From 2cf04c8e383b407822fb15f9dca2f998d3c363f0 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 7 May 2024 11:14:47 +0100 Subject: [PATCH 1/5] cve20244545 added Signed-off-by: Dj Walker-Morgan --- .../security/advisories/cve20244545.mdx | 65 ++++++++++++++++ advocacy_docs/security/advisories/index.mdx | 25 ++++++ advocacy_docs/security/index.mdx | 78 ++----------------- product_docs/docs/pgd/5/reference/index.mdx | 10 +-- 4 files changed, 102 insertions(+), 76 deletions(-) create mode 100644 advocacy_docs/security/advisories/cve20244545.mdx diff --git a/advocacy_docs/security/advisories/cve20244545.mdx b/advocacy_docs/security/advisories/cve20244545.mdx new file mode 100644 index 00000000000..dda91c16c32 --- /dev/null +++ b/advocacy_docs/security/advisories/cve20244545.mdx @@ -0,0 +1,65 @@ +--- +title: CVE-2024-4545 - EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr +navTitle: CVE-2024-4545 +affectedProducts: All versions of EDB Postgres Advanced Server (EPAS) edbldr prior to 15.6.1 and 16.2.1 +--- + +First Published: 2024/05/09 + +Last Updated: 2024/05/09 + +## Summary + +All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 15.6.1 and 16.2.1 may allow users using `edbldr` to bypass role permissions from `pg_read_server_files`. This could allow low privilege users to read files to which they would not otherwise have access. + +## Vulnerability details + +CVE-ID: [CVE-2024-4545](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4545) + +CVSS Base Score: 7.7 + +CVSS Temporal Score: Undefined + +CVSS Environmental Score: Undefined + +CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N + +## Affected products and versions + +* EnterpriseDB Postgres Advanced Server (EPAS) + * All versions prior to 15.6.1 + * All versions prior to 16.2.1 + +## Remediation + +Impacted users must upgrade to a fixed version of EPAS. For questions about updating, users can contact their account representative or [contact EDB](https://www.enterprisedb.com/contact). + +| Product | VRMF | Remediation/First Fix | +|---------|------|-----------------------| +| EPAS | All versions prior to 15.6.1 | [Upgrade EPAS 15 to Minor release](https://www.enterprisedb.com/docs/epas/15/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) | +| EPAS | All versions prior to 16.2.1 | [Upgrade EPAS 16 to Minor release](https://www.enterprisedb.com/docs/epas/16/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) | + +## References + +* [CVSS Calculator v3.1](https://www.first.org/cvss/calculator/3.1) +* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html) + + +## Related information + +* [EnterpriseDB](https://www.enterprisedb.com/) +* [PostgreSQL](https://www.postgresql.org/) +* [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server) +* [EDB Blogs link](https://enterprisedb.com/blog/) + +## Acknowledgement + +None + +## Change history + +* 9 May 2024: Original document published + +## Disclaimer + +This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document. \ No newline at end of file diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx index 0b7733b715f..8d534591473 100644 --- a/advocacy_docs/security/advisories/index.mdx +++ b/advocacy_docs/security/advisories/index.mdx @@ -6,6 +6,7 @@ iconName: Security hideKBLink: true hideToC: false navigation: +- cve20244545 - cve202341120 - cve202341119 - cve202341118 @@ -26,6 +27,30 @@ navigation: +

Updated 2024

+ + + + + + + + + +
+

CVE-2024-4545

+ +  Read Advisory +  Updated: 2024/05/09 +

EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr

+
All versions of EDB Postgres Advanced Server (EPAS) edbldr prior to 15.6.1 and 16.2.1
+ +
+Summary:  +All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 15.6.1 and 16.2.1 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. +
+Read More... +

Updated 2023

diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 5f469e6c792..eac2c45fdb2 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -33,82 +33,18 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v - - - - - - - - - - - -
-

CVE-2023-41120

+

CVE-2024-4545

-  Read Advisory -  Updated: 2023/08/30 -

EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission

-
All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0
+  Read Advisory +  Updated: 2024/05/09 +

EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr

+
All versions of EDB Postgres Advanced Server (EPAS) edbldr prior to 15.6.1 and 16.2.1
Summary:  -An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user's permissions. +All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 15.6.1 and 16.2.1 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access.
-Read More... -
-

CVE-2023-41119

- -  Read Advisory -  Updated: 2023/08/30 -

EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser

-
All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0
- -
-Summary:  -An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It contains the function _dbms_aq_move_to_exception_queue that may be used to elevate a user's privileges to superuser. This function accepts the OID of a table, and then accesses that table as the superuser by using SELECT and DML commands. -
-Read More... -
-

CVE-2023-41118

- -  Read Advisory -  Updated: 2023/08/30 -

EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass

-
All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0
- -
-Summary:  -An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It may allow an authenticated user to bypass authorization requirements and access underlying implementation functions. When a superuser has configured file locations using CREATE DIRECTORY, these functions allow users to take a wide range of actions, including read, write, copy, rename, and delete. -
-Read More... -
-

CVE-2023-41117

- -  Read Advisory -  Updated: 2023/08/30 -

EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path

-
All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0
- -
-Summary:  -An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It contain packages, standalone packages, and functions that run SECURITY DEFINER but are inadequately secured against search_path attacks. -
-Read More... -
-

