FIND-20260329-021 · 2026-03-29 · Innovation Veille

PostgreSQL 17.9 released February 26 — out-of-cycle release fixing CVE-2026-2005 regression

Type: release | Severity: HIGH
PostgreSQL 17.9 was released February 26, 2026 as an out-of-cycle release. The February 12 release (17.8) introduced regressions, including a substring() function error and replica crashes. PostgreSQL 17.9 fixes those regressions while retaining all 5 security vulnerability patches from 17.8, including the fix for CVE-2026-2005 (pgcrypto heap buffer overflow, CVSS 8.8). ODS currently runs PostgreSQL 17, so the ods-postgres container must be updated to at least 17.9. The previously tracked version was already 17.9, which confirms that last-versions.json is current; the ods-postgres container image should still be validated to confirm it is actually running this version.

Source

https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-february-26-2026-3241/

ODS Impact

ods-postgres Docker container: validate that the running image tag is postgres:17.9 or later. If the container is still on 17.7 or earlier, CVE-2026-2005 is unpatched. All 9 ODS schemas (oid, docstore, pdf, workflow, notifications, forms, billing, securemail, editor) are affected until the container is updated.
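A check script for the validation step above, added here as an example (it is not part of this finding or of ODS tooling); the container name ods-postgres and the superuser role postgres are assumptions, and the 17.9 floor comes from the note.

```shell
#!/usr/bin/env bash
# Added example for this finding, not part of the advisory or of ODS tooling.
# Assumptions: the container is named ods-postgres and the superuser role is
# "postgres"; the 17.9 minimum comes from the finding above.
set -eu

MIN_MAJOR=17
MIN_MINOR=9

# Pull "MAJOR.MINOR" out of any of the strings we may be handed:
#   "17.9 (Debian 17.9-1.pgdg120+1)"          from SHOW server_version
#   "postgres:17.8-alpine"                     an image tag
#   "PostgreSQL 17.10 on x86_64-pc-linux-gnu"  from SELECT version()
pg_extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+' | head -n1
}

# Returns 0 when the version is 17.9 or later, 1 otherwise. The parts are
# compared numerically, so 17.10 ranks above 17.9 (a string sort would not).
pg_version_ok() {
    local v major minor
    v="$(pg_extract_version "$1")"
    [ -n "$v" ] || return 1
    major="${v%%.*}"
    minor="${v#*.}"
    if [ "$major" -gt "$MIN_MAJOR" ]; then
        return 0
    fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then
        return 0
    fi
    return 1
}

# Live check: record the image tag, but decide on the server's own version,
# since a floating tag such as postgres:17 hides the minor release running.
check_ods_postgres() {
    local name="${1:-ods-postgres}" image running
    image="$(docker inspect --format '{{.Config.Image}}' "$name")"
    running="$(docker exec "$name" psql -U postgres -tAc 'SHOW server_version')"
    if pg_version_ok "$running"; then
        echo "OK: $name runs PostgreSQL $running (image $image)"
    else
        echo "ACTION: $name runs PostgreSQL $running (image $image); 17.9+ needed for CVE-2026-2005" >&2
        return 1
    fi
}
```

Source the file and call check_ods_postgres on the Docker host; a non-zero exit means the container still needs the 17.9 update.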

Security Review

License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

postgresql release security database pgcrypto upgrade