New Compose PostgreSQL updates address security issues: Noteworthy Extra


Last week saw the release of PostgreSQL updates which included fixes for two security issues. These issues are of concern as they involve vulnerabilities which could be exploited remotely to potentially expose server memory (9.5.x and 9.6.x) or access other servers through extensions such as dblink or pg_fdw (9.4.x, 9.5.x, 9.6.x).

What Compose is doing

We are making PostgreSQL 9.4.19, 9.5.14 and 9.6.10 available immediately to allow users to upgrade as soon as possible to the new versions.

The vulnerabilities are fixed as part of a range of bug fixes and other corrections incorporated in the various updates. Notes for 9.4.19, 9.5.14 and 9.6.10 list the changes made in each edition.

We are not setting these new versions to preferred – the Compose default for new deployments – yet, so when creating a new deployment, please remember to select the most recent version. We are currently planning to make these new versions preferred in 30 days time after which we'll be removing the ability to provision older versions of PostgreSQL.

Your options for action

We hope that you will make the time to protect your database by upgrading it to the latest minor version using the in-place upgrade option in settings.

You may wish to consider also taking to opportunity to upgrade to a more recent major version of PostgreSQL so you can make use of the many new features available such as the "Upsert" feature and enhanced JSONB in 9.5 or improved vacuuming and full-text search for phrases in 9.6. That can be achieved by using the Restore-from-Backup capability of Compose, taking a recent backup and creating a new deployment with a newer version of PostgreSQL on it. Read more about the process in the Compose documentation on upgrading PostgreSQL.

Whatever you do, upgrade to one of these new versions. In 30 days, when we move to "preferred" status for them, we will also be announcing a schedule of managed, forced upgrades on older versions to eliminate the underlying security issues from the Compose platform.

attribution Hans Veth via Unsplash

Default avatar The default author avatar
The Compose Team The fine team of people at Compose have brought this article to you through teamwork. Remember, teamwork makes the dreamwork. Love this article? Head over to The Compose Team’s author page to keep reading.

Conquer the Data Layer

Spend your time developing apps, not managing databases.