Dear PostgreSQL Team,

We are currently running a production environment based on PostgreSQL 17.x with the following extensions:

- Citus 13.2
- TimescaleDB
- PostGIS

Following the recent disclosure of CVEs for 2026 affecting PostgreSQL, we would appreciate clarification on the following points:

1. If the vulnerability affects the PostgreSQL core binaries only, is upgrading to the latest 17.x minor release sufficient to mitigate the issue?
2. Are there any known implications for extensions such as Citus, TimescaleDB, or PostGIS when upgrading PostgreSQL minor versions to address security fixes?
3. In your experience, are there scenarios where rebuilding or explicitly upgrading extensions (via ALTER EXTENSION UPDATE) is required after applying a security-related minor upgrade?
4. Are there known compatibility considerations for distributed environments (Citus) or time-series workloads (TimescaleDB) in the context of these CVEs?

We aim to minimize downtime while ensuring full mitigation of the reported vulnerabilities, and we would appreciate any guidance or best practices you can share.

Thank you for your time and for your continuous work on PostgreSQL security.

Best regards,
Gian
Gianfranco Cocco
Infrastructure Database Administration
https://www.vargroup.com/

This message was sent by Var Group S.p.A. or by one of the companies of the Group. It, and any attachments, may contain information of an extremely reserved and confidential nature. If you are not the intended recipients, please kindly inform us immediately by the same means and delete the message and any related attachments, without retaining a copy.
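The post-upgrade check that questions 1 and 3 above turn on, as an added example that is not part of the original message or of any PostgreSQL project documentation: after applying a 17.x minor release, confirm which binary is actually running and whether any installed extension's SQL-level version now lags behind the newest version its control file offers. The extension names (citus, timescaledb, postgis) are taken from the message; everything else uses only standard PostgreSQL catalogs and functions.

```sql
-- Added example (not from the original message): verify a PostgreSQL
-- minor upgrade and find extensions that still need ALTER EXTENSION UPDATE.
-- Extension names citus / timescaledb / postgis are assumed from the message.

-- 1. Confirm the server binary in use. Both reflect the running process,
--    so a stale value here means the service was not actually restarted.
SELECT version();
SHOW server_version;

-- 2. Extensions whose installed SQL-level version differs from the newest
--    version shipped on disk. An empty result means nothing needs
--    ALTER EXTENSION ... UPDATE. A PostgreSQL minor upgrade by itself does
--    not change installed_version; only installing a newer extension
--    package changes default_version and makes a row appear here.
SELECT name, installed_version, default_version
FROM pg_available_extensions
WHERE installed_version IS NOT NULL
  AND installed_version IS DISTINCT FROM default_version
ORDER BY name;

-- 3. Per-database view of what is installed and where. Extensions are
--    installed per database, so run this (and step 5) in each database.
SELECT e.extname, e.extversion, n.nspname AS schema
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname IN ('citus', 'timescaledb', 'postgis')
ORDER BY e.extname;

-- 4. Upgrade paths available from the currently installed version of one
--    extension (citus here), so the ALTER EXTENSION target is known before
--    it runs. A NULL path means no script chain exists for that target.
SELECT source, target, path
FROM pg_extension_update_paths('citus')
WHERE source = (SELECT extversion FROM pg_extension WHERE extname = 'citus')
  AND path IS NOT NULL
ORDER BY target;

-- 5. Apply the SQL-level update, only after step 2 shows a newer package
--    on disk. TimescaleDB's own documentation asks that its update be the
--    first statement in a fresh session, so run that one separately.
ALTER EXTENSION citus UPDATE;
ALTER EXTENSION postgis UPDATE;
ALTER EXTENSION timescaledb UPDATE;
```

PostgreSQL's minor releases are intended to keep the server ABI stable within a major version, so extension shared libraries built for 17.x normally keep loading after the minor upgrade without a rebuild; the check in step 2 catches the separate case where a newer extension package was installed alongside the server update and its SQL objects have not yet been brought up to that version.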
