THREESCALE-7225 (Red Hat 3scale API Management)

Fix for CVE-2020-25695 which affects the PostgreSQL database used by zync-database


Details

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 2.9 GA, 2.9.1 GA, 2.10 GA
    • Component/s: Productization, Zync

    Description


      The zync-database uses a PostgreSQL database which is affected by CVE-2020-25695. This CVE is fixed in PostgreSQL 10.15 (refer to https://bugzilla.redhat.com/show_bug.cgi?id=1894425), but the current versions of 3scale 2.9.0, 2.9.1 and 2.9.10 use PostgreSQL 10.6. It means both 3scale 2.9 and 2.10 are affected by this CVE; at the same time, https://access.redhat.com/errata/RHBA-2021:2215 claims that CVE-2020-25695 is fixed in 3scale 2.x.

      Q1. Can you provide clarity on why https://access.redhat.com/errata/RHBA-2021:2215 claims that CVE-2020-25695 is fixed in 3scale?
      Q2. If it is fixed, then how can we verify it so that we can share the verification method with the customer?
      Q3. If it is not fixed, then how are we going to release the fix for it? Will it be in 3scale 2.9.2 or 3scale 2.10.1?
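One way to approach Q2, added here as an example script that is not part of this ticket and not code from the 3scale project: it parses the PostgreSQL version string reported by the zync-database pod and compares it against 10.15, the first 10.x release the ticket names as carrying the fix. The `oc rsh dc/zync-database postgres --version` command, the DeploymentConfig name and the assumption that `postgres` is on PATH inside the pod are assumptions made for the example, not facts taken from the page; the version strings fed to the functions below are constructed test input.

```shell
#!/bin/sh
# Added example, not code from the ticket or from the 3scale project.
# Compares a PostgreSQL version string against the first 10.x release the
# ticket names as containing the CVE-2020-25695 fix (10.15).
# Assumptions (not stated on the page): the database pod is reachable as
# dc/zync-database via `oc rsh`, and `postgres` is on PATH inside it.

FIXED_PG_VERSION="10.15"   # first 10.x release with the fix, per the ticket

# Pull "major.minor" out of strings such as
#   "postgres (PostgreSQL) 10.6"                         (postgres --version)
#   "10.15"                                              (SHOW server_version)
#   "PostgreSQL 10.6 on x86_64-redhat-linux-gnu, ..."    (SELECT version())
# Prints nothing when no major.minor pair is present.
pg_version_from_string() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Returns 0 when $1 (major.minor) is greater than or equal to $2, else 1.
pg_version_at_least() {
    have_major=${1%%.*}; have_minor=${1#*.}
    want_major=${2%%.*}; want_minor=${2#*.}
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    elif [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# Classifies a raw version string. Only the 10.x line is compared against
# FIXED_PG_VERSION; other major lines have their own fix releases and are
# reported as OTHER-MAJOR-LINE rather than guessed at.
pg_cve_2020_25695_status() {
    ver=$(pg_version_from_string "$1")
    major=${ver%%.*}
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif [ "$major" -ne 10 ]; then
        echo "OTHER-MAJOR-LINE"
    elif pg_version_at_least "$ver" "$FIXED_PG_VERSION"; then
        echo "FIXED-BY-VERSION"
    else
        echo "UNFIXED-BY-VERSION"
    fi
}

# Live check against a running 3scale install (needs an `oc login` to the
# 3scale project; assumed resource name, not run by the offline test).
check_zync_database() {
    raw=$(oc rsh dc/zync-database postgres --version 2>/dev/null) || {
        echo "could not query zync-database" >&2
        return 2
    }
    echo "zync-database reports: $raw"
    echo "CVE-2020-25695 by version number: $(pg_cve_2020_25695_status "$raw")"
}

# Invoke as `sh check_zync_pg.sh live` to query the cluster.
if [ "${1:-}" = "live" ]; then
    check_zync_database
fi
```

A version-number comparison is only half of the answer to Q1 and Q2: Red Hat routinely backports security fixes into an existing package version without bumping the upstream version string, so a patched zync-database image can still report 10.6 and this script would print UNFIXED-BY-VERSION. Before concluding that the CVE is unfixed, check the package changelog inside the pod (`rpm -q --changelog <postgresql-server package name> | grep CVE-2020-25695`; the exact package name depends on the base image and is not given on this page) and the package list of the errata, and treat the errata and changelog as authoritative over the bare version number.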

      People

        Assignee: Unassigned
        Reporter: Dasharath Masirkar (rhn-support-dmasirka)