logical replication Archives

Tech Optimizer

May 21, 2026

PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include: - CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking. - CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes. - CVE-2026-6474: Format string issue leaks server memory. - CVE-2026-6475: Symlink attack allows overwriting arbitrary files. - CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser. - CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions. - CVE-2026-6478: Timing attack exposes MD5-hashed passwords. - CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service. - CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only). - CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE. - CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names. Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

Critical PostgreSQL Flaws Enable Code Execution and SQL Injection

On May 14, 2026, PostgreSQL released critical security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 Common Vulnerabilities and Exposures (CVEs) related to stack buffer overflows, SQL injection, memory disclosure, and denial-of-service vulnerabilities. The most critical vulnerability, CVE-2026-6637, has a CVSS score of 8.8 and allows remote, unprivileged database users to execute arbitrary code. Other notable vulnerabilities include CVE-2026-6473, which affects memory allocation leading to potential memory corruption, and CVE-2026-6475, which allows overwriting sensitive OS-level files. Additional vulnerabilities include SQL injection flaws and authentication issues, with various CVSS scores ranging from 3.7 to 7.5. The updates can be implemented without a database dump, and PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 19, 2026

Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections

The PostgreSQL Global Development Group has released security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 vulnerabilities, including critical issues related to arbitrary code execution and SQL injection flaws. All supported branches from 14 through 18 are affected by vulnerabilities, necessitating updates. Database administrators can perform in-place upgrades without needing a dump/restore. Key vulnerabilities include: - CVE-2026-6637: Stack buffer overflow in the refint module allowing arbitrary code execution. - CVE-2026-6472: Privilege bypass and arbitrary SQL execution. - CVE-2026-6473: Potential remote code execution and memory corruption. - CVE-2026-6474: Server memory information leak. - CVE-2026-6475: Arbitrary file overwrite vulnerability. - CVE-2026-6476: SQL injection with superuser execution. - CVE-2026-6477: Client-side code execution risk. - CVE-2026-6478: MD5 credential timing leak. - CVE-2026-6479: SSL/GSS denial-of-service flaw. - CVE-2026-6575: Limited memory disclosure issue. - CVE-2026-6638: SQL injection in logical replication. Organizations using PostgreSQL 14 should upgrade to version 14.23 and plan migration to a newer version before the end-of-life on November 12, 2026. The updates are urgent for deployments exposed to the internet or in multi-tenant environments.

Tech Optimizer

May 18, 2026

Google Pushes AI for PostgreSQL Development

Google is integrating artificial intelligence into PostgreSQL engineering while ensuring engineers remain responsible for their code contributions. This initiative aims to improve productivity and streamline processes, particularly in version upgrades, replication behavior, and production recovery. Sailesh Krishnamurthy, Google Cloud's VP of Databases, emphasized the importance of human oversight in this AI-driven approach. Between July and December 2025, Google's PostgreSQL engineering focused on logical replication, improvements to pg_upgrade, and upstream bug fixes. Logical replication allows selective database change transfers, which is beneficial for migrations and upgrades. The roadmap includes Automatic Conflict Detection and logical replication of sequences to minimize manual synchronization issues. Enterprise teams are particularly interested in these developments due to the challenges posed by write collisions and misaligned sequence values. The demand for PostgreSQL services at Google is increasing due to migration needs from Oracle and SQL Server. Recent data shows PostgreSQL's rising popularity, ranking fourth in the DB-Engines ranking and gaining 8.37 points year over year, while its competitors experienced declines.

Tech Optimizer

May 6, 2026

How Aurora Blue-Green Upgrades Cut Our Postgres Downtime by 50X

Paxos has implemented Blue-Green upgrades to improve database maintenance for asset trading, achieving a 50-fold reduction in downtime from 30-120 minutes to approximately one minute. This upgrade strategy allows for real-time synchronization between a blue cluster handling production traffic and a new green cluster with the updated version. Challenges included issues with CREATE ROLE statements disrupting upgrades due to temporary roles and the necessity to drop replication slots before PostgreSQL 17, which could lead to data loss. Additionally, upon the green cluster becoming primary, it acquires a new cluster ID, requiring updates for clients using RDS IAM authentication. The transition to PostgreSQL 17 is anticipated to resolve the need to drop logical replication slots, preserving Change Data Capture (CDC) continuity.

Tech Optimizer

April 11, 2026

Google Cloud Highlights Ongoing Work on PostgreSQL Core Capabilities

Google Cloud has made technical contributions to PostgreSQL, focusing on advancements in logical replication, upgrade processes, and system stability. Key developments include the evolution of logical replication towards active-active configurations with automatic conflict detection to identify row-level conflicts during replication. This progress has sparked discussions about consistency models in database systems. Enhancements have also expanded logical replication to include sequences, reducing manual synchronization needs. Improvements to pg_upgrade have streamlined large object management and reduced upgrade times, while ensuring WAL data retention and schema constraint preservation. Bug fixes have addressed issues with index pages, extension loading, and WAL flush logic. Future features under development include a structured conflict log for replication and enhancements to parallel data export in pg_dump.

