Crunchy Postgres for Kubernetes 5.4.x Release notes

Release notes for each of the 5.4.x releases.

Component versions

Crunchy Postgres for Kubernetes  Postgres  pgBackRest  pgbouncer  Patroni  pgadmin
5.4.6                            16.3      2.51        1.22       3.1.2    4.30
5.4.5                            16.2      2.49        1.21       3.1.2    4.30
5.4.4                            16.1      2.47        1.21       3.1.1    4.30
5.4.3                            16.0      2.47        1.19       3.1.1    4.30
5.4.2                            15.4      2.47        1.19       3.1.0    4.30
5.4.1                            15.3      2.45        1.19       2.1.7    4.30
5.4.0                            15.3      2.45        1.19       2.1.7    4.30

Postgres extension versions

PostGIS, pgRouting and pgaudit are listed as earliest / latest available version.

Crunchy Postgres for Kubernetes version  PostGIS         pgRouting      pgaudit        pg_cron  pg_partman  pgnodemx  set_user  wal2json  TimescaleDB  orafce  pgvector
5.4.6                                    2.5.11 / 3.4.2  2.6.3 / 3.4.2  1.4.3 / 16.0   1.6.2    5.1.0       1.6       4.0.1     2.5       2.14.2       4.9.4   0.7.0
5.4.5                                    2.5.9 / 3.4.0   2.6.3 / 3.4.2  1.4.3 / 16.0   1.6.2    5.0.1       1.6       4.0.1     2.5       2.13.0       4.9.1   0.6.0
5.4.4                                    2.4.10 / 3.4.0  2.6.3 / 3.4.2  1.3.4 / 16.0   1.6.0    5.0.0       1.6       4.0.1     2.5       2.12.2       4.7.0   0.5.1
5.4.3                                    2.4.10 / 3.4.0  2.6.3 / 3.4.2  1.3.4 / 1.7.0  1.6.0    4.7.4       1.6       4.0.1     2.5       2.11.2       4.6.1   0.4.4
5.4.2                                    2.4.10 / 3.3.2  2.6.3 / 3.3.1  1.3.4 / 1.7.0  1.5.2    4.7.3       1.4       4.0.1     2.5       2.10.3       4.2.6   0.4.4
5.4.1                                    2.4.10 / 3.3.2  2.6.3 / 3.3.1  1.3.4 / 1.7.0  1.5.2    4.7.3       1.4       4.0.1     2.5       2.10.3       4.2.6   0.4.4
5.4.0                                    2.4.10 / 3.3.2  2.6.3 / 3.3.1  1.3.4 / 1.7.0  1.5.2    4.7.3       1.4       4.0.1     2.5       2.10.3       4.2.6   0.4.4

A bold version number indicates that the component version was updated in the latest release.

5.4.6

Features

  • Warn when a PASSWORD option is included in spec.users.options.

Changes

  • PostgreSQL versions 16.3, 15.7, 14.12, 13.15, and 12.19 are now available.
  • PostGIS versions 3.4.2, 3.3.6, 3.2.7, 3.1.11, 3.0.11, and 2.5.11 are now available.
  • pgBackRest is now at version 2.51.
  • pgBouncer is now at version 1.22.1.
  • The orafce extension is now at version 4.9.4.
  • The pg_partman extension is now at version 5.1.0 for PG 16, 15 and 14.
  • The pgvector extension is now at version 0.7.0.
  • The TimescaleDB extension is now at version 2.14.2 for PG 16, 15, 14, and 13.
  • The postgres-operator image now uses UBI Minimal.

Notable Security Fixes

Crunchy PostgreSQL 16.3-0, 15.7-0, and 14.12-0 include:

  • CVE-2024-4317

    Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner.

    These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.

    By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:

    1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of the PostgreSQL installation. In Crunchy Data's PostgreSQL 16 RPM packages, the script can be found in folder /usr/pgsql-16/share/ after installing the postgresql16-server RPM. Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14-v16 are affected) or your minor version is too old to have the fix.

    2. In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like

      \i /usr/pgsql-16/share/fix-CVE-2024-4317.sql

      (adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.

    3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with:

      ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

      and then after fixing template0, undo it with

      ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
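
The three steps above as one script. This is an added example, not part of the release notes and not Crunchy Data's or PostgreSQL's own tooling. The function names and the --apply switch are this example's own, and it assumes psql can reach the cluster as a superuser through the usual PG* environment variables.

```sh
# Added example: apply fix-CVE-2024-4317.sql to every database in a cluster.
# Assumes psql reaches the cluster as a superuser (PGHOST, PGUSER, ...).
set -eu

# Path quoted in the release notes; use the script for your major version.
FIX_SQL="${FIX_SQL:-/usr/pgsql-16/share/fix-CVE-2024-4317.sql}"

# Stop on the first SQL error and never let psql read the plan from stdin.
run_psql() { psql -X -v ON_ERROR_STOP=1 "$@" </dev/null; }

# One "datname|datallowconn" line per database (datallowconn is t or f).
list_databases() {
  run_psql -At -d postgres -c "SELECT datname, datallowconn FROM pg_database"
}

# Turn "datname|t/f" lines into steps; only template0 is opened and re-closed.
build_plan() {
  while IFS='|' read -r db allow; do
    [ -n "$db" ] || continue
    if [ "$allow" = "t" ]; then
      printf 'fix %s\n' "$db"
    elif [ "$db" = "template0" ]; then
      printf '%s template0\n' unlock fix lock
    else
      printf 'skip %s\n' "$db"   # deliberately closed database: report it
    fi
  done
}

# Run the steps. A failed fix is recorded but does not stop the loop, so
# template0 is always set back to ALLOW_CONNECTIONS false.
apply_plan() {
  rc=0
  while read -r step db; do
    case "$step" in
      unlock) run_psql -d postgres -c "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;" ;;
      lock)   run_psql -d postgres -c "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;" ;;
      fix)    run_psql -d "$db" -f "$FIX_SQL" || rc=1 ;;
      skip)   echo "not patched, connections disabled: $db" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Nothing touches the cluster unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
  dbs=$(list_databases)
  printf '%s\n' "$dbs" | build_plan | apply_plan
fi
```

A non-zero exit status means at least one database was skipped or the script raised an error there, which per the note above usually points to the wrong script version.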

5.4.5

Fixes

  • Only load datasource.pgbackrest.configuration when performing a cloud based restore.
  • Queue an event based on instance Patroni ‘master’ role change.
  • Make Standalone PgAdmin controller the owner of the objects it creates.
  • Allow numeric characters in pgAdmin config settings. Contributed by Roman Gherta (@rgherta).

Changes

  • PostgreSQL versions 16.2, 15.6, 14.11, 13.14, and 12.18 are now available.
  • pgBackRest is now at version 2.49.
  • Patroni is now at version 3.1.2.
  • pgMonitor is now at version 4.11.
  • The orafce extension is now at version 4.9.1.
  • The pg_cron extension is now at version 1.6.2.
  • The pg_partman extension is now at version 5.0.1 for PG 16, 15 and 14.
  • The pgvector extension is now at version 0.6.0.
  • The TimescaleDB extension is now available for PG 16. The extension is at version 2.13.0 for PG 16, 15, 14, and 13.

5.4.4

Changes

  • PostgreSQL versions 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 are now available.
  • pgBouncer is now at version 1.21.0.
  • The orafce extension is now at version 4.7.0.
  • The pg_partman extension is now at version 5.0.0 for PG 16, 15 and 14.
  • The pgAudit16 extension is now at version 16.0.
  • The pgvector extension is now at version 0.5.1.
  • The TimescaleDB extension is now at version 2.12.2 for PG 15, 14 and 13, version 2.11.2 for PG 12 and version 2.3.1 for PG 11.

5.4.3

Changes

  • PostgreSQL version 16.0 is now available. This release of PostgreSQL 16 does not include the TimescaleDB extension.
  • PostGIS versions 3.4.0, 3.3.4 are now available.
  • Patroni is now at version 3.1.1.
  • pgMonitor is now at version 4.10.
  • The orafce extension is now at version 4.6.1.
  • The pg_cron extension is now at version 1.6.0.
  • The pg_partman extension is now at version 4.7.4.
  • The pgAudit Analyze extension is now at version 1.0.9.
  • The pgnodemx extension is now at version 1.6.
  • The pgRouting extension is now at version 3.4.2 for PG 16, and version 3.3.4 for PG 16, 15 & 14.
  • psycopg is now at version 2.9.7.
  • The TimescaleDB extension is now at version 2.11.2.

5.4.2

Changes

  • PostgreSQL versions 15.4, 14.9, 13.12, 12.16, and 11.21 are now available.
  • Patroni is now at version 3.1.0.
  • pgBackRest is now at version 2.47.
  • pgBouncer is now at version 1.19.1.

5.4.1

Fixes

  • Backup jobs for S3-compatible object storage repositories would fail with a message about config hash mismatch. This is now fixed.
  • PGO now prevents empty image values from impacting a PostgresCluster. With this change, a warning event explains that the cluster will be updated once the necessary images are defined. PostgresClusters with images defined continue to reconcile normally.
  • Recovering from missing images during a Postgres major version upgrade is easier now. Conditions on PGUpgrade are more clearly defined, and new validation checks the upgrade image field.

5.4.0

Features

  • The PGUpgrade API has been added to the Crunchy Postgres for Kubernetes OLM installer.
  • The pgo-upgrade deployment is no longer needed and can be removed.
  • Added the ability to add volumes for tablespace support (guarded by a feature gate).
  • ARM images are now available.
    • PostgreSQL versions 15.3, 14.8, 13.11 are now available.
    • PostGIS versions 3.1.8, 3.2.4 & 3.3.2 are now available.
  • The pgvector extension, version 0.4.4, is now available.

Changes

  • Trivy has been integrated into Continuous Integration pipelines for the detection and resolution of CVEs within Go binaries and container image builds.
  • Major Upgrade doc change providing clarity around deleting old WAL files. Contributed by Stefan Midjich (@stemid).
  • Documentation update to bring our Keycloak example into alignment with the latest version. Contributed by David Jeffers (@dajeffers).
  • The pgaudit_analyze tool is deprecated and may be removed in a future release.

Fixes

  • The major PG upgrades documentation now includes the proper guidance/instructions for updating the pgAudit extension.
  • PostgresClusters that do not request huge pages can now initialize and be restored on nodes with huge pages. Kubernetes container runtimes still configure cgroups incorrectly in these cases, but initdb no longer crashes.
  • The custom TLS documentation now includes the proper information for the Common Name for the certificates for both the customTLSSecret and the customReplicationTLSSecret.