Version 14.9.0 v14

Released: 21 Aug 2023

Updated: 30 Aug 2023


After you upgrade to this version of EDB Postgres Advanced Server, you need to run edb_sqlpatch on all your databases to complete the upgrade. This application checks that your databases system objects are up to date with this version. See the EDB SQL Patch documentation for more information on how to deploy this tool.

After applying patches

Users making use of the UTL_MAIL package now require EXECUTE permission on the UTL_SMTP and UTL_TCP packages in addition to EXECUTE permission on UTL_MAIL.

Users making use of the UTL_SMTP package now require EXECUTE permission on the UTL_TCP packages in addition to EXECUTE permission on UTL_SMTP.

EDB Postgres Advanced Server 14.9.0 includes the following enhancements and bug fixes:

Security fixEDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path.CVE-2023-41117
Security fixEDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser.CVE-2023-41119
Security fixEDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory()CVE-2023-41113
Security fixEDB Postgres Advanced Server (EPAS) UTL_FILE permission bypassCVE-2023-41118
Security fixEDB Postgres Advanced Server (EPAS) permission bypass for materialized viewsCVE-2023-41116
Security fixEDB Postgres Advanced Server (EPAS) authenticated users may fetch any URLCVE-2023-41114
Security fixEDB Postgres Advanced Server (EPAS) permission bypass for large objectsCVE-2023-41115
Security fixEDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permissionCVE-2023-41120
Bug fixAllowed subtypes in INDEX BY clause of the packaged collection.#1371
Bug fixFixed %type resolution when pointing to a packaged type field.#1243
Bug fixProfile: Fixed upgrade when REUSE constraints were ENABLED/DISABLED.#92739
Bug fixSet correct collation for packaged cursor parameters.#92739
Bug fixRolled back autonomous transaction creating pg_temp in case of error.#91614
Bug fixAdded checks to ensure required WAL logging in EXCHANGE PARTITION command.
Bug fixDumped/restored the sequences created for GENERATED AS IDENTITY constraint.#90658
Bug fixSkipped updating the last DDL time for the parent table in CREATE INDEX.#91270
Bug fixRemoved existing package private procedure or function entries from the edb_last_ddl_time while replacing the package body.

Entries in the Addresses column are either CVE numbers or, if preceded by #, a customer case number.