The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.3, 12.7, 11.12, 10.17, and 9.6.22. This release closes three security vulnerabilities and fixes over 45 bugs reported over the last three months.
For the full list of changes, please review the release notes.
Versions Affected: 9.6 - 13. The security team typically does not test unsupported versions, but this problem is quite old.
While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.
The PostgreSQL project thanks Tom Lane for reporting this problem.
INSERT ... ON CONFLICT ... DO UPDATE
Versions Affected: 9.6 - 13. The security team typically does not test unsupported versions. The feature first appeared in 9.5.
Using an INSERT ... ON CONFLICT ... DO UPDATE
command on a purpose-crafted
table, an attacker can read arbitrary bytes of server memory. In the default
configuration, any authenticated database user can create prerequisite objects
and complete this attack at will. A user lacking the CREATE
and TEMPORARY
privileges on all databases and the CREATE
privilege on all schemas cannot use
this attack at will.
The PostgreSQL project thanks Andres Freund for reporting this problem.
UPDATE ... RETURNING
Versions Affected: 11 - 13
Using an UPDATE ... RETURNING
on a purpose-crafted partitioned table, an
attacker can read arbitrary bytes of server memory. In the default
configuration, any authenticated database user can create prerequisite objects
and complete this attack at will. A user lacking the CREATE
and TEMPORARY
privileges on all databases and the CREATE
privilege on all schemas typically
cannot use this attack at will.
The PostgreSQL project thanks Tom Lane for reporting this problem.
This update fixes over 45 bugs that were reported in the last several months. Some of these issues only affect version 13, but could also apply to other supported versions.
Some of these fixes include:
UPDATE ... RETURNING
outputs for
joined, cross-partition updates.ALTER TABLE ... ALTER CONSTRAINT
when used on foreign-key constraints on
partitioned tables. The command would fail to adjust the DEFERRABLE
and/or
INITIALLY DEFERRED
properties of the constraints and triggers of leaf
partitions, leading to unexpected behavior. After updating to this version, you
can execute the ALTER TABLE ... ALTER CONSTRAINT
command to fix any
misbehaving partitioned tables.ALTER TABLE ... INHERIT
that
generated columns in the parent are generated in the same way in the child.NULL
.ALTER ROLE ... SET
/ALTER DATABASE ... SET
to set the role,
session_authorization, and temp_buffers parameters.AFTER
triggers
could cause crashes.to_char()
handles Roman-numeral month format codes with negative
intervals.\{m,n\}
quantifier in a
BRE-mode regular expression.tsvector
index searches when there
are many matching records.COMMIT AND CHAIN
functionality on both the server and psql
.wal_sync_method
is set to fdatasync
by default on newer
FreeBSD releases.vacuum_cleanup_index_scale_factor
parameter and storage option.\connect service=XYZ
to psql
, i.e.
disallow environmental variables (e.g. PGPORT
) from overriding entries in the
service file.pg_dump
handles generated columns in partitioned tables.pg_upgrade
for user tables containing
non-upgradable data types.initdb
now prints instructions about how to start the server
with pg_ctl
using backslash separators.pg_waldump
to count XACT records correctly when generating per-record
statistics.For the full list of changes available, please review the release notes.
PostgreSQL 9.6 will stop receiving fixes on November 11, 2021. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use pg_upgrade
in
order to apply this update release; you may simply shutdown PostgreSQL and
update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
For more details, please see the release notes.