Tech Optimizer

April 8, 2026

PostgreSQL logical replication: How to replicate only the data that you need

Many organizations using PostgreSQL face challenges in replicating data across different logical databases while controlling shared information. PostgreSQL 15 introduces native logical replication with column-level and row-level filtering within publications, allowing precise control over data transfer between PostgreSQL databases. Logical replication operates on a publish-subscribe model, where the source database logs changes to the Write-Ahead Log (WAL) and applies publication filters to transmit only the relevant data to the target database. Two filtering modes are available: column-level filtering allows users to specify which columns to replicate, while row-level filtering uses WHERE clauses to determine which rows to include. Both filtering modes can be combined in a single publication. The SQL syntax for creating publications and subscriptions is consistent across various PostgreSQL environments, with specific configurations required for enabling logical replication. Use cases for logical replication include multi-tenant SaaS data isolation, regional data distribution for ecommerce, PCI DSS compliance in financial services, development and testing environments, and retail inventory management. Prerequisites for implementing logical replication include using PostgreSQL 15 or later, ensuring network connectivity, having a user with replication privileges, enabling logical replication on the source instance, and monitoring WAL retention. Logical replication has limitations, such as the need for a replica identity for UPDATE and DELETE operations, the non-replication of DDL changes and sequences, and potential performance overhead during initial synchronization and ongoing replication. After testing, it is advisable to clean up by removing replication resources to prevent unnecessary costs.

Tech Optimizer

March 29, 2026

PostgreSQL cost model: estimating the cost of flushing temp buffers to disk

The project focuses on enabling temporary tables in PostgreSQL's parallel query execution by benchmarking sequential writes and reads of temporary buffers. Functions were introduced to measure buffer flush operations, and tests were conducted to estimate the cost of flushing temporary table buffer pages to disk. Findings indicate that sequential writes are about 30% slower than reads, leading to a proposed cost model. Temporary tables have limited parallel usage due to their function as relational variables and the complexity of parallel workers accessing the leader process's local state. Two enterprise PostgreSQL distributions already support parallel operations on temporary tables, and discussions on logical replication of DDL highlight the need for improved tooling for temporary tables. A significant challenge is that temporary buffer pages are local to the leader process, and if not flushed to disk, parallel workers cannot access them. A comment from 2015 suggests flushing the leader's temporary buffers to disk before parallel operations to allow workers to scan the table in parallel. However, this raises concerns about the cost of writing buffers versus the benefits of parallelism. The benchmarking toolkit includes modifications to PostgreSQL to facilitate measurement of local buffers. Two key commits added statistics infrastructure to track allocated and dirty local buffers and UI functions to manage buffer operations. The methodology involves creating a temporary table, flushing buffers, measuring I/O, and evaluating scan overhead. The tests reveal that the cost of writing a temporary table approximates the cost of a sequential page, leading to a proposed formula for flushing costs. The results show that larger buffer sizes lead to higher write overhead and increased variability. A comprehensive formula for pre-flushing temp buffers is suggested, factoring in the number of dirtied and allocated local buffers. Next steps include adding planner flags for temporary objects, implementing executor support for worker access to temporary table storage, introducing a temp-buffer flush operation, and integrating the cost model into the planner for parallel scans of temporary tables.

Tech Optimizer

March 11, 2026

Netflix Automates RDS PostgreSQL to Aurora PostgreSQL Migration Across 400 Production Clusters

Netflix has developed an internal automation platform to migrate Amazon RDS for PostgreSQL databases to Amazon Aurora PostgreSQL, reducing operational risks and downtime for nearly 400 production clusters. The platform allows service teams to perform migrations through a self-service workflow while ensuring processes like replication validation and rollback safeguards are maintained. Database access is managed through a platform-managed layer using Envoy, which standardizes mutual TLS and abstracts database endpoints, enhancing security and efficiency. The migration process starts with creating an Aurora PostgreSQL cluster as a read replica of the source RDS instance, initialized from a storage snapshot and continuously replaying write-ahead log (WAL) records. Validation checks are performed to ensure the replica can handle peak write throughput before cutover. For change data capture workloads, the system coordinates the state of replication slots and pauses CDC consumers to prevent excessive WAL retention. The Enablement Applications team at Netflix successfully migrated databases for device certification and partner billing workflows, addressing issues like elevated replication lag due to inactive logical replication slots. As replication lag decreases, the system enters a controlled quiescence phase, adjusts security rules, and reboots the source RDS instance. Once all transactions are processed and the Aurora replica is ready, it is promoted to a writable cluster, and traffic is rerouted. Rollback capabilities are prioritized, allowing redirection back to the original RDS instance if validation checks fail or anomalies are detected post-promotion. This setup enables seamless restoration without redeployment, and CDC consumers can resume from recorded slot positions if needed.

Tech Optimizer

February 14, 2026

PostgreSQL vs MySQL: Which Database is Better in 2026?

PostgreSQL 17 introduces significant enhancements, including refined memory management in VACUUM processes, improved SQL/JSON capabilities with features like JSON_TABLE(), advancements in logical replication and parallel processing, and overall increased efficiency for handling complex queries and large datasets. MySQL, under Oracle's stewardship, focuses on performance, reliability, and cloud integration, with updates unveiled at the HeatWave Summit in 2025 that support both transactional and analytical workloads in a unified system, enabling real-time analytics without data transfer to separate tools.