Last week saw the release of PostgreSQL updates which included fixes for two security issues. These issues are of concern as they involve vulnerabilities which could be exploited remotely to potentially expose server memory (9.5.x and 9.6.x) or access other servers through extensions such as dblink or pg_fdw (9.4.x, 9.5.x, 9.6.x).
What Compose is doing
We are making PostgreSQL 9.4.19, 9.5.14 and 9.6.10 available immediately to allow users to upgrade as soon as possible to the new versions.
The vulnerabilities are fixed as part of a range of bug fixes and other corrections incorporated in the various updates. Notes for 9.4.19, 9.5.14 and 9.6.10 list the changes made in each edition.
We are not setting these new versions to preferred – the Compose default for new deployments – yet, so when creating a new deployment, please remember to select the most recent version. We are currently planning to make these new versions preferred in 30 days time after which we'll be removing the ability to provision older versions of PostgreSQL.
Your options for action
We hope that you will make the time to protect your database by upgrading it to the latest minor version using the in-place upgrade option in settings.
You may wish to consider also taking to opportunity to upgrade to a more recent major version of PostgreSQL so you can make use of the many new features available such as the "Upsert" feature and enhanced JSONB in 9.5 or improved vacuuming and full-text search for phrases in 9.6. That can be achieved by using the Restore-from-Backup capability of Compose, taking a recent backup and creating a new deployment with a newer version of PostgreSQL on it. Read more about the process in the Compose documentation on upgrading PostgreSQL.
Whatever you do, upgrade to one of these new versions. In 30 days, when we move to "preferred" status for them, we will also be announcing a schedule of managed, forced upgrades on older versions to eliminate the underlying security issues from the Compose platform.
attribution Hans Veth via Unsplash