PostgreSQL Flaw Enables Code Execution With Database Server Process Rights

A new round of corrective updates has been released for all supported branches of PostgreSQL: versions 17.1, 16.5, 15.9, 14.14, 13.17 and 12.21. The updates fix a total of 35 bugs and close three vulnerabilities, one of which is rated high severity while the other two are of lower impact. The release also marks the end of support for the PostgreSQL 12 branch: 12.21 is its final update, and no further fixes will be issued for that version.

The high-severity vulnerability, CVE-2024-10979, carries a CVSS score of 8.8 out of 10. It lets an unprivileged database user create trusted PL/Perl (plperl) functions that change sensitive environment variables of the backend process, including PATH, which determines where executables are looked up, and PostgreSQL-specific variables. Control over those variables is often enough to get arbitrary code run under the operating system account the database server itself runs as. Exploitation needs only a database login able to create functions in a schema; no operating system account on the database host is required.
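As an added check that is not part of the original article or of PostgreSQL's own tooling, the following SQL lets an operator triage a cluster for this issue: confirm the running minor version carries the fix, see whether trusted PL/Perl is installed and which login roles may use it, and, in a throwaway database, exercise the primitive the advisory describes (a trusted plperl function assigning to %ENV). The function name env_probe and the probe directory string are illustrative choices; the minimum fixed version numbers are those of the releases listed above.

```sql
-- Added triage queries for CVE-2024-10979 (not from the article or the project).
-- Run as a superuser on each cluster you operate.

-- 1. Is this server on a branch that includes the fix?
--    First fixed releases: 17.1, 16.5, 15.9, 14.14, 13.17, 12.21
--    (server_version_num encodes them as major*10000 + minor).
WITH fixed(major, min_vnum) AS (
    VALUES (17, 170001), (16, 160005), (15, 150009),
           (14, 140014), (13, 130017), (12, 120021)
),
srv AS (
    SELECT current_setting('server_version_num')::int AS vnum
)
SELECT srv.vnum                       AS running,
       fixed.min_vnum                 AS first_fixed,
       CASE
           WHEN fixed.min_vnum IS NULL      THEN 'branch not in table: check manually'
           WHEN srv.vnum >= fixed.min_vnum  THEN 'patched'
           ELSE                                  'VULNERABLE'
       END                            AS status
FROM srv
LEFT JOIN fixed ON fixed.major = srv.vnum / 10000;

-- 2. Is PL/Perl installed, and is the trusted variant open to everyone?
--    A NULL lanacl on a trusted language means the default applies,
--    i.e. PUBLIC has USAGE.
SELECT lanname,
       lanpltrusted,
       coalesce(lanacl::text, '(default: PUBLIC has USAGE)') AS acl
FROM pg_language
WHERE lanname IN ('plperl', 'plperlu');

-- 3. Which non-superuser login roles could actually create plperl functions?
--    The CASE guards the privilege call so the query does not error when
--    plperl is absent (has_language_privilege raises on an unknown language).
SELECT rolname
FROM pg_roles
WHERE NOT rolsuper
  AND rolcanlogin
  AND CASE
          WHEN EXISTS (SELECT 1 FROM pg_language WHERE lanname = 'plperl')
          THEN has_language_privilege(rolname, 'plperl', 'USAGE')
          ELSE false
      END;

-- 4. Interim mitigation until the cluster is upgraded: withdraw the default
--    USAGE grant so only roles you explicitly trust can write plperl.
--    Re-grant per role as needed: GRANT USAGE ON LANGUAGE plperl TO some_role;
-- REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;

-- 5. Probe of the primitive itself (throwaway database only; drop afterwards).
--    The function attempts to prepend a bogus directory to PATH from trusted
--    plperl and reports what the backend's %ENV shows. On an unpatched build
--    the 'after' value reflects the change, which is exactly the defect.
CREATE FUNCTION env_probe() RETURNS text LANGUAGE plperl AS $$
    my $before = $ENV{PATH} // '';
    $ENV{PATH} = '/nonexistent-probe-dir:' . $before;   # probe value, illustrative
    my $after  = $ENV{PATH} // '';
    return "before=$before after=$after";
$$;
SELECT env_probe();
DROP FUNCTION env_probe();
```

Query 3 is the one to act on: every role it lists can create a trusted plperl function without any OS access, which is precisely the precondition the advisory describes. The untrusted variant, plperlu, is not a concern in the same way, since only superusers can create functions in it. If you cannot upgrade immediately, step 4 is a narrow, reversible control; it does not affect existing plperl functions, only who may define new ones.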
