From 99978b44d6fbf5f1e576d54e2ec8a2f5fdff40b1 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 23 Sep 2024 13:40:45 +0100 Subject: [PATCH 1/9] POC draft for Security Hub Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/index.mdx | 124 +++--------------- .../advisories/cve.mdx.template | 0 .../advisories/cve20074639.mdx | 0 .../advisories/cve201910128.mdx | 0 .../advisories/cve202331043.mdx | 0 .../advisories/cve202341113.mdx | 0 .../advisories/cve202341114.mdx | 0 .../advisories/cve202341115.mdx | 0 .../advisories/cve202341116.mdx | 0 .../advisories/cve202341117.mdx | 0 .../advisories/cve202341118.mdx | 0 .../advisories/cve202341119.mdx | 0 .../advisories/cve202341120.mdx | 0 .../advisories/cve20244545.mdx | 0 .../{ => notifications}/advisories/index.mdx | 0 .../advisories/table.template | 0 .../assessments/cve-2024-0985.mdx | 0 .../assessments/cve-2024-1597.mdx | 0 .../assessments/cve-2024-4317.mdx | 0 .../assessments/cve-2024-7348.mdx | 0 .../{ => notifications}/assessments/index.mdx | 0 .../security/notifications/index.mdx | 121 +++++++++++++++++ .../templates/advisoriesindex.njs | 0 .../templates/assessmentsindex.njs | 0 .../templates/securityindex.njs | 0 .../vulnerability-disclosure-policy.mdx | 0 .../security/securing-epas/TDE/index.mdx | 7 + .../security/securing-epas/index.mdx | 8 ++ advocacy_docs/security/securing-pgd/index.mdx | 8 ++ .../securing-postgresql/101/index.mdx | 7 + .../securing-postgresql/201/index.mdx | 7 + .../securing-postgresql/301/index.mdx | 7 + .../security/securing-postgresql/index.mdx | 8 ++ src/pages/index.js | 14 +- 34 files changed, 200 insertions(+), 111 deletions(-) rename advocacy_docs/security/{ => notifications}/advisories/cve.mdx.template (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve20074639.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve201910128.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202331043.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341113.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341114.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341115.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341116.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341117.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341118.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341119.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve202341120.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/cve20244545.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/index.mdx (100%) rename advocacy_docs/security/{ => notifications}/advisories/table.template (100%) rename advocacy_docs/security/{ => notifications}/assessments/cve-2024-0985.mdx (100%) rename advocacy_docs/security/{ => notifications}/assessments/cve-2024-1597.mdx (100%) rename advocacy_docs/security/{ => notifications}/assessments/cve-2024-4317.mdx (100%) rename advocacy_docs/security/{ => notifications}/assessments/cve-2024-7348.mdx (100%) rename advocacy_docs/security/{ => notifications}/assessments/index.mdx (100%) create mode 100644 advocacy_docs/security/notifications/index.mdx rename advocacy_docs/security/{ => notifications}/templates/advisoriesindex.njs (100%) rename advocacy_docs/security/{ => notifications}/templates/assessmentsindex.njs (100%) rename advocacy_docs/security/{ => notifications}/templates/securityindex.njs (100%) rename advocacy_docs/security/{ => notifications}/vulnerability-disclosure-policy.mdx (100%) create mode 100644 advocacy_docs/security/securing-epas/TDE/index.mdx create mode 100644 advocacy_docs/security/securing-epas/index.mdx create mode 100644 advocacy_docs/security/securing-pgd/index.mdx create mode 100644 advocacy_docs/security/securing-postgresql/101/index.mdx create mode 100644 advocacy_docs/security/securing-postgresql/201/index.mdx create mode 100644 advocacy_docs/security/securing-postgresql/301/index.mdx create mode 100644 advocacy_docs/security/securing-postgresql/index.mdx diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 003cb05203d..8471b72b245 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -1,120 +1,28 @@ --- -WARNING: THIS IS AN AUTOMATICALLY GENERATED FILE - DO NOT MANUALLY EDIT - SEE tools/automation/generators/advisoryindex -title: EDB Security -navTitle: EDB Security +title: EDB Security Hub +navTitle: Security directoryDefaults: iconName: Security - indexCards: none + indexCards: full hideKBLink: true navigation: - - vulnerability-disclosure-policy - - advisories - - assessments +- securing-postgresql +- securing-epas +- securing-pgd +- notifications --- -EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers. Transparency is a core principle for the program and part of this effort includes welcoming incoming reports so that we can address concerns surfaced by our customers or security researchers. You’ll also find it in our advisories, which detail issues found and the required fixes or mitigations needed to keep your data and databases safe. +This is the EDB Security Hub. It's a collection of resources to help you secure your PostgreSQL and EDB Postgres Databases, with everything from practical guides on how to secure your database, to the latest security updates and patches. -## Policies +If you are loooking for a higher-level overview, at a CISO or CTO level, you may want to check out the **[EDB Trust Center](https://trust.enterprisedb.com)**. -*

EDB Vulnerability Disclosure Policy

-This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB. +**[Securing PostgreSQL](securing-postgresql)** - This section provides a comprehensive guide on how to secure your PostgreSQL database. It covers everything from the basics of authentication and authorization, to more advanced topics such as encryption and auditing. +* [PostgreSQL Security 101]() - The essentials of PostgreSQL security for those new to securing their database. +* [PostgreSQL Security 201]() - More advanced topics for those looking to take their security to the next level. +* [PostgreSQL Security 301]() - Your guide to Compliance, certifications, auditing and other higher-level issues. -## Advisories +**[Securing EDB Postgres Advanced Server](securing-epas)** - This section provides a comprehensive guide on how to secure your EDB Postgres Advanced Server database. Building on the PostgreSQL guides, it covers features that are unique to EPAS. It includes a guide on how to secure your data at rest using Transparent Data Encryption (TDE) in EDB Postgres Advanced Server. -*

Full list of advisories issued

+**[Securing EDB Postgres Distributed](securing-pgd)** - This section provides a comprehensive guide on how to secure your EDB Postgres Distributed and the needs of a distributed database. Building on the Postgres and EPAS security guides, this section covers the unique security considerations for distributed databases. -## PostgreSQL CVE Assessments - -*

Full list of PostgreSQL CVE advisories assessed by EDB

- -## Most Recent Advisories - - - - - - -
-

CVE-2024-4545

- -  Read Advisory -  Updated: 2024/05/09 -

EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr

-
All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0
- -
-Summary:  -All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. -
-Read More... -
- -## Most Recent Assessments - - - - - - - - - - - - - - - -
-

CVE-2024-7348

- -  Read Assessment -  Updated: 2024/08/15 -

PostgreSQL relation replacement during pg_dump executes arbitrary SQL

-
All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13
- -
-Summary:  -Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. -
-Read More... -
-

CVE-2024-4317

- -  Read Assessment -  Updated: 2024/05/09 -

Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner

-
All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12
- -
-Summary:  -Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected. -
-Read More... -
-

CVE-2024-1597

- -  Read Assessment -  Updated: 2024/03/08 -

SQL Injection via line comment generation

-
pgJDBC all versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 and EDB pgJDBC all versions prior to 42.5.5
- -
-Summary:  -pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected. -
-Read More... -
-

