On CVEs, BoMs, and Releases

As previously mentioned in this Crunchy Postgres via Automation series, we now use a Bill of Materials (BoM) to ship tested-together versions of the components that comprise the CPA product. Accordingly, when the PostgreSQL Global Development Group (PGDG) releases new versions of PostgreSQL as they did yesterday, we have to iterate our BoMs to include these releases.

This responsibility falls onto the Crunchy Data internal Build team, who not only compile the newly released PostgreSQL minor releases on all our supported platforms, but also version-bump or recompile all the additional packages that depend on PostgreSQL (this includes extensions like PostGIS, pgvector, and pgaudit among many others). Once all these compilations are complete and have passed the regression tests, they then assemble twelve new BoMs for my team to review and incorporate.

Why twelve? There is one BoM for each of our two supported Ubuntu releases, then one BoM for each of the five supported PostgreSQL major versions on RedHat 8 (and compatible), and another five of the same for RedHat 9 (and compatible). These new BoMs are then put up for review, and finally incorporated into CPA itself. This BoM generation and review process is repeated for each of the currently released CPA lines as well as the current development line (making thirty-six new BoMs as of today). These new BoMs are deliberately limited in scope to only the PostgreSQL minor release and the changes needed to support it. It ends up looking something like this diff:

[image: bom_diff]

Having merged these new BoMs into the BoM repository, my team then switches to the CPA repository, updates the BoM submodule for the given branch, and then begins the release process for a minor release of CPA. As PGDG released new PostgreSQL minor releases yesterday, you can expect Crunchy Data to announce minor releases of CPA (2.2.1 and 2.1.6) sometime next week. And since PGDG generally follows a quarterly release schedule, that means that CPA does as well. Of course, we might issue a CPA release outside of this quarterly schedule too if any of our other components have a CVE or other significant issue.

Now about those CVEs. Yesterday’s PGDG releases resolve four different CVEs:

Please upgrade your PostgreSQL clusters as soon as your chosen PostgreSQL vendor makes these releases available!

:wq