PostgreSQL Security Update, Patch For Multiple Vulnerabilities


The PostgreSQL Global Development Group has released a critical security update for all supported versions of PostgreSQL.

The supported versions receiving this update are 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.


This security update addresses four security vulnerabilities and over 35 bugs reported in recent months.

The vulnerabilities that are addressed in this security update are tracked as “CVE-2024-10976,” “CVE-2024-10977,” “CVE-2024-10978,” and “CVE-2024-10979.”

This update is also the final release of PostgreSQL 12, which reaches end of support with this release.

Security Vulnerabilities

CVE-2024-10976: Row Security Vulnerability

This vulnerability affects PostgreSQL versions 12 to 17, with a CVSS v3.1 Base Score of 4.2. It allows reused queries to potentially view or change unintended rows due to incomplete tracking of tables with row security.

CVE-2024-10977: libpq Error Message Retention

Affecting versions 12 to 17, this vulnerability has a CVSS v3.1 Base Score of 3.1. It enables a potentially malicious server to send arbitrary non-NUL bytes to libpq applications, which could be mistaken for valid query results.

CVE-2024-10978: User ID Reset Issue

With a CVSS v3.1 Base Score of 4.2, this vulnerability impacts versions 12 to 17. It can lead to incorrect privilege assignments when using SET ROLE or SET SESSION AUTHORIZATION, potentially allowing less-privileged users to access unauthorized data.

CVE-2024-10979: PL/Perl Environment Variable Vulnerability

This critical vulnerability affects versions 12 to 17, with a CVSS v3.1 Base Score of 8.8. It allows unprivileged database users to modify sensitive process environment variables, potentially enabling arbitrary code execution.

The update includes over 35 bug fixes, addressing issues such as:

  • Partition attachment and detachment with foreign key constraints
  • Collation provider issues
  • Query planner improvements
  • Race conditions in transaction commits
  • Logical decoding memory consumption
  • JIT crashes on ARM systems

Additionally, the release updates time zone data files to tzdata release 2024b, affecting System-V-compatibility zone names and historical corrections for several countries.

Users can apply this update by shutting down PostgreSQL and updating its binaries. However, some scenarios require additional steps:

  1. For partitioned tables with foreign key constraints affected by ATTACH/DETACH PARTITION commands, manual constraint adjustments may be necessary.
  2. Users of PostgreSQL 17.0 with specific locale settings need to rebuild text-based indexes using the REINDEX INDEX CONCURRENTLY command.

It’s crucial to review the release notes for detailed upgrade instructions and potential post-update steps, especially for users who have skipped previous updates.

Users running PostgreSQL 12 in production environments are strongly advised to upgrade to a newer, supported version to ensure continued security and bug fixes.
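To check a fleet against the fixed versions listed above, here is an added Python example (not code from the PostgreSQL project or from this advisory). It parses the output of SELECT version(), flags servers below the fixed minor release, marks PostgreSQL 12 as end-of-life, and notes the 17.0 servers that may need the REINDEX step after upgrading; the inventory it runs over is constructed sample data, and whether a 17.0 server's locale is actually affected is left to the release notes.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Minimum minor release containing the fixes for CVE-2024-10976 .. CVE-2024-10979,
# taken from the advisory above. 12.21 is also the final PostgreSQL 12 release.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}
EOL_MAJORS = {12}

_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)")
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)")


@dataclass
class VersionStatus:
    major: int
    minor: int
    patched: bool                 # at or above the fixed minor release for this major
    eol: bool                     # major branch is out of support after this release
    reindex_after_upgrade: bool   # 17.0 -> 17.1 may require REINDEX INDEX CONCURRENTLY


def parse_version(version_string: str) -> tuple[int, int]:
    """Parse SELECT version() output (or a bare 'major.minor' string) into (major, minor)."""
    m = _VERSION_RE.search(version_string) or _BARE_RE.match(version_string)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version_string: str) -> VersionStatus:
    """Classify one server against the fixed versions in this advisory."""
    major, minor = parse_version(version_string)
    if major not in FIXED_MINOR:
        raise ValueError(f"PostgreSQL {major} is not covered by this advisory")
    return VersionStatus(
        major=major,
        minor=minor,
        patched=minor >= FIXED_MINOR[major],
        eol=major in EOL_MAJORS,
        reindex_after_upgrade=(major == 17 and minor == 0),
    )


def unpatched_hosts(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames (sorted) whose reported version predates the fix."""
    return sorted(host for host, ver in inventory.items() if not assess(ver).patched)


# Constructed sample inventory: hostname -> SELECT version() output.
SAMPLE_INVENTORY = {
    "db-prod-01": "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
    "db-prod-02": "PostgreSQL 16.5 (Debian 16.5-1.pgdg120+1) on x86_64-pc-linux-gnu",
    "db-legacy":  "PostgreSQL 12.20 on x86_64-pc-linux-gnu",
    "db-new":     "PostgreSQL 17.0 on aarch64-unknown-linux-gnu",
}
```

Run it against the real `SELECT version()` strings from your hosts; any server returned by `unpatched_hosts` is still exposed to the four CVEs, and any 17.0 server gets the reindex flag to review after upgrading.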

In conclusion, this comprehensive security update underscores the PostgreSQL Global Development Group’s commitment to maintaining a secure and reliable database management system.

Users are urged to apply this update promptly to mitigate potential security risks and benefit from the latest improvements.