Schedule - PGConf.DE 2025
All about common vulnerabilities and exposures (CVE) in Postgres
Date: 2025-05-09
Time: 12:40–13:25
Room: Ballsaal 3
Level: Beginner
Security is always of utmost priority in the computing world, and Postgres implements it in several ways. One such way is through roles and privileges. The highest-privileged role is the superuser. A role that is not a superuser is usually restricted from performing certain actions, whether installing certain extensions, viewing certain tables, or altering the database state, unless a superuser grants it permission to do so. However, Postgres is an open source community product that is constantly adding new features, and running a project on a Postgres database involves not only the Postgres binary but also the hardware and OS on which it is hosted, the application framework and client libraries, and the various extensions installed. This can sometimes lead to bugs that enable a non-privileged user to perform actions or access data for which it has not been granted permission. Therefore it is very important for DBAs to know about CVEs. A DBA must check for CVE announcements, assess their impact on their environment, and apply minor version upgrades or fixes, whichever is applicable. This is also important for users who host their databases in the cloud: they should check with their cloud providers that the environment is secure and that such vulnerabilities are handled.
My talk will be about:
- What is a CVE and a CNA?
- Why is it important?
- What Postgres projects are currently included?
- Postgres security releases: timeline, where to check and what to check, enabling notifications
- How to report a security bug if a user finds one, and what actions will follow
- Some example CVEs