The PostgreSQL Global Development Group has released a security update for all supported versions of PostgreSQL: 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. The release fixes four security vulnerabilities and more than 35 bugs reported over the last several months.
The vulnerabilities are tracked as CVE-2024-10976, CVE-2024-10977, CVE-2024-10978, and CVE-2024-10979. This is also the final release for PostgreSQL 12, which is now end-of-life and will receive no further fixes.
Security Vulnerabilities
CVE-2024-10976: A row-level security (RLS) flaw affecting PostgreSQL 12 through 17, CVSS v3.1 Base Score 4.2. PostgreSQL did not fully track which tables in a query are subject to row security, in particular tables referenced below the top level of a query (for example inside a subquery). As a result, a reused (cached) query could read or modify rows other than those the current role's policies permit.
CVE-2024-10977: An issue in libpq, the client library, in which an error message is retained from an untrusted server. It affects versions 12 through 17 and carries a CVSS v3.1 Base Score of 3.1. A server that is not trusted under the client's current SSL or GSS settings, such as a man-in-the-middle, can supply arbitrary non-NUL bytes in an error message, which a libpq application may then treat as if they were legitimate query results.
CVE-2024-10978: A user ID reset bug in SET ROLE and SET SESSION AUTHORIZATION, affecting versions 12 through 17, with a CVSS v3.1 Base Score of 4.2. The server could reset to the wrong user ID, so that a less-privileged application user could view or change rows other than those intended. Exploitation requires an application that uses SET ROLE, SET SESSION AUTHORIZATION, or an equivalent mechanism to switch privileges within a session, a common pattern behind connection poolers and multi-tenant services.
CVE-2024-10979: A high-severity vulnerability in PL/Perl, affecting versions 12 through 17, with a CVSS v3.1 Base Score of 8.8. Incorrect control of environment variables allowed an unprivileged database user to change sensitive process environment variables of the server backend (for example PATH). That is often enough to achieve arbitrary code execution on the database host, even if the attacker has no operating-system account there.
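The following is an added example, not from the article or the PostgreSQL project: triage queries a DBA can run on each cluster (and, for the PL/Perl and RLS checks, in each database) before scheduling the update. The version thresholds are derived from the fixed releases listed above; server_version_num encodes major * 10000 + minor, so 17.1 is 170001, 16.5 is 160005, and so on. The first check for CVE-2024-10976 below uses hypothetical role and table names (rls_alice, rls_bob, rls_t) and is wrapped in a transaction that is rolled back, so nothing persists.

```sql
-- 1. Is this server already on a fixed release?
WITH v AS (SELECT current_setting('server_version_num')::int AS n)
SELECT n AS server_version_num,
       n / 10000 AS major,
       n % 10000 AS minor,
       CASE n / 10000
         WHEN 17 THEN n >= 170001
         WHEN 16 THEN n >= 160005
         WHEN 15 THEN n >= 150009
         WHEN 14 THEN n >= 140014
         WHEN 13 THEN n >= 130017
         WHEN 12 THEN n >= 120021
         ELSE NULL          -- unsupported major version: no fix was published
       END AS has_nov_2024_fix
FROM v;

-- 2. Who can reach PL/Perl (CVE-2024-10979)? Languages are installed per
--    database, and USAGE on trusted plperl is granted to PUBLIC by default,
--    so every non-superuser listed here can create PL/Perl functions.
SELECT l.lanname, l.lanpltrusted, r.rolname
FROM pg_language l
CROSS JOIN pg_roles r
WHERE l.lanname IN ('plperl', 'plperlu')
  AND NOT r.rolsuper
  AND has_language_privilege(r.oid, l.oid, 'USAGE')
ORDER BY l.lanname, r.rolname;

-- 3. Tables whose row security the application relies on (CVE-2024-10976
--    and CVE-2024-10978 both concern rows visible under RLS).
SELECT n.nspname, c.relname, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relrowsecurity
ORDER BY 1, 2;

-- 4. Self-check for the plan-reuse behaviour behind CVE-2024-10976.
--    Run as a superuser in a scratch database. Which policy applies is
--    decided when the query is rewritten, and that rewrite is cached with
--    the prepared statement, so role-specific policies expose stale reuse.
BEGIN;
CREATE ROLE rls_alice NOLOGIN;
CREATE ROLE rls_bob   NOLOGIN;
CREATE TABLE rls_t (owner_name text, secret text);
INSERT INTO rls_t VALUES ('alice', 'alice-only'), ('bob', 'bob-only');
GRANT SELECT ON rls_t TO rls_alice, rls_bob;
ALTER TABLE rls_t ENABLE ROW LEVEL SECURITY;
CREATE POLICY p_alice ON rls_t TO rls_alice USING (owner_name = 'alice');
CREATE POLICY p_bob   ON rls_t TO rls_bob   USING (owner_name = 'bob');
-- The RLS table sits in a subquery, i.e. below the top level of the query,
-- which is the case the advisory describes as not having been tracked.
PREPARE rls_probe AS
  SELECT s.secret FROM (SELECT secret FROM rls_t) AS s;
SET ROLE rls_alice;
EXECUTE rls_probe;
SET ROLE rls_bob;
EXECUTE rls_probe;
RESET ROLE;
DEALLOCATE rls_probe;
ROLLBACK;
```

On a fixed server the second EXECUTE returns only bob's row, because the cached statement is re-planned for the new role. A server with the flaw could keep using the rewrite produced for rls_alice and return alice's row to rls_bob, which is the "different rows from those intended" outcome the advisory describes. Part 2 only lists who can define PL/Perl functions; executing an existing PL/Perl function does not require USAGE on the language, so also review functions already defined in plperl.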
The update also encompasses more than 35 bug fixes, addressing a variety of issues such as:
- Partition attachment and detachment with foreign key constraints
- Collation provider issues
- Query planner improvements
- Race conditions in transaction commits
- Logical decoding memory consumption
- JIT crashes on ARM systems
Furthermore, the release updates time zone data files to tzdata release 2024b, impacting System-V-compatibility zone names and historical corrections for several countries.
As with every minor release, no dump and restore is needed: stop the server, install the updated binaries, and restart. Two situations call for additional steps after the restart:
- If you have partitioned tables with foreign key constraints that were affected by earlier ATTACH PARTITION or DETACH PARTITION commands, the constraints may need to be repaired manually; the release notes describe how to identify and fix them.
- If you are running PostgreSQL 17.0 with the locale settings called out in the release notes, text-based indexes must be rebuilt. REINDEX INDEX CONCURRENTLY does this without blocking writes to the table.
It is essential to review the release notes for comprehensive upgrade instructions and any potential post-update actions, particularly for users who have not implemented previous updates.
For those running PostgreSQL 12 in production environments, it is highly recommended to upgrade to a newer, supported version to ensure ongoing security and access to bug fixes.
Given the high-severity PL/Perl issue and the end of support for PostgreSQL 12, users should apply this update promptly to reduce exposure and to pick up the accumulated bug fixes.