CVE-2024-0985

- -  Read Assessment -  Updated: 2024/02/26 -

PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

-
PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0
- -
-Summary:  -Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability. -
-Read More... -
\ No newline at end of file +**[Notifications](notifications)** - This is where you'll find reported security vulnerabilities and details on how to address them. This includes flaws which have been fixed in the PostgreSQL community and assessments on how they impact EDB users, as well as any advisories and fixes released by EDB. \ No newline at end of file diff --git a/advocacy_docs/security/advisories/cve.mdx.template b/advocacy_docs/security/notifications/advisories/cve.mdx.template similarity index 100% rename from advocacy_docs/security/advisories/cve.mdx.template rename to advocacy_docs/security/notifications/advisories/cve.mdx.template diff --git a/advocacy_docs/security/advisories/cve20074639.mdx b/advocacy_docs/security/notifications/advisories/cve20074639.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve20074639.mdx rename to advocacy_docs/security/notifications/advisories/cve20074639.mdx diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/notifications/advisories/cve201910128.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve201910128.mdx rename to advocacy_docs/security/notifications/advisories/cve201910128.mdx diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/notifications/advisories/cve202331043.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202331043.mdx rename to advocacy_docs/security/notifications/advisories/cve202331043.mdx diff --git a/advocacy_docs/security/advisories/cve202341113.mdx b/advocacy_docs/security/notifications/advisories/cve202341113.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341113.mdx rename to advocacy_docs/security/notifications/advisories/cve202341113.mdx diff --git a/advocacy_docs/security/advisories/cve202341114.mdx b/advocacy_docs/security/notifications/advisories/cve202341114.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341114.mdx rename to advocacy_docs/security/notifications/advisories/cve202341114.mdx diff --git a/advocacy_docs/security/advisories/cve202341115.mdx b/advocacy_docs/security/notifications/advisories/cve202341115.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341115.mdx rename to advocacy_docs/security/notifications/advisories/cve202341115.mdx diff --git a/advocacy_docs/security/advisories/cve202341116.mdx b/advocacy_docs/security/notifications/advisories/cve202341116.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341116.mdx rename to advocacy_docs/security/notifications/advisories/cve202341116.mdx diff --git a/advocacy_docs/security/advisories/cve202341117.mdx b/advocacy_docs/security/notifications/advisories/cve202341117.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341117.mdx rename to advocacy_docs/security/notifications/advisories/cve202341117.mdx diff --git a/advocacy_docs/security/advisories/cve202341118.mdx b/advocacy_docs/security/notifications/advisories/cve202341118.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341118.mdx rename to advocacy_docs/security/notifications/advisories/cve202341118.mdx diff --git a/advocacy_docs/security/advisories/cve202341119.mdx b/advocacy_docs/security/notifications/advisories/cve202341119.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341119.mdx rename to advocacy_docs/security/notifications/advisories/cve202341119.mdx diff --git a/advocacy_docs/security/advisories/cve202341120.mdx b/advocacy_docs/security/notifications/advisories/cve202341120.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve202341120.mdx rename to advocacy_docs/security/notifications/advisories/cve202341120.mdx diff --git a/advocacy_docs/security/advisories/cve20244545.mdx b/advocacy_docs/security/notifications/advisories/cve20244545.mdx similarity index 100% rename from advocacy_docs/security/advisories/cve20244545.mdx rename to advocacy_docs/security/notifications/advisories/cve20244545.mdx diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/notifications/advisories/index.mdx similarity index 100% rename from advocacy_docs/security/advisories/index.mdx rename to advocacy_docs/security/notifications/advisories/index.mdx diff --git a/advocacy_docs/security/advisories/table.template b/advocacy_docs/security/notifications/advisories/table.template similarity index 100% rename from advocacy_docs/security/advisories/table.template rename to advocacy_docs/security/notifications/advisories/table.template diff --git a/advocacy_docs/security/assessments/cve-2024-0985.mdx b/advocacy_docs/security/notifications/assessments/cve-2024-0985.mdx similarity index 100% rename from advocacy_docs/security/assessments/cve-2024-0985.mdx rename to advocacy_docs/security/notifications/assessments/cve-2024-0985.mdx diff --git a/advocacy_docs/security/assessments/cve-2024-1597.mdx b/advocacy_docs/security/notifications/assessments/cve-2024-1597.mdx similarity index 100% rename from advocacy_docs/security/assessments/cve-2024-1597.mdx rename to advocacy_docs/security/notifications/assessments/cve-2024-1597.mdx diff --git a/advocacy_docs/security/assessments/cve-2024-4317.mdx b/advocacy_docs/security/notifications/assessments/cve-2024-4317.mdx similarity index 100% rename from advocacy_docs/security/assessments/cve-2024-4317.mdx rename to advocacy_docs/security/notifications/assessments/cve-2024-4317.mdx diff --git a/advocacy_docs/security/assessments/cve-2024-7348.mdx b/advocacy_docs/security/notifications/assessments/cve-2024-7348.mdx similarity index 100% rename from advocacy_docs/security/assessments/cve-2024-7348.mdx rename to advocacy_docs/security/notifications/assessments/cve-2024-7348.mdx diff --git a/advocacy_docs/security/assessments/index.mdx b/advocacy_docs/security/notifications/assessments/index.mdx similarity index 100% rename from advocacy_docs/security/assessments/index.mdx rename to advocacy_docs/security/notifications/assessments/index.mdx diff --git a/advocacy_docs/security/notifications/index.mdx b/advocacy_docs/security/notifications/index.mdx new file mode 100644 index 00000000000..f990617569d --- /dev/null +++ b/advocacy_docs/security/notifications/index.mdx @@ -0,0 +1,121 @@ +--- +WARNING: THIS IS AN AUTOMATICALLY GENERATED FILE - DO NOT MANUALLY EDIT - SEE tools/automation/generators/advisoryindex +title: EDB Security Notifications +navTitle: EDB Notifications +directoryDefaults: + iconName: Security + indexCards: none + hideKBLink: true +description: A full listing of all security advisories and assessments issued by EDB. It includes details on how to address them, as well as any advisories and fixes released by EDB. +navigation: + - vulnerability-disclosure-policy + - advisories + - assessments +--- + +EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers. Transparency is a core principle for the program and part of this effort includes welcoming incoming reports so that we can address concerns surfaced by our customers or security researchers. You’ll also find it in our advisories, which detail issues found and the required fixes or mitigations needed to keep your data and databases safe. + +## Policies + +*

EDB Vulnerability Disclosure Policy

+This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB. + +## Advisories + +*

Full list of advisories issued

+ +## PostgreSQL CVE Assessments + +*

Full list of PostgreSQL CVE advisories assessed by EDB

+ +## Most Recent Advisories + + + + + + +
+

CVE-2024-4545

+ +  Read Advisory +  Updated: 2024/05/09 +

EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr

+
All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0
+ +
+Summary:  +All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access. +
+Read More... +
+ +## Most Recent Assessments + + + + + + + + + + + + + + + +
+

CVE-2024-7348

+ +  Read Assessment +  Updated: 2024/08/15 +

PostgreSQL relation replacement during pg_dump executes arbitrary SQL

+
All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13
+ +
+Summary:  +Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. +
+Read More... +
+

CVE-2024-4317

+ +  Read Assessment +  Updated: 2024/05/09 +

Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner

+
All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12
+ +
+Summary:  +Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected. +
+Read More... +
+

CVE-2024-1597

+ +  Read Assessment +  Updated: 2024/03/08 +

SQL Injection via line comment generation

+
pgJDBC all versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 and EDB pgJDBC all versions prior to 42.5.5
+ +
+Summary:  +pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected. +
+Read More... +
+

