PostgeSQL to Deny COPY...PROGRAM Vulnerability

Developers state that CVE-2019-9193 is not a vulnerability at all
05 April 2019   385

In response to the news based on the CVE-2019-9193 vulnerability report, PostgreSQL developers have published a refutation. CVE-2019-9193 is being presented by some analysts as a critical remotely exploited problem, which in the default configuration, through manipulations with the COPY TO / FROM PROGRAM construct, executes arbitrary code with user rights under which the DBMS is running. As reported, these statements do not correspond to reality, the problem described is contrived and CVE-2019-9193 is in fact not a vulnerability. The vulnerability identifier CVE-2019-9193 was issued by mistake.

We encourage all users of PostgreSQL to follow the best practice that is to never grant superuser access to remote or otherwise untrusted users. This is a standard security operating procedure that is followed in system administration and extends to database administration as well.

PostgreSQL Team

The construction of "COPY TO / FROM PROGRAM" is a regular functionality that is available only to a user with administrative rights (superuser) or with the explicit delegation of the authority "pg_execute_server_program". Contrary to statements in publications, the pg_read_server_files and pg_write_server_files rights granted by default do not grant authority to execute the COPY..PROGRAM construct. Regular DBMS users do not have the ability to run handlers using the "COPY TO / FROM PROGRAM", and the administrator does not need to break into his own environment in which the database is running and which already has full access (the database administrator has the authority of the user under which PostgreSQL is running).

TimescaleDB 1.2 to be Released

TimescaleDB is implemented as an extension to PostgreSQL and uses Apache 2.0 license
31 January 2019   509

The release of TimescaleDB 1.2 DBMS is presented. It is intended for storing and processing data in the form of a time series (cuts of parameter values ​​at specified intervals, the record forms a time and a set of values ​​corresponding to this time). This form of storage is optimal for applications such as monitoring systems, trading platforms, systems for collecting metrics and sensor states. Means are provided for integration with the Grafana and Prometheus project. The TimescaleDB project is implemented as an extension to PostgreSQL and is distributed under the Apache 2.0 license.

The new release is notable for changing the licensing model. In addition to the previously used free Apache 2.0 license, part of the code with advanced features is now supplied under a separate proprietary Timescale license (TSL), which does not allow changes, prohibits the use of code in third-party products and does not allow free use in cloud databases (database-as-a- service). In fact, the code under the TSL license is available only for viewing. Some of the functions under the TSL license are delivered free of charge to the Community editions of the product, and some under the commercial license as part of a closed paid Enterprise edition (a time-limited trial version is available for review). This includes developing a code for processing obsolete data suppression policies under a commercial license, which allows you to store only up-to-date data and automatically delete, aggregate or archive obsolete records.

Get more info at official blog.