CVE-2023-41116

- -  Read Advisory -  Updated: 2023/08/30 -

EDB Postgres Advanced Server (EPAS) permission bypass for materialized views

-
All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0
- -
-Summary:  -An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It allows an authenticated user to refresh any materialized view, regardless of that user's permissions. -
-Read More... +Read More...
diff --git a/product_docs/docs/pgd/5/reference/index.mdx b/product_docs/docs/pgd/5/reference/index.mdx index a1947e24d6c..da38c8af657 100644 --- a/product_docs/docs/pgd/5/reference/index.mdx +++ b/product_docs/docs/pgd/5/reference/index.mdx @@ -1,8 +1,8 @@ --- -title: "PGD reference" -navTitle: "PGD reference" +title: "PGD Reference" +navTitle: "PGD Reference" description: > - The complete reference to all functions, views, and commands available in EDB Postgres Distributed. + The complete reference to all functions, views and commands available in EDB Postgres Distributed. indexCards: none navigation: - catalogs-visible @@ -23,7 +23,7 @@ navigation: - functions-internal --- -The reference section is a definitive listing of all functions, views, and commands available in EDB Postgres Distributed. +The reference section is a definitive listing of all functions, views and commands available in EDB Postgres Distributed. @@ -345,7 +345,7 @@ The reference section is a definitive listing of all functions, views, and comma * [Internal functions](autopartition#internal-functions) * [`bdr.autopartition_create_partition`](autopartition#bdrautopartition_create_partition) * [`bdr.autopartition_drop_partition`](autopartition#bdrautopartition_drop_partition) -## Stream Triggers Reference +## Stream triggers reference ## [Stream triggers manipulation interfaces](streamtriggers/interfaces) From 400f67f037151be32b44701cf0c7cf3e1fd4b6cc Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Wed, 8 May 2024 11:11:49 +0100 Subject: [PATCH 2/5] First rel note pass - pge good, epas tbd Signed-off-by: Dj Walker-Morgan --- .../security/advisories/cve20244545.mdx | 18 ++++++++++++------ advocacy_docs/security/advisories/index.mdx | 4 ++-- advocacy_docs/security/index.mdx | 4 ++-- .../16/epas_rel_notes/epas16_3_0_rel_notes.mdx | 17 +++++++++++++++++ .../docs/pge/15/release_notes/index.mdx | 2 ++ .../pge/15/release_notes/rel_notes15.7.mdx | 16 ++++++++++++++++ .../docs/pge/16/release_notes/index.mdx | 2 ++ .../pge/16/release_notes/rel_notes16.3.mdx | 12 ++++++++++++ 8 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx create mode 100644 product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx create mode 100644 product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx diff --git a/advocacy_docs/security/advisories/cve20244545.mdx b/advocacy_docs/security/advisories/cve20244545.mdx index dda91c16c32..5f73256e654 100644 --- a/advocacy_docs/security/advisories/cve20244545.mdx +++ b/advocacy_docs/security/advisories/cve20244545.mdx @@ -1,7 +1,7 @@ --- title: CVE-2024-4545 - EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr navTitle: CVE-2024-4545 -affectedProducts: All versions of EDB Postgres Advanced Server (EPAS) edbldr prior to 15.6.1 and 16.2.1 +affectedProducts: All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 --- First Published: 2024/05/09 @@ -10,7 +10,7 @@ Last Updated: 2024/05/09 ## Summary -All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 15.6.1 and 16.2.1 may allow users using `edbldr` to bypass role permissions from `pg_read_server_files`. This could allow low privilege users to read files to which they would not otherwise have access. +All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using `edbldr` to bypass role permissions from `pg_read_server_files`. This could allow low privilege users to read files to which they would not otherwise have access. ## Vulnerability details @@ -27,8 +27,8 @@ CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N ## Affected products and versions * EnterpriseDB Postgres Advanced Server (EPAS) - * All versions prior to 15.6.1 - * All versions prior to 16.2.1 + * All versions from 15.0 and prior to 15.7.0 + * All versions from 16.0 and prior to 16.3.0 ## Remediation @@ -36,8 +36,14 @@ Impacted users must upgrade to a fixed version of EPAS. For questions about upda | Product | VRMF | Remediation/First Fix | |---------|------|-----------------------| -| EPAS | All versions prior to 15.6.1 | [Upgrade EPAS 15 to Minor release](https://www.enterprisedb.com/docs/epas/15/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) | -| EPAS | All versions prior to 16.2.1 | [Upgrade EPAS 16 to Minor release](https://www.enterprisedb.com/docs/epas/16/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) | +| EPAS | All versions from 15.0 and prior to 15.7.0 | [Upgrade EPAS 15 to Minor release](https://www.enterprisedb.com/docs/epas/15/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) | +| EPAS | All versions from 16.0 and prior to 16.7.0 | [Upgrade EPAS 16 to Minor release](https://www.enterprisedb.com/docs/epas/16/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) | + +!!! Warning +If impacted users are currently relying on non-superusers to run edbldr and read data from the server filesystem without any special permissions, the fixed versions of EPAS could break these workflows. It is recommended that users do one of the following: +* Grant such users the `pg_read_server_files` role +* Change the way data is being loaded into the database, such as loading files from standard input rather than specifying a pathname. +!!! ## References diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx index 8d534591473..1912a042234 100644 --- a/advocacy_docs/security/advisories/index.mdx +++ b/advocacy_docs/security/advisories/index.mdx @@ -38,11 +38,11 @@ navigation:   Read Advisory   Updated: 2024/05/09

EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr

-
All versions of EDB Postgres Advanced Server (EPAS) edbldr prior to 15.6.1 and 16.2.1
+
All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0
Summary:  -All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 15.6.1 and 16.2.1 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. +All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access.
Read More... diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index eac2c45fdb2..b6b148eec9e 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -38,11 +38,11 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v   Read Advisory   Updated: 2024/05/09

EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr

-
All versions of EDB Postgres Advanced Server (EPAS) edbldr prior to 15.6.1 and 16.2.1
+
All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0
Summary:  -All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 15.6.1 and 16.2.1 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. +All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access.
Read More... diff --git a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx new file mode 100644 index 00000000000..ee006e4afc9 --- /dev/null +++ b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx @@ -0,0 +1,17 @@ +--- +title: EDB Postgres Advanced Server 16.3 release notes +navTitle: "Version 16.3" +--- + +Released: 9 May 2024 + +EDB Postgres Advanced Server 16.3 includes the following enhancements and bug fixes: + +| Type | Description | Category | +|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| Upstream merge | Merged with community PostgreSQL 16.3. Addresses CVE-2024-4317. See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/16/release-16-3.html) for more information. | +| Security |edbldr: check pg_read_server_files privilege before data file access. (#35906) +Permission to read data from the server File System should be restricted to superusers or users who possess the pg_read_server_files role. However, in affected versions of EPAS, any user can use edbldr to read data from any server file which is accessible to the OS user account under which EPAS is running. With this fix, a non-superuser using edbldr must either possess the pg_read_server_files role or must load data from standard input, rather than the server filesystem. Customer Advisory: CVE-2024-4545-for-db-2681 | +| Bug fix | +Fix assertion in DROP ROLE statement having duplicate names. | Bug | +| Security fix | Fixed a security vulnerability that could allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. This issue is tracked as [CVE-2024-4545](linktoadvisory). | Security | \ No newline at end of file diff --git a/product_docs/docs/pge/15/release_notes/index.mdx b/product_docs/docs/pge/15/release_notes/index.mdx index 787e1f8320c..46a3acf4941 100644 --- a/product_docs/docs/pge/15/release_notes/index.mdx +++ b/product_docs/docs/pge/15/release_notes/index.mdx @@ -1,6 +1,7 @@ --- title: "Release notes" navigation: + - rel_notes15.7 - rel_notes15.6 - rel_notes15.5 - rel_notes15.4 @@ -13,6 +14,7 @@ release notes cover what was new in each release. | Version | Release date | | ------------------------ | ------------ | +| [15.7](rel_notes15.7) | 09 May 2024 | | [15.6](rel_notes15.6) | 08 Feb 2024 | | [15.5](rel_notes15.5) | 09 Nov 2023 | | [15.4](rel_notes15.4) | 21 Aug 2023 | diff --git a/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx new file mode 100644 index 00000000000..23c767dc7f3 --- /dev/null +++ b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx @@ -0,0 +1,16 @@ +--- +title: "EDB Postgres Extended Server 15.7 release notes" +navTitle: Version 15.7 +--- + +Released: 9 May 2024 + +New features, enhancements, bug fixes, and other changes in EDB Postgres Extended Server 15.7 include: + +| Type | Description | +| -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Upstream merge | Merged with community PostgreSQL 15.7. Addresses CVE-2024-4137. See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-6.html) for more information. | + + + + diff --git a/product_docs/docs/pge/16/release_notes/index.mdx b/product_docs/docs/pge/16/release_notes/index.mdx index bb7d8c875b8..7194a5d1b1e 100644 --- a/product_docs/docs/pge/16/release_notes/index.mdx +++ b/product_docs/docs/pge/16/release_notes/index.mdx @@ -1,6 +1,7 @@ --- title: "Release notes" navigation: + - rel_notes16.3 - rel_notes16.2 - rel_notes16.1 --- @@ -10,6 +11,7 @@ cover what was new in each release. | Version | Release date | | ------------------------ | ------------ | +| [16.3](rel_notes16.3) | 09 May 2024 | | [16.2](rel_notes16.2) | 08 Feb 2024 | | [16.1](rel_notes16.1) | 09 Nov 2023 | diff --git a/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx new file mode 100644 index 00000000000..37504405e28 --- /dev/null +++ b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx @@ -0,0 +1,12 @@ +--- +title: EDB Postgres Advanced Server 16.3 release notes +navTitle: "Version 16.3" +--- + +Released: 9 May 2024 + +EDB Postgres Extended Server 16.3 includes the following enhancements and bug fixes: + +| Type | Description +| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +| Upstream merge | Merged with community PostgreSQL 16.3. Addresses CVE-2024-4317. See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/16/release-16-3.html) for more information. From 17d517063cb6e94b358753039d16da1955242436 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Wed, 8 May 2024 15:00:25 +0100 Subject: [PATCH 3/5] EPAS/PGE Rel Notes and advisory/assessment added Signed-off-by: Dj Walker-Morgan --- .../security/assessments/cve-2024-4317.mdx | 96 +++++++++++++++++++ advocacy_docs/security/assessments/index.mdx | 20 ++++ advocacy_docs/security/index.mdx | 22 ++++- .../security/templates/securityindex.njs | 4 +- .../epas_rel_notes/epas12_15_19_rel_notes.mdx | 24 ++--- .../epas_rel_notes/epas12_19_24_rel_notes.mdx | 17 ++++ .../docs/epas/12/epas_rel_notes/index.mdx | 2 + .../epas_rel_notes/epas13_15_21_rel_notes.mdx | 17 ++++ .../docs/epas/13/epas_rel_notes/index.mdx | 6 +- .../epas_rel_notes/epas14_12_0_rel_notes.mdx | 17 ++++ .../docs/epas/14/epas_rel_notes/index.mdx | 10 +- .../epas_rel_notes/epas15_7_0_rel_notes.mdx | 19 ++++ .../docs/epas/15/epas_rel_notes/index.mdx | 8 +- .../epas_rel_notes/epas16_3_0_rel_notes.mdx | 26 ++--- .../docs/epas/16/epas_rel_notes/index.mdx | 4 +- .../pge/15/release_notes/rel_notes15.7.mdx | 2 +- .../pge/16/release_notes/rel_notes16.3.mdx | 2 +- 17 files changed, 256 insertions(+), 40 deletions(-) create mode 100644 advocacy_docs/security/assessments/cve-2024-4317.mdx create mode 100644 product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx create mode 100644 product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx create mode 100644 product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx create mode 100644 product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx diff --git a/advocacy_docs/security/assessments/cve-2024-4317.mdx b/advocacy_docs/security/assessments/cve-2024-4317.mdx new file mode 100644 index 00000000000..f1441fcdbc4 --- /dev/null +++ b/advocacy_docs/security/assessments/cve-2024-4317.mdx @@ -0,0 +1,96 @@ +--- +title: CVE-2024-4317 - TBD +navTitle: CVE-2024-4317 +affectedProducts: TBD +--- + +First Published: 2024/05/09 + +Last Updated: 2024/05/09 + +Important: This is an assessment of the impact of CVE-2024-4317 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment. + +## Summary + +TBC + +## Vulnerability details + +CVE-ID: [CVE-2024-4317](https://nvd.nist.gov/vuln/detail/CVE-2024-4317) + +CVSS Base Score: TBC + +CVSS Temporal Score: TBC + +CVSS Environmental Score: TBC + +CVSS Vector: TBC + +## Affected products and versions + +### PostgreSQL + +TBC + +### EnterpriseDB Postgres Advanced Server (EPAS) +TBC + +### EnterpriseDB Postgres Extended +TBC + +## Remediation/fixes + +### PostgreSQL Version Information + +| Affected Version | Fixed In | Fix Published | +|-------------------|----------|---------------| +| 15 | TBC | 2024-05-09 | +| 14 | TBC | 2024-05-09 | +| 13 | TBC | 2024-05-09 | +| 12 | TBC | 2024-05-09 | + +### EPAS Version Information + +TBC + +| Product | VRMF | Remediation/First Fix | +|---------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| +| EPAS | TBC | TBC | +### PGE Version Information + +| Product | VRMF | Remediation/First Fix | +|---------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| +| PGE | TBC | TBC | + +!!! Note +The exploit referred to in this CVE did not work on PostgreSQL 16. The +same defensive code as other releases has been added in PostgreSQL 16.2, EPAS +16.2 and PGE 16.2 to ensure strength in depth. We strongly recommend upgrading +your PostgreSQL 16, EPAS 16 and PGE 16 deployments to these versions. +!!! + +## References + +* [CVSS Calculator v3.1](https://www.first.org/cvss/calculator/3.1) + + +## Related information + +* [EnterpriseDB](https://www.enterprisedb.com/) +* [EDB Blogs link](https://enterprisedb.com/blog/) + +## Acknowledgement + +Source: PostgreSQL.org + +## Change history + +## Disclaimer + + +This document is provided on an "as is" basis and does not imply any kind of +guarantee or warranty, including the warranties of merchantability or fitness +for a particular use. Your use of the information on the document is at your own +risk. EDB reserves the right to change or update this document at any time. +Customers are therefore recommended to always view the latest version of this +document. diff --git a/advocacy_docs/security/assessments/index.mdx b/advocacy_docs/security/assessments/index.mdx index cab7c7ecb97..16450c0a7b7 100644 --- a/advocacy_docs/security/assessments/index.mdx +++ b/advocacy_docs/security/assessments/index.mdx @@ -6,6 +6,7 @@ iconName: Security hideKBLink: true hideToC: false navigation: +- cve-2024-4317 - cve-2024-1597 - cve-2024-0985 --- @@ -25,6 +26,25 @@ The CVEs listed in this section are from PostgreSQL and other parties who have r + + + + + +
+