CVE-2024-0985

+ +  Read Assessment +  Updated: 2024/02/26 +

PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

+
PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0
+ +
+Summary:  +Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability. +
+Read More... +
\ No newline at end of file diff --git a/advocacy_docs/security/templates/advisoriesindex.njs b/advocacy_docs/security/notifications/templates/advisoriesindex.njs similarity index 100% rename from advocacy_docs/security/templates/advisoriesindex.njs rename to advocacy_docs/security/notifications/templates/advisoriesindex.njs diff --git a/advocacy_docs/security/templates/assessmentsindex.njs b/advocacy_docs/security/notifications/templates/assessmentsindex.njs similarity index 100% rename from advocacy_docs/security/templates/assessmentsindex.njs rename to advocacy_docs/security/notifications/templates/assessmentsindex.njs diff --git a/advocacy_docs/security/templates/securityindex.njs b/advocacy_docs/security/notifications/templates/securityindex.njs similarity index 100% rename from advocacy_docs/security/templates/securityindex.njs rename to advocacy_docs/security/notifications/templates/securityindex.njs diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/notifications/vulnerability-disclosure-policy.mdx similarity index 100% rename from advocacy_docs/security/vulnerability-disclosure-policy.mdx rename to advocacy_docs/security/notifications/vulnerability-disclosure-policy.mdx diff --git a/advocacy_docs/security/securing-epas/TDE/index.mdx b/advocacy_docs/security/securing-epas/TDE/index.mdx new file mode 100644 index 00000000000..098d94a457a --- /dev/null +++ b/advocacy_docs/security/securing-epas/TDE/index.mdx @@ -0,0 +1,7 @@ +--- +title: Transparent Data Encryption for Postgres +navTitle: TDE +description: Transparent Data Encryption (TDE) is a technology that encrypts data at rest. This guide provides an overview of TDE and how to implement it in PostgreSQL. +--- + +TBD \ No newline at end of file diff --git a/advocacy_docs/security/securing-epas/index.mdx b/advocacy_docs/security/securing-epas/index.mdx new file mode 100644 index 00000000000..35e0ac12555 --- /dev/null +++ b/advocacy_docs/security/securing-epas/index.mdx @@ -0,0 +1,8 @@ +--- +title: Securing EDB Postgres Advanced Server +navTitle: Securing EPAS +description: This section provides a comprehensive guide on how to secure your EDB Postgres Advanced Server database. Building on the PostgreSQL guides, it covers features that are unique to EPAS. +--- + +TBD + diff --git a/advocacy_docs/security/securing-pgd/index.mdx b/advocacy_docs/security/securing-pgd/index.mdx new file mode 100644 index 00000000000..a01fe0fc1e2 --- /dev/null +++ b/advocacy_docs/security/securing-pgd/index.mdx @@ -0,0 +1,8 @@ +--- +title: Securing EDB Postgres Distributed +navTitle: Securing PGD +description: Containing, a full explanation on why and how to secure your EDB Postgres Distributed clusters and the needs of a distributed database. Building on the PostgreSQL and EPAS security guides, this section covers the unique security considerations for distributed databases. +--- + +TBD + diff --git a/advocacy_docs/security/securing-postgresql/101/index.mdx b/advocacy_docs/security/securing-postgresql/101/index.mdx new file mode 100644 index 00000000000..3d04c501b58 --- /dev/null +++ b/advocacy_docs/security/securing-postgresql/101/index.mdx @@ -0,0 +1,7 @@ +--- +title: Securing PostgreSQL 101 +navTitle: Security 101 +description: The essentials of PostgreSQL security for those new to securing their database. +--- + +TBD diff --git a/advocacy_docs/security/securing-postgresql/201/index.mdx b/advocacy_docs/security/securing-postgresql/201/index.mdx new file mode 100644 index 00000000000..75856a51c16 --- /dev/null +++ b/advocacy_docs/security/securing-postgresql/201/index.mdx @@ -0,0 +1,7 @@ +--- +title: Securing PostgreSQL 201 +navTitle: Security 201 +description: Building on the basics, this guide covers more advanced topics in PostgreSQL security. +--- + +TBD diff --git a/advocacy_docs/security/securing-postgresql/301/index.mdx b/advocacy_docs/security/securing-postgresql/301/index.mdx new file mode 100644 index 00000000000..b0a112576dd --- /dev/null +++ b/advocacy_docs/security/securing-postgresql/301/index.mdx @@ -0,0 +1,7 @@ +--- +title: Securing PostgreSQL 301 +navTitle: Security 301 +description: Your guide to Compliance, certifications, auditing and other higher-level issues. +--- + +TBD diff --git a/advocacy_docs/security/securing-postgresql/index.mdx b/advocacy_docs/security/securing-postgresql/index.mdx new file mode 100644 index 00000000000..28d7ab91cd7 --- /dev/null +++ b/advocacy_docs/security/securing-postgresql/index.mdx @@ -0,0 +1,8 @@ +--- +title: Securing PostgreSQL +navTitle: Securing PostgreSQL +description: Guides on how to secure your PostgreSQL database can be found here. It covers everything from the basics of authentication and authorization, to more advanced topics such as encryption and auditing. +--- + +TBD + diff --git a/src/pages/index.js b/src/pages/index.js index abd5f6d3829..fd2ea601312 100644 --- a/src/pages/index.js +++ b/src/pages/index.js @@ -343,15 +343,23 @@ const Page = () => { - Downloads and Repositories + Downloads & Repositories + Security Hub + + + From 5740e0d4ee2a904cdcd50c8a44126af13dc5e082 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 23 Sep 2024 13:40:52 +0100 Subject: [PATCH 2/9] Missed from prev commit Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/securing-epas/TDE/index.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/advocacy_docs/security/securing-epas/TDE/index.mdx b/advocacy_docs/security/securing-epas/TDE/index.mdx index 098d94a457a..fa3959c03b6 100644 --- a/advocacy_docs/security/securing-epas/TDE/index.mdx +++ b/advocacy_docs/security/securing-epas/TDE/index.mdx @@ -4,4 +4,5 @@ navTitle: TDE description: Transparent Data Encryption (TDE) is a technology that encrypts data at rest. This guide provides an overview of TDE and how to implement it in PostgreSQL. --- -TBD \ No newline at end of file +TBD + From 7a5a96140925589c3c9a52d51567d97a2fb08939 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 23 Sep 2024 13:50:29 +0100 Subject: [PATCH 3/9] Various link adjustments Signed-off-by: Dj Walker-Morgan --- .../notifications/assessments/cve-2024-1597.mdx | 2 +- .../11/epas_rel_notes/epas11_21_32_rel_notes.mdx | 16 ++++++++-------- .../12/epas_rel_notes/epas12_16_20_rel_notes.mdx | 16 ++++++++-------- .../13/epas_rel_notes/epas13_12_17_rel_notes.mdx | 16 ++++++++-------- .../14/epas_rel_notes/epas14_12_0_rel_notes.mdx | 2 +- .../14/epas_rel_notes/epas14_9_0_rel_notes.mdx | 16 ++++++++-------- .../15/epas_rel_notes/epas15_4_0_rel_notes.mdx | 16 ++++++++-------- .../15/epas_rel_notes/epas15_7_0_rel_notes.mdx | 4 ++-- .../16/epas_rel_notes/epas16_3_0_rel_notes.mdx | 4 ++-- .../jdbc_42.5.1.1_rel_notes.mdx | 2 +- .../jdbc_42.5.4.2_rel_notes.mdx | 2 +- .../docs/pge/15/release_notes/rel_notes15.7.mdx | 2 +- .../docs/pge/16/release_notes/rel_notes16.3.mdx | 2 +- 13 files changed, 50 insertions(+), 50 deletions(-) diff --git a/advocacy_docs/security/notifications/assessments/cve-2024-1597.mdx b/advocacy_docs/security/notifications/assessments/cve-2024-1597.mdx index b43ccb7e657..d0d764282b1 100644 --- a/advocacy_docs/security/notifications/assessments/cve-2024-1597.mdx +++ b/advocacy_docs/security/notifications/assessments/cve-2024-1597.mdx @@ -73,7 +73,7 @@ Updated EDB JDBC Drivers are available in EDB Repos in the form of RPM and DEB n ## Related information -* [pjdbc team's advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56) +* [pjdbc team's advisory](https://github.com/pgjdbc/pgjdbc/security/notifications/advisories/GHSA-24rp-q3w6-vc56) * [EnterpriseDB](https://www.enterprisedb.com/) * [EDB Blogs link](https://enterprisedb.com/blog/) diff --git a/product_docs/docs/epas/11/epas_rel_notes/epas11_21_32_rel_notes.mdx b/product_docs/docs/epas/11/epas_rel_notes/epas11_21_32_rel_notes.mdx index da4d23aa2b9..855fbf02e64 100644 --- a/product_docs/docs/epas/11/epas_rel_notes/epas11_21_32_rel_notes.mdx +++ b/product_docs/docs/epas/11/epas_rel_notes/epas11_21_32_rel_notes.mdx @@ -21,14 +21,14 @@ EDB Postgres Advanced Server 11.21.32 includes the following enhancements and bu | Type | Description | Addresses                | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------| --------------------- | -| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/advisories/cve202341117/) | -| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/advisories/cve202341119/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/advisories/cve202341113/) | -| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/advisories/cve202341118/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/advisories/cve202341116/) | -| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/advisories/cve202341114/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/advisories/cve202341115/) | -| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/advisories/cve202341120/) | +| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/notifications/advisories/cve202341117/) | +| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/notifications/advisories/cve202341119/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/notifications/advisories/cve202341113/) | +| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/notifications/advisories/cve202341118/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/notifications/advisories/cve202341116/) | +| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/notifications/advisories/cve202341114/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/notifications/advisories/cve202341115/) | +| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/notifications/advisories/cve202341120/) | | Bug fix | Allowed subtypes in INDEX BY clause of the packaged collection. | #1371 | | Bug fix | Fixed %type resolution when pointing to a packaged type field. | #1243 | diff --git a/product_docs/docs/epas/12/epas_rel_notes/epas12_16_20_rel_notes.mdx b/product_docs/docs/epas/12/epas_rel_notes/epas12_16_20_rel_notes.mdx index cce0cfa56ba..9ab9baa7dc8 100644 --- a/product_docs/docs/epas/12/epas_rel_notes/epas12_16_20_rel_notes.mdx +++ b/product_docs/docs/epas/12/epas_rel_notes/epas12_16_20_rel_notes.mdx @@ -21,14 +21,14 @@ EDB Postgres Advanced Server 12.16.20 includes the following enhancements and bu | Type | Description | Addresses                | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------| --------------------- | -| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/advisories/cve202341117/) | -| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/advisories/cve202341119/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/advisories/cve202341113/) | -| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/advisories/cve202341118/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/advisories/cve202341116/) | -| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/advisories/cve202341114/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/advisories/cve202341115/) | -| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/advisories/cve202341120/) | +| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/notifications/advisories/cve202341117/) | +| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/notifications/advisories/cve202341119/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/notifications/advisories/cve202341113/) | +| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/notifications/advisories/cve202341118/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/notifications/advisories/cve202341116/) | +| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/notifications/advisories/cve202341114/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/notifications/advisories/cve202341115/) | +| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/notifications/advisories/cve202341120/) | | Bug fix | Allowed subtypes in INDEX BY clause of the packaged collection. | #1371 | | Bug fix | Fixed %type resolution when pointing to a packaged type field. | #1243 | | Bug fix | Profile: Fixed upgrade when `REUSE` constraints were `ENABLED`/`DISABLED`. | #92739 | diff --git a/product_docs/docs/epas/13/epas_rel_notes/epas13_12_17_rel_notes.mdx b/product_docs/docs/epas/13/epas_rel_notes/epas13_12_17_rel_notes.mdx index 092e3f925ae..6c5811a9e1a 100644 --- a/product_docs/docs/epas/13/epas_rel_notes/epas13_12_17_rel_notes.mdx +++ b/product_docs/docs/epas/13/epas_rel_notes/epas13_12_17_rel_notes.mdx @@ -21,14 +21,14 @@ EDB Postgres Advanced Server 13.12.17 includes the following enhancements and bu | Type | Description | Addresses                | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------| --------------------- | -| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/advisories/cve202341117/) | -| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/advisories/cve202341119/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/advisories/cve202341113/) | -| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/advisories/cve202341118/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/advisories/cve202341116/) | -| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/advisories/cve202341114/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/advisories/cve202341115/) | -| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/advisories/cve202341120/) | +| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/notifications/advisories/cve202341117/) | +| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/notifications/advisories/cve202341119/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/notifications/advisories/cve202341113/) | +| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/notifications/advisories/cve202341118/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/notifications/advisories/cve202341116/) | +| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/notifications/advisories/cve202341114/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/notifications/advisories/cve202341115/) | +| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/notifications/advisories/cve202341120/) | | Bug fix | Allowed subtypes in INDEX BY clause of the packaged collection. | #1371 | | Bug fix | Fixed %type resolution when pointing to a packaged type field. | #1243 | | Bug fix | Profile: Fixed upgrade when `REUSE` constraints were `ENABLED`/`DISABLED`. | #92739 | diff --git a/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx index 8b09fb72acc..cfc2dd3653f 100644 --- a/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx +++ b/product_docs/docs/epas/14/epas_rel_notes/epas14_12_0_rel_notes.mdx @@ -9,7 +9,7 @@ EDB Postgres Advanced Server 14.12.0 includes the following enhancements and bug | Type | Description | Addresses                | |----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 14.12. This release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 14.12 Release Notes](https://www.postgresql.org/docs/release/14.12/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | +| Upstream merge | Merged with community PostgreSQL 14.12. This release includes a fix for [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317). See the [PostgreSQL 14.12 Release Notes](https://www.postgresql.org/docs/release/14.12/) for more information. | [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | | Bug fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 | diff --git a/product_docs/docs/epas/14/epas_rel_notes/epas14_9_0_rel_notes.mdx b/product_docs/docs/epas/14/epas_rel_notes/epas14_9_0_rel_notes.mdx index 5dd0d882c2c..8392956ddd2 100644 --- a/product_docs/docs/epas/14/epas_rel_notes/epas14_9_0_rel_notes.mdx +++ b/product_docs/docs/epas/14/epas_rel_notes/epas14_9_0_rel_notes.mdx @@ -21,14 +21,14 @@ EDB Postgres Advanced Server 14.9.0 includes the following enhancements and bug | Type | Description | Addresses                | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------| --------------------- | -| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/advisories/cve202341117/) | -| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/advisories/cve202341119/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/advisories/cve202341113/) | -| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/advisories/cve202341118/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/advisories/cve202341116/) | -| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/advisories/cve202341114/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/advisories/cve202341115/) | -| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/advisories/cve202341120/) | +| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/notifications/advisories/cve202341117/) | +| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/notifications/advisories/cve202341119/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/notifications/advisories/cve202341113/) | +| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/notifications/advisories/cve202341118/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/notifications/advisories/cve202341116/) | +| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/notifications/advisories/cve202341114/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/notifications/advisories/cve202341115/) | +| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/notifications/advisories/cve202341120/) | | Bug fix | Allowed subtypes in INDEX BY clause of the packaged collection. | #1371 | | Bug fix | Fixed %type resolution when pointing to a packaged type field. | #1243 | | Bug fix | Profile: Fixed upgrade when `REUSE` constraints were `ENABLED`/`DISABLED`. | #92739 | diff --git a/product_docs/docs/epas/15/epas_rel_notes/epas15_4_0_rel_notes.mdx b/product_docs/docs/epas/15/epas_rel_notes/epas15_4_0_rel_notes.mdx index ab3c24e9da7..0705deedee0 100644 --- a/product_docs/docs/epas/15/epas_rel_notes/epas15_4_0_rel_notes.mdx +++ b/product_docs/docs/epas/15/epas_rel_notes/epas15_4_0_rel_notes.mdx @@ -23,14 +23,14 @@ EDB Postgres Advanced Server 15.4.0 includes the following enhancements and bug | Type | Description | Addresses                | | | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | | Upstream merge | Merged with community PostgreSQL 15.4. See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-4.html) for more information. | | -| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/advisories/cve202341117/) | -| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/advisories/cve202341119/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/advisories/cve202341113/) | -| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/advisories/cve202341118/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/advisories/cve202341116/) | -| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/advisories/cve202341114/) | -| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/advisories/cve202341115/) | -| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/advisories/cve202341120/) | +| Security fix | EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path. | [CVE-2023-41117](/security/notifications/advisories/cve202341117/) | +| Security fix | EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser. | [CVE-2023-41119](/security/notifications/advisories/cve202341119/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory() | [CVE-2023-41113](/security/notifications/advisories/cve202341113/) | +| Security fix | EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass | [CVE-2023-41118](/security/notifications/advisories/cve202341118/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for materialized views | [CVE-2023-41116](/security/notifications/advisories/cve202341116/) | +| Security fix | EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL | [CVE-2023-41114](/security/notifications/advisories/cve202341114/) | +| Security fix | EDB Postgres Advanced Server (EPAS) permission bypass for large objects | [CVE-2023-41115](/security/notifications/advisories/cve202341115/) | +| Security fix | EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission | [CVE-2023-41120](/security/notifications/advisories/cve202341120/) | | Bug fix | Allowed subtypes in INDEX BY clause of the packaged collection. | #1371 | | Bug fix | Fixed %type resolution when pointing to a packaged type field. | #1243 | | Bug fix | Profile: Fixed upgrade when `REUSE` constraints were `ENABLED`/`DISABLED`. | #92739 | diff --git a/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx index 13a411b0f0a..411033f18a1 100644 --- a/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx +++ b/product_docs/docs/epas/15/epas_rel_notes/epas15_7_0_rel_notes.mdx @@ -9,8 +9,8 @@ EDB Postgres Advanced Server 15.7.0 includes the following enhancements and bug | Type | Description | Addresses                | |-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 15.7. This release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15.7 Release Notes](https://www.postgresql.org/docs/release/15.7/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317)| -| Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve20244545/) | +| Upstream merge | Merged with community PostgreSQL 15.7. This release includes a fix for [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317). See the [PostgreSQL 15.7 Release Notes](https://www.postgresql.org/docs/release/15.7/) for more information. | [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317)| +| Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/notifications/advisories/cve20244545/) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | | Bug fix | Fixed an issue to fetch all the attributes correctly from the sublink in `CONNECT BY` processing to avoid the server crash. | #102746 | diff --git a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx