bc345346
Lurker
Posts: 1
Liked: never
Joined: Aug 18, 2025 1:29 pm
Contact:

Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by bc345346 »

Hi forum folks,

Our Nessus Scanner is flagging CVE-2025-1094 on our VBR servers due to PostgreSQL being at a vulnerable version. The scanner is stating that PostgreSQL 13.x < 13.19 / 14.x < 14.16 / 15.x < 15.11 / 16.x < 16.7 / 17.x < 17.3 SQLi. Are there any plans for version 12.3.3 or version 13 being released soon with an updated PostgreSQL version? Or a workaround for this? Since we are federal, these vulnerability flags leave a stain. Thanks!
Gostev
Chief Product Officer
Posts: 32411
Liked: 7777 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by Gostev » 1 person likes this post

Hi, you should just update PostgreSQL manually, as even when 12.3.3 comes out with a newer PostgreSQL version embedded, it won't be able to update existing PostgreSQL installs to the same version. Thanks.
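An added example, not from the thread and not Veeam's or PostgreSQL's own code: a small Python check that parses the version string printed by `psql --version`, `postgres --version` or `SELECT version()` and compares it with the fixed minor releases the Nessus finding above lists for CVE-2025-1094, so that the result of a manual PostgreSQL update on the VBR server can be verified. The `psql` path and the sample strings are assumptions (the samples are constructed).

```python
import re
import subprocess

# First non-vulnerable minor release per major line, taken from the scanner
# finding quoted in the opening post (13.19 / 14.16 / 15.11 / 16.7 / 17.3).
FIXED_MINOR = {13: 19, 14: 16, 15: 11, 16: 7, 17: 3}

# Matches "psql (PostgreSQL) 15.8", "postgres (PostgreSQL) 15.11"
# and "PostgreSQL 17.6 on x86_64-windows, ..." alike.
VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) from a PostgreSQL version string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(version_text):
    """Classify a version string against the fixed releases.

    Returns (status, detail) with status one of:
      'vulnerable' - listed major line, minor below the fixed release
      'fixed'      - minor at or above the fixed release
      'unlisted'   - major line not covered by the listed ranges (review it)
      'unknown'    - the string could not be parsed
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown", "could not parse a version from %r" % version_text
    major, minor = v
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "unlisted", f"{major}.{minor}: no fixed release listed for this line"
    if minor < fixed:
        return "vulnerable", f"{major}.{minor} < {major}.{fixed}"
    return "fixed", f"{major}.{minor} >= {major}.{fixed}"


def assess_local(psql_path="psql"):
    """Run psql --version on this host (e.g. the VBR server) and assess it.
    psql_path is an assumption; point it at the embedded instance's psql."""
    out = subprocess.run([psql_path, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return assess(out)


# Constructed sample strings, in the formats the commands print.
SAMPLES = ["psql (PostgreSQL) 15.8", "postgres (PostgreSQL) 15.11",
           "PostgreSQL 17.6 on x86_64-windows, 64-bit", "psql (PostgreSQL) 12.22"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {assess(s)}")
```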
karsten123
Service Provider
Posts: 635
Liked: 158 times
Joined: Apr 03, 2019 6:53 am
Full Name: Karsten Meja
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by karsten123 »

kb4386
Btw, PostgreSQL 15.x is only supported up to Server 2019. What are your plans for that?
Gostev
Chief Product Officer
Posts: 32411
Liked: 7777 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by Gostev »

No specific plans for V12. As before, we'll keep testing all future V12 maintenance releases on all Windows Server versions we officially support. If we ever encounter an issue that is specific to using PostgreSQL 15 on some Windows Server version, we will decide what to do depending on the issue.

Now, V13 comes with the latest PostgreSQL version of course, specifically 17.6.
StephanG
Enthusiast
Posts: 84
Liked: 6 times
Joined: Sep 07, 2014 11:15 am
Full Name: Stephan G
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by StephanG »

This site states that only the installers are tested on these platforms.
https://www.postgresql.org/download/windows/

It does not say that PostgreSQL does not run on Win2022 or higher.
It says that they might run on higher versions that are comparable.
pkuikman
Service Provider
Posts: 58
Liked: 7 times
Joined: May 04, 2018 1:54 pm
Full Name: Peter Kuikman
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by pkuikman »

Interesting, and this makes me think. In cases where you are using an external Postgres database, will the embedded Postgres install in VBR still be vulnerable?
StephanG
Enthusiast
Posts: 84
Liked: 6 times
Joined: Sep 07, 2014 11:15 am
Full Name: Stephan G
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by StephanG » 1 person likes this post

Why would you keep something running that you are not using?

And isn't it the same with every other software?
When I download the Microsoft Win11 ISO, most of the time I have to perform the latest updates afterwards.
FCU_JE
Influencer
Posts: 23
Liked: 9 times
Joined: Oct 09, 2024 6:17 pm
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by FCU_JE »

I hope my old comment helps in some way:

post540752.html#p540752
mlumsden76
Service Provider
Posts: 38
Liked: 10 times
Joined: Sep 13, 2018 3:00 pm
Full Name: Michael Lumsden
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by mlumsden76 »

Gostev wrote (Aug 18, 2025 6:58 pm):
Hi, you should just update PostgreSQL manually, as even when 12.3.3 comes out with a newer PostgreSQL version embedded, it won't be able to update existing PostgreSQL installs to the same version. Thanks.

Is it possible that future VBR updates can update Postgres to at least the version included in the redistributable folder in the ISO? Other Veeam products, such as Veeam Backup for Azure, update Postgres when you check for updates. I like the move to Postgres, but it was nice that SQL patching happened with Windows updates.
Gostev
Chief Product Officer
Posts: 32411
Liked: 7777 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Vulnerable version of PostgreSQL bundled with VBR 12.3.2

Post by Gostev »

This requires a "software appliance" experience that is coming to VBR with V13. Same idea as Veeam Backup for Azure appliance with the same Veeam Updater tech to maintain base OS, our software and 3rd party components.