Developer Briefing — February 13, 2020

PostgreSQL 12.2, 11.7, and older branch updates fix CVE-2020-1720 and other bugs, requiring database engine upgrades to maintain supportability and replication stability.

Executive briefing: The PostgreSQL Global Development Group released PostgreSQL 12.2, 11.7, 10.12, 9.6.17, and 9.5.21 on . The updates remediate CVE-2020-1720, where an authenticated replication user can execute arbitrary SQL during slot creation, and include numerous stability fixes.

Why it matters: Environments that expose replication roles or logical decoding could allow privilege escalation if they are not upgraded. Minor version updates are required to stay on supported branches and avoid data corruption edge cases fixed in this cycle.

  • Upgrade clusters: Schedule minor version upgrades to 12.2/11.7/10.12/9.6.17/9.5.21 following standard backup and failover procedures.
  • Harden replication roles: Ensure replication users are restricted and connections secured with SSL; rotate credentials after patching.
  • Validate extensions: Test logical decoding and replication slots after upgrading to confirm plugins and standby behaviors remain stable.
  • Retire 9.5: Plan migration off PostgreSQL 9.5 ahead of its scheduled end of life in February 2021.
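
The upgrade and 9.5 retirement items above can be triaged across a fleet with a check like the following, added here as an illustration and not taken from the briefing or the PostgreSQL project. It decodes the integer returned by `SHOW server_version_num;` and compares it with the fixed minor releases listed above; the host names and version numbers in the inventory are constructed.

```python
# Added example: triage instances against the fixed minors in this briefing.
# Collect the input per instance with:  SHOW server_version_num;

# Fixed minor release per branch, as listed in the briefing.
FIXED_MINOR = {"12": 2, "11": 7, "10": 12, "9.6": 17, "9.5": 21}
# Branch the briefing says to plan migration away from.
RETIRE_BRANCH = "9.5"


def split_version_num(version_num):
    """Decode server_version_num into (branch, minor).

    PostgreSQL 10 and later: MAJOR * 10000 + MINOR      (12.2   -> 120002)
    Before 10, two-part branch: A * 10000 + B * 100 + M (9.6.17 -> 90617)
    """
    major = version_num // 10000
    if major >= 10:
        return str(major), version_num % 10000
    return "{}.{}".format(major, (version_num // 100) % 100), version_num % 100


def triage(version_num):
    """Return (branch, status) for one instance."""
    branch, minor = split_version_num(version_num)
    fixed = FIXED_MINOR.get(branch)
    if fixed is None:
        # Branch is not in this briefing's release list; review it separately.
        return branch, "unlisted"
    status = "patched" if minor >= fixed else "upgrade"
    if branch == RETIRE_BRANCH:
        status += "+retire"
    return branch, status


if __name__ == "__main__":
    # Constructed inventory: hypothetical host name -> server_version_num.
    inventory = {
        "db-primary-01": 120001,
        "db-replica-01": 120002,
        "reporting-01": 110006,
        "legacy-app-01": 90616,
        "legacy-app-02": 90521,
    }
    for host, num in sorted(inventory.items()):
        branch, status = triage(num)
        print("{:<15} branch {:<4} {}".format(host, branch, status))
```

Instances reported as `upgrade` are below the fixed minor for their branch; `+retire` marks 9.5 instances that also need a migration plan.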