[bitnami/postgresql] Release 18.4.0-debian-12-r5

bitnami/postgresql/18/debian-12/Dockerfile

@@ -9,7 +9,7 @@ ARG TARGETARCH
 ARG WITH_ALL_LOCALES="no"
 
 LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \
-      org.opencontainers.image.created="2026-05-28T08:14:10Z" \
+      org.opencontainers.image.created="2026-06-05T18:29:40Z" \
       org.opencontainers.image.description="Application packaged by Broadcom, Inc." \
       org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/postgresql/README.md" \
       org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/postgresql" \
@@ -31,7 +31,7 @@ RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \
     mkdir -p /tmp/bitnami/pkg/cache/ ; cd /tmp/bitnami/pkg/cache/ || exit 1 ; \
     COMPONENTS=( \
       "nss-wrapper-1.1.16-0-linux-${OS_ARCH}-debian-12" \
-      "postgresql-18.4.0-0-linux-${OS_ARCH}-debian-12" \
+      "postgresql-18.4.0-1-linux-${OS_ARCH}-debian-12" \
     ) ; \
     for COMPONENT in "${COMPONENTS[@]}"; do \
       if [ ! -f "${COMPONENT}.tar.gz" ]; then \
@@ -56,7 +56,7 @@ COPY rootfs /
 RUN /opt/bitnami/scripts/postgresql/postunpack.sh
 ENV APP_VERSION="18.4.0" \
     BITNAMI_APP_NAME="postgresql" \
-    IMAGE_REVISION="4" \
+    IMAGE_REVISION="5" \
     LANG="en_US.UTF-8" \
     LANGUAGE="en_US:en" \
     NSS_WRAPPER_LIB="/opt/bitnami/common/lib/libnss_wrapper.so" \

bitnami/postgresql/18/debian-12/prebuildfs/opt/bitnami/checksums/postgresql-18.4.0-1-linux-amd64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+f899c1ed519370b9a04a32f672c5bcca52e180a4ade2fd787d248b122e50b028  postgresql-18.4.0-1-linux-amd64-debian-12.tar.gz

bitnami/postgresql/18/debian-12/prebuildfs/opt/bitnami/checksums/postgresql-18.4.0-1-linux-arm64-debian-12.tar.gz.sha256

@@ -0,0 +1 @@
+4dce3513036f5aece69713f08c71ae3e27af7ebb34aa4dce39fa8a62f1a9153e  postgresql-18.4.0-1-linux-arm64-debian-12.tar.gz

bitnami/postgresql/18/debian-12/prebuildfs/opt/bitnami/scripts/libos.sh

@@ -170,7 +170,7 @@ ensure_user_exists() {
     if [[ -n "$home" ]]; then
         mkdir -p "$home"
         usermod -d "$home" "$user" >/dev/null 2>&1
-        configure_permissions_ownership "$home" -d "775" -f "664" -u "$user" -g "$group"
+        configure_permissions_ownership "$home" -d "775" -f "664" -u "$user" -g "$group" -n
     fi
 }
 

bitnami/postgresql/18/debian-12/prebuildfs/opt/bitnami/scripts/libvalidations.sh

@@ -20,7 +20,7 @@
 #########################
 is_int() {
     local -r int="${1:?missing value}"
-    if [[ "$int" =~ ^-?[0-9]+ ]]; then
+    if [[ "$int" =~ ^-?[0-9]+$ ]]; then
         true
     else
         false

