Update your IBM Cloud Compose for PostgreSQL version today
IBM Cloud Compose for PostgreSQL has new, updated versions available. The new versions address security issues for which we recommend updating existing deployments as soon as possible.
Last week saw the release of PostgreSQL updates which included fixes for two security issues. These issues are of concern as they involve vulnerabilities which could be exploited remotely to potentially expose server memory (9.5.x and 9.6.x) or access other servers through extensions such as dblink or pg_fdw (9.4.x, 9.5.x, 9.6.x). That said, there are no known exploits for either issue.
What IBM Cloud Compose is doing
We are making PostgreSQL 9.4.19, 9.5.14, and 9.6.10 available immediately. This is to allow users to upgrade as soon as possible to the new versions.
The vulnerabilities have been fixed as part of a range of bug fixes incorporated in the various updates. Notes for 9.4.19, 9.5.14, and 9.6.10 list the changes made in each edition.
We are not yet setting these new versions to preferred (the default for new deployments), so when creating a new deployment, please remember to select the most recent version. We are currently planning to make these new versions preferred on September 20th. When that happens, we’ll be removing the ability to provision older versions of PostgreSQL. From that point onwards, we will begin managed, forced upgrades of PostgreSQL databases to the highest minor version.
Your options for action
We hope that you will make the time to protect your database by upgrading it to the latest minor version using the in-place upgrade option in settings. This will allow you to control when the upgrade is scheduled. In-place upgrades cause minimal disruption as they are done on a rolling basis, allowing the database to gracefully fail over as the nodes are upgraded.
You may also wish to take the opportunity to upgrade to a more recent major version of PostgreSQL. You can then make use of the many new features available. PostgreSQL 9.5 added the “Upsert” feature and enhanced JSONB. PostgreSQL 9.6 improved vacuuming and added full-text search for phrases. You can perform a major version upgrade with the Restore-from-Backup capability. This allows you to take a recent backup and create a new deployment with a newer version of PostgreSQL on it. Read more about the process in the migration section of IBM Cloud Compose documentation on upgrading PostgreSQL major versions.
Whatever you do, upgrade to one of these new versions. On September 20th, when we move to “preferred” status for them, we will begin the process of managed, forced upgrades on older versions. This will help eliminate the underlying security issues from the IBM Cloud Compose platform.