AWS Security ChangesHomeSearch

AWS AmazonRDS high security documentation change

Service: AmazonRDS · 2026-04-25 · Security-related high

File: AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Updates.md

Summary

Updated release notes for multiple Aurora PostgreSQL versions (17.9, 16.13, 15.17, 14.22) with typo corrections, improved descriptions, and added new patch releases (17.6.2, 16.10.2, 15.14.2, 14.19.2) containing critical stability fixes, high priority enhancements including backported PostgreSQL security fixes for 6 CVEs, and security enhancements for babelfish_set_role permission validation.

Security assessment

The change explicitly documents backported fixes for 6 PostgreSQL community security issues (CVE-2026-2003 through CVE-2026-2007 and CVE-2026-3172) and includes a security enhancement for babelfish_set_role function permission validation. These are direct references to security vulnerabilities being addressed.

Diff

diff --git a/AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Updates.md b/AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Updates.md
index efaadcbbb..308d03d37 100644
--- a//AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Updates.md
+++ b//AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Updates.md
@@ -275 +275 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 17.9. For more i
-  * Fixed an issue in the Aurora Storage Daemon that could lead to brief periods of availability when enhanced logical replication is enabled.
+  * Fixed an issue in the Aurora Storage Daemon that could lead to brief periods of unavailability when enhanced logical replication is enabled.
@@ -330 +330 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 17.9. For more i
-  * Fixed an issue where the pg_hint_plan SET hint cannot set GUCs marked as PGC_RDSSUSET.
+  * Fixed an issue with pg_hint_plan where session configuration parameters requiring rds_superuser permissions could not be set in hints.
@@ -509,0 +510,2 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 17.6. For more i
+  * Aurora PostgreSQL 17.6.2, April 22, 2026
+
@@ -516,0 +519,55 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 17.6. For more i
+#### Aurora PostgreSQL 17.6.2, April 22, 2026
+
+**Critical stability enhancements**
+
+  * Babelfish cross-database queries now respect dynamic data masking policies, displaying tables with masked data based on policies defined for the current login.
+
+  * Fixed an issue where executing queries from PostgreSQL endpoint on instances with Active Directory Authentication enabled could result in database unavailability.
+
+  * Fixed a bug in the aws_s3 extension which, in rare circumstances, can cause database unavailability.
+
+  * Fixed an issue where read nodes may restart when attempting to connect to the new write node following a failover.
+
+
+
+
+**High priority enhancements**
+
+  * Backported fixes for the following PostgreSQL community security issues:
+
+    * [CVE-2026-2003](https://nvd.nist.gov/vuln/detail/CVE-2026-2003).
+
+    * [CVE-2026-2004](https://nvd.nist.gov/vuln/detail/CVE-2026-2004).
+
+    * [CVE-2026-2005](https://nvd.nist.gov/vuln/detail/CVE-2026-2005).
+
+    * [CVE-2026-2006](https://nvd.nist.gov/vuln/detail/CVE-2026-2006).
+
+    * [CVE-2026-2007](https://nvd.nist.gov/vuln/detail/CVE-2026-2007).
+
+    * [CVE-2026-3172](https://nvd.nist.gov/vuln/detail/CVE-2026-3172).
+
+  * Fixed a bug in Query Plan Management that prevented plan capture.
+
+  * Fixed a bug in the Aurora Storage Daemon that could cause database unavailability in rare cases when enhanced logical replication is enabled.
+
+  * nan
+
+  * Fixed an issue where file handlers could remain improperly allocated after a major version upgrade.
+
+  * Fixed an issue where databases could run out of memory due to excessive storage metadata in rare circumstances.
+
+  * Fixed an issue in cache initialization that could cause database unavailability during startup.
+
+  * Fixed an issue where global databases planned switchover operations could become unresponsive while waiting for storage volume growth to complete.
+
+
+
+
+**Security enhancements**
+
+  * Fixed a bug in the babelfish_set_role function that improved permission validation when setting roles.
+
+
+
+
@@ -1310 +1367 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 16.13. For more
-  * Fixed an issue in the Aurora Storage Daemon that could lead to brief periods of availability when enhanced logical replication is enabled.
+  * Fixed an issue in the Aurora Storage Daemon that could lead to brief periods of unavailability when enhanced logical replication is enabled.
@@ -1365 +1422 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 16.13. For more
-  * Fixed an issue where the pg_hint_plan SET hint cannot set GUCs marked as PGC_RDSSUSET.
+  * Fixed an issue with pg_hint_plan where session configuration parameters requiring rds_superuser permissions could not be set in hints.
@@ -1544,0 +1602,2 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 16.10. For more
+  * Aurora PostgreSQL 16.10.2, April 22, 2026
+
@@ -1551,0 +1611,55 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 16.10. For more