bitnami/postgresql/18/debian-12/prebuildfs/opt/bitnami/scripts/libversion.sh

@@ -49,3 +49,36 @@ get_sematic_version () {
         fi
     fi
 }
+
+########################
+# Compares two semantic versions
+# Arguments:
+#   $1 - version1: first version to compare
+#   $2 - version2: second version to compare
+# Returns:
+#   -1 if version1 is less than version2
+#   0 if version1 is equal to version2
+#   1 if version1 is greater than version2
+#########################
+compare_semantic_versions() {
+    local version1="${1:?version1 is required}"
+    local version2="${2:?version2 is required}"
+    local major1 major2 minor1 minor2 patch1 patch2
+
+    major1="$(get_sematic_version "$version1" 1)"
+    major2="$(get_sematic_version "$version2" 1)"
+    minor1="$(get_sematic_version "$version1" 2)"
+    minor2="$(get_sematic_version "$version2" 2)"
+    patch1="$(get_sematic_version "$version1" 3)"
+    patch2="$(get_sematic_version "$version2" 3)"
+
+    if [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -eq "$minor2" ]] && [[ "$patch1" -eq "$patch2" ]]; then
+        echo "0"
+    elif [[ "$major1" -lt "$major2" ]] ||
+      { [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -lt "$minor2" ]]; } ||
+      { [[ "$major1" -eq "$major2" ]] && [[ "$minor1" -eq "$minor2" ]] && [[ "$patch1" -lt "$patch2" ]]; }; then
+        echo "-1"
+    else
+        echo "1"
+    fi
+}

bitnami/postgresql/18/debian-12/rootfs/opt/bitnami/scripts/libpostgresql.sh

@@ -55,22 +55,25 @@ postgresql_validate() {
         error "$1"
         error_code=1
     }
-
     check_multi_value() {
         if [[ " ${2} " != *" ${!1} "* ]]; then
             print_validation_error "The allowed values for ${1} are: ${2}"
         fi
     }
-
     empty_password_enabled_warn() {
         warn "You set the environment variable ALLOW_EMPTY_PASSWORD=${ALLOW_EMPTY_PASSWORD}. For safety reasons, do not use this flag in a production environment."
     }
     empty_password_error() {
         print_validation_error "The $1 environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development."
     }
+
+    check_multi_value "POSTGRESQL_PGHBA_AUTH_METHOD" "md5 scram-sha-256"
     if is_boolean_yes "$ALLOW_EMPTY_PASSWORD"; then
         empty_password_enabled_warn
     else
+        if [[ "$POSTGRESQL_PGHBA_AUTH_METHOD" = "md5" ]]; then
+            warn "POSTGRESQL_AUTH_METHOD is 'md5': md5 format is vulnerable to pass-the-hash attacks. Please consider using 'scram-sha-256' instead."
+        fi
         if [[ -z "$POSTGRESQL_PASSWORD" ]]; then
             empty_password_error "POSTGRESQL_PASSWORD"
         fi
@@ -333,7 +336,7 @@ EOF
 #########################
 postgresql_restrict_pghba() {
     if [[ -n "$POSTGRESQL_PASSWORD" ]]; then
-        replace_in_file "$POSTGRESQL_PGHBA_FILE" "trust" "md5" false
+        replace_in_file "$POSTGRESQL_PGHBA_FILE" "trust" "$POSTGRESQL_PGHBA_AUTH_METHOD" false
     fi
 }
 
@@ -349,7 +352,7 @@ postgresql_restrict_pghba() {
 postgresql_add_replication_to_pghba() {
     local replication_auth="trust"
     if [[ -n "$POSTGRESQL_REPLICATION_PASSWORD" ]]; then
-        replication_auth="md5"
+        replication_auth="$POSTGRESQL_PGHBA_AUTH_METHOD"
     fi
     cat <<EOF >>"$POSTGRESQL_PGHBA_FILE"
 host      replication     all             0.0.0.0/0               ${replication_auth}
@@ -369,7 +372,7 @@ EOF
 postgresql_add_sr_check_user_to_pghba() {
     local sr_check_auth="trust"
     if [[ -n "$POSTGRESQL_SR_CHECK_PASSWORD" ]]; then
-        sr_check_auth="md5"
+        sr_check_auth="$POSTGRESQL_PGHBA_AUTH_METHOD"
     fi
     cat <<EOF >>"$POSTGRESQL_PGHBA_FILE"
 host      $POSTGRESQL_SR_CHECK_DATABASE     $POSTGRESQL_SR_CHECK_USERNAME      0.0.0.0/0               ${sr_check_auth}

