existing servers, PostgreSQL must be patched manually, and it's always recommended to keep PostgreSQL updated with the latest patches, especially if new CVEs are announced.

Updating within the same major version is a straightforward task. Please check KB4386 for guidance on how to patch your PostgreSQL server.

Best,
Fabian

[mkretzer]

When will 12.3.1 arrive and will an upgrade also patch the included Postgres?

[Mildur]

When will 12.3.1 arrive

No ETA, but the plan is to release it in the upcoming weeks.

and will an upgrade also patch the included Postgres?

No, <automated PostgreSQL updating> is planned as a v13 feature and will first be released for backup server on Linux.

Best,
Fabian

[FCU_JE]

My advice probably won't be worth too much as I only (currently) use PSQL for my community edition instance of VBR but essentially what my process is is as follows:

1. Run `gsv *veeam* | sort -Property Name -Descending | Stop-Service -Verbose` several times until it basically returns instantly, indicating they're all stopped.

2. winget update PostgreSQL.PostgreSQL.15 (I think winget is now available on WS2025).

3. Run `gsv *veeam* | sort -Property Name | Start-Service -Verbose`

I don't have any issues with the above process, Veeam always "just works" after this.

[brent-h]

Hello,

Just FYI: When I updated to the latest PostgreSQL 15.12-1, it no longer needs Windows Script Host enabled, since they converted the initcluster script (that the installer runs) to PowerShell now (https://github.com/EnterpriseDB/edb-installers/pull/244). (I still currently use MS SQL as the db, but PostgresSQL is installed with Veeam 12.3 and later).

If 12.3.1 uses that version or later, it shouldn't need to require the Windows Script Host to be enabled anymore ( https://www.veeam.com/kb4699 ).

[k00laid]

Does this same guidance apply to VB365 v8 as well @mildur?

[mkaec]

This is a good example of why I'm not happy about being forced to use PostgreSQL. If a security patch is released for Microsoft SQL Server, it comes through automatically via Windows Update.

[mkretzer]

Indeed. But i also understand that the switch to postgres is a necessary step on the way to a fully linux backup server...

[mkaec]

There are plenty of applications that support choice of database back-ends (including Veeam B&R for the moment). You could have PostgreSQL on Linux and still allow SQL Server on Windows.

[Gostev]

This will become a moot point once Veeam starts managing PostgreSQL so you don't have to think about the database in principle, like you don't think that your Google Chrome runs on an embedded SQLite database.

And until then, Microsoft SQL Server will still be supported.

[iDeNt_5]

Indeed. But i also understand that the switch to postgres is a necessary step on the way to a fully linux backup server...

IDK which distro we're talking about, but SQL Server is also supported on Linux.

[BKoretz]

So PostgreSQL 15.11 is officially supported? KB4386 states to make sure it is on the official system requirements document and it is not, it says 15.x and then mentions 15.10.1 specifically. Has anyone had issues upgrading within 15.x to 15.11?

[d.artzen]

I have updated the VBR Postgres to 15.12 recently and did not have any issues at all. I just followed the steps outlined in https://www.veeam.com/kb4386
After the reboot everything worked as it should.

[t7MevELx0]

Veeam Backup for M365 works with PostgreSQL 17.4. It's odd VBR only "supports" 15.x. Their own documentation clearly states that the M365 software can use 15.x OR later. I figured, well 17.4 is "later"...

I know several people run VBR on PostgreSQL 17.4 in non-production environments with no issues. Given this and VBR can backup 17.4, I find it odd they still refuse to say you can use it.

I hope this changes at some point. It'd be nice to have both Veeam products on the same page so to speak.

[BostjanUNIJA]

So:
https://community.veeam.com/blogs-and-p ... 7&tid=9803

is similiar to:
https://www.veeam.com/kb4386

Right?

[BostjanUNIJA]

Hi.

I have a question:

So upgrading PostgreSQL to 15.12 is supported by VBR, and 16.8 and 17.4 isn't in this moment, right?

Does 15.12 resolve current CVE threats?

[Gostev]

That is correct. If you read the CVE description, even 15.11 is not affected by it already.

[BostjanUNIJA]

Thank you for your reply Gostev.
Just to clarify.

Per URL: “https://helpcenter.veeam.com/docs/backu ... QL&ver=120”

PostgreSQL 15.x is compatible, including 15.12?

[Gostev]

Yes, x includes 12

[mkaec]

And until then, Microsoft SQL Server will still be supported.

I think the last B&R update forced me to install PostgreSQL. And I think Veeam Backup for Microsoft 365 insisted on using PostgreSQL, too.

It would have been a non-issue if it were done in the correct order (implement management of patches, then start moving customers over). But instead customers are having to deal with an unnecessary CVE.

[Gostev]

This requires a packaged "software appliance" experience we won't have until V13.