PostgreSQL Patching version 9, 10,11

If you are used to patch Oracle databases you probably know how to use opatch to apply PSUs. How does PostgreSQL handle this? Do we need to patch the existing binaries to apply security fixes? The answer is: No.

Lets say you want to patch PostgreSQL from version 10.5/11.3 to version 10.10/11.5.

This is called minor version postgres upgrade or postgres patching

 

Why need to patch postgresql server  ?

Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. The vulnerabilities are the result of the application’s failure to sufficiently sanitize user-supplied input before using it in an SQL query. These vulnerabilities allow attackers with the CREATE permission (or Trigger permission in some tables) to exploit input sanitation vulnerabilities in the pg_upgrade and pg_dump functions. The CREATE permission is automatically given to new users on the public schema, and the public schema is the default schema used on these databases. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.

Solution :

This issue is fixed by upgrading to below mentioned point releases and restarting your PostgreSQL server.

Below are the new point releases to fix the vulnerability.

  • PostgreSQL version 9.6.15
  • PostgreSQL version 10.10
  • PostgreSQL version 11.5

For More Info refer the below link

https://www.cvedetails.com/vulnerability-list/vendor_id-336/product_id-575/Postgresql-Postgresql.html

Below steps will helpful to apply patch on postgres server

Step 1. Install the below packages on linux server.

[On RHEL/CentOS]
# yum install gcc*
# yum install zlib-devel*
# yum install readline-devel*

[On Debian/Ubuntu]
# apt install gcc*
# apt install zlib1g-dev*
# apt install libreadline6-dev*

[On SUSE Linux ]
# Zypper in gcc*
# zlib1g-dev*
# libreadline6-dev*
# zypper in zlib*

Step 2. Install the new version of postgres server as root user.

# ./configure --prefix=/nijam/10.10/ --without-readline
# make (or) # make world -->>(additional modules (contrib), type instead PostgreSQL, contrib, and documentation 
# make install (or) # make install-world -->>(if you want contribution extension)

(OR)

rpm -ivh postgresql1010-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-contrib-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-contrib-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-debugsource-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-devel-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-devel-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-docs-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-libs-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-libs-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-pglogical-2.2.2-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-pglogical-debuginfo-2.2.2-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-pglogical-debugsource-2.2.2-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-plperl-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-plperl-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-plpython-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-plpython-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-pltcl-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-pltcl-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-server-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-server-debuginfo-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-test-10.10-1.x86_64.rpm --nodeps
rpm -ivh postgresql1010-test-debuginfo-10.10-1.x86_64.rpm --nodeps

Step 3. Take the backup physical or logical backup and Stop the old version of postgres server 10.5 with seperate path.

tutorialdba.com:/nijam/10.10/postgresql-10.10 # ps -ef|grep postgres
pginsta 2779 1 0 May15 ? 00:10:45 /nijam/10.5/bin/postgres -D /data/
pginsta 2781 2779 0 May15 ? 00:00:01 postgres: logger process
pginsta 2783 2779 0 May15 ? 00:00:52 postgres: checkpointer process
pginsta 2784 2779 0 May15 ? 00:12:33 postgres: writer process
pginsta 2785 2779 0 May15 ? 00:04:03 postgres: wal writer process


/nijam/10.5/bin/pg_ctl -D /data/  stop

Step 4. Start the new server from new installation bin path and pointing existing data directory.

/nijam/10.10/bin/pg_ctl -D /data/ -l logfile start

Note : While patching 9 version you won’t get any error but 10 and 11 version you may get pg_hba.conf error means peer connection will not support so you have to comment it then start the server.

For postgres major upgrade this blog will helpful for you  https://2ndquadrant.in/postgresql-upgradation-from-9-5-to-11-3/

 

Tag:, ,

Nijamutheen J
Nijamutheen J

Nijamutheen J 7+ years of experience in PostgreSQL, Linux admin , web hosting - apache server , Oracle ,mySQL, Mriadb, vertica DB & Server security administrator

My updated resume is https://www.tutorialdba.com/p/hi-i-have-4.html

Leave A Reply

Connect with