bitnami/postgresql/18/debian-12/rootfs/opt/bitnami/scripts/postgresql-env.sh

@@ -94,6 +94,7 @@ postgresql_env_vars=(
     POSTGRESQL_TCP_KEEPALIVES_INTERVAL
     POSTGRESQL_TCP_KEEPALIVES_COUNT
     POSTGRESQL_STATEMENT_TIMEOUT
+    POSTGRESQL_PGHBA_AUTH_METHOD
     POSTGRESQL_PGHBA_REMOVE_FILTERS
     POSTGRESQL_USERNAME_CONNECTION_LIMIT
     POSTGRESQL_POSTGRES_CONNECTION_LIMIT
@@ -168,6 +169,7 @@ postgresql_env_vars=(
     POSTGRES_TCP_KEEPALIVES_INTERVAL
     POSTGRES_TCP_KEEPALIVES_COUNT
     POSTGRES_STATEMENT_TIMEOUT
+    POSTGRES_PGHBA_AUTH_METHOD
     POSTGRES_PGHBA_REMOVE_FILTERS
     POSTGRES_USER_CONNECTION_LIMIT
     POSTGRES_POSTGRES_CONNECTION_LIMIT
@@ -342,6 +344,8 @@ POSTGRESQL_TCP_KEEPALIVES_COUNT="${POSTGRESQL_TCP_KEEPALIVES_COUNT:-"${POSTGRES_
 export POSTGRESQL_TCP_KEEPALIVES_COUNT="${POSTGRESQL_TCP_KEEPALIVES_COUNT:-}"
 POSTGRESQL_STATEMENT_TIMEOUT="${POSTGRESQL_STATEMENT_TIMEOUT:-"${POSTGRES_STATEMENT_TIMEOUT:-}"}"
 export POSTGRESQL_STATEMENT_TIMEOUT="${POSTGRESQL_STATEMENT_TIMEOUT:-}"
+POSTGRESQL_PGHBA_AUTH_METHOD="${POSTGRESQL_PGHBA_AUTH_METHOD:-"${POSTGRES_PGHBA_AUTH_METHOD:-}"}"
+export POSTGRESQL_PGHBA_AUTH_METHOD="${POSTGRESQL_PGHBA_AUTH_METHOD:-md5}"
 POSTGRESQL_PGHBA_REMOVE_FILTERS="${POSTGRESQL_PGHBA_REMOVE_FILTERS:-"${POSTGRES_PGHBA_REMOVE_FILTERS:-}"}"
 export POSTGRESQL_PGHBA_REMOVE_FILTERS="${POSTGRESQL_PGHBA_REMOVE_FILTERS:-}"
 POSTGRESQL_USERNAME_CONNECTION_LIMIT="${POSTGRESQL_USERNAME_CONNECTION_LIMIT:-"${POSTGRES_USER_CONNECTION_LIMIT:-}"}"

bitnami/postgresql/README.md

@@ -148,6 +148,7 @@
 | `POSTGRESQL_TCP_KEEPALIVES_INTERVAL`       | Set the TCP keepalive interval time                                                                  | `nil`                                   |
 | `POSTGRESQL_TCP_KEEPALIVES_COUNT`          | Set the TCP keepalive count                                                                          | `nil`                                   |
 | `POSTGRESQL_STATEMENT_TIMEOUT`             | Set the SQL statement timeout                                                                        | `nil`                                   |
+| `POSTGRESQL_PGHBA_AUTH_METHOD`             | Auth method to use for pg_hba.conf                                                                   | `md5`                                   |
 | `POSTGRESQL_PGHBA_REMOVE_FILTERS`          | Comma-separated list of strings for removing pg_hba.conf lines (example: md5, local)                 | `nil`                                   |
 | `POSTGRESQL_USERNAME_CONNECTION_LIMIT`     | Set the user connection limit                                                                        | `nil`                                   |
 | `POSTGRESQL_POSTGRES_CONNECTION_LIMIT`     | Set the postgres user connection limit                                                               | `nil`                                   |
@@ -385,7 +386,7 @@
 
 ### 9.6.11-r38, 10.6.0-r39 and 11.1.0-r34
 
 - The PostgreSQL container now contains options to easily configure synchronous commits between slaves. This provides more data stability, but must be configured with caution as it also has a cost in performance. For more information, check [Synchronous Commits](#synchronous-commits).
 
 ### 9.6.9-r19 and 10.4.0-r19