From 0a27cdc85fa174c01cfc89b66231542a7d2f88b6 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 14 May 2026 12:58:55 -0400 Subject: [PATCH 1/3] feat: support pg 17.10 and pg 15.18 fix: also update 15.x hash --- nix/config.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nix/config.nix b/nix/config.nix index e61683674c..a1edf2fbbd 100644 --- a/nix/config.nix +++ b/nix/config.nix @@ -46,12 +46,12 @@ in supportedPostgresVersions = { postgres = { "15" = { - version = "15.14"; - hash = "sha256-Bt110wXNOHDuYrOTLmYcYkVD6vmuK6N83sCk+O3QUdI="; + version = "15.18"; + hash = "sha256-Ed8N+X/j6kupp5H6rznO4dL+Vx54iFtbVdhRfSfDI7Q="; }; "17" = { - version = "17.6"; - hash = "sha256-4GMKNgCuonURcVVjJZ7CERzV9DU6SwQOC+gn+UzXqLA="; + version = "17.10"; + hash = "sha256-B4oDUW3NvbcF/sr0Feo9E6lWxYnkbwn+1ooG+wBZjJA="; }; }; orioledb = { From 04c83606472120360b68778db4eaf4427b0152a9 Mon Sep 17 00:00:00 2001 From: Utkarash Singh Date: Tue, 26 May 2026 09:57:18 +0100 Subject: [PATCH 2/3] =?UTF-8?q?feat(postgres):=20add=20PG=2017.10,=2015.18?= =?UTF-8?q?=20=E2=80=94=20ansible=20vars=20+=20README=20+=20schema=20heade?= =?UTF-8?q?rs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Companion to 0a27cdc8 which bumped nix/config.nix. Resets version build counters to .1.001 on the new minor (matching the convention established by 33c70a7f / bddfca27). - ansible/vars.yml: postgres17 → 17.10.1.001, postgres15 → 15.18.1.001 - README.md: PG version links bumped - migrations/schema-{15,17}.sql: pg_dump header comments bumped Refs: PSQL-1233, PSQL-1110 --- README.md | 4 ++-- ansible/vars.yml | 4 ++-- migrations/schema-15.sql | 4 ++-- migrations/schema-17.sql | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index b509bdddd7..b1e519c170 100644 --- a/README.md +++ b/README.md 
@@ -183,8 +183,8 @@ This is the same PostgreSQL build that powers [Supabase](https://supabase.io), b ## Primary Features -- ✅ Postgres [postgresql-15.14](https://www.postgresql.org/docs/15/index.html) -- ✅ Postgres [postgresql-17.6](https://www.postgresql.org/docs/17/index.html) +- ✅ Postgres [postgresql-15.18](https://www.postgresql.org/docs/15/index.html) +- ✅ Postgres [postgresql-17.10](https://www.postgresql.org/docs/17/index.html) - ✅ Postgres [orioledb-postgresql-17_11](https://github.com/orioledb/orioledb) - ✅ Ubuntu 24.04 (Noble Numbat). - ✅ [wal_level](https://www.postgresql.org/docs/current/runtime-config-wal.html) = logical and [max_replication_slots](https://www.postgresql.org/docs/current/runtime-config-replication.html) = 5. Ready for replication. diff --git a/ansible/vars.yml b/ansible/vars.yml index 56ddc53884..2b0734c388 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -11,8 +11,8 @@ postgres_major: # Full version strings for each major version postgres_release: postgresorioledb-17: "17.6.0.078-orioledb" - postgres17: "17.6.1.121" - postgres15: "15.14.1.121" + postgres17: "17.10.1.001" + postgres15: "15.18.1.001" # Non Postgres Extensions pgbouncer_release: 1.25.1 diff --git a/migrations/schema-15.sql b/migrations/schema-15.sql index 0ee211e3c9..76b70f1922 100644 --- a/migrations/schema-15.sql +++ b/migrations/schema-15.sql @@ -4,8 +4,8 @@ \restrict SupabaseTestDumpKey123 --- Dumped from database version 15.14 --- Dumped by pg_dump version 15.14 +-- Dumped from database version 15.18 +-- Dumped by pg_dump version 15.18 SET statement_timeout = 0; SET lock_timeout = 0; diff --git a/migrations/schema-17.sql b/migrations/schema-17.sql index 30f476e50c..18307c35b5 100644 --- a/migrations/schema-17.sql +++ b/migrations/schema-17.sql 
@@ -4,8 +4,8 @@ \restrict SupabaseTestDumpKey123 --- Dumped from database version 17.6 --- Dumped by pg_dump version 17.6 +-- Dumped from database version 17.10 +-- Dumped by pg_dump version 17.10 SET statement_timeout = 0; SET lock_timeout = 0; From 733dffb1e53e26ab4d8b25b23c3ff4912054f170 Mon Sep 17 00:00:00 2001 From: Utkarash Singh Date: Tue, 26 May 2026 10:18:14 +0100 Subject: [PATCH 3/3] test(postgres): pin CVE-2026-2004 operator superuser-gate behaviour Adds a pg_regress regression that exercises the new check from CVE-2026-2004 (landed 15.16 / 17.8). Non-superuser is verified to be rejected on both RESTRICT = non-built-in and JOIN = non-built-in, then verified to still succeed with built-in selectivity estimators. Without this regression, the same class of failure could silently regress on a future PG major upgrade. Refs: PSQL-1110, PSQL-1234 --- .../expected/operator_breaking_change.out | 50 ++++++++++++++++ nix/tests/sql/operator_breaking_change.sql | 58 +++++++++++++++++++ 2 files changed, 108 insertions(+) create mode 100644 nix/tests/expected/operator_breaking_change.out create mode 100644 nix/tests/sql/operator_breaking_change.sql diff --git a/nix/tests/expected/operator_breaking_change.out b/nix/tests/expected/operator_breaking_change.out new file mode 100644 index 0000000000..ffce8babd3 --- /dev/null +++ b/nix/tests/expected/operator_breaking_change.out 
@@ -0,0 +1,50 @@
+-- Pin CVE-2026-2004 behaviour: attaching a non-built-in selectivity estimator
+-- to an operator requires superuser. Verified against both RESTRICT and JOIN.
+--
+-- Upstream commits: b764b26f (PG 15.16), bbf5bcf5 (PG 17.8). The check fires in
+-- both ValidateRestrictionEstimator() and ValidateJoinEstimator() in
+-- src/backend/commands/operatorcmds.c.
+--
+-- Refs: PSQL-1110, PSQL-1234.
+BEGIN;
+-- Build a non-built-in restriction estimator and a non-built-in join estimator.
+CREATE FUNCTION public.fake_restrict_sel(internal, oid, internal, integer)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+CREATE FUNCTION public.fake_join_sel(internal, oid, internal, smallint, internal)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+-- Trivial procedure for the operator definition.
+CREATE FUNCTION public.fake_op_proc(_int4, _int4)
+ RETURNS bool LANGUAGE sql IMMUTABLE
+ AS $$ SELECT true $$;
+-- Switch to a non-superuser role.
+SET ROLE postgres;
+-- 1) RESTRICT = non-built-in should be rejected.
+SAVEPOINT before_restrict;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = public.fake_restrict_sel
+);
+ERROR: must be superuser to specify a non-built-in restriction estimator function
+ROLLBACK TO SAVEPOINT before_restrict;
+-- 2) JOIN = non-built-in should be rejected.
+SAVEPOINT before_join;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ JOIN = public.fake_join_sel
+);
+ERROR: must be superuser to specify a non-built-in join estimator function
+ROLLBACK TO SAVEPOINT before_join;
+-- 3) Sanity check: built-in selectivity estimators still work for non-superusers.
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = eqsel,
+ JOIN = eqjoinsel
+);
+DROP OPERATOR public.@@@ (_int4, _int4);
+RESET ROLE;
+ROLLBACK;
diff --git a/nix/tests/sql/operator_breaking_change.sql b/nix/tests/sql/operator_breaking_change.sql
new file mode 100644
index 0000000000..cf60336279
--- /dev/null
+++ b/nix/tests/sql/operator_breaking_change.sql
@@ -0,0 +1,58 @@
+-- Pin CVE-2026-2004 behaviour: attaching a non-built-in selectivity estimator
+-- to an operator requires superuser. Verified against both RESTRICT and JOIN.
+--
+-- Upstream commits: b764b26f (PG 15.16), bbf5bcf5 (PG 17.8). The check fires in
+-- both ValidateRestrictionEstimator() and ValidateJoinEstimator() in
+-- src/backend/commands/operatorcmds.c.
+--
+-- Refs: PSQL-1110, PSQL-1234.
+
+BEGIN;
+
+-- Build a non-built-in restriction estimator and a non-built-in join estimator.
+CREATE FUNCTION public.fake_restrict_sel(internal, oid, internal, integer)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+
+CREATE FUNCTION public.fake_join_sel(internal, oid, internal, smallint, internal)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+
+-- Trivial procedure for the operator definition.
+CREATE FUNCTION public.fake_op_proc(_int4, _int4)
+ RETURNS bool LANGUAGE sql IMMUTABLE
+ AS $$ SELECT true $$;
+
+-- Switch to a non-superuser role.
+SET ROLE postgres;
+
+-- 1) RESTRICT = non-built-in should be rejected.
+SAVEPOINT before_restrict;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = public.fake_restrict_sel
+);
+ROLLBACK TO SAVEPOINT before_restrict;
+
+-- 2) JOIN = non-built-in should be rejected.
+SAVEPOINT before_join;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ JOIN = public.fake_join_sel
+);
+ROLLBACK TO SAVEPOINT before_join;
+
+-- 3) Sanity check: built-in selectivity estimators still work for non-superusers.
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = eqsel,
+ JOIN = eqjoinsel
+);
+
+DROP OPERATOR public.@@@ (_int4, _int4);
+
+RESET ROLE;
+ROLLBACK;
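Review bot: The two estimator stubs `fake_restrict_sel` and `fake_join_sel` are declared `LANGUAGE sql` with `internal` arguments, and as far as I know the SQL-function validator rejects non-polymorphic pseudo-type arguments ("SQL functions cannot have arguments of type internal"). If that holds here, the transaction aborts at the first `CREATE FUNCTION` and neither `CREATE OPERATOR` reaches the superuser gate, so please confirm the expected file came from a real pg_regress run. A stub that stays non-built-in but is valid would wrap the built-in symbol, e.g. `CREATE FUNCTION public.fake_restrict_sel(internal, oid, internal, integer) RETURNS float8 LANGUAGE internal STABLE STRICT AS 'eqsel';` and likewise with `'eqjoinsel'`, assuming the setup before `SET ROLE` runs as a superuser. Separately, `SET ROLE postgres` only exercises the gate if `postgres` is a non-superuser in this image, which is not the case in stock PostgreSQL. Adding `SELECT rolsuper FROM pg_roles WHERE rolname = 'postgres';` right after it would pin that precondition in the expected output.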