The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 12.2, 11.7, 10.12, 9.6.17, 9.5.21, and 9.4.26. This release fixes one security issue found in the PostgreSQL server and over 75 bugs reported over the last three months.
Users should plan to update as soon as possible.
This is the last release for PostgreSQL 9.4, which will no longer receive security updates and bug fixes. PostgreSQL 9.4 introduced new features such as JSONB support, the ALTER SYSTEM command, the ability to stream logical changes to an output plugin, and more.
While we are very proud of this release, these features are also found in newer versions of PostgreSQL. Many of these features have also received improvements, and, per our versioning policy, it is time to retire PostgreSQL 9.4.
To receive continued support, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see the PostgreSQL versioning policy for more information.
ALTER ... DEPENDS ON EXTENSION is missing authorization checks.
Versions Affected: 9.6 - 12
The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION.
The PostgreSQL project thanks Tom Lane for reporting this problem.
This update also fixes over 75 bugs that were reported in the last several months. Some of these issues affect only version 12, but others may also affect all supported versions.
Some of these fixes include:
TRUNCATE ... CASCADE would not remove all data. If you have previously used TRUNCATE ... CASCADE on a partitioned table with foreign-key references please see the "Updating" section for verification and cleanup steps.
RECORD.
UPDATE triggers.
REPLICA IDENTITY FULL.
pg_replication_slot_advance() on a physical replication slot will persist changes across restarts.
CONCURRENTLY option when performing an index creation, drop, or reindex on a temporary table.
box, range and inet data types.
ALTER TABLE when a column referenced in a GENERATED expression is added or changed in type earlier in the same ALTER TABLE statement.
AFTER ROW triggers on a foreign table.
EXTRACT(ISOYEAR FROM timestamp) for BC dates.
pg_hba.conf file.
pg_dump and pg_restore when run in parallel mode.
postgres_fdw when trying to execute a remote query on the remote server such as UPDATE remote_tab SET (x,y) = (SELECT ...).
crosstab() function of contrib/tablefunc to prevent crashes.
NOTIFY.
For the full list of changes available, please review the release notes.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
If you had previously executed TRUNCATE ... CASCADE on a sub-partition of a partitioned table, and the partitioned table has a foreign-key reference from another table, you may have to execute the TRUNCATE on the other table, or execute a DELETE if you have added rows since running TRUNCATE ... CASCADE. The issue that caused this is fixed in this release, but you will have to perform this step to ensure all of your data is cleaned up.
For more details, please see the release notes.