CVE-2024-4317

+ +  Read Assessment +  Updated: 2024/05/09 +

TBD

+
TBD
+ +
+Summary:  +TBC +
+Read More... +

CVE-2024-1597

diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index b6b148eec9e..9b6851d16f5 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -49,15 +49,31 @@ All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior
-## Most Recent Assesments +## Most Recent Assessments + + +
+

CVE-2024-4317

+ +  Read Assessment +  Updated: 2024/05/09 +

TBD

+
TBD
+ +
+Summary:  +TBC +
+Read More... +

CVE-2024-1597

-  Read Assesment +  Read Assessment   Updated: 2024/03/08

SQL Injection via line comment generation

pgJDBC all versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 and EDB pgJDBC all versions prior to 42.5.5
@@ -73,7 +89,7 @@ pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using Prefe

CVE-2024-0985

-  Read Assesment +  Read Assessment   Updated: 2024/02/26

PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0
diff --git a/advocacy_docs/security/templates/securityindex.njs b/advocacy_docs/security/templates/securityindex.njs index 3f39d08581f..45acc33522c 100755 --- a/advocacy_docs/security/templates/securityindex.njs +++ b/advocacy_docs/security/templates/securityindex.njs @@ -49,7 +49,7 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v {% endfor %}
-## Most Recent Assesments +## Most Recent Assessments {% for ass in shortasslist %} @@ -57,7 +57,7 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 9b6851d16f5..b198d05e9e7 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -59,12 +59,12 @@ All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior   Read Assessment   Updated: 2024/05/09 -

TBD

+

Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner

TBD
Summary:  -TBC +Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
Read More... diff --git a/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx b/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx index c48e0cebb7c..e2706ce7de1 100644 --- a/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx +++ b/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 12.19.24 includes the following enhancements and bu | Type | Description | Addresses            | |----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| -| Upstream merge | Merged with community PostgreSQL 12.19. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 12.19 Release Notes](https://www.postgresql.org/docs/release/12.19/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | +| Upstream merge | Merged with community PostgreSQL 12.19. See the [PostgreSQL 12.19 Release Notes](https://www.postgresql.org/docs/release/12.19/) for more information. | | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | | Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | diff --git a/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx b/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx index 64a8db33c42..44031b5efec 100644 --- a/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx +++ b/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 13.15.21 includes the following enhancements and bu | Type | Description | Addresses                | |----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 13.15. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 13.15 Release Notes](https://www.postgresql.org/docs/release/14.15/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | +| Upstream merge | Merged with community PostgreSQL 13.15. See the [PostgreSQL 13.15 Release Notes](https://www.postgresql.org/docs/release/14.15/) for more information. | | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | | Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | diff --git a/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx index 6017ec579d0..8b09fb72acc 100644 --- a/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx +++ b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 14.12.0 includes the following enhancements and bug | Type | Description | Addresses                | |----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 14.12. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 14.12 Release Notes](https://www.postgresql.org/docs/release/14.12/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | +| Upstream merge | Merged with community PostgreSQL 14.12. This release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 14.12 Release Notes](https://www.postgresql.org/docs/release/14.12/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | | Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | diff --git a/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx index 9e354230428..e10641507f9 100644 --- a/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx +++ b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 15.7.0 includes the following enhancements and bug | Type | Description | Addresses                | |-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 15.7. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15.7 Release Notes](https://www.postgresql.org/docs/release/15.7/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317)| +| Upstream merge | Merged with community PostgreSQL 15.7. This release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15.7 Release Notes](https://www.postgresql.org/docs/release/15.7/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317)| | Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve2024545/) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | diff --git a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx index a84b5607245..eb6b9caaf4c 100644 --- a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx +++ b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 16.3.0 includes the following enhancements and bug | Type | Description | Addresses                | |-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 16.3. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/release/16.3/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | +| Upstream merge | Merged with community PostgreSQL 16.3. This release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/release/16.3/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | | Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve2024545/) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | diff --git a/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx index ce6b83e9182..cf94e96f896 100644 --- a/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx +++ b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx @@ -9,7 +9,7 @@ New features, enhancements, bug fixes, and other changes in EDB Postgres Extende | Type | Description | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Upstream merge | Merged with community PostgreSQL 15.7. Includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-6.html) for more information. | +| Upstream merge | Merged with community PostgreSQL 15.7. Includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-7.html) for more information. | diff --git a/product_docs/docs/pge/16/release_notes/rel_notes16.2.mdx b/product_docs/docs/pge/16/release_notes/rel_notes16.2.mdx index 395e8efcf90..6709c591584 100644 --- a/product_docs/docs/pge/16/release_notes/rel_notes16.2.mdx +++ b/product_docs/docs/pge/16/release_notes/rel_notes16.2.mdx @@ -1,5 +1,5 @@ --- -title: EDB Postgres Advanced Server 16.2 release notes +title: EDB Postgres Extended Server 16.2 release notes navTitle: "Version 16.2" --- diff --git a/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx index eb1f6406528..11d3b3fcffc 100644 --- a/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx +++ b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx @@ -1,5 +1,5 @@ --- -title: EDB Postgres Advanced Server 16.3 release notes +title: EDB Postgres Extended Server 16.3 release notes navTitle: "Version 16.3" ---

