Crunchy Postgres for Kubernetes 5.3.x Release Notes

Release notes for each of the 5.3.x releases.

Component versions

Crunchy Postgres
for Kubernetes		PostgrespgBackRestpgbouncerPatronipgadmin
5.3.815.72.511.223.1.24.30
5.3.715.62.491.213.1.24.30
5.3.615.52.471.213.1.14.30
5.3.515.42.471.193.1.14.30
5.3.415.42.471.193.1.04.30
5.3.315.32.451.192.1.74.30
5.3.215.32.451.192.1.74.30
5.3.115.22.401.182.1.74.30
5.3.015.12.401.172.1.34.30

Postgres extension versions

Crunchy Postgres for Kubernetes versionPostGISpgRoutingpgauditpg_cronpg_partmanpgnodemxset_userwal2jsonTimescaleDBorafcepgvector
5.3.82.5.11 (earliest)
3.3.6 (latest)		2.6.3 (earliest)
3.3.4 (latest)		1.4.3 (earliest)
1.7.0 (latest)		1.6.25.1.01.64.0.12.52.14.24.9.40.7.0
5.3.72.5.9 (earliest)
3.3.4 (latest)		2.6.3 (earliest)
3.3.4 (latest)		1.4.3 (earliest)
1.7.0 (latest)		1.6.25.0.11.64.0.12.52.13.04.9.10.6.0
5.3.62.4.10 (earliest)
3.3.4 (latest)		2.6.3 (earliest)
3.3.4 (latest)		1.2.4 (earliest)
1.7.0 (latest)		1.6.05.0.01.64.0.12.52.12.24.7.00.4.4
5.3.52.4.10 (earliest)
3.3.4 (latest)		2.6.3 (earliest)
3.3.4 (latest)		1.2.4 (earliest)
1.7.0 (latest)		1.6.04.7.41.64.0.12.52.11.24.6.10.4.4
5.3.42.4.10 (earliest)
3.2.2 (latest)		2.6.3 (earliest)
3.3.1 (latest)		1.2.4 (earliest)
1.7.0 (latest)		1.5.24.7.31.44.0.12.52.10.34.2.60.4.4
5.3.32.4.10 (earliest)
3.2.2 (latest)		2.6.3 (earliest)
3.3.1 (latest)		1.2.4 (earliest)
1.7.0 (latest)		1.5.24.7.31.44.0.12.52.10.34.2.60.4.4
5.3.22.4.10 (earliest)
3.2.2 (latest)		2.6.3 (earliest)
3.3.1 (latest)		1.2.4 (earliest)
1.7.0 (latest)		1.5.24.7.31.44.0.12.52.10.34.2.6
5.3.12.4.10 (earliest)
3.2.2 (latest)		2.6.3 (earliest)
3.3.1 (latest)		1.2.4 (earliest)
1.7.0 (latest)		1.4.24.7.21.3.04.0.12.52.9.24.1.1
5.3.02.3 (earliest)
3.2.1 (latest)		2.6.3 (earliest)
3.3.1 (latest)		1.2.4 (earliest)
1.7.0 (latest)		1.4.24.7.11.3.03.0.02.52.8.13.25.1

A bold version number indicates that the component version was updated in latest release.

5.3.8

Features

  • Warn when a PASSWORD option is included in spec.users.options.

Changes

  • PostgreSQL versions 16.3, 15.7, 14.12, 13.15, and 12.19 are now available.
  • PostGIS versions 3.4.2, 3.3.6, 3.2.7, 3.1.11, 3.0.11, and 2.5.11 are now available.
  • pgBackRest is now at version 2.51.
  • pgBouncer is now at version 1.22.1.
  • The orafce extension is now at version 4.9.4.
  • The pg_partman extension is now at version 5.1.0 for PG 16, 15 and 14.
  • The pgvector extension is now at version 0.7.0.
  • The TimescaleDB extension is now at version 2.14.2 for PG 16, 15, 14, and 13.
  • The postgres-operator image now uses UBI Minimal.

Notable Security Fixes

Crunchy PostgreSQL 16.3-0, 15.7-0, and 14.12-0 include:

  • CVE-2024-4317

    Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner.

    These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.

    By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:

    1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of the PostgreSQL installation. In Crunchy Data's PostgreSQL 16 RPM packages, the script can be found in folder /usr/pgsql-16/share/ after installing the postgresql16-server RPM. Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14-v16 are affected) or your minor version is too old to have the fix.

    2. In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like

      \i /usr/pgsql-16/share/fix-CVE-2024-4317.sql

      (adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.