+#### Aurora PostgreSQL 16.10.2, April 22, 2026
+
+**Critical stability enhancements**
+
+  * Babelfish cross-database queries now respect dynamic data masking policies, displaying tables with masked data based on policies defined for the current login.
+
+  * Fixed an issue where executing queries from PostgreSQL endpoint on instances with Active Directory Authentication enabled could result in database unavailability.
+
+  * Fixed a bug in the aws_s3 extension which, in rare circumstances, can cause database unavailability.
+
+  * Fixed an issue where read nodes may restart when attempting to connect to the new write node following a failover.
+
+
+
+
+**High priority enhancements**
+
+  * Backported fixes for the following PostgreSQL community security issues:
+
+    * [CVE-2026-2003](https://nvd.nist.gov/vuln/detail/CVE-2026-2003).
+
+    * [CVE-2026-2004](https://nvd.nist.gov/vuln/detail/CVE-2026-2004).
+
+    * [CVE-2026-2005](https://nvd.nist.gov/vuln/detail/CVE-2026-2005).
+
+    * [CVE-2026-2006](https://nvd.nist.gov/vuln/detail/CVE-2026-2006).
+
+    * [CVE-2026-2007](https://nvd.nist.gov/vuln/detail/CVE-2026-2007).
+
+    * [CVE-2026-3172](https://nvd.nist.gov/vuln/detail/CVE-2026-3172).
+
+  * Fixed a bug in Query Plan Management that prevented plan capture.
+
+  * Fixed a bug in the Aurora Storage Daemon that could cause database unavailability in rare cases when enhanced logical replication is enabled.
+
+  * nan
+
+  * Fixed an issue where file handlers could remain improperly allocated after a major version upgrade.
+
+  * Fixed an issue where databases could run out of memory due to excessive storage metadata in rare circumstances.
+
+  * Fixed an issue in cache initialization that could cause database unavailability during startup.
+
+  * Fixed an issue where global databases planned switchover operations could become unresponsive while waiting for storage volume growth to complete.
+
+
+
+
+**Security enhancements**
+
+  * Fixed a bug in the babelfish_set_role function that improved permission validation when setting roles.
+
+
+
+
@@ -3546 +3660 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 15.17. For more
-  * Fixed an issue in the Aurora Storage Daemon that could lead to brief periods of availability when enhanced logical replication is enabled.
+  * Fixed an issue in the Aurora Storage Daemon that could lead to brief periods of unavailability when enhanced logical replication is enabled.
@@ -3601 +3715 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 15.17. For more
-  * Fixed an issue where the pg_hint_plan SET hint cannot set GUCs marked as PGC_RDSSUSET.
+  * Fixed an issue with pg_hint_plan where session configuration parameters requiring rds_superuser permissions could not be set in hints.
@@ -3772,0 +3887,2 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 15.14. For more
+  * Aurora PostgreSQL 15.14.2, April 22, 2026
+
@@ -3779,0 +3896,55 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 15.14. For more
+#### Aurora PostgreSQL 15.14.2, April 22, 2026
+
+**Critical stability enhancements**
+
+  * Babelfish cross-database queries now respect dynamic data masking policies, displaying tables with masked data based on policies defined for the current login.
+
+  * Fixed an issue where executing queries from PostgreSQL endpoint on instances with Active Directory Authentication enabled could result in database unavailability.
+
+  * Fixed a bug in the aws_s3 extension which, in rare circumstances, can cause database unavailability.
+
+  * Fixed an issue where read nodes may restart when attempting to connect to the new write node following a failover.
+
+
+
+
+**High priority enhancements**
+
+  * Backported fixes for the following PostgreSQL community security issues:
+
+    * [CVE-2026-2003](https://nvd.nist.gov/vuln/detail/CVE-2026-2003).
+
+    * [CVE-2026-2004](https://nvd.nist.gov/vuln/detail/CVE-2026-2004).
+
+    * [CVE-2026-2005](https://nvd.nist.gov/vuln/detail/CVE-2026-2005).
+
+    * [CVE-2026-2006](https://nvd.nist.gov/vuln/detail/CVE-2026-2006).
+
+    * [CVE-2026-2007](https://nvd.nist.gov/vuln/detail/CVE-2026-2007).
+
+    * [CVE-2026-3172](https://nvd.nist.gov/vuln/detail/CVE-2026-3172).
+
+  * Fixed a bug in Query Plan Management that prevented plan capture.
+
+  * Fixed a bug in the Aurora Storage Daemon that could cause database unavailability in rare cases when enhanced logical replication is enabled.
+
+  * nan
+
+  * Fixed an issue where file handlers could remain improperly allocated after a major version upgrade.
+
+  * Fixed an issue where databases could run out of memory due to excessive storage metadata in rare circumstances.
+
+  * Fixed an issue in cache initialization that could cause database unavailability during startup.
+
+  * Fixed an issue where global databases planned switchover operations could become unresponsive while waiting for storage volume growth to complete.
+
+
+
+
+**Security enhancements**
+
+  * Fixed a bug in the babelfish_set_role function that improved permission validation when setting roles.
+
+
+
+
@@ -6757 +6928 @@ This release of Aurora PostgreSQL is compatible with PostgreSQL 14.22. For more