PostgreSQL 10 Beta 1 was recently released

A new version of one of the most popular database management systems
05 July 2017
PostgreSQL

An object-relational database management system with an emphasis on extensibility and standards compliance.

The beta release of PostgreSQL 10 contains previews of all of the features that will be available in the final release of version 10, but some details may still change. The developers ask users to begin testing their applications against this release.

Main Features

The new version has some good features that will allow users to both scale out and scale up their PostgreSQL infrastructure:

  • Logical Replication: built-in option for replicating specific tables or using replication to upgrade
  • Native Table Partitioning: range and list partitioning as native database objects
  • Additional Query Parallelism: including index scans, bitmap scans, and merge joins
  • Quorum Commit for Synchronous Replication: ensure against loss of multiple nodes

Also, users will be able to test:

  • SCRAM Authentication, for more secure password-based access
  • Multi-host "failover", connecting to the first available in a list of hosts
  • target_session_attrs parameter, so a client can request a read/write host
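The SCRAM item in the list above is the one a database operator is most likely to want to try first, so here is an added example (not part of the announcement or of the PostgreSQL project's own material) showing the PostgreSQL 10 knobs involved: switching new password verifiers to SCRAM-SHA-256 and then auditing which login roles still carry an md5 verifier. It assumes a superuser session; the role name app_user is a placeholder.

```sql
-- Added example, not from the announcement: move password verifiers to SCRAM-SHA-256
-- on PostgreSQL 10 and find the login roles that still hold md5 verifiers.
-- Assumes a superuser session; app_user is a placeholder role name.

-- PostgreSQL 10 still defaults password_encryption to md5; make new verifiers SCRAM.
-- password_encryption is a session-level setting, so a reload is enough after ALTER SYSTEM.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- Existing md5 verifiers are not converted in place: each password has to be set
-- again under the new setting before the role gets a SCRAM verifier.
ALTER ROLE app_user PASSWORD 'placeholder-change-me';

-- Audit: which login roles still carry an md5 verifier, or no password at all?
-- pg_authid (which exposes rolpassword) is readable by superusers only.
SELECT rolname,
       CASE
         WHEN rolpassword IS NULL                THEN 'no password'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         ELSE 'other'
       END AS verifier_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;
```

Changing the stored verifier is only half of the setting: the authentication method for each client in pg_hba.conf must also be `scram-sha-256` (or left at `md5`, which in PostgreSQL 10 negotiates SCRAM automatically when the role's verifier is SCRAM) and the connecting client library has to be new enough to speak SCRAM, which is why the announcement asks users to test their applications against the beta.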

Additional Features

Many other new features and improvements have been added to PostgreSQL 10. All of them require testing. Among them are:

  • Crash-safe and replicable Hash Indexes
  • Multi-column Correlation Statistics
  • New "monitoring" roles for permission grants
  • Latch Wait times in pg_stat_activity
  • XMLTABLE query expression
  • Restrictive Policies for Row Level Security
  • Full Text Search support for JSON and JSONB
  • Compression support for pg_receivewal
  • ICU collation support
  • Push Down Aggregates to foreign servers
  • Transition Tables in trigger execution

Further, developers have contributed performance improvements in the SUM() function, character encoding conversion, expression evaluation, grouping sets, and joins against unique columns. Analytics queries against large numbers of rows should be up to 40% faster. Please test if these are faster for you and report back.

See the Release Notes for a complete list of new and changed features.

The final release is planned for late 2017.

PostgreSQL Denies COPY ... PROGRAM Vulnerability

Developers state that CVE-2019-9193 is not a vulnerability at all
05 April 2019

In response to news reports based on the CVE-2019-9193 vulnerability report, the PostgreSQL developers have published a refutation. CVE-2019-9193 is being presented by some analysts as a critical, remotely exploitable problem that, in the default configuration, executes arbitrary code with the rights of the user under which the DBMS runs by manipulating the COPY TO / FROM PROGRAM construct. According to the developers, these statements do not correspond to reality: the problem described is contrived, and CVE-2019-9193 is in fact not a vulnerability. The vulnerability identifier CVE-2019-9193 was issued by mistake.

We encourage all users of PostgreSQL to follow the best practice that is to never grant superuser access to remote or otherwise untrusted users. This is a standard security operating procedure that is followed in system administration and extends to database administration as well.

PostgreSQL Team

The COPY TO / FROM PROGRAM construct is regular functionality that is available only to a user with administrative rights (a superuser) or to a role that has been explicitly granted the pg_execute_server_program authority. Contrary to statements in the publications, the pg_read_server_files and pg_write_server_files default roles do not confer the authority to execute COPY ... PROGRAM. Regular DBMS users cannot run programs through COPY TO / FROM PROGRAM, and an administrator has no need to break into an environment in which the database is running and to which they already have full access (the database administrator holds the authority of the operating-system user under which PostgreSQL runs).
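The practical check that follows from the developers' statement is to confirm who in a given instance actually holds the capability in question. The query below is an added example, not part of the PostgreSQL team's statement: it lists every role that can run COPY ... TO/FROM PROGRAM (superusers, plus direct or nested members of the pg_execute_server_program default role) alongside the two file-access default roles, so that a role holding only pg_read_server_files or pg_write_server_files is visibly shown without execute rights. It assumes PostgreSQL 11 or later, where these default roles exist; the role name app_user in the REVOKE is a placeholder.

```sql
-- Added audit query, not from the PostgreSQL team's statement.
-- Assumes PostgreSQL 11 or later (pg_execute_server_program, pg_read_server_files and
-- pg_write_server_files exist there); app_user is a placeholder role name.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       -- pg_has_role(..., 'MEMBER') follows nested role membership. For a superuser it is
       -- always true, which is the right answer here: superusers can run COPY ... PROGRAM.
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_execute_server_program,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS can_read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS can_write_server_files
FROM pg_roles r
-- Skip the built-in pg_* roles themselves; we want the roles people connect as.
WHERE r.rolname NOT LIKE 'pg\_%'
  AND (   pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER'))
ORDER BY r.rolname;

-- If a remote or application role appears with can_execute_server_program = true and
-- should not be able to run server-side programs, withdraw the membership
-- (and review how it was granted in the first place).
REVOKE pg_execute_server_program FROM app_user;
```

Running this on an instance set up with the defaults should show only the bootstrap superuser, which is exactly the developers' point: nothing in the default configuration lets an ordinary login run COPY ... PROGRAM, and a superuser listed here already has the rights of the operating-system user running the server.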