This article was originally published on August 21, 2023
WHAT’S NEW
This update notifies you of new software releases in the EDB repositories for PostgreSQL, EDB Postgres Advanced Server (EPAS) and EDB Postgres Extended (PGE) Server.
EDB Postgres Advanced Server merges the fixes from the latest upstream PostgreSQL release with security fixes for EPAS-specific functionality that goes beyond what community PostgreSQL offers.
The EDB Postgres Extended Server release only merges the fixes from the latest community PostgreSQL release. PGE is not affected by the security vulnerabilities fixed in this release of EPAS.
Database Distribution           Versions Released
PostgreSQL                      15.4, 14.9, 13.12, 12.16 and 11.21
EDB Postgres Advanced Server    15.4.0, 14.9.0, 13.12.17, 12.16.20, 11.21.32
EDB Postgres Extended Server    15.4.0, 14.9.0, 13.12r1.1.14, 12.16r1.1.16, 11.21r2.1.16
Important
Several security vulnerabilities affecting all versions of EDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, and 15.4.0 are addressed in these releases. Visit the EDB security advisories documentation as soon as possible to review the advisories and the fixes or mitigations they require.
Highlights of these releases include:
- Merge with the community release. See the release notes in the EPAS documentation for more information about the merge and other fixes.
- New extensions: index_advisor and sql_profiler are now separate extensions and can be downloaded independently from the EDB Repos.
Security fixes:
These fixes resolve the issues in all versions of EPAS prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0.
- CVE-2023-XXXXX-1: EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path
- CVE-2023-XXXXX-2: EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser
- CVE-2023-XXXXX-3: EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory()
- CVE-2023-XXXXX-4: EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass
- CVE-2023-XXXXX-5: EDB Postgres Advanced Server (EPAS) permission bypass for materialized views
- CVE-2023-XXXXX-6: EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL
- CVE-2023-XXXXX-7: EDB Postgres Advanced Server (EPAS) read permission bypass for large objects
- CVE-2023-XXXXX-8: EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission
Note: Advisories with numbers in the format `CVE-YYYY-XXXXX-n` are submitted and pending full number assignment. Please visit the EDB security page for the latest updates.
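As an added example that is not part of this announcement or of EPAS itself, the following standard PostgreSQL SQL shows the general class behind the first advisory above (SECURITY DEFINER routines hijacked via search_path): a vulnerable function, the hijack, a catalog query that finds routines still exposed, and the fix. All schema, table, role and function names (app, events, mallory, record_event) are constructed for the example; it does not reproduce the EPAS-specific issue, whose details are in the EDB security advisories.

```sql
-- Added example, not from the EDB announcement or the EPAS source: the
-- generic search_path hijack against a SECURITY DEFINER function, the
-- catalog query that finds exposed routines, and the fix that closes it.
-- Standard PostgreSQL (11+) catalogs and syntax only; the names app, events,
-- mallory and record_event are constructed. Run as a superuser in a scratch DB.

-- 0. Before anything else, confirm the server is at a fixed version.
SELECT version();

-- 1. Vulnerable pattern: runs as its owner but names "events" unqualified,
--    so the table is resolved through the *caller's* search_path.
CREATE SCHEMA app;
CREATE TABLE app.events (id serial PRIMARY KEY, msg text, logged_by text);
CREATE FUNCTION app.record_event(p_msg text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO events (msg, logged_by) VALUES (p_msg, current_user);
END $$;
GRANT EXECUTE ON FUNCTION app.record_event(text) TO PUBLIC;

-- 2. Hijack: a low-privileged role that can create objects in some schema
--    (here its own schema "mallory") plants a same-named table with a trigger.
--    The trigger runs with the privileges of whoever executes the INSERT,
--    i.e. the SECURITY DEFINER owner, not the caller.
CREATE ROLE mallory LOGIN;
CREATE SCHEMA mallory AUTHORIZATION mallory;
SET ROLE mallory;
CREATE TABLE mallory.events (msg text, logged_by text, effective_user text);
CREATE FUNCTION mallory.capture() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    NEW.effective_user := current_user;   -- records the elevated context
    RETURN NEW;
END $$;
CREATE TRIGGER capture_trg BEFORE INSERT ON mallory.events
    FOR EACH ROW EXECUTE FUNCTION mallory.capture();
SET search_path = mallory, app;
SELECT app.record_event('hello');
SELECT effective_user FROM mallory.events;   -- shows the function owner, not mallory
RESET ROLE;
RESET search_path;

-- 3. Audit: SECURITY DEFINER functions and procedures outside the system
--    schemas whose configuration does not pin search_path. A NULL proconfig
--    unnests to zero rows, so NOT EXISTS is true for it and it is listed.
SELECT n.nspname AS schema, p.proname AS routine, p.prokind,
       pg_get_userbyid(p.proowner) AS owner, p.proconfig
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) AS c
                   WHERE c LIKE 'search_path=%')
ORDER  BY 1, 2;

-- 4. Fix: pin search_path (pg_temp explicitly last, so caller-created
--    temporary objects cannot shadow anything) and stop exposing the routine
--    to every role; re-grant EXECUTE only to the roles that need it.
ALTER FUNCTION app.record_event(text) SET search_path = pg_catalog, app, pg_temp;
REVOKE EXECUTE ON FUNCTION app.record_event(text) FROM PUBLIC;
```

After the ALTER, re-running step 2 inserts into app.events regardless of the caller's search_path. Upgrading EPAS fixes the EDB-supplied routines covered by the advisory; SECURITY DEFINER routines you wrote yourself are not touched by the upgrade, so run the audit query in step 3 on every database after patching.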
Bug fixes:
EPAS 11 and above
- Allow subtypes in INDEX BY clause of the packaged collection types. (#1371)
- Fix %type resolution when pointing to a packaged type field. (#1243)
EPAS 12 and above:
- Profile: Fix upgrade when REUSE constraints are ENABLED/DISABLED. (#92739)
- Set correct collation for packaged cursor parameters. (#92739)
- Roll back an autonomous transaction that creates pg_temp if an error occurs. (#91614)
EPAS 13 and above:
- Added checks to ensure the required WAL logging in the EXCHANGE PARTITION command.
EPAS 14 and above:
- Dump/restore the sequences created for GENERATED AS IDENTITY constraint. (#90658)
- Skip updating the last DDL time for the parent table in CREATE INDEX. (#91270)
- Remove existing package private procedure or function entries from edb_last_ddl_time when replacing the package body.
EPAS 15 and above:
- Fix libpq to allow multiple PQprepare() calls under the same transaction. (#94735)
*Numbers in parentheses are customer case numbers.
For more details, please review the EDB Postgres Advanced Server or EDB Postgres Extended Server documentation:
https://www.enterprisedb.com/docs/epas/latest/
https://www.enterprisedb.com/docs/pge/latest/
IS THIS FOR ME?
This announcement is for EDB customers who are using, or are interested in, EDB Postgres Advanced Server or EDB Postgres Extended Server (used with EDB Postgres Distributed) and have a database subscription purchased for:
- EDB Standard Plan
- EDB Enterprise Plan
- EDB Extreme HA Plan
HOW TO GET THE SOFTWARE
EDB Postgres Advanced Server and EDB Postgres Extended Server are available as native RPM and DEB packages from EDB Repos. To request the credentials required to access the EDB repositories, visit Create new account.
TROUBLESHOOTING
If you experience any problems with the installation, migration, upgrade or general use of your EDB software, please contact our Technical Support teams. Customers may reach us at https://techsupport.enterprisedb.com, and we are also available 24x7 via email and phone at the details below:
Customer Support Email: techsupport@enterprisedb.com
Trial Use Assistance: trial-help@enterprisedb.com
US +1-732-331-1320 / 1-800-235-5891
UK +44-2033719820
Brazil +55-2139581371
India +91-20-66449612