index 4a7e46d417f..7c7a51631e3 100644 --- a/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx +++ b/product_docs/docs/epas/16/epas_rel_notes/epas16_3_0_rel_notes.mdx @@ -9,8 +9,8 @@ EDB Postgres Advanced Server 16.3.0 includes the following enhancements and bug | Type | Description | Addresses                | |-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Upstream merge | Merged with community PostgreSQL 16.3. This release includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/release/16.3/) for more information. | [CVE-2024-4317](/security/assessments/cve-2024-4317) | -| Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/advisories/cve20244545/) | +| Upstream merge | Merged with community PostgreSQL 16.3. This release includes a fix for [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/release/16.3/) for more information. | [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317) | +| Security fix | Fixed an issue for `edbldr`. Now `edbldr` checks the `pg_read_server_files` privilege before accessing the data files. | #35906, [CVE-2024-4545](/security/notifications/advisories/cve20244545/) | | Bug fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 | | Bug fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 | | Bug fix | Fixed an issue to fetch all the attributes correctly from the sublink in `CONNECT BY` processing to avoid the server crash. | #102746 | diff --git a/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.1.1_rel_notes.mdx b/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.1.1_rel_notes.mdx index 76dd70a8c0e..b4a918bc315 100644 --- a/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.1.1_rel_notes.mdx +++ b/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.1.1_rel_notes.mdx @@ -12,7 +12,7 @@ New features, enhancements, bug fixes, and other changes in the EDB JDBC Connect | Type | Description | | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Upstream Merge | Merged with the upstream community driver version 42.5.1. See the community [JDBC documentation](https://jdbc.postgresql.org/changelogs/2022-11-23-42.5.1-release/) for details. | -| Security Fix | [CVE-2022-41946](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) - StreamWrapper spills to disk if setText or setBytea sends very large strings or arrays to the server. createTempFile creates a file that can be read by other users on Unix-like systems (not MacOS). | +| Security Fix | [CVE-2022-41946](https://github.com/pgjdbc/pgjdbc/security/notifications/advisories/GHSA-562r-vg33-8x8h) - StreamWrapper spills to disk if setText or setBytea sends very large strings or arrays to the server. createTempFile creates a file that can be read by other users on Unix-like systems (not MacOS). | diff --git a/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.4.2_rel_notes.mdx b/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.4.2_rel_notes.mdx index 06c8f93f3b0..39293626d71 100644 --- a/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.4.2_rel_notes.mdx +++ b/product_docs/docs/jdbc_connector/42.7.3.1/01_jdbc_rel_notes/jdbc_42.5.4.2_rel_notes.mdx @@ -11,7 +11,7 @@ New features, enhancements, bug fixes, and other changes in the EDB JDBC Connect | Type | Description | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Security Fix | [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597) - As outlined in the [Security Advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56), SQL injection is possible while using a non-default connection property (preferQueryMode=simple) along with application code that has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver while using the default query mode. | +| Security Fix | [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597) - As outlined in the [Security Advisory](https://github.com/pgjdbc/pgjdbc/security/notifications/advisories/GHSA-24rp-q3w6-vc56), SQL injection is possible while using a non-default connection property (preferQueryMode=simple) along with application code that has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver while using the default query mode. | diff --git a/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx index 8b69cd8ac50..faa37abb2dc 100644 --- a/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx +++ b/product_docs/docs/pge/15/release_notes/rel_notes15.7.mdx @@ -11,7 +11,7 @@ New features, enhancements, bug fixes, and other changes in EDB Postgres Extende | Type | Description | Ticket | |----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------| -| Upstream merge | Merged with community PostgreSQL 15.7. Includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-7.html) for more information. | | +| Upstream merge | Merged with community PostgreSQL 15.7. Includes a fix for [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317). See the [PostgreSQL 15 Release Notes](https://www.postgresql.org/docs/15/release-15-7.html) for more information. | | | Bug fix | Fixed issue in WAL-logging of XID assignments that could crash standby | #99297/35451 | diff --git a/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx index f9bf18eec46..0df4409cfd8 100644 --- a/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx +++ b/product_docs/docs/pge/16/release_notes/rel_notes16.3.mdx @@ -11,7 +11,7 @@ EDB Postgres Extended Server 16.3 includes the following enhancements and bug fi | Type | Description | Ticket | |----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------| -| Upstream merge | Merged with community PostgreSQL 16.3. Includes a fix for [CVE-2024-4317](/security/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/16/release-16-3.html) for more information. | | +| Upstream merge | Merged with community PostgreSQL 16.3. Includes a fix for [CVE-2024-4317](/security/notifications/assessments/cve-2024-4317). See the [PostgreSQL 16.3 Release Notes](https://www.postgresql.org/docs/16/release-16-3.html) for more information. | | | Bug fix | Fixed issue in WAL-logging of XID assignments that could crash standby | #99297/35451 | From 38fb94fc043f711a4f13ba1973e8fec42ae31629 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 23 Sep 2024 14:45:32 +0100 Subject: [PATCH 4/9] Text fix Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 8471b72b245..efe315956c0 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -14,7 +14,7 @@ navigation: This is the EDB Security Hub. It's a collection of resources to help you secure your PostgreSQL and EDB Postgres Databases, with everything from practical guides on how to secure your database, to the latest security updates and patches. -If you are loooking for a higher-level overview, at a CISO or CTO level, you may want to check out the **[EDB Trust Center](https://trust.enterprisedb.com)**. +If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the **[EDB Trust Center](https://trust.enterprisedb.com)**. **[Securing PostgreSQL](securing-postgresql)** - This section provides a comprehensive guide on how to secure your PostgreSQL database. It covers everything from the basics of authentication and authorization, to more advanced topics such as encryption and auditing. * [PostgreSQL Security 101]() - The essentials of PostgreSQL security for those new to securing their database. From 6e13cb6d1387963ad72825e080882f549ec002a2 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 23 Sep 2024 18:48:01 +0100 Subject: [PATCH 5/9] Image box Signed-off-by: Dj Walker-Morgan --- .../security/images/trust-center.png | 3 +++ advocacy_docs/security/index.mdx | 23 +++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 advocacy_docs/security/images/trust-center.png diff --git a/advocacy_docs/security/images/trust-center.png b/advocacy_docs/security/images/trust-center.png new file mode 100644 index 00000000000..a1f171a63a8 --- /dev/null +++ b/advocacy_docs/security/images/trust-center.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1b2f8ccb2f3c9e7a37635f991d7f3beaf2f3ee5a4df2f174955c6ff24354762d +size 230919 diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index efe315956c0..0b59ef2edc9 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -14,6 +14,29 @@ navigation: This is the EDB Security Hub. It's a collection of resources to help you secure your PostgreSQL and EDB Postgres Databases, with everything from practical guides on how to secure your database, to the latest security updates and patches. + +
+
+
+ EDB Trust Center +
+
+
+
+ If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the EDB Trust Center +
+
+
+
+
+
+ Go to the Trust Center +
+
+
+ +
+ If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the **[EDB Trust Center](https://trust.enterprisedb.com)**. **[Securing PostgreSQL](securing-postgresql)** - This section provides a comprehensive guide on how to secure your PostgreSQL database. It covers everything from the basics of authentication and authorization, to more advanced topics such as encryption and auditing. From 1db4ef4bcd620337dd3912ca1251e7bb99ff9f58 Mon Sep 17 00:00:00 2001 From: Josh Heyer Date: Tue, 24 Sep 2024 00:01:24 +0000 Subject: [PATCH 6/9] Factor out CTA component --- advocacy_docs/security/index.mdx | 27 +++------- product_docs/docs/pgd/5/index.mdx | 23 +++------ product_docs/docs/pgd/5/overview/index.mdx | 23 +++------ src/components/cta.js | 58 ++++++++++++++++++++++ src/components/index.js | 2 + src/components/layout.js | 2 + 6 files changed, 84 insertions(+), 51 deletions(-) create mode 100644 src/components/cta.js diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 0b59ef2edc9..1211701a0a8 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -14,28 +14,13 @@ navigation: This is the EDB Security Hub. It's a collection of resources to help you secure your PostgreSQL and EDB Postgres Databases, with everything from practical guides on how to secure your database, to the latest security updates and patches. +import TrustCenterLogo from './images/trust-center.png' -
-
-
- EDB Trust Center -
-
-
-
- If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the EDB Trust Center -
-
-
-
-
-
- Go to the Trust Center -
-
-
- -
+ + +If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the EDB Trust Center + + If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the **[EDB Trust Center](https://trust.enterprisedb.com)**. diff --git a/product_docs/docs/pgd/5/index.mdx b/product_docs/docs/pgd/5/index.mdx index cc7c02dcb15..b96c69f6dd0 100644 --- a/product_docs/docs/pgd/5/index.mdx +++ b/product_docs/docs/pgd/5/index.mdx @@ -45,22 +45,15 @@ navigation: EDB Postgres Distributed (PGD) provides multi-master replication and data distribution with advanced conflict management, data-loss protection, and [throughput up to 5X faster than native logical replication](https://www.enterprisedb.com/blog/performance-improvements-edb-postgres-distributed). It enables distributed Postgres clusters with high availability up to five 9s. + + +Read about why PostgreSQL is better when it’s distributed with EDB Postgres Distributed in [Distributed PostgreSQL:The Key to Always On Database Availability](https://www.enterprisedb.com/distributed-postgresql-always-on-database-availability) + + -
