PostgreSQL Releases Security Updates for All Supported Versions Addressing Arbitrary Code Execution

The PostgreSQL Global Development Group has released updates for all supported versions of the database system, 17.1, 16.5, 15.9, 14.14, 13.17 and 12.21, addressing four security vulnerabilities and over 35 bugs reported over the preceding months. The most severe fix is for CVE-2024-10979, a flaw in PL/Perl that lets an unprivileged database user change sensitive environment variables of the server process, such as PATH. That is often enough to execute arbitrary code as the operating-system user running the database server, even when the attacker has no account on the host. The issue matters most where low-privilege or untrusted users can connect to a database in which the plperl extension is installed, since the trusted variant of the language is usable by every role by default; servers without PL/Perl are not exposed to it. The remaining three fixes, CVE-2024-10976 (row-level security in subqueries and similar nested queries ignoring user ID changes), CVE-2024-10978 (SET ROLE and SET SESSION AUTHORIZATION resetting to the wrong user ID) and CVE-2024-10977 (libpq retaining an error message from a server not yet trusted under the connection's SSL or GSS settings), are lower in severity but worth reviewing if applications rely on row-level security or per-session role switching.

Beyond the security fixes, the updates include stability improvements to the query planner and logical replication, and fix memory leaks and crashes triggered by specific query patterns. For users of the newly released PostgreSQL 17, this is the first round of bug fixes for that series.

Administrators are urged to apply the updates promptly. Minor releases never change the on-disk data format, so the procedure is to install the new binaries and restart the server; no dump and restore is needed, though the per-version release notes should be checked for any post-update steps. These releases were followed a week later by an out-of-cycle update (17.2, 16.6, 15.10, 14.15, 13.18 and 12.22) correcting an ABI regression that broke some extensions, so test the new minor against the extensions you run before rolling it to production. This is also the final release for PostgreSQL 12, which reaches end of life this month; maintainers of legacy systems should treat a major-version upgrade as a priority.
Action Checklist
- Identify the current PostgreSQL version: run SHOW server_version (or psql --version on client hosts) on every instance, standbys included, and note which databases have the plperl or plperlu language installed
- Back up data and configuration files: take a full backup (base backup plus postgresql.conf, pg_hba.conf and any override files) before applying the update
- Install the patched binaries: at least 17.1, 16.5, 15.9, 14.14, 13.17 or 12.21 for your major series; a later minor, where one has been published, is fine
- Restart the PostgreSQL service: a restart is required for the new binaries to take effect; do the same on standbys, and update client hosts and poolers that carry libpq
- Audit search_path and schema privileges: confirm that application roles cannot CREATE in schema public (the default since PostgreSQL 15; revoke it explicitly on databases created earlier or carried over by pg_upgrade), review per-role and per-database search_path overrides, and treat any database with plperl installed as exposed to CVE-2024-10979 until patched
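The checklist above as one runnable helper, added here and not part of the PostgreSQL project's tooling: it maps a server's version string to the advisory's minimum patched minor, flags the end-of-life 12 series, and emits the post-patch audit queries for the search_path and schema-privilege check together with a check for PL/Perl, which the arbitrary-code-execution fix is specific to. The version-string formats it accepts, the query set and the psql invocation in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not PostgreSQL project code): offline triage helper for the
# 2024-11-14 minor releases. The patched minors come from the advisory; the
# version-string formats and the audit queries are this example's assumptions.

# Minimum patched minor release for each supported major series.
patched_minor() {
  case "$1" in
    17) echo 1 ;;
    16) echo 5 ;;
    15) echo 9 ;;
    14) echo 14 ;;
    13) echo 17 ;;
    12) echo 21 ;;
    *)  echo "" ;;   # 11 and older: already end-of-life, no fix published
  esac
}

# Reduce the strings servers actually return to "MAJOR.MINOR":
#   SHOW server_version  -> "16.4 (Ubuntu 16.4-1.pgdg22.04+1)"
#   SELECT version()     -> "PostgreSQL 16.4 on x86_64-pc-linux-gnu, ..."
#   psql --version       -> "psql (PostgreSQL) 16.4"
pg_version_number() {
  printf '%s\n' "$1" | sed 's/[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/'
}

# Prints patched | vulnerable | unsupported | unparseable; returns 0 only for "patched".
pg_update_status() {
  ver=$(pg_version_number "$1")
  case "$ver" in
    [0-9]*.[0-9]*) ;;
    *) echo unparseable; return 2 ;;
  esac
  major=${ver%%.*}
  minor=${ver#*.}
  need=$(patched_minor "$major")
  if [ -z "$need" ]; then
    echo unsupported
    return 2
  fi
  if [ "$minor" -ge "$need" ]; then
    echo patched
    return 0
  fi
  echo vulnerable
  return 1
}

# 12.21 is the final PostgreSQL 12 release: a patched 12 still needs a major upgrade.
pg_is_eol() {
  ver=$(pg_version_number "$1")
  [ "${ver%%.*}" -le 12 ]
}

# Post-patch audit, meant to be piped into psql as a superuser for every database
# (assumed usage: audit_sql | psql -X -d "$db").
audit_sql() {
  cat <<'EOF'
-- CVE-2024-10979 is PL/Perl-specific: is either language present in this database?
SELECT lanname, lanpltrusted FROM pg_language WHERE lanname IN ('plperl', 'plperlu');
-- Can arbitrary roles still CREATE objects in schema public? (PostgreSQL 15+ revokes
-- this by default, but older databases and ones carried over by pg_upgrade keep the old ACL.)
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;
-- Per-role and per-database settings (search_path overrides live here) to review.
SELECT rolname, array_to_string(rolconfig, ', ') AS settings
  FROM pg_roles WHERE rolconfig IS NOT NULL;
SELECT d.datname, r.rolname, array_to_string(s.setconfig, ', ') AS settings
  FROM pg_db_role_setting s
  LEFT JOIN pg_database d ON d.oid = s.setdatabase
  LEFT JOIN pg_roles r ON r.oid = s.setrole;
EOF
}

main() {
  for v in "$@"; do
    st=$(pg_update_status "$v") || true
    printf '%-45s %s\n' "$v" "$st"
    case "$st" in
      patched|vulnerable)
        if pg_is_eol "$v"; then
          echo "  note: this major version is end-of-life; 12.21 is its final release"
        fi ;;
    esac
  done
  echo
  echo "-- audit to run in each database after restarting on the new binaries:"
  audit_sql
}

# Usage (assumed): sh pg_patch_check.sh "$(psql -XAtc 'SHOW server_version')" 12.20 17.0
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Feed it whatever SHOW server_version returns on each primary and standby; the verdict is a comparison against the minimums in this release, so any later minor in the same series also counts as patched, while anything from the 11 series or older reports "unsupported" because no fix exists for it.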
Source: PostgreSQL Global Development Group
This page summarizes the original source. Check the source for full details.
