Re: IMPORTANT: Out-of-cycle release scheduled for November 21, 2024

On Fri, Nov 15, 2024 at 06:28:42PM -0500, Jonathan Katz wrote:
> We're scheduling an out-of-cycle release on November 21, 2024 to address two
> regressions that were released as part of the November 14, 2024 update
> release[1]. As part of this release, we will issue fixes for all supported
> versions (17.2, 16.6, 15.10, 14.15, 13.20), and for 12.22, even though
> PostgreSQL 12 is now EOL.
>
> A high-level description of the regressions are as follows.
>
> 1. The fix for CVE-2024-10978 prevented `ALTER USER ... SET ROLE ...` from
> having any effect[2]. This will be fixed in the upcoming release.
>
> 2. Certain PostgreSQL extensions took a dependency on an Application Build
> Interface (ABI) that was modified in this release and caused them to
> break[3]. Currently, this can be mitigated by rebuilding the extensions
> against the updated definition.
>
> Please follow all standard guidelines for commits ahead of the release.
> Thanks for your help in assisting with this release,

I want to point out a complexity of this out-of-cycle release. Our
17.1, etc. releases had four CVEs:

https://www.postgresql.org/message-id/173159332163.1547975.13346191756810493274@wrigleys.postgresql.org

so when we decided to remove the downloads and encourage people to wait
for the 17.2 etc. releases, we had the known CVEs in Postgres releases
with no recommended way to fix them.

I am not sure what we could have done differently, but I am surprised we
didn't get more complaints about the security situation we put them in.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"