-
-
-Read about why PostgreSQL is better when it’s distributed with EDB Postgres Distributed in Distributed PostgreSQL:The Key to Always On Database Availability -
-
-
-
-PGD Free Trial -
-
-Contact Sales -
-
-
By default, EDB Postgres Distributed uses asynchronous replication, applying changes on diff --git a/product_docs/docs/pgd/5/overview/index.mdx b/product_docs/docs/pgd/5/overview/index.mdx index 190e12f9b55..d0bd85be8ea 100644 --- a/product_docs/docs/pgd/5/overview/index.mdx +++ b/product_docs/docs/pgd/5/overview/index.mdx @@ -8,21 +8,14 @@ redirects: EDB Postgres Distributed (PGD) provides multi-master replication and data distribution with advanced conflict management, data-loss protection, and [throughput up to 5X faster than native logical replication](https://www.enterprisedb.com/blog/performance-improvements-edb-postgres-distributed). It also enables distributed Postgres clusters with high availability up to five 9s. -
-
-
-Read about why PostgreSQL is better when it’s distributed with EDB Postgres Distributed in Distributed PostgreSQL:The Key to Always On Database Availability -
-
-
-
-PGD Free Trial -
-
-Contact Sales -
-
-
+ + +Read about why PostgreSQL is better when it’s distributed with EDB Postgres Distributed in [Distributed PostgreSQL:The Key to Always On Database Availability](https://www.enterprisedb.com/distributed-postgresql-always-on-database-availability) + + PGD provides loosely coupled, multimaster logical replication using a mesh topology. This means that you can write to any server and the changes are sent directly, row-by-row, to all the other servers that are part of the same PGD group. diff --git a/src/components/cta.js b/src/components/cta.js new file mode 100644 index 00000000000..97e4e6ccc39 --- /dev/null +++ b/src/components/cta.js @@ -0,0 +1,58 @@ +import React from "react"; + +const CTAAction = ({ url, text, title, columnbreak }) => { + return ( + + ); +}; + +const CTA = ({ actions, image, alt, children }) => { + actions = actions.length ? actions : [actions]; + return ( +
+
+ {image && ( +
+ {alt} +
+ )} +
+
+
{children}
+
+
+ {actions.map((a) => ( + + ))} +
+
+
+
+ ); +}; + +export default CTA; diff --git a/src/components/index.js b/src/components/index.js index c42a9e30b77..b675c1ddda3 100644 --- a/src/components/index.js +++ b/src/components/index.js @@ -3,6 +3,7 @@ import AuthenticatedContentPlaceholder from "./authenticated-content-placeholder import BackButton from "./back-button"; import CardDecks from "./card-decks"; import CodeBlock from "./code-block"; +import CTA from "./cta"; import DarkModeToggle from "./dark-mode-toggle"; import DevOnly from "./dev-only"; import DevFrontmatter from "./dev-frontmatter"; @@ -38,6 +39,7 @@ export { BackButton, CardDecks, CodeBlock, + CTA, DarkModeToggle, DevOnly, DevFrontmatter, diff --git a/src/components/layout.js b/src/components/layout.js index c39446b5e30..670d3f05561 100644 --- a/src/components/layout.js +++ b/src/components/layout.js @@ -6,6 +6,7 @@ import { Archive, AuthenticatedContentPlaceholder, CodeBlock, + CTA, KatacodaPageLink, KatacodaPanel, LayoutContext, @@ -138,6 +139,7 @@ const Layout = ({ IconList, Archive, AuthenticatedContentPlaceholder, + CTA, }), [katacodaPanelData, meta.path, meta.isIndexPage, meta.productVersions], ); From 6e269e03a822ae763c0182132a3e24325b3e984c Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 24 Sep 2024 12:42:32 +0100 Subject: [PATCH 7/9] Remove CTA image, bump up headings Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/index.mdx | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 1211701a0a8..9f6b096ba2b 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -5,10 +5,13 @@ directoryDefaults: iconName: Security indexCards: full hideKBLink: true +deepToC: true navigation: +- '#Guides' - securing-postgresql - securing-epas - securing-pgd +- '#Resources' - notifications --- @@ -16,13 +19,15 @@ This is the EDB Security Hub. It's a collection of resources to help you secure import TrustCenterLogo from './images/trust-center.png' - + If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the EDB Trust Center -If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the **[EDB Trust Center](https://trust.enterprisedb.com)**. +## What's in the Security Hub? + +### Guides **[Securing PostgreSQL](securing-postgresql)** - This section provides a comprehensive guide on how to secure your PostgreSQL database. It covers everything from the basics of authentication and authorization, to more advanced topics such as encryption and auditing. * [PostgreSQL Security 101]() - The essentials of PostgreSQL security for those new to securing their database. @@ -33,4 +38,9 @@ If you are looking for a higher-level overview of EDB's security posture, practi **[Securing EDB Postgres Distributed](securing-pgd)** - This section provides a comprehensive guide on how to secure your EDB Postgres Distributed and the needs of a distributed database. Building on the Postgres and EPAS security guides, this section covers the unique security considerations for distributed databases. -**[Notifications](notifications)** - This is where you'll find reported security vulnerabilities and details on how to address them. This includes flaws which have been fixed in the PostgreSQL community and assessments on how they impact EDB users, as well as any advisories and fixes released by EDB. \ No newline at end of file +### Resources + +**[Notifications](notifications)** - This is where you'll find reported security vulnerabilities and details on how to address them. This includes flaws which have been fixed in the PostgreSQL community and assessments on how they impact EDB users, as well as any advisories and fixes released by EDB. + +--- + From 1251bf4292efea44d75b0e0ee713be4ef72808ca Mon Sep 17 00:00:00 2001 From: piano35-edb <160748516+piano35-edb@users.noreply.github.com> Date: Tue, 22 Oct 2024 19:05:04 -0500 Subject: [PATCH 8/9] add pg security 101,201,301 --- .../securing-postgresql/101/index.mdx | 136 ++++++++++++++- .../securing-postgresql/201/index.mdx | 161 ++++++++++++++++- .../securing-postgresql/301/index.mdx | 163 +++++++++++++++++- 3 files changed, 457 insertions(+), 3 deletions(-) diff --git a/advocacy_docs/security/securing-postgresql/101/index.mdx b/advocacy_docs/security/securing-postgresql/101/index.mdx index 3d04c501b58..a4890128f08 100644 --- a/advocacy_docs/security/securing-postgresql/101/index.mdx +++ b/advocacy_docs/security/securing-postgresql/101/index.mdx @@ -4,4 +4,138 @@ navTitle: Security 101 description: The essentials of PostgreSQL security for those new to securing their database. --- -TBD +The following are basic practices for securing your PostgreSQL installation. + +## Install the latest version + +- **Always use the most recent version.** Regularly update PostgreSQL to the latest stable release. For EDB releases, see the [EDB repositories](https://www.enterprisedb.com/repos-downloads). + +- **Apply security patches.** Ensure security patches are applied promptly. For EDB security vulnerabilities and advisories, see the [EDB Vulnerability disclosure policy](https://www.enterprisedb.com/docs/security/vulnerability-disclosure-policy/). + +## Use strong authentication methods + +PostgreSQL supports several authentication methods. Always use the most secure option available. + +- **Password authentication.** Ensure that all users authenticate with strong passwords. Because it provides stronger hashing, use `scram-sha-256` for password hashing instead of `md5`. + +- **LDAP/Kerberos/SSO.** Integrate centralized authentication systems like LDAP, Kerberos, or single sign-on (SSO) for enhanced security. + +## Limit access with pg_hba.conf + +PostgreSQL’s host-based access control file (`pg_hba.conf`) is your first line of defense for controlling who can connect to the database. To ensure security: + +- **Restrict host connections.** Allow only trusted hosts. + +- **Use CIDR notation.** Limit access to specific IP ranges in `pg_hba.conf`. Example: + +```bash +host all all 192.168.1.0/24 scram-sha-256 +``` +- **Use local method.** For connections from the same machine, use Unix domain sockets with peer authentication, limiting connections to system users. + +## Enforce SSL/TLS connections + +Encrypt traffic between the client and PostgreSQL server using SSL. This practice can prevent sensitive data (like passwords and query results) from being intercepted. + +- **Enable SSL.** Ensure that `ssl = on` in `postgresql.conf`. + +- **Use valid SSL certificates.** Use certificates for secure communication (self-signed or CA-signed). + +- **Force SSL.** Ensure all connections use SSL via `pg_hba.conf`. Example: + +```bash +hostssl all all 0.0.0.0/0 scram-sha-256 +``` + +## Use role-based access control (RBAC) + +PostgreSQL implements a robust role-based access control system. Some key practices include: + +- **Principle of least privilege.** Grant roles the minimum permissions necessary. + +- **Separate roles for users/applications.** Avoid using superuser accounts or the default postgres role for daily operations. + +- **Use GRANT/REVOKE.** Assign specific privileges to roles. Example: + +```sql +GRANT SELECT, INSERT ON my_table TO my_user; +``` + +## Use encrypted passwords + +Make sure that passwords are stored using secure hashing methods (scram-sha-256 in modern PostgreSQL versions). + +- **Enable scram-sha-256.** Configure PostgreSQL to store passwords securely by setting `password_encryption = 'scram-sha-256'` in your `postgresql.conf` file: + +```bash +password_encryption = 'scram-sha-256' +``` + +## Audit and monitor database activity + +Enable logging and auditing to keep track of database activity. + +- **Enable logging.** Log all user connections and queries. + +- **Track role changes.** Regularly audit role modifications and permissions to detect unauthorized changes. + +- **Use pgAudit.** Third-party tools like pgAudit can enable detailed audit logging. + +- **Enable connection and query logs.** Capture login attempts, successful connections, and queries executed using settings in `postgresql.conf`: + +```bash +log_connections = on +log_disconnections = on +log_statement = 'all' +``` + +## Regular backups and secure backup storage + +Backups are crucial, but they must also be secured. Be sure to: + +- **Use encrypted backups.** Encrypt database backups to reduce the chance of unauthorized access. + +- **Restrict backup access.** Allow only authorized personnel to access, view, or restore backups. + +- **Test restores.** Regularly test backups to ensure they're complete and can be restored properly without any data integrity issues. + +## Disable unnecessary features + +Reduce your attack surface by disabling unused features: + +- **Remove unused extensions.