Category: security | Priority: 5/5 | 5/4/2026, 11:05:48 AM

PostgreSQL Releases Security Updates for All Supported Versions Addressing CVE-2024-10977


The PostgreSQL Global Development Group has announced the release of updates for all supported versions of the database system, including 17.1, 16.5, and 15.9. These updates primarily address CVE-2024-10977, a security vulnerability that allows an authenticated user to modify environment variables via certain PL functions. This flaw could lead to arbitrary code execution or sensitive information disclosure by bypassing intended security boundaries within the server process.

The core of the fix tightens the restrictions on how session parameters and environment variables are handled during the execution of trusted and untrusted language functions. By preventing the modification of sensitive process-level variables, the developers have mitigated a significant vector for privilege escalation.

This release is particularly crucial for users of PostgreSQL 12, as it marks the final scheduled update before that version reaches end-of-life status. In addition to the security patches, the releases contain over 20 bug fixes addressing issues in the query planner and logical replication. Organizations are urged to apply these updates immediately to protect their data integrity and server security. The update process follows the standard minor version upgrade path: replace the executable binaries and restart the service.


Tags: #postgresql #vulnerability #database #cve-2024-10977

Comparison

| Aspect                       | Before / Alternative                                   | After / This                                              |
|------------------------------|--------------------------------------------------------|-----------------------------------------------------------|
| Environment Variable Control | Vulnerable to modification via specific PL functions   | Strictly restricted to prevent unauthorized changes       |
| CVE-2024-10977 Impact        | Risk of arbitrary code execution and info leaks        | Vulnerability patched across all supported versions       |
| PostgreSQL 12 Support        | Active maintenance ending soon                         | Final minor release; migration to newer version required  |

Action Checklist

  1. Identify the current PostgreSQL version. Affects versions 12 through 17.
  2. Schedule maintenance for binary replacement. A standard minor upgrade requires a restart.
  3. Update to the latest minor version. E.g., update 17.0 to 17.1 or 16.4 to 16.5.
  4. Plan migration for PostgreSQL 12 users. This is the final update for version 12.
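Steps 1 and 3 of the checklist amount to "find out what you run and compare it with the patched minor for that major". The POSIX shell script below is an added example, not part of the original announcement or of the PostgreSQL project. It encodes only the fixed minors the summary names (17.1, 16.5, 15.9); majors 12 through 14 are also affected according to the summary, but their patched minors are not given here, so the script reports them as "unknown" until you fill them in from the official release announcement. The `psql -AtX -c 'SHOW server_version'` and `pg_config --version` calls are real commands and flags; it is an assumption that the environment (PGHOST, PGUSER, ~/.pgpass) already points at the server you mean to check.

```shell
#!/bin/sh
# Added example: classify a PostgreSQL version string against the minimum
# patched minor releases named in the summary (17.1, 16.5, 15.9).

# Lowest patched minor for a major series; empty when this script does not know it.
pg_fixed_minor() {
  case "$1" in
    17) echo 1 ;;
    16) echo 5 ;;
    15) echo 9 ;;
    *)  echo "" ;;   # 12, 13, 14: add from the official release announcement
  esac
}

# pg_update_status VERSION
# Accepts "16.4", "16.4 (Debian 16.4-1...)" (output of SHOW server_version)
# or "PostgreSQL 16.4 on x86_64-..." (output of SELECT version()).
# Prints patched | update-required | unknown and returns 0 | 1 | 2.
pg_update_status() {
  ver=${1#"PostgreSQL "}            # strip the SELECT version() prefix if present
  major=${ver%%.*}
  rest=${ver#*.}
  if [ "$rest" = "$ver" ]; then
    minor=0                         # no minor given: treat as X.0
  else
    minor=${rest%%[!0-9]*}          # keep only the digits of the minor number
  fi
  case "$major$minor" in
    ''|*[!0-9]*) echo unknown; return 2 ;;   # unparsable input
  esac
  fixed=$(pg_fixed_minor "$major")
  if [ -z "$fixed" ]; then
    echo unknown; return 2
  elif [ "$minor" -ge "$fixed" ]; then
    echo patched; return 0
  else
    echo update-required; return 1
  fi
}

# Check a live server via psql when possible, otherwise the installed binaries
# via pg_config. Connection settings are assumed to come from PG* variables.
pg_check_installed() {
  if v=$(psql -AtX -c 'SHOW server_version' 2>/dev/null); then
    :
  elif v=$(pg_config --version 2>/dev/null); then
    :
  else
    echo "neither psql nor pg_config available" >&2
    return 3
  fi
  pg_update_status "$v"
}

# Demo on constructed version strings (not real hosts).
for v in "17.0" "17.1" "16.4" "15.9 (Debian 15.9-1.pgdg120+1)" \
         "PostgreSQL 13.16 on x86_64-pc-linux-gnu"; do
  status=$(pg_update_status "$v") || true
  printf '%-42s %s\n' "$v" "$status"
done
```

Run it as-is to see the classification of the sample strings, or call `pg_check_installed` from a fleet inventory job and act on the exit status: 1 means schedule the minor upgrade and restart, 2 means the major is not in the table yet and needs a manual look.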

Source: PostgreSQL Global Development Group
