It has come to our attention that PostGIS Raster support may give users more privileges than an administrator is willing to grant. These include reading files from the server's filesystem and opening connections to network hosts, because the GDAL drivers loaded into the PostgreSQL server process can access arbitrary paths and URLs.
Both issues can be limited in existing installations by setting the GDAL_SKIP variable (in the PostgreSQL server environment) to the list of all GDAL drivers, but some drivers would still be forcibly loaded by some operations, so this is a stopgap rather than a complete fix.
Releases 2.1.3 and 2.0.6 strengthen the code to load no drivers by default and allow fine-grained tuning of what is and is not allowed through PostGIS-specific environment variables:
One variable specifies a list of GDAL drivers to enable (rather than skip); by default all drivers are disabled. Example value: "GTiff PNG JPEG".
A second variable enables read support for out-db raster bands when set to 1; by default, reading out-db raster bands is disabled.
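The following shell script is an added example and is not part of the PostGIS announcement or the project's own code. It covers both the pre-2.1.3 stopgap (computing a GDAL_SKIP value that lists every driver except the ones you keep) and the post-2.1.3 allowlist, plus a check that the server really ended up with only the intended drivers. Assumptions: the variable names POSTGIS_GDAL_ENABLED_DRIVERS and POSTGIS_ENABLE_OUTDB_RASTERS are the documented PostGIS names (the page does not print them); the sample `gdalinfo --formats` output is constructed; the systemd drop-in path is one typical deployment, and the psql query against `ST_GDALDrivers()` is the PostGIS raster function that lists loaded drivers.

```bash
#!/usr/bin/env bash
# Added example (not PostGIS project code). Assumed variable names:
#   POSTGIS_GDAL_ENABLED_DRIVERS  - allowlist of GDAL driver short names
#   POSTGIS_ENABLE_OUTDB_RASTERS  - 1 enables reading out-db bands
set -eu

# Constructed sample of `gdalinfo --formats` output; the first token of each
# indented line is the driver short name that GDAL_SKIP expects.
SAMPLE_FORMATS='Supported Formats:
  GTiff -raster- (rw+vs): GeoTIFF
  PNG -raster- (rwv): Portable Network Graphics
  JPEG -raster- (rwv): JPEG JFIF
  WMS -raster- (rwv): OGC Web Map Service
  PostGISRaster -raster- (rws): PostGIS Raster driver
  HTTP -raster,vector- (ro): HTTP Fetching Wrapper'

# Pre-2.1.3 stopgap: GDAL_SKIP is a deny list, so it must name every driver
# you do NOT want loaded. $1 = formats text, remaining args = drivers to keep.
# Prints the GDAL_SKIP value (space separated).
gdal_skip_from_formats() {
  local formats="$1"; shift
  local keep=" $* "
  local out="" line name
  while IFS= read -r line; do
    case "$line" in
      '  '*) ;;                         # only indented lines are drivers
      *) continue ;;
    esac
    name=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
    name=${name%% *}                         # first token = short name
    case "$keep" in
      *" $name "*) ;;                        # kept: not added to GDAL_SKIP
      *) out="${out:+$out }$name" ;;
    esac
  done <<< "$formats"
  printf '%s\n' "$out"
}

# 2.1.3 / 2.0.6 and later: an allowlist replaces the deny list. Emits a
# systemd drop-in (assumed location: /etc/systemd/system/postgresql.service.d/
# postgis-raster.conf) so the variables reach the *server* process; setting
# them in an interactive psql session has no effect on the backend.
# $1 = space-separated allowlist (empty = no drivers), $2 = 1 to allow out-db.
postgis_raster_env() {
  local drivers="$1" outdb="${2:-0}"
  case "$outdb" in
    0|1) ;;
    *) echo "POSTGIS_ENABLE_OUTDB_RASTERS must be 0 or 1" >&2; return 1 ;;
  esac
  printf '[Service]\n'
  printf 'Environment="POSTGIS_GDAL_ENABLED_DRIVERS=%s"\n' "$drivers"
  printf 'Environment="POSTGIS_ENABLE_OUTDB_RASTERS=%s"\n' "$outdb"
}

# Post-restart check. Feed it the output of
#   psql -At -c "SELECT short_name FROM ST_GDALDrivers();"
# ($1, one driver per line) and the intended allowlist ($2). Prints every
# driver that is loaded but not allowed and returns 1 if there is any.
unexpected_drivers() {
  local enabled="$1" allow=" $2 " bad="" d
  for d in $enabled; do
    case "$allow" in
      *" $d "*) ;;
      *) bad="${bad:+$bad }$d" ;;
    esac
  done
  printf '%s\n' "$bad"
  [ -z "$bad" ]
}

# Demo on the constructed data.
echo "GDAL_SKIP for a pre-2.1.3 server keeping GTiff and PNG:"
gdal_skip_from_formats "$SAMPLE_FORMATS" GTiff PNG
echo "Drop-in for a 2.1.3+ server:"
postgis_raster_env "GTiff PNG JPEG" 0
```

After installing the drop-in, run `systemctl daemon-reload`, restart PostgreSQL, and pipe the `ST_GDALDrivers()` output through `unexpected_drivers`; an empty allowlist should yield an empty driver list. Keep in mind the page's caveat for the GDAL_SKIP path: some operations still force-load drivers, so the deny list is not a substitute for upgrading.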
Upgrading is highly recommended, especially for online services that allow users to run arbitrary SQL queries, since any such user can invoke the raster functions.
Special thanks to Even Rouault for bringing up the issue and giving advice on its resolution.
The PostGIS development team is pleased to provide bug fix releases 2.3.8 and 2.4.6 for the 2.3 and 2.4 stable branches.
The PostGIS development team is pleased to provide bug fix release 2.2.8 for the 2.2 stable branch.
This is the End-Of-Life and final release for PostGIS 2.2 series.
We encourage you to upgrade to a newer minor PostGIS version. Refer to our Version compatibility and EOL Policy for details on versions you can upgrade to.
This release supports PostgreSQL 9.1-9.6.
The PostGIS development team is pleased to provide bug fix release 2.5.1 for the 2.5 stable branch.
Although this release will work for PostgreSQL 9.4 through PostgreSQL 11, to take full advantage of what PostGIS 2.5 offers you should be running PostgreSQL 11 and GEOS 3.7.0.
WARNING: If compiling with PostgreSQL+JIT, LLVM >= 6 is required.
Supported PostgreSQL versions for this release are PostgreSQL 9.4 through PostgreSQL 11, with GEOS >= 3.5.