    3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with:

      ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

      and then after fixing template0, undo it with

      ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

5.3.7

Fixes

  • Only load datasource.pgbackrest.configuration when performing a cloud based restore.
  • Queue an event based on instance Patroni ‘master’ role change
  • Allow numeric characters in pgAdmin config settings. Contributed by Roman Gherta (@rgherta).

Changes

  • PostgreSQL versions 15.6, 14.11, 13.14, and 12.18 are now available.
  • pgBackRest is now at version 2.49.
  • patroni is now at version 3.1.2.
  • The orafce extension is now at version 4.9.1.
  • The pg_cron extension is now at version 1.6.2.
  • The pg_partman extension is now at version 5.0.1 for PG 16, 15 and 14.
  • The pgvector extension is now at version 0.6.0.
  • The TimescaleDB extension is now available for PG 16. The extension is at version 2.13.0 for PG 16, 15, 14, and 13.

5.3.6

Changes

  • PostgreSQL versions 15.5, 14.10, 13.13, 12.17, and 11.22 are now available.
  • pgBouncer is now at version 1.21.0.
  • The orafce extension is now at version 4.7.0.
  • The pg_partman extension is now at version 5.0.0 for PG 15 and 14.
  • The pgvector extension is now at version 0.5.1.
  • The TimescaleDB extension now at version 2.12.2 for PG 15, 14 and 13, version 2.11.2 for PG 12 and version 2.3.1 for PG 11.

5.3.5

Changes

  • Patroni is now at version 3.1.1.
  • PostGis version 3.3.4 is now available.
  • The orafce extension is now at version 4.6.1.
  • The pg_cron extension is now at version 1.6.0.
  • The pg_partman extension is now at version 4.7.4.
  • The pgAudit Analyze extension is now at version 1.0.9.
  • The pgnodemx extension is now at version 1.6.
  • The pgRouting extension is now at version 3.3.4 for PG 15 & 14.
  • pscyopg is now at version 2.9.7.
  • The TimescaleDB extension is now at version 2.11.2.

5.3.4

Changes

  • PostgreSQL versions 15.4, 14.9, 13.12, 12.16, and 11.21 are now available.
  • Patroni is now at version 3.1.0.
  • pgBackrest is now at version 2.47.
  • pgBouncer is now at version 1.19.1.

Fixes

  • PostgresClusters that do not request huge pages can now be restored on nodes with huge pages.

5.3.3

Changes

  • The pgaudit_analyze tool is deprecated and may be removed in a future release.

Fixes

  • Backup jobs for S3-compatible object storage repositories would fail with a message about config hash mismatch. This is now fixed.

5.3.2

Fixes

  • PostgresClusters that do not request huge pages can now initialize on nodes with huge pages. Kubernetes container runtimes still configure cgroups incorrectly in these cases, but initdb no longer crashes.

5.3.1

This release contains new component and Postgres versions, but no additional fixes or changes.

5.3.0

Features

  • PostgreSQL 15 support.
  • Enable TLS for the PostgreSQL exporter using the new spec.monitoring.pgmonitor.exporter.customTLSSecret field.
  • Configure pgBackRest for IPv6 environments using the postgres-operator.crunchydata.com/pgbackrest-ip-version annotation.
  • Configure the TTL for pgBackRest backup Jobs.
  • Use Helm's OCI registry capability to install Crunchy Postgres for Kubernetes.

Changes

  • JIT is now explicitly disabled for the monitoring user, allowing users to opt-into using JIT elsewhere in the database without impacting exporter functionality. Contributed by Kirill Petrov (@chobostar).
  • PGO now logs both stdout and stderr when running a SQL file referenced via spec.databaseInitSQL during database initialization. Contributed by Jeff Martin (@jmartin127).
  • The pgnodemx and pg_stat_statements extensions are now automatically upgraded.
  • The postgres-startup init container now logs an error message if the version of PostgreSQL installed in the image does not match the PostgreSQL version specified using spec.postgresVersion.
  • Limit the monitoring user to local connections using SCRAM authentication. Contributed by Scott Zelenka (@szelenka)
  • Skip a scheduled backup when the prior one is still running. Contributed by Scott Zelenka (@szelenka)
  • ThedataSource.volumes migration strategy had been improved to better handle PGDATA directories with invalid permissions and a missing postgresql.conf file.

Fixes

  • A psycopg2 error is no longer displayed when connecting to a database using pgAdmin 4.
  • With the exception of the --repo option itself, PGO no longer prevents users from specifying pgBackRest options containing the string "repo" (e.g. --repo1-retention-full).
  • PGO now properly filters Jobs by namespace when reconciling restore or data migrations Job, ensuring PostgresClusters with the same name can be created within different namespaces.
  • The Major PostgreSQL Upgrades API (PGUpgrade) now properly handles clusters that have various extensions enabled.