PostgreSQL 13.3, 12.7, 11.12, 10.17, and 9.6.22 Released! The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.3, 12.7, 11.12, 10.17, and 9.6.22. This release closes three security vulnerabilities and fixes over 45 bugs reported over the last three months. For the full list of changes, please review the release notes. Security IssuesCVE-2021-32027: Buffer overrun from integer overflow in array subscripting calculationsVersions Affected: 9.6 - 13. The security team typically does not test unsupported versions, but this problem is quite old. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The PostgreSQL project thanks Tom Lane for reporting this problem. CVE-2021-32028: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE Versions Affected: 9.6 - 13. The security team typically does not test unsupported versions. The feature first appeared in 9.5. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot use this attack at will. The PostgreSQL project thanks Andres Freund for reporting this problem. CVE-2021-32029: Memory disclosure in partitioned-table UPDATE ... RETURNING Versions Affected: 11 - 13 Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas typically cannot use this attack at will. The PostgreSQL project thanks Tom Lane for reporting this problem. Bug Fixes and ImprovementsThis update fixes over 45 bugs that were reported in the last several months. Some of these issues only affect version 13, but could also apply to other supported versions. Some of these fixes include: - Fix potential incorrect computation of
UPDATE ... RETURNING outputs for joined, cross-partition updates. - Fix
ALTER TABLE ... ALTER CONSTRAINT when used on foreign-key constraints on partitioned tables. The command would fail to adjust the DEFERRABLE and/or INITIALLY DEFERRED properties of the constraints and triggers of leaf partitions, leading to unexpected behavior. After updating to this version, you can execute the ALTER TABLE ... ALTER CONSTRAINT command to fix any misbehaving partitioned tables. - Ensure that when a child table is attached with
ALTER TABLE ... INHERIT that generated columns in the parent are generated in the same way in the child. - Forbid marking an identity column as
NULL . - Allow
ALTER ROLE ... SET /ALTER DATABASE ... SET to set the role, session_authorization, and temp_buffers parameters. - Ensure that REINDEX CONCURRENTLY preserves any statistics target set for the index.
- Fix an issue where, in some cases, saving records within
AFTER triggers could cause crashes. - Fix how
to_char() handles Roman-numeral month format codes with negative intervals. - Fix use of uninitialized value while parsing an
\{m,n\} quantifier in a BRE-mode regular expression. - Fix "could not find pathkey item to sort" planner errors that occur in some situations when the sort key involves an aggregate or window function.
- Fix issue with BRIN index bitmap scans that could lead to "could not open file" errors.
- Fix potentially wrong answers from GIN
tsvector index searches when there are many matching records. - Fixes for
COMMIT AND CHAIN functionality on both the server and psql . - Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL, which could lead to consistency issues and the inability to restart the server.
- Ensure that
wal_sync_method is set to fdatasync by default on newer FreeBSD releases. - Disable the
vacuum_cleanup_index_scale_factor parameter and storage option. - Fix several memory leaks in the server, including one with SSL/TLS parameter initialization.
- Restore the previous behavior of
\connect service=XYZ to psql , i.e. disallow environmental variables (e.g. PGPORT ) from overriding entries in the service file. - Fix how
pg_dump handles generated columns in partitioned tables. - Add additional checks to
pg_upgrade for user tables containing non-upgradable data types. - On Windows,
initdb now prints instructions about how to start the server with pg_ctl using backslash separators. - Fix
pg_waldump to count XACT records correctly when generating per-record statistics.
For the full list of changes available, please review the release notes. PostgreSQL 9.6 EOL NoticePostgreSQL 9.6 will stop receiving fixes on November 11, 2021. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information. UpdatingAll PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries. Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details. For more details, please see the release notes. Links |