{{ thisass.vulnerability_details.cve_id }}

-  Read Assesment +  Read Assessment   Updated: {{ thisass.open.last_updated }}

{{ thisass.frontmatter.title }}

{{ thisass.frontmatter.affectedProducts }}
diff --git a/product_docs/docs/epas/12/epas_rel_notes/epas12_15_19_rel_notes.mdx b/product_docs/docs/epas/12/epas_rel_notes/epas12_15_19_rel_notes.mdx index f26122eb6ae..01efd75c309 100644 --- a/product_docs/docs/epas/12/epas_rel_notes/epas12_15_19_rel_notes.mdx +++ b/product_docs/docs/epas/12/epas_rel_notes/epas12_15_19_rel_notes.mdx @@ -4,16 +4,16 @@ title: "Version 12.15.19" EDB Postgres Advanced Server 12.15.19 includes the following enhancements: -| Type | Description | Category | -| -------------- | -------------------------------------------------------------------------------------------------------------------------------------| --------------------- | -| Upstream merge | Merged with community PostgreSQL 12.15.19. See the community [Release Notes](https://www.postgresql.org/docs/release/12.15/) for details. | | -| Enhancement | SQL Profiler and Index Advisor are now extensions and can be downloaded from [EDB Repos](https://repos.enterprisedb.com/). | | +| Type | Description | Category | +|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| Upstream merge | Merged with community PostgreSQL 12.15.19. See the community [Release Notes](https://www.postgresql.org/docs/release/12.15/) for details. | | +| Enhancement | SQL Profiler and Index Advisor are now extensions and can be downloaded from [EDB Repos](https://repos.enterprisedb.com/). | | | Bug fix | Fixed an issue in which "PASSWORD EXPIRE AT" was dumped when the password status wasn't expired. This fix prevents marking the user account as expired after an upgrade. | Profile | -| Bug fix | Fixed the password profile behavior after the password grace time has changed. | | -| Bug fix | Fixed unexpected error for `edb_enable_pruning` parameter. [Support ticket: #89863] | | -| Bug fix | Fixed an issue when a user enters `Ctrl-c`(SIGINT) to cancel the load in EDB\*Loader. [Support ticket: #88734] | | -| Bug fix | Set correct object descriptions for redaction policy to make pg_dump work cleanly with `--clean` and `--if-exists` options. | | -| Bug fix | Fixed pg_dump to dump password verify function for the user profile. | | -| Bug fix | Fixed assertion failure while terminating the process within the autonomous transaction. | | -| Bug fix | Fixed corner-case uninitialized-variable issues in SPL. | | -| Bug fix | Fixed memory leakage in anonymous blocks that use cast expressions. [Support ticket: #88816] | | +| Bug fix | Fixed the password profile behavior after the password grace time has changed. | | +| Bug fix | Fixed unexpected error for `edb_enable_pruning` parameter. [Support ticket: #89863] | | +| Bug fix | Fixed an issue when a user enters `Ctrl-c`(SIGINT) to cancel the load in EDB\*Loader. [Support ticket: #88734] | | +| Bug fix | Set correct object descriptions for redaction policy to make pg_dump work cleanly with `--clean` and `--if-exists` options. | | +| Bug fix | Fixed pg_dump to dump password verify function for the user profile. | | +| Bug fix | Fixed assertion failure while terminating the process within the autonomous transaction. | | +| Bug fix | Fixed corner-case uninitialized-variable issues in SPL. | | +| Bug fix | Fixed memory leakage in anonymous blocks that use cast expressions. [Support ticket: #88816] | | diff --git a/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx b/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx new file mode 100644 index 00000000000..da22247b828 --- /dev/null +++ b/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx @@ -0,0 +1,17 @@ +--- +title: EDB Postgres Advanced Server 12.19.24 release notes +navTitle: "Version 12.19.24" +--- + +Released: 9 May 2024 + +EDB Postgres Advanced Server 12.19.24 includes the following enhancements and bug fixes: + +| Type | Description | Category | +|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| Upstream merge | Merged with community PostgreSQL 12.19. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 12.19 Release Notes](https://www.postgresql.org/docs/release/12.19/) for more information. | | +| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. [Support ticket: #36220] | | +| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. [Support ticket: #99282]| | +| Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. [Support ticket: 102746] | | +| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the free path is still in use, specially in the FDWs. [Support ticket: #86497] | | +| Bug fix | Fixed a crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | \ No newline at end of file diff --git a/product_docs/docs/epas/12/epas_rel_notes/index.mdx b/product_docs/docs/epas/12/epas_rel_notes/index.mdx index 7456d3d422b..84152502872 100644 --- a/product_docs/docs/epas/12/epas_rel_notes/index.mdx +++ b/product_docs/docs/epas/12/epas_rel_notes/index.mdx @@ -2,6 +2,7 @@ navTitle: Release Notes title: "EDB Postgres Advanced Server Release Notes" navigation: +- epas12_19_24_rel_notes - epas12_18_23_rel_notes - epas12_17_22_rel_notes - epas12_16_21_rel_notes @@ -30,6 +31,7 @@ The EDB Postgres Advanced Server (Advanced Server) documentation describes the l | Version | Release Date | Upstream Merges | | ----------------------------------------- | ------------ | -------------------------------------------------------------- | +| [12.19.24](epas12_19_24_rel_notes.mdx) | 09 May 2024 | [12.19](https://www.postgresql.org/docs/12/release-12-19.html) | | [12.18.23](epas12_18_23_rel_notes.mdx) | 08 Feb 2023 | [12.18](https://www.postgresql.org/docs/12/release-12-18.html) | | [12.17.22](epas12_17_22_rel_notes.mdx) | 09 Nov 2023 | [12.17](https://www.postgresql.org/docs/12/release-12-17.html) | | [12.16.21](epas12_16_21_rel_notes.mdx) | 25 Sep 2023 | | diff --git a/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx b/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx new file mode 100644 index 00000000000..df27f2a9203 --- /dev/null +++ b/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx @@ -0,0 +1,17 @@ +--- +title: EDB Postgres Advanced Server 13.15.21 release notes +navTitle: "Version 13.15.21" +--- + +Released: 9 May 2024 + +EDB Postgres Advanced Server 13.15.21 includes the following enhancements and bug fixes: + +| Type | Description | Addresses                | +|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Upstream merge | Merged with community PostgreSQL 13.15. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 13.15 Release Notes](https://www.postgresql.org/docs/release/14.15/) for more information. | | +| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | +| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | +| Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | +| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the free path is still in use, specially in the FDWs. | #86497 | +| Bug fix | Fixed a crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | diff --git a/product_docs/docs/epas/13/epas_rel_notes/index.mdx b/product_docs/docs/epas/13/epas_rel_notes/index.mdx index d011ce584a7..4ee32a0b812 100644 --- a/product_docs/docs/epas/13/epas_rel_notes/index.mdx +++ b/product_docs/docs/epas/13/epas_rel_notes/index.mdx @@ -2,6 +2,7 @@ navTitle: Release Notes title: "EDB Postgres Advanced Server Release Notes" navigation: +- epas13_15_21_rel_notes - epas13_14_20_rel_notes - epas13_13_19_rel_notes - epas13_12_18_rel_notes @@ -21,8 +22,9 @@ EDB Postgres Advanced Server 13 is built on open-source PostgreSQL 13, which int The EDB Postgres Advanced Server (Advanced Server) documentation describes the latest version of Advanced Server 13 including minor releases and patches. The release notes in this section provide information on what was new in each release. -| Version | Release Date | Upstream Merges | -| ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------- | +| Version | Release Date | Upstream Merges | +|-------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------| +| [13.15.21](epas13_15_21_rel_notes) | 09 May 2024 | [13.15](https://www.postgresql.org/docs/release/13.15/) | | [13.14.20](epas13_14_20_rel_notes) | 08 Feb 2024 | [13.14](https://www.postgresql.org/docs/release/13.14/) | | [13.13.19](epas13_13_19_rel_notes) | 09 Nov 2023 | [13.13](https://www.postgresql.org/docs/release/13.13/) | | [13.12.18](epas13_12_17_rel_notes) | 25 Sep 2023 | | diff --git a/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx new file mode 100644 index 00000000000..e1368f2829a --- /dev/null +++ b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx @@ -0,0 +1,17 @@ +--- +title: EDB Postgres Advanced Server 14.12.0 release notes +navTitle: "Version 14.12.0" +--- + +Released: 9 May 2024 + +EDB Postgres Advanced Server 14.12.0 includes the following enhancements and bug fixes: + +| Type | Description | Addresses                | +|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Upstream merge | Merged with community PostgreSQL 14.12. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 14.12 Release Notes](https://www.postgresql.org/docs/release/14.12/) for more information. | | +| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | +| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | +| Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | +| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the free path is still in use, specially in the FDWs. | #86497 | +| Bug fix | Fixed a crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | \ No newline at end of file diff --git a/product_docs/docs/epas/14/epas_rel_notes/index.mdx b/product_docs/docs/epas/14/epas_rel_notes/index.mdx index 0a27a139ad0..9f38fd51efa 100644 --- a/product_docs/docs/epas/14/epas_rel_notes/index.mdx +++ b/product_docs/docs/epas/14/epas_rel_notes/index.mdx @@ -2,6 +2,7 @@ navTitle: Release notes title: "EDB Postgres Advanced Server release notes" navigation: +- epas14_12_0_rel_notes - epas14_11_0_rel_notes - epas14_10_0_rel_notes - epas14_9_1_rel_notes @@ -20,10 +21,11 @@ EDB Postgres Advanced Server 14 is built on open-source PostgreSQL 14, which int The EDB Postgres Advanced Server (EDB Postgres Advanced Server) documentation describes the latest version of EDB Postgres Advanced Server 14 including minor releases and patches. The release notes in this section provide information on what was new in each release. -| Version | Release date | Upstream merges | -| --------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------ | -| [14.11.0](epas14_11_0_rel_notes) | 08 Feb 2024 | [14.11](https://www.postgresql.org/docs/14/release-14-11.html) | -| [14.10.0](epas14_10_0_rel_notes) | 09 Nov 2023 | [14.10](https://www.postgresql.org/docs/14/release-14-10.html) | +| Version | Release date | Upstream merges | +|-----------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------| +| [14.12.0](epas14_12_0_rel_notes) | 09 May 2024 | [14.12](https://www.postgresql.org/docs/14/release-14-12.html) | +| [14.11.0](epas14_11_0_rel_notes) | 08 Feb 2024 | [14.11](https://www.postgresql.org/docs/14/release-14-11.html) | +| [14.10.0](epas14_10_0_rel_notes) | 09 Nov 2023 | [14.10](https://www.postgresql.org/docs/14/release-14-10.html) | | [14.9.1](epas14_9_1_rel_notes) | 25 Sep 2023 | | | [14.9.0](epas14_9_0_rel_notes) | 21 Aug 2023 | [14.9](https://www.postgresql.org/docs/14/release-14-9.html) | | [14.8.0](epas14_8_0_rel_notes) | 11 May 2023 | [14.8](https://www.postgresql.org/docs/14/release-14-8.html) | diff --git a/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx new file mode 100644 index 00000000000..6fadd698179 --- /dev/null +++ b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx @@ -0,0 +1,19 @@ +--- +title: EDB Postgres Advanced Server 15.7.0 release notes +navTitle: "Version 15.7.0 " +--- + +Released: 9 May 2024 + +EDB Postgres Advanced Server 15.7.0 includes the following enhancements and bug fixes: + +| Type | Description | Addresses                | +|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Upstream merge | Merged with community PostgreSQL 15.7. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15.7 Release Notes](https://www.postgresql.org/docs/release/15.7/) for more information. | | +| Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve2024545/) | +| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | +| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | +| Bug fix | Fixed an issue to fetch all the attributes correctly from the sublink in `CONNECT BY` processing to avoid the server crash. | #102746 | +| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the freed path is still in use, specially in FDWs. | #86497 | +| Bug fix | Fixed an crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | +| Bug fix | Fixed an issue with possible data loss and `pg_dump` failures when using rowids. | #35901 | diff --git a/product_docs/docs/epas/15/epas_rel_notes/index.mdx b/product_docs/docs/epas/15/epas_rel_notes/index.mdx index bbef2bebd7f..e413b74f2fc 100644 --- a/product_docs/docs/epas/15/epas_rel_notes/index.mdx +++ b/product_docs/docs/epas/15/epas_rel_notes/index.mdx @@ -2,6 +2,7 @@ navTitle: Release notes title: "EDB Postgres Advanced Server release notes" navigation: +- epas15_7_0_rel_notes - epas15_6_0_rel_notes - epas15_5_0_rel_notes - epas15_4_1_rel_notes @@ -14,9 +15,10 @@ EDB Postgres Advanced Server 15 is built on open-source PostgreSQL 15, which int The EDB Postgres Advanced Server documentation describes the latest version of EDB Postgres Advanced Server 15 including minor releases and patches. These release notes provide information on what was new in each release. -| Version | Release date | Upstream merges | -| ------------------------------ | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [15.6.0](epas15_6_0_rel_notes) | 08 Feb 2024 | [15.6](https://www.postgresql.org/docs/release/15.6/) +| Version | Release date | Upstream merges | +|--------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [15.7.0](epas15_7_0_rel_notes) | 09 May 2024 | [15.7](https://www.postgresql.org/docs/release/15.7/) | +| [15.6.0](epas15_6_0_rel_notes) | 08 Feb 2024 | [15.6](https://www.postgresql.org/docs/release/15.6/) | | [15.5.0](epas15_5_0_rel_notes) | 09 Nov 2023 | [15.5](https://www.postgresql.org/docs/release/15.5/) | | [15.4.1](epas15_4_1_rel_notes) | 25 Sep 2023 | | | [15.4.0](epas15_4_0_rel_notes) | 21 Aug 2023 | [15.4](https://www.postgresql.org/docs/release/15.4/) | diff --git a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx index ee006e4afc9..055a4d019c1 100644 --- a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx +++ b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx @@ -1,17 +1,21 @@ --- -title: EDB Postgres Advanced Server 16.3 release notes -navTitle: "Version 16.3" +title: EDB Postgres Advanced Server 16.3.0 release notes +navTitle: "Version 16.3.0" --- Released: 9 May 2024 -EDB Postgres Advanced Server 16.3 includes the following enhancements and bug fixes: +EDB Postgres Advanced Server 16.3.0 includes the following enhancements and bug fixes: -| Type | Description | Category | -|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| -| Upstream merge | Merged with community PostgreSQL 16.3. Addresses CVE-2024-4317. See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/16/release-16-3.html) for more information. | -| Security |edbldr: check pg_read_server_files privilege before data file access. (#35906) -Permission to read data from the server File System should be restricted to superusers or users who possess the pg_read_server_files role. However, in affected versions of EPAS, any user can use edbldr to read data from any server file which is accessible to the OS user account under which EPAS is running. With this fix, a non-superuser using edbldr must either possess the pg_read_server_files role or must load data from standard input, rather than the server filesystem. Customer Advisory: CVE-2024-4545-for-db-2681 | -| Bug fix | -Fix assertion in DROP ROLE statement having duplicate names. | Bug | -| Security fix | Fixed a security vulnerability that could allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. This issue is tracked as [CVE-2024-4545](linktoadvisory). | Security | \ No newline at end of file +| Type | Description | Addresses                | +|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Upstream merge | Merged with community PostgreSQL 16.3. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/release/16.3/) for more information. | | +| Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve2024545/) | +| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | +| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | +| Bug fix | Fixed an issue to fetch all the attributes correctly from the sublink in `CONNECT BY` processing to avoid the server crash. | #102746 | +| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the freed path is still in use, specially in FDWs. | #86497 | +| Bug fix | Fixed an crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | +| Bug fix | Fixed an issue with possible data loss and `pg_dump` failures when using rowids. | #35901 | +| Bug fix | Fixed an issue with assertion in `DROP ROLE` statement having duplicate names. | | +| Buf fix | Fixed server crash with `edb_dblink_oci` in left join with whole row reference. | | diff --git a/product_docs/docs/epas/16/epas_rel_notes/index.mdx b/product_docs/docs/epas/16/epas_rel_notes/index.mdx index 11057b59f9d..f2dfda4fec7 100644 --- a/product_docs/docs/epas/16/epas_rel_notes/index.mdx +++ b/product_docs/docs/epas/16/epas_rel_notes/index.mdx @@ -2,7 +2,8 @@ navTitle: Release notes title: "EDB Postgres Advanced Server release notes" navigation: -- epas16_02_0_rel_notes +- epas16_3_0_rel_notes +- epas16_2_0_rel_notes - epas16_rel_notes --- @@ -13,6 +14,7 @@ The EDB Postgres Advanced Server documentation describes the latest version of E | Version | Release date | Upstream merges | | ------------------------ | ------------ | ---------------------------------------------------------- | +| [16.3.0](epas16_3_0_rel_notes) | 09 May 2024 | [16.3](https://www.postgresql.org/docs/16/release-16-3.html) | | [16.2](epas16_2_0_rel_notes)| 08 Feb 2024 | [16.2](https://www.postgresql.org/docs/16/release-16-2.html) | [16.1](epas16_rel_notes) | 09 Nov 2023 | [16.0](https://www.postgresql.org/docs/16/release-16.html),[16.1](https://www.postgresql.org/docs/release/16.1/) | diff --git a/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx index 23c767dc7f3..ce6b83e9182 100644 --- a/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx +++ b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx @@ -9,7 +9,7 @@ New features, enhancements, bug fixes, and other changes in EDB Postgres Extende | Type | Description | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Upstream merge | Merged with community PostgreSQL 15.7. Addresses CVE-2024-4137. See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-6.html) for more information. | +| Upstream merge | Merged with community PostgreSQL 15.7. Includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-6.html) for more information. | diff --git a/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx index 37504405e28..eb1f6406528 100644 --- a/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx +++ b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx @@ -9,4 +9,4 @@ EDB Postgres Extended Server 16.3 includes the following enhancements and bug fi | Type | Description | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -| Upstream merge | Merged with community PostgreSQL 16.3. Addresses CVE-2024-4317. See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/16/release-16-3.html) for more information. +| Upstream merge | Merged with community PostgreSQL 16.3. Includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/16/release-16-3.html) for more information. From 5d7782a0dbb4d462016fce50b7a6567c7b456561 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 9 May 2024 08:55:26 +0100 Subject: [PATCH 4/5] Small tweaks to Upstream Merge lines Signed-off-by: Dj Walker-Morgan --- .../12/epas_rel_notes/epas12_19_24_rel_notes.mdx | 12 ++++++------ .../13/epas_rel_notes/epas13_15_21_rel_notes.mdx | 16 ++++++++-------- .../14/epas_rel_notes/epas14_12_0_rel_notes.mdx | 2 +- .../15/epas_rel_notes/epas15_7_0_rel_notes.mdx | 2 +- .../16/epas_rel_notes/epas16_3_0_rel_notes.mdx | 2 +- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx b/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx index da22247b828..c48e0cebb7c 100644 --- a/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx +++ b/product_docs/docs/epas/12/epas_rel_notes/epas12_19_24_rel_notes.mdx @@ -7,11 +7,11 @@ Released: 9 May 2024 EDB Postgres Advanced Server 12.19.24 includes the following enhancements and bug fixes: -| Type | Description | Category | +| Type | Description | Addresses            | |----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| -| Upstream merge | Merged with community PostgreSQL 12.19. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 12.19 Release Notes](https://www.postgresql.org/docs/release/12.19/) for more information. | | -| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. [Support ticket: #36220] | | -| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. [Support ticket: #99282]| | -| Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. [Support ticket: 102746] | | -| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the free path is still in use, specially in the FDWs. [Support ticket: #86497] | | +| Upstream merge | Merged with community PostgreSQL 12.19. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 12.19 Release Notes](https://www.postgresql.org/docs/release/12.19/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | +| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | +| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | +| Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | +| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the free path is still in use, specially in the FDWs.| #86497 | | Bug fix | Fixed a crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | \ No newline at end of file diff --git a/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx b/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx index df27f2a9203..64a8db33c42 100644 --- a/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx +++ b/product_docs/docs/epas/13/epas_rel_notes/epas13_15_21_rel_notes.mdx @@ -7,11 +7,11 @@ Released: 9 May 2024 EDB Postgres Advanced Server 13.15.21 includes the following enhancements and bug fixes: -| Type | Description | Addresses                | -|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 13.15. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 13.15 Release Notes](https://www.postgresql.org/docs/release/14.15/) for more information. | | -| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | -| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | -| Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | -| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the free path is still in use, specially in the FDWs. | #86497 | -| Bug fix | Fixed a crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | +| Type | Description | Addresses                | +|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Upstream merge | Merged with community PostgreSQL 13.15. