Hasty Briefs (beta)


Postgres minor releases closing 11 CVEs

4 hours ago
  • #PostgreSQL
  • #Bug Fixes
  • #Security Updates
  • PostgreSQL releases updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, fixing 11 security vulnerabilities and over 60 bugs.
  • Key security fixes include: CVE-2024-XXXXX (missing authorization in CREATE TYPE), CVE-2024-XXXXX (integer wraparound), CVE-2024-XXXXX (format string in timeofday), CVE-2024-XXXXX (symlink following in pg_basebackup/pg_rewind), CVE-2024-XXXXX (SQL injection in pg_createsubscriber), CVE-2024-XXXXX (libpq lo_* functions buffer overflow), CVE-2024-XXXXX (MD5 password timing channel), CVE-2024-XXXXX (uncontrolled recursion in SSL/GSS), CVE-2024-XXXXX (buffer over-read in pg_restore_attribute_stats), CVE-2024-XXXXX (stack buffer overflow in refint), and CVE-2024-XXXXX (SQL injection in REFRESH PUBLICATION).
  • PostgreSQL 14 will reach end-of-life on November 12, 2026; users are advised to upgrade to supported versions.
  • Bug fixes address issues with DEFERRABLE foreign keys, INSERT ... ON CONFLICT, MERGE concurrency, CREATE TABLE ... LIKE, domain support for WITHOUT OVERLAPS, parallel execution of array_agg, system view corrections, and improvements in pg_basebackup, pg_dumpall, pg_upgrade, and postgres_fdw.
  • Time zone data updated to tzdata 2026b, including changes for British Columbia (permanent DST from November 2026) and historical corrections for Moldova.
  • Update releases are cumulative; no database dump/reload is required. Stop PostgreSQL, install the updated binaries, and restart it, though users who skipped earlier minor releases may need additional post-update steps listed in those releases' notes.
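A defender's first question after a batch like this is which servers in the fleet are still below the fixed minor for their major. The following is an added example, not code from PostgreSQL or from this brief: it parses `SELECT version()` / `SHOW server_version` strings against the patched minors and EOL date stated above; the host inventory and its version strings are constructed.

```python
"""Classify PostgreSQL servers against the minor releases that closed
this batch of 11 CVEs. Added example; sample inventory is constructed."""
import re
from datetime import date

# Fixed minor per major, from the release announcement.
PATCHED = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}
# End-of-life date stated in the announcement (PostgreSQL 14 only).
EOL = {14: date(2026, 11, 12)}

_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor) from version() or server_version output,
    or None if no version is present. Pre-release strings such as
    '18beta1' carry no minor and are reported as minor 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def patch_status(text, today=None):
    """Return a dict with status 'patched', 'vulnerable', 'not_in_batch'
    (major not covered by this release set) or 'unparsed', plus an
    'eol' flag. `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    parsed = parse_version(text)
    if parsed is None:
        return {"status": "unparsed", "eol": False}
    major, minor = parsed
    eol = major in EOL and today >= EOL[major]
    if major not in PATCHED:
        return {"status": "not_in_batch", "major": major, "minor": minor, "eol": eol}
    status = "patched" if minor >= PATCHED[major] else "vulnerable"
    return {"status": status, "major": major, "minor": minor,
            "required": PATCHED[major], "eol": eol}


# Constructed sample inventory, shaped like output collected by an inventory job.
SAMPLE_INVENTORY = {
    "prod-db-1": "PostgreSQL 16.11 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
    "prod-db-2": "PostgreSQL 17.10 (Debian 17.10-1.pgdg120+1) on x86_64-pc-linux-gnu",
    "legacy-db": "PostgreSQL 14.23 on x86_64-pc-linux-gnu",
    "old-db": "PostgreSQL 13.20 on x86_64-pc-linux-gnu",
}


def report(inventory, today=None):
    """Map each host to its patch_status result."""
    return {host: patch_status(v, today) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, r in report(SAMPLE_INVENTORY, "2026-08-20").items():
        print(host, r)
```

Hosts reported as 'vulnerable' need the cumulative update applied; a 'patched' 14.x host still shows `eol` once November 12, 2026 has passed.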