Commit 7f230d0

docs: add release notes for v9.15
Drafts the user-facing release notes for the 9.15 release. Covers all 47 non-merge commits since REL-9_14:

- 18 issue-linked entries under New features / Housekeeping / Bug fixes, with reporter credits (names only) for the six external CVE reports
- #9901 absorbs 14 follow-up commits (session encryption + 0o600, SHA-256 digest, drop of live AuthSourceManager / cloud provider instances, DATA_DIR perms, log file mode, log handler hardening, user_info_server prompt-loop bound) via "Also..."
- #9830 absorbs the @with_object_filters extension to ServerNode.list
- 14 commits without an associated GitHub issue listed under "Additional changes" (bug fixes / test stability / refactoring / housekeeping) for transparency

CVE IDs are placeholders ("CVE pending") and will be filled in once MITRE assigns them. Release date and bundled-utility version are also placeholders pending the actual release.
1 parent fcb3db7 commit 7f230d0

1 file changed

Lines changed: 75 additions & 0 deletions

docs/en_US/release_notes_9_15.rst

@@ -0,0 +1,75 @@
1+
************
2+
Version 9.15
3+
************
4+
5+
Release date: 2026-05-11
6+
7+
This release contains a number of bug fixes and new features since the release of pgAdmin 4 v9.14.
8+
9+
Supported Database Servers
10+
**************************
11+
**PostgreSQL**: 13, 14, 15, 16, 17 and 18
12+
13+
**EDB Advanced Server**: 13, 14, 15, 16, 17 and 18
14+
15+
Bundled PostgreSQL Utilities
16+
****************************
17+
**psql**, **pg_dump**, **pg_dumpall**, **pg_restore**: 18.2
18+
19+
20+
New features
21+
************
22+
23+
| `Issue #9657 <https://github.com/pgadmin-org/pgadmin4/issues/9657>`_ - Allow the container image to run as a non-default user via the PUID and PGID environment variables.
24+
25+
Housekeeping
26+
************
27+
28+
| `Issue #9764 <https://github.com/pgadmin-org/pgadmin4/issues/9764>`_ - Update the Swedish translation.
29+
| `Issue #9827 <https://github.com/pgadmin-org/pgadmin4/issues/9827>`_ - Bump Python and JavaScript dependencies.
30+
| `Issue #9832 <https://github.com/pgadmin-org/pgadmin4/issues/9832>`_ - Fix the Czech translation for 'Refresh'.
31+
| `Issue #9834 <https://github.com/pgadmin-org/pgadmin4/issues/9834>`_ - Bump runtime dependencies and upgrade ESLint to v10.
32+
| `Issue #9839 <https://github.com/pgadmin-org/pgadmin4/issues/9839>`_ - Update the Russian translation.
33+
| `Issue #9870 <https://github.com/pgadmin-org/pgadmin4/issues/9870>`_ - Bump runtime and development dependencies.
34+
| `Issue #9873 <https://github.com/pgadmin-org/pgadmin4/issues/9873>`_ - Use an ``<OWNER>`` placeholder in resql tests instead of a hardcoded 'postgres' role to support non-default superuser names.
35+
| `Issue #9893 <https://github.com/pgadmin-org/pgadmin4/issues/9893>`_ - Update the Spanish translation.
36+
37+
Bug fixes
38+
*********
39+
40+
| `Issue #9656 <https://github.com/pgadmin-org/pgadmin4/issues/9656>`_ - Use absolute paths for ``a2enmod`` and ``a2enconf`` in the Debian setup script so it works when ``/usr/sbin`` is not on PATH.
41+
| `Issue #9830 <https://github.com/pgadmin-org/pgadmin4/issues/9830>`_ - Fix cross-user data access and shared-server privilege escalation in server mode (CVE pending). Also applies the ``@with_object_filters`` access-control decorator to ``ServerNode.list``.
42+
| `Issue #9835 <https://github.com/pgadmin-org/pgadmin4/issues/9835>`_ - Tighten Shared Server feature parity, owner-only field handling, and write guards as a follow-up to the data-isolation hardening (CVE pending).
43+
| `Issue #9865 <https://github.com/pgadmin-org/pgadmin4/issues/9865>`_ - Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names rendered in the Browser Tree and Explain Visualizer (CVE pending). Reported by Fahar Abbas.
44+
| `Issue #9898 <https://github.com/pgadmin-org/pgadmin4/issues/9898>`_ - Fix SQL injection in Maintenance tool option values (CVE pending). Reported by j3seer.
45+
| `Issue #9899 <https://github.com/pgadmin-org/pgadmin4/issues/9899>`_ - Fix OS command injection in Import/Export query export (CVE pending). Reported by Chung Kim (chungkn), OneMount Group.
46+
| `Issue #9900 <https://github.com/pgadmin-org/pgadmin4/issues/9900>`_ - Fix local-file inclusion and server-side request forgery in LLM API configuration endpoints (CVE pending). Reported by j3seer.
47+
| `Issue #9901 <https://github.com/pgadmin-org/pgadmin4/issues/9901>`_ - Fix unsafe deserialization in the session manager that could lead to remote code execution (CVE pending). Also encrypts session files at rest using Fernet, restricts session-file permissions to 0o600, switches the session-digest default from SHA-1 to SHA-256, drops several non-roundtrippable live objects from the session (``AuthSourceManager`` and the Azure, RDS, Google Cloud, and BigAnimal cloud-provider instances), tightens DATA_DIR file and directory permissions at creation, creates ``pgadmin4.log`` with mode 0o600, hardens ``EnhancedRotatingFileHandler._open`` against rotation failures, and bounds the ``user_info_server`` prompt retry loop so a non-interactive caller cannot spin forever. Reported by Fernando Bortotti.
48+
| `Issue #9902 <https://github.com/pgadmin-org/pgadmin4/issues/9902>`_ - Fix symlink-based path traversal in the file manager (CVE pending). Reported by Fernando Bortotti.
49+
50+
Additional changes (no associated issue)
51+
****************************************
52+
53+
The commits below did not have a dedicated GitHub issue. They are listed here for transparency.
54+
55+
Bug fixes
56+
---------
57+
58+
| ``1518b0828`` - Restore the SERVER_MODE python-test path and fix two endpoint regressions surfaced by it.
59+
| ``d57acce35`` - Harden validation, preference, and connection-params paths against pre-existing edge cases.
60+
61+
Test-suite stability
62+
--------------------
63+
64+
| ``a11d289bd`` - Harden ``click_modal`` backdrop wait and ``open_query_tool`` stale-element retry in feature tests.
65+
| ``a50a553b0`` - Feature tests use ``sys.executable``; sync ``yarn.lock`` to ``package.json``.
66+
| ``0fad04de8`` - PSQL socket tests use the authenticated tester; the role-dependencies test skips cleanly on auth failure.
67+
| ``1f7194924`` - Harden six regression tests against environmental drift.
68+
| ``dc61039e9`` - Quote the username in the views/mview test helper for dotted local roles.
69+
| ``9b29bc203`` - Quote the username in the types/compound-triggers test helpers for dotted local roles.
70+
| ``504775de8`` - Quote the username in the user-mappings test helper for dotted local roles.
71+
72+
Refactoring
73+
-----------
74+
75+
| ``6f4f28def`` - Factor the WTForms-error-to-JSON conversion into a helper and drop a dead import.
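
Review bot: The "Additional changes (no associated issue)" section at the end of the hunk lists 10 commit hashes under three subsections (Bug fixes 2, Test-suite stability 7, Refactoring 1), but the commit message describes 14 such commits across four groups including housekeeping, so four commits appear to be missing from notes that are meant to account for all 47. Either add the missing entries with a Housekeeping subsection or correct the count in the message. Near the top, "Release date: 2026-05-11" and the "18.2" utilities version are described in the message as placeholders but read as final values; an RST comment beside each would keep them from shipping unverified, and the same applies to the eight "(CVE pending)" markers. The #9901 entry also folds operator-visible behaviour changes (Fernet encryption of session files, the session-digest default moving from SHA-1 to SHA-256, mode 0o600 on session files and pgadmin4.log) into one long bug-fix line; consider giving them their own entries and stating whether existing sessions or file permissions need any action on upgrade.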
