PostgreSQL 18.3 Emergency Patch

Why an Out-of-Cycle Patch?

Normally, PostgreSQL releases minor updates on a quarterly schedule. But this was an Out-of-cycle Release issued urgently within 14 days of version 18.2. The main reasons:

• Some bugs caused Standby Server to stop working — directly impacting High Availability systems
• Some bugs caused application crashes when using Text Search or JSON functions
• Some bugs caused queries to return wrong results silently without any error — the most dangerous type, very hard to detect

9 Bugs Fixed in This Patch

1. Standby Server Stops — "could not access status of transaction"

This is the most critical bug — it causes Standby Server (Read Replica) to stop working with the error "could not access status of transaction," meaning Disaster Recovery and High Availability systems will be unavailable until patched.

2. substring() Encoding Error on Non-ASCII Text

The substring() function returns incorrect results when used with non-ASCII text such as Thai, Chinese, or Japanese — a regression from the CVE-2026-2006 fix in a previous version. For ERP systems storing Thai-language data, this bug can silently produce incorrect reports.

3. pg_trgm strict_word_similarity() Crash

The strict_word_similarity() function in the pg_trgm extension — used for Fuzzy Text Search — causes PostgreSQL to crash immediately. This is a regression from the CVE-2026-2007 fix. Organizations using pg_trgm for searching customer names, product names, or addresses are directly affected.

4. json_strip_nulls() Function Volatility — Changed to Immutable

The json_strip_nulls() function was previously defined as Stable but should actually be Immutable (always returns the same result for the same input). This fix allows json_strip_nulls() to be used in Expression Indexes, improving query performance for JSON data.

5. LATERAL UNION ALL NULL — Silent Wrong Query Results

When using LATERAL JOIN with UNION ALL where some columns contain NULL, the system returns wrong results without any error. This type of bug is extremely dangerous — wrong data gets used for decision-making without anyone noticing.

6. NOT NULL Constraint Naming Conflicts

Naming NOT NULL constraints may conflict with existing constraints, preventing table creation or column additions — affecting Migration Scripts and Schema Changes in production systems.

7. pg_stat_get_backend_wait_event() for Auxiliary Processes

The Wait Event monitoring function for Backend Processes returns incorrect data for Auxiliary Processes such as Background Writer and Checkpointer — impacting performance monitoring and diagnostics.

8. Composite-type Casting in PL/pgSQL

Casting Composite Type data in PL/pgSQL fails in certain cases — affecting Stored Procedures that use Record Types or Row Types, which are common patterns in ERP systems with complex business logic.

9. hstore Binary Input Crash with Duplicate Keys

The hstore extension crashes when receiving binary input with duplicate keys — affecting systems that use hstore for Key-Value storage such as custom fields or metadata.

Impact Summary by Severity Level

Level	Bug	Impact
Critical	Standby server stops	HA/DR unusable
Critical	pg_trgm crash, hstore crash	System crash
High	substring encoding, LATERAL UNION ALL	Silent wrong data
Medium	NOT NULL naming, PL/pgSQL casting	Schema change fails
Low	json_strip_nulls, wait_event	Performance/Monitoring incorrect

Affected Versions

This patch covers all supported branches of PostgreSQL:

Branch	Buggy Version	Fixed Version
PostgreSQL 18	18.2	18.3
PostgreSQL 17	17.8	17.9
PostgreSQL 16	16.12	16.13
PostgreSQL 15	15.16	15.17
PostgreSQL 14	14.21	14.22

Why This Matters for Organizations Using Saeree ERP

Saeree ERP has used PostgreSQL as its primary database for over 20 years, which means:

• All financial data — accounting, inventory, procurement — runs on PostgreSQL
• Standby Servers used for DR and Read Replicas may stop working if not patched
• Thai-language reports may display incorrect data due to the substring encoding bug
• Stored Procedures using PL/pgSQL may fail due to the Composite-type casting bug

Patching a database is not something you do when you "have spare time" — it must be done immediately when a patch is released, especially an Out-of-cycle Release issued due to critical issues.

— Saeree ERP Team

Best Practices for Patching Databases in Production

For organizations that need to update PostgreSQL in a production system, here are the recommended steps:

1. Check current version — run SELECT version(); on every server, both Primary and Standby
2. Read the Release Notes — check which bugs affect your system. You don't need to panic about every bug, but assess the impact first
3. Test on Staging — update the Staging environment first, run the application test suite to confirm nothing breaks
4. Backup your data — backup with pg_dump or pg_basebackup before every update
5. Update Standby before Primary — for PostgreSQL Minor Releases, you can update the binary and restart directly, no pg_upgrade needed
6. Verify after update — run SELECT version(); again, check Standby Replication Lag, and test key system functions

Summary — What to Do Now

1. Check your PostgreSQL version — if you're on a buggy version (18.2, 17.8, 16.12, 15.16, 14.21), update immediately
2. Update to the latest version in your branch (18.3, 17.9, 16.13, 15.17, 14.22)
3. Check Standby Server — if using Streaming Replication, verify it's still working normally
4. Plan an upgrade if you're still on PostgreSQL 13 or lower — as these versions have reached End of Life

If your organization uses Saeree ERP and needs help updating PostgreSQL or planning Disaster Recovery, feel free to contact our consulting team for a system readiness assessment.

References

• PostgreSQL 18.3, 17.9, 16.13, 15.17, and 14.22 Released — postgresql.org
• PostgreSQL Release Notes — postgresql.org