** Disable any extensions that aren't actively used. + +- **Disable trust authentication.** Ensure `trust` authentication isn't used in production as it allows users to log in without a password. + +- **Disable untrusted languages.** Prevent the use of languages that allow arbitrary code execution, such as PL/Python. + +## Vulnerability scanning and penetration testing + +- **Regularly scan for vulnerabilities.** Use security scanners to find vulnerabilities. + +- **Penetration resting.** Test the security of your PostgreSQL instance. You may need to hire security professionals to test your database security periodically. + +## Network security controls + +Strengthen PostgreSQL’s security by securing the network it operates in. + +- **Set firewall rules.** Restrict database access to necessary ports. + +- **Limit network exposure.** Use VPNs or internal networks for database access. Avoid exposing PostgreSQL directly to the internet. + +- **Use intrusion detection.** Use IDS tools to monitor for suspicious activity. + +## Regularly review user permissions + +- **Develop a review cadence.** Regularly review user and role permissions to ensure no unnecessary privileges were granted. + +- **Remove unnecessary privileges.** Periodically review and revoke unnecessary privileges. Remove access immediately when a user no longer needs it. + +## Secure OS and file permissions + +PostgreSQL runs on an operating system that also needs to be secured. + +- **Restrict file access.** Ensure that only the PostgreSQL service user can access critical files such as the data directory and logs. Set restrictive permissions (700) on the data directory. + +- **Harden the OS.** Apply operating system hardening practices, including disabling unnecessary services and ensuring regular OS updates. + diff --git a/advocacy_docs/security/securing-postgresql/201/index.mdx b/advocacy_docs/security/securing-postgresql/201/index.mdx index 75856a51c16..623341ac2dd 100644 --- a/advocacy_docs/security/securing-postgresql/201/index.mdx +++ b/advocacy_docs/security/securing-postgresql/201/index.mdx @@ -4,4 +4,163 @@ navTitle: Security 201 description: Building on the basics, this guide covers more advanced topics in PostgreSQL security. --- -TBD +After you've mastered the basics of securing your PostgreSQL database, you can dive deeper into intermediate topics. + +These intermediate security techniques help to further safeguard your data, improve auditability, and reduce risks associated with more sophisticated attacks. By focusing on enhanced role management, encryption, fine-grained access control, auditing, and cloud-specific configurations, you can build a robust defense for your databases. + +Keep evolving your security posture by staying updated on emerging threats and security features in new PostgreSQL releases. + +## Advanced role management and privileges + +Effective management of roles and privileges is essential for maintaining a secure PostgreSQL environment. + +- **Avoid using superuser roles.** Limit superuser privileges to only the most essential operations. Always create distinct, minimally privileged roles for day-to-day database tasks. + +- **Create custom roles.** Create task-specific roles for finer privilege management. Rather than using a single, all-encompassing role, create custom roles for different functions like read-only, read-write, and admin tasks. This practice limits the scope of potential security breaches. For example: + +```sql +CREATE ROLE read_only NOINHERIT; +GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only; +``` + +- **Establish role inheritance.** Use role inheritance to streamline privilege assignments and create hierarchies of roles that simplify privilege management. A parent role can be granted a specific set of privileges, which can then be inherited by child roles: + +```sql +CREATE ROLE base_role; +CREATE ROLE admin_role INHERIT base_role; +``` + +- **Revoke public privileges.** Remove default permissions from the public role. By default, new databases and tables grant certain privileges to the public role. Best practice is to revoke these: + +```sql +REVOKE ALL ON DATABASE mydb FROM PUBLIC; +REVOKE ALL ON SCHEMA public FROM PUBLIC; +``` + +## Fine-grained access control with row-level security + +- **Enable row-level security.** Row-level security (RLS) provides fine-grained control over who can access specific rows in a table. This type of security is essential when different users need access to different subsets of data. + + Enforce RLS policies on sensitive tables. To activate RLS for a table, you first need to enable it: + +```sql +ALTER TABLE employees ENABLE ROW LEVEL SECURITY; +``` + +- **Define security policies.** Once RLS is enabled, you can create policies to specify which users can access or modify rows in the table. For example: + +```sql +CREATE POLICY employee_policy ON employees +FOR SELECT +USING (employee_id = current_user); +``` + +### Database encryption + +Encryption is critical for protecting data at rest and in transit. Intermediate PostgreSQL setups often leverage encryption to secure sensitive information. + +- **Encrypt sensitive columns.** Use pgcrypto to encrypt sensitive data at the column level. While PostgreSQL doesn’t natively support column-level encryption, +you can use client-side encryption libraries such as pgcrypto to encrypt and decrypt data. For example: + +```sql +SELECT pgp_sym_encrypt('secret data', 'encryption key'); +``` + Ensure that encryption keys are stored securely outside the database, such as in AWS KMS, HashiCorp Vault, or other secure key management systems. + +- **Use full disk encryption.** If column-level encryption isn't feasible, use full-disk encryption to secure the data directory. Encrypting the entire disk ensures that sensitive data is protected in the event of unauthorized physical access to the database server. + +## pg_hba.conf advanced configurations + +The `pg_hba.conf` file controls access to PostgreSQL at the network level. Intermediate configurations involve more complex filtering and control mechanisms. + +- **Set granular network restrictions.** Configure specific IP ranges or hosts for different roles. Define access based on user, database, or IP address to create fine-grained network policies. For example, restrict administrative access to a specific IP range: + +```bash +host all postgres 10.0.0.0/8 scram-sha-256 +``` + +- **Separate roles by network.** Allow different roles based on their origin IP. You can create roles that have different levels of access based on their network of origin. For instance, you can create read-only users on a public network and read-write users on a private network: + +```bash +host all read_only_user 0.0.0.0/0 scram-sha-256 +host all read_write_user 10.0.0.0/8 scram-sha-256 +``` + +## Database auditing and logging + +Auditing is essential for identifying abnormal behavior and unauthorized access. It also helps in compliance with security standards like PCI-DSS and GDPR. + +- **Enable pgaudit.** Use pgaudit for detailed logging of database activity. This extension provides detailed logging of SQL statements at various levels (DDL, DML, and more). To install and configure it: + +```sql +CREATE EXTENSION pgaudit; +``` + + To configure pgaudit to log SELECT statements: + +```bash +pgaudit.log = 'read' +``` + +- **Configure fine-grained logging.** Customize logging configurations to capture DDL, DML, and more. PostgreSQL offers several levels of logging, but for performance reasons, fine-tune it. +Enable specific logging for failed login attempts or DDL changes: + +```bash +log_connections = on +log_disconnections = on +log_statement = 'ddl' +``` + +For more information on pgAudit, see the [pgAudit documentation](https://www.pgaudit.org). + +## Monitoring and alerting + +Intermediate PostgreSQL security requires robust monitoring and alerting. Several tools and configurations can help with this: + +- **PostgreSQL monitoring tools.** Tools like pg_stat_statements, pgBadger, or third-party tools such as Prometheus and Grafana, provide insights into database activity and performance metrics. + +- **CloudWatch for AWS Aurora.** For AWS Aurora PostgreSQL users, leverage CloudWatch to monitor database performance metrics and set up alarms for unusual patterns in CPU, memory, or I/O usage. + +- **Alerts for suspicious activity.** Configure alerts for specific actions and abnormal behaviors, such as multiple failed login attempts, database role changes, or connections from unknown IP addresses. For example: + +```bash +log_min_error_statement = 'ERROR' +log_min_duration_statement = 1000 +``` + +## Database hardening + +Hardening your PostgreSQL server is an intermediate security practice that reduces the attack surface by removing or disabling unnecessary features. + +- **Remove unused extensions.** Extensions can increase the attack surface of PostgreSQL. Disable or remove any extensions you don't actively use. For example: + +```sql +DROP EXTENSION IF EXISTS plperl; +``` + +- **Lock down data directory.** Ensure that the PostgreSQL data directory is accessible only by the PostgreSQL user. Use file system permissions (chmod 700) to lock down access: + +```bash +chmod 700 /var/lib/postgresql/data +``` + +## Securing PostgreSQL on cloud providers + +Cloud environments introduce additional layers of complexity. The following can help secure your PostgreSQL instances in the cloud: + +- **AWS RDS encryption.** Use AWS RDS's built-in encryption for data at rest with KMS-managed keys. You can easily enable it while creating an RDS instance. + +- **Network access restrictions.** Use cloud-level security groups or firewalls to restrict access to the PostgreSQL instance. Allow only trusted IPs or VPCs to connect to the database. + +- **IAM authentication.** Use AWS IAM roles and policies to manage access to PostgreSQL instances. IAM authentication provides an extra layer of security, reducing the need for password management: + +```bash +aws rds generate-db-auth-token --hostname --port 5432 --region --username +``` + +## Implementing multi-factor authentication (MFA) + +Using MFA for database access further secures your system by requiring users to provide a second factor beyond a password. You can integrate PostgreSQL with an external identity provider (IdP) that supports MFA. + +- **External identity providers.