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 13.15 Release Notes](https://www.postgresql.org/docs/release/14.15/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | +| Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | +| Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | +| Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | +| Bug fix | Added conditional free path in `add_path()` to avoid the rare possible server crashes when the free path is still in use, specially in the FDWs. | #86497 | +| Bug fix | Fixed a crash issue for `edbldr`. Now `edbldr` loads data into multiple tables with different encodings from the target database. | | diff --git a/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx index e1368f2829a..6017ec579d0 100644 --- a/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx +++ b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 14.12.0 includes the following enhancements and bug | Type | Description | Addresses                | |----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 14.12. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 14.12 Release Notes](https://www.postgresql.org/docs/release/14.12/) for more information. | | +| Upstream merge | Merged with community PostgreSQL 14.12. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 14.12 Release Notes](https://www.postgresql.org/docs/release/14.12/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | | Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | diff --git a/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx index 6fadd698179..9e354230428 100644 --- a/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx +++ b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 15.7.0 includes the following enhancements and bug | Type | Description | Addresses                | |-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 15.7. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15.7 Release Notes](https://www.postgresql.org/docs/release/15.7/) for more information. | | +| Upstream merge | Merged with community PostgreSQL 15.7. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15.7 Release Notes](https://www.postgresql.org/docs/release/15.7/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317)| | Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve2024545/) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | diff --git a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx index 055a4d019c1..a84b5607245 100644 --- a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx +++ b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 16.3.0 includes the following enhancements and bug | Type | Description | Addresses                | |-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 16.3. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/release/16.3/) for more information. | | +| Upstream merge | Merged with community PostgreSQL 16.3. Important: this release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/release/16.3/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | | Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve2024545/) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | From 91ebc9c9043759f40bb2c6cb9d0ddb4f85f7f91f Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 9 May 2024 15:33:07 +0100 Subject: [PATCH 5/5] Various fixes Signed-off-by: Dj Walker-Morgan --- .../security/assessments/cve-2024-4317.mdx | 65 +++++++++++-------- advocacy_docs/security/assessments/index.mdx | 4 +- advocacy_docs/security/index.mdx | 4 +- .../epas_rel_notes/epas12_19_24_rel_notes.mdx | 2 +- .../epas_rel_notes/epas13_15_21_rel_notes.mdx | 2 +- .../epas_rel_notes/epas14_12_0_rel_notes.mdx | 2 +- .../epas_rel_notes/epas15_7_0_rel_notes.mdx | 2 +- .../epas_rel_notes/epas16_3_0_rel_notes.mdx | 2 +- .../pge/15/release_notes/rel_notes15.7.mdx | 2 +- .../pge/16/release_notes/rel_notes16.2.mdx | 2 +- .../pge/16/release_notes/rel_notes16.3.mdx | 2 +- 11 files changed, 49 insertions(+), 40 deletions(-) diff --git a/advocacy_docs/security/assessments/cve-2024-4317.mdx b/advocacy_docs/security/assessments/cve-2024-4317.mdx index f1441fcdbc4..d553264aa94 100644 --- a/advocacy_docs/security/assessments/cve-2024-4317.mdx +++ b/advocacy_docs/security/assessments/cve-2024-4317.mdx @@ -1,5 +1,5 @@ --- -title: CVE-2024-4317 - TBD +title: CVE-2024-4317 - Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner navTitle: CVE-2024-4317 affectedProducts: TBD --- @@ -12,17 +12,18 @@ Important: This is an assessment of the impact of CVE-2024-4317 on EDB products ## Summary -TBC +Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected. + ## Vulnerability details -CVE-ID: [CVE-2024-4317](https://nvd.nist.gov/vuln/detail/CVE-2024-4317) +CVE-ID: [CVE-2024-4317](https://www.postgresql.org/support/security/CVE-2024-4317/) -CVSS Base Score: TBC +CVSS Base Score: 3.1 -CVSS Temporal Score: TBC +CVSS Temporal Score: Undefined -CVSS Environmental Score: TBC +CVSS Environmental Score: Undefined CVSS Vector: TBC @@ -30,49 +31,56 @@ CVSS Vector: TBC ### PostgreSQL -TBC +* All versions of PostgreSQL prior to 16.3 +* All versions of PostgreSQL prior to 15.7 +* All versions of PostgreSQL prior to 14.12 ### EnterpriseDB Postgres Advanced Server (EPAS) -TBC + +* All versions of EPAS prior to 16.3 +* All versions of EPAS prior to 15.7 +* All versions of EPAS prior to 14.12 ### EnterpriseDB Postgres Extended -TBC + +* All versions of PGE prior to 16.3 +* All versions of PGE prior to 15.7 +* All versions of PGE prior to 14.12 ## Remediation/fixes +The fix is included in the following versions: 16.3, 15.7, and 14.12. + +Installing the fix will not remove the vulnerability from existing installations. To remove the vulnerability, follow the instructions in the [CVE-2024-4317](https://www.postgresql.org/support/security/CVE-2024-4317/) advisory. + ### PostgreSQL Version Information -| Affected Version | Fixed In | Fix Published | -|-------------------|----------|---------------| -| 15 | TBC | 2024-05-09 | -| 14 | TBC | 2024-05-09 | -| 13 | TBC | 2024-05-09 | -| 12 | TBC | 2024-05-09 | +| Affected Version | Fixed In | Fix Published | +|-----------------------------|----------|---------------| +| All versions prior to 16.3 | 16.3 | 2024-05-09 | +| All versions prior to 15.7 | 15.7 | 2024-05-09 | +| All versions prior to 14.12 | 14.12 | 2024-05-09 | ### EPAS Version Information -TBC - | Product | VRMF | Remediation/First Fix | |---------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| -| EPAS | TBC | TBC | +| EPAS | All versions prior to 16.3 | Update to version 16.3 or later | +| EPAS | All versions prior to 15.7 | Update to version 15.7 or later | +| EPAS | All versions prior to 14.12 | Update to version 14.12 or later | + ### PGE Version Information | Product | VRMF | Remediation/First Fix | |---------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| -| PGE | TBC | TBC | - -!!! Note -The exploit referred to in this CVE did not work on PostgreSQL 16. The -same defensive code as other releases has been added in PostgreSQL 16.2, EPAS -16.2 and PGE 16.2 to ensure strength in depth. We strongly recommend upgrading -your PostgreSQL 16, EPAS 16 and PGE 16 deployments to these versions. -!!! +| PGE | All versions prior to 16.3 | Update to version 16.3 or later | +| PGE | All versions prior to 15.7 | Update to version 15.7 or later | +| PGE | All versions prior to 14.12 | Update to version 14.12 or later | ## References * [CVSS Calculator v3.1](https://www.first.org/cvss/calculator/3.1) - +* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html) ## Related information @@ -85,8 +93,9 @@ Source: PostgreSQL.org ## Change history -## Disclaimer +9 May 2024: Original Copy Published +## Disclaimer This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness diff --git a/advocacy_docs/security/assessments/index.mdx b/advocacy_docs/security/assessments/index.mdx index 16450c0a7b7..9202d30d36e 100644 --- a/advocacy_docs/security/assessments/index.mdx +++ b/advocacy_docs/security/assessments/index.mdx @@ -31,12 +31,12 @@ The CVEs listed in this section are from PostgreSQL and other parties who have r   Read Assessment   Updated: 2024/05/09 -

TBD

+

Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner

TBD
Summary:  -TBC +Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
Read More...