
[windows] PostgreSQL pinned to vulnerable version on Windows

Open AtOMiCNebula opened this issue 3 months ago • 5 comments

Description

In #10014, the Windows images were pinned to a 14.12-forked version of PostgreSQL. v14.13 is available, contains security fixes, and the version in the agents should be updated. The PR suggested the pinning was temporary, but it was never revisited. Can it be unpinned now?

~Also, why do the Windows agents use some Enterprise-y distribution of PostgreSQL, instead of the official one?~

Platforms affected

  • [X] Azure DevOps
  • [X] GitHub Actions - Standard Runners
  • [X] GitHub Actions - Larger Runners

Runner images affected

  • [ ] Ubuntu 20.04
  • [ ] Ubuntu 22.04
  • [ ] Ubuntu 24.04
  • [ ] macOS 12
  • [ ] macOS 13
  • [ ] macOS 13 Arm64
  • [ ] macOS 14
  • [ ] macOS 14 Arm64
  • [ ] macOS 15
  • [ ] macOS 15 Arm64
  • [X] Windows Server 2019
  • [X] Windows Server 2022

Image version and build link

Latest Windows 2019/2022 images

Is it regression?

No

Expected behavior

Latest secure version of PostgreSQL available is included in the image

Actual behavior

A vulnerable version of PostgreSQL is included in the image

Repro steps

  1. Open image readme, scroll to PostgreSQL section

AtOMiCNebula, Oct 28 '24 20:10
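The repro step above reads the version off the image README; a job can also check the installed binary directly and fail before it runs anything against the database. The following PowerShell is an added example, not code from this issue or from the runner-images project. It assumes the Windows image exposes PostgreSQL's bin directory through the PGBIN environment variable (falling back to psql.exe on PATH) and that psql's banner carries a major.minor version; the minimum version is a parameter, defaulting to the 14.13 the issue asks for.

```powershell
# Added example (not from the issue or the runner-images project): fail a
# Windows job when the image's PostgreSQL is older than a required minimum.
# Assumptions: PGBIN points at PostgreSQL's bin directory (else psql.exe is
# looked up on PATH); the banner contains "<major>.<minor>".
param(
    [version]$MinimumVersion = '14.13'
)

$ErrorActionPreference = 'Stop'

function Get-PostgresVersion {
    # Prefer the PGBIN location the runner image advertises; otherwise use PATH.
    $psql = if ($env:PGBIN) { Join-Path $env:PGBIN 'psql.exe' } else { 'psql.exe' }
    if (-not (Get-Command $psql -ErrorAction SilentlyContinue)) {
        throw "psql not found (PGBIN='$env:PGBIN')"
    }
    # Typical banner: "psql (PostgreSQL) 14.12"; vendor builds may append text,
    # so only the first major.minor pair is taken.
    $banner = & $psql --version
    if ($banner -match '(\d+)\.(\d+)') {
        return [version]"$($Matches[1]).$($Matches[2])"
    }
    throw "Could not parse PostgreSQL version from: $banner"
}

$installed = Get-PostgresVersion
Write-Host "PostgreSQL on this image: $installed (minimum required: $MinimumVersion)"
if ($installed -lt $MinimumVersion) {
    # "::error::" is the GitHub Actions annotation syntax; the non-zero exit fails the step.
    Write-Host "::error::PostgreSQL $installed is below the required minimum $MinimumVersion"
    exit 1
}
```

Run it as an early step of the job (`pwsh ./Check-PostgresVersion.ps1 -MinimumVersion 14.13`) so the job fails loudly when the image is still pinned rather than silently testing against the old build; comparing `[version]` objects avoids the string-comparison trap where "14.9" sorts above "14.13".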