** For added security, integrate MFA with identity providers such as Okta, Google Identity, Azure AD, or AWS IAM. + diff --git a/advocacy_docs/security/securing-postgresql/301/index.mdx b/advocacy_docs/security/securing-postgresql/301/index.mdx index b0a112576dd..22583e57a41 100644 --- a/advocacy_docs/security/securing-postgresql/301/index.mdx +++ b/advocacy_docs/security/securing-postgresql/301/index.mdx @@ -4,4 +4,165 @@ navTitle: Security 301 description: Your guide to Compliance, certifications, auditing and other higher-level issues. --- -TBD +As security requirements increase in complexity, it’s critical to move beyond basic and intermediate configurations. +Advanced security in PostgreSQL focuses on hardening systems to meet strict compliance standards, such as Security Technical Implementation Guides (STIGs), GDPR, PCI-DSS, HIPAA, and FISMA. +Use the following advanced strategies to secure PostgreSQL in high-stakes environments. + +## Security Technical Implementation Guides (STIGs) + +STIGs are configuration standards developed by the Defense Information Systems Agency (DISA) to ensure that IT systems meet strict security controls. PostgreSQL has its own specific STIGs, which must be followed when the database is used in government or defense environments. + +- **Install PostgreSQL STIG.** Ensure that your PostgreSQL installation meets the guidelines of the PostgreSQL STIG. This includes hardening configurations, removing unnecessary features, and enforcing security controls. + +- **Audit STIG compliance.** The stig-postgresql project provides automated scripts to check for STIG compliance. Use pgstigcheck or other security auditing tools to verify your PostgreSQL configurations against STIG guidelines. + +- **Implement STIG hardening.** Follow STIG guidelines for logging, encryption, and auditing role changes. + +- **Log all activity.** STIGs mandate strict logging of user activity. Configure PostgreSQL to log all SQL commands—even reads—to ensure traceability. + +```bash +log_statement = 'all' +log_connections = on +log_disconnections = on +``` + +- **Encrypt data at rest.** Encrypt the data directory and backups as per STIG requirements. Use encryption standards that follow industry best practices, such as AES-256 encryption. + +- **Audit role changes and privileges.** Regularly audit role changes and privilege escalations, logging all role modifications and access control changes: + +```bash +log_statement = 'ddl' +``` + +## Compliance requirements + +For information on EDB data privacy and compliance policies, see the [EDB Trust Center](https://trust.enterprisedb.com). + +### General Data Protection Regulation (GDPR) + +The European Union’s GDPR focuses on protecting the privacy and security of personal data. PostgreSQL must be configured to ensure data privacy, security, and accountability. + +- **Data minimization and encryption.** Ensure that only essential data is collected and stored. Implement both column-level encryption for sensitive data and full-disk encryption for databases. +pgcrypto allows you to encrypt/decrypt sensitive columns: + +```sql +SELECT pgp_sym_encrypt('personal data', 'encryption_key'); +``` + +- **Right to erasure.** Implement functionality to allow for complete and secure deletion of user data upon request. For a compliant data deletion process, ensure that records are fully purged, including from backup systems, to comply with GDPR's "Right to be Forgotten." + +- **Data breach notifications.** In the event of a data breach, GDPR mandates prompt notification. PostgreSQL logging, auditing, and alerting help to detect breaches immediately. + +### Payment Card Industry Data Security Standard (PCI-DSS) + +PCI-DSS ensures the secure handling of payment card information. PostgreSQL must be hardened to prevent unauthorized access to sensitive cardholder data. + +- **Encryption.** PCI-DSS mandates encryption of cardholder data both in transit and at rest. Use scram-sha-256 for encrypting connections and client-side encryption for cardholder data. + +- **Segregation of duties.** Ensure that users accessing the database are restricted to specific tasks and can't access cardholder data unnecessarily. You can do this using PostgreSQL’s role-based access control (RBAC). + + Use RBAC to separate administrative and data access functions. For example: + +```sql +CREATE ROLE cardholder_data_access; +GRANT SELECT ON card_data TO cardholder_data_access; +``` + +- **Detailed logging.** PCI-DSS requires detailed logging of all access to cardholder data. Use pgaudit to track reads, writes, and role changes to sensitive data. + +### Health Insurance Portability and Accountability Act (HIPAA) + +HIPAA governs the protection of healthcare data in the United States. PostgreSQL installations dealing with protected health information (PHI) must meet stringent confidentiality, integrity, and availability requirements. + +- **Encrypt PHI.** All PHI must be encrypted at rest and in transit. Use pgcrypto or external encryption tools to secure PHI in PostgreSQL. + +- **Access control.** Implement strong authentication and authorization. Ensure that users and roles are defined clearly, and use multi-factor authentication (MFA) for administrative access. + +- **Audit trails.** HIPAA requires tracking and logging any access to PHI. You can configure PostgreSQL’s logging system and pgaudit to log these actions. For example: + +```bash +log_statement = 'all' +log_min_duration_statement = 1000 +``` + +## PostgreSQL in FISMA-compliant environments + +The Federal Information Security Management Act (FISMA) establishes security requirements for federal IT systems. To be used in FISMA environments, PostgreSQL must comply with the NIST SP 800-53 framework. + +- **FIPS-140-2 encryption.** Ensure PostgreSQL uses FIPS-compliant encryption algorithms for secure communication. PostgreSQL can be integrated with OpenSSL configured for FIPS mode, or you can use external encryption tools. + +- **Multi-factor authentication (MFA).** Use MFA for administrative access to the database. Integration with external identity providers (for example, Okta, AWS IAM) can help enforce MFA policies for critical roles. + +- **Incident response.** Configure PostgreSQL to detect and respond to security incidents. All security-related events must be logged, and systems must have defined incident response plans. + +## Advanced encryption practices + +Encryption is a cornerstone of advanced database security. Beyond basic encryption of data in transit and at rest, advanced encryption practices include key management and more sophisticated data protection strategies. + +### Key management + +- **External key management.** Rather than storing encryption keys within the database or filesystem, use external systems like AWS KMS, HashiCorp Vault, or Azure Key Vault to manage encryption keys. For example: + +```bash +aws kms encrypt --key-id alias/myKey --plaintext fileb://myfile +``` + +- **Key rotation.** To limit the potential damage from key compromise, regularly rotate encryption keys. Ensure PostgreSQL encryption supports key rotation without downtime. + +### Transparent data encryption (TDE) + +TDE encrypts the entire database at the file level. While not natively supported in PostgreSQL, tools like pgcrypto and external software can implement TDE. + +- **Use pgTDE.** You can use the pgTDE extension to encrypt entire databases or specific tablespaces. Data is encrypted transparently as it's written to disk. + +## Data masking and tokenization + +Data masking and tokenization protect sensitive data by obfuscating it when it isn't needed. This is especially useful in test or staging environments, where real data might be exposed. + +- **Dynamic data masking.** PostgreSQL doesn't natively support data masking, but you can implement it using views to hide sensitive data: + +```sql +CREATE VIEW masked_view AS +SELECT id, '****' AS credit_card FROM customers; +``` + +- **Tokenization.** Use external tokenization services to replace sensitive data like credit card numbers or social security numbers with tokens. These tokens can be used for processing without exposing the real data. + +## Advanced logging and monitoring + +Advanced PostgreSQL setups require more detailed logging and monitoring, especially in environments subject to compliance audits or high-level threat detection. + +### pgaudit configuration + +- **Log DDL, DML, and role changes.** Configure pgaudit to log detailed events, including access to sensitive tables, role changes, and permission escalations: + +```bash +pgaudit.log = 'ddl, role, read, write' +``` + +### Integration with SIEM systems + +For real-time monitoring and alerting on suspicious activity, integrate PostgreSQL logs into security information and event management (SIEM) systems, such as Splunk, ELK Stack, or AWS CloudWatch. + +- **Log integration.** Ship PostgreSQL logs to a SIEM system for real-time monitoring and alerting on suspicious activity: + +```bash +log_destination = 'stderr' +logging_collector = on +log_directory = '/var/log/postgresql' +``` + +- **Custom alerts.** Set up custom alerts in your SIEM system to notify administrators of anomalous activities like repeated failed login attempts or unauthorized role changes. + +## Database hardening automation + +Automating database hardening ensures consistency and repeatability in applying security configurations. Use tools like Ansible, Terraform, or Chef to enforce PostgreSQL hardening at scale. + +- **Automation with Ansible/Terraform.** Use Terraform or Ansible scripts to enforce role-based access controls consistently across environments. For example: + +```bash +ansible-playbook -i inventory.yml playbook.yml +``` + +- **STIG compliance automation.** Use automation scripts to ensure all PostgreSQL servers comply with STIGs or other regulatory guidelines. Run compliance checks regularly to detect deviations. + From 7f43adf689a16943ba994b4d69bd2f6c83e40834 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 24 Oct 2024 15:29:09 +0100 Subject: [PATCH 9/9] Fixed link to vuln policy Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/securing-postgresql/101/index.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/advocacy_docs/security/securing-postgresql/101/index.mdx b/advocacy_docs/security/securing-postgresql/101/index.mdx index a4890128f08..e47cc46173a 100644 --- a/advocacy_docs/security/securing-postgresql/101/index.mdx +++ b/advocacy_docs/security/securing-postgresql/101/index.mdx @@ -10,7 +10,7 @@ The following are basic practices for securing your PostgreSQL installation. - **Always use the most recent version.** Regularly update PostgreSQL to the latest stable release. For EDB releases, see the [EDB repositories](https://www.enterprisedb.com/repos-downloads). -- **Apply security patches.** Ensure security patches are applied promptly. For EDB security vulnerabilities and advisories, see the [EDB Vulnerability disclosure policy](https://www.enterprisedb.com/docs/security/vulnerability-disclosure-policy/). +- **Apply security patches.** Ensure security patches are applied promptly. For EDB security vulnerabilities and advisories, see the [EDB Vulnerability disclosure policy](/security/notifications/vulnerability-disclosure-policy/). ## Use strong authentication methods @@ -139,3 +139,4 @@ PostgreSQL runs on an operating system that also needs to be secured. - **Harden the OS.** Apply operating system hardening practices, including disabling unnecessary services and ensuring regular OS updates. +