Crunchy Postgres for Kubernetes 5.5.x Release notes

Release notes for each of the 5.5.x releases.

Component versions

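| Crunchy Postgres for Kubernetes | Postgres | pgBackRest | pgbouncer | Patroni | pgadmin |
|---|---|---|---|---|---|
| 5.5.2 | 16.3 | 2.51 | 1.22 | 3.1.2 | 4.30, 8.6 |
| 5.5.1 | 16.2 | 2.49 | 1.21 | 3.1.2 | 4.30, 7.8 |
| 5.5.0 | 16.1 | 2.47 | 1.21 | 3.1.1 | 4.30, 7.8 |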

Postgres extension versions

| Crunchy Postgres for Kubernetes version | PostGIS | pgRouting | pgaudit | pg_cron | pg_partman | pgnodemx | set_user | wal2json | TimescaleDB | orafce | pgvector |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 5.5.2 | 2.5.11 (earliest), 3.4.2 (latest) | 2.6.3 (earliest), 3.4.2 (latest) | 1.4.3 (earliest), 16.0 (latest) | 1.6.2 | 5.1.0 | 1.6 | 4.0.1 | 2.5 | 2.14.2 | 4.9.4 | 0.7.0 |
| 5.5.1 | 2.5.9 (earliest), 3.4.0 (latest) | 2.6.3 (earliest), 3.4.2 (latest) | 1.4.3 (earliest), 16.0 (latest) | 1.6.2 | 5.0.1 | 1.6 | 4.0.1 | 2.5 | 2.13.0 | 4.9.1 | 0.6.0 |
| 5.5.0 | 2.4.10 (earliest), 3.4.0 (latest) | 2.6.3 (earliest), 3.4.2 (latest) | 1.3.4 (earliest), 16.0 (latest) | 1.6.0 | 5.0.0 | 1.6 | 4.0.1 | 2.5 | 2.12.2 | 4.7.0 | 0.5.1 |

A bold version number indicates that the component version was updated in the latest release.

5.5.2

Features

  • Warn when a PASSWORD option is included in spec.users.options.
  • pgAdmin v8 is now supported by the Namespace-Scoped PGAdmin API.

Changes

  • PostgreSQL versions 16.3, 15.7, 14.12, 13.15, and 12.19 are now available.
  • PostGIS versions 3.4.2, 3.3.6, 3.2.7, 3.1.11, 3.0.11, and 2.5.11 are now available.
  • pgAdmin v8.6 is now available.
  • pgBackRest is now at version 2.51.
  • pgBouncer is now at version 1.22.1.
  • The orafce extension is now at version 4.9.4.
  • The pg_partman extension is now at version 5.1.0 for PG 16, 15 and 14.
  • The pgvector extension is now at version 0.7.0.
  • The TimescaleDB extension is now at version 2.14.2 for PG 16, 15, 14, and 13.
  • The postgres-operator image now uses UBI Minimal.

Notable Security Fixes

Crunchy PostgreSQL 16.3-0, 15.7-0, and 14.12-0 include:

  • CVE-2024-4317

    Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner.

    These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.

    By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:

    1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of the PostgreSQL installation. In Crunchy Data's PostgreSQL 16 RPM packages, the script can be found in folder /usr/pgsql-16/share/ after installing the postgresql16-server RPM. Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14-v16 are affected) or your minor version is too old to have the fix.

    2. In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like

      \i /usr/pgsql-16/share/fix-CVE-2024-4317.sql

      (adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.

    3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with:

      ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

      and then after fixing template0, undo it with

      ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
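
The three steps above as one script, added here as an example; it is not part of the release notes or of Crunchy Data's tooling. It assumes psql is on the PATH and connects as a superuser through the usual PG* environment variables; the function names and the `--apply` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the release notes): apply fix-CVE-2024-4317.sql to every
# database in a cluster, including template0 and template1.
# Assumption: psql is on PATH and connects as a superuser via the PG* environment.

# Path as given in the release notes for PostgreSQL 16; adjust for your major version.
FIX_SQL=${FIX_SQL:-/usr/pgsql-16/share/fix-CVE-2024-4317.sql}

# One database name per line, templates included.
list_databases() {
  psql -X -At -d postgres -c "SELECT datname FROM pg_database ORDER BY datname" </dev/null
}

# Run the fix script in one database; ON_ERROR_STOP surfaces a wrong script version.
fix_one() {
  psql -X -q -v ON_ERROR_STOP=1 -d "$1" -f "$FIX_SQL" </dev/null
}

# $1 is true or false.
set_template0_connections() {
  psql -X -q -v ON_ERROR_STOP=1 -d postgres \
    -c "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS $1;" </dev/null
}

# Returns 0 only if every database was fixed and template0 was locked again.
apply_fix_all() {
  failed=0
  dbs=$(list_databases) || return 1
  while IFS= read -r db; do
    [ -n "$db" ] || continue
    if [ "$db" = template0 ]; then
      set_template0_connections true || { failed=1; continue; }
      fix_one "$db" || failed=1
      # Re-lock template0 even when the script failed.
      set_template0_connections false || failed=1
    else
      fix_one "$db" || { echo "fix failed in: $db" >&2; failed=1; }
    fi
  done <<EOF
$dbs
EOF
  return "$failed"
}

# "--apply" is this example's own switch, not a psql or operator option.
if [ "${1:-}" = "--apply" ]; then apply_fix_all; exit $?; fi
```

A non-zero exit status means at least one database still needs the script, or template0 could not be locked again.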

5.5.1

Fixes

  • Only load datasource.pgbackrest.configuration when performing a cloud based restore.
  • Queue an event based on instance Patroni ‘master’ role change.
  • The pgAdmin controller now owns any objects it creates.
  • pgAdmin can now be accessed from Kubernetes networks by default.
  • Allow numeric characters in pgAdmin config settings. Contributed by Roman Gherta (@rgherta).

Changes

  • PostgreSQL versions 16.2, 15.6, 14.11, 13.14, and 12.18 are now available.
  • pgBackRest is now at version 2.49.
  • patroni is now at version 3.1.2.
  • pgMonitor is now at version 4.11.
  • The orafce extension is now at version 4.9.1.
  • The pg_cron extension is now at version 1.6.2.
  • The pg_partman extension is now at version 5.0.1 for PG 16, 15 and 14.
  • The pgvector extension is now at version 0.6.0.
  • The TimescaleDB extension is now available for PG 16. The extension is at version 2.13.0 for PG 16, 15, 14, and 13.

5.5.0

Features

  • The monitoring stack has undergone a number of significant improvements in 5.5, including:
    • Transitioning the crunchy-postgres-exporter image into a component container, thereby decoupling it from the postgres-operator.
    • The ability to append custom exporter queries to the default queries provided by Crunchy Postgres for Kubernetes.
    • You can now monitor your standby clusters by editing the ccp_monitoring password.
    • Postgres 16 support!
  • We added a new API for pgAdmin 4, which allows you to create a single pgAdmin 4 to manage multiple clusters in a namespace! This new API also comes with a new image containing the latest version of pgAdmin 4.

Changes

  • When specified, the citus extension is loaded before other shared_preload_libraries.
  • You can reduce metrics to those provided by pgMonitor by setting the postgres-operator.crunchydata.com/postgres-exporter-collectors annotation to None.
  • PostgreSQL versions 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 are now available.
  • As of February, 2023, public builds will offer the latest PG 16 and 15.
  • pgBouncer is now at version 1.21.0.
  • The orafce extension is now at version 4.7.0.
  • The pg_partman extension is now at version 5.0.0 for PG 16, 15 and 14.
  • The pgAudit16 extension is now at version 16.0.
  • The pgvector extension is now at version 0.5.1.
  • The TimescaleDB extension is now at version 2.12.2 for PG 15, 14 and 13, version 2.11.2 for PG 12 and version 2.3.1 for PG 11.
  • DNS names for the replica service have been added to the certificates generated for the PostgresCluster to facilitate TLS connections between pgBouncer and read replicas. Contributed by Scott Zelenka (@szelenka).