September 26, 2024: PostgreSQL 17 Released!

PostgreSQL 13.3, 12.7, 11.12, 10.17, and 9.6.22 Released!

Posted on 2021-05-13 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.3, 12.7, 11.12, 10.17, and 9.6.22. This release closes three security vulnerabilities and fixes over 45 bugs reported over the last three months.

For the full list of changes, please review the release notes.

Security Issues

CVE-2021-32027: Buffer overrun from integer overflow in array subscripting calculations

Versions Affected: 9.6 - 13. The security team typically does not test unsupported versions, but this problem is quite old.

While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.

The PostgreSQL project thanks Tom Lane for reporting this problem.

CVE-2021-32028: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE

Versions Affected: 9.6 - 13. The security team typically does not test unsupported versions. The feature first appeared in 9.5.

Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot use this attack at will.

The PostgreSQL project thanks Andres Freund for reporting this problem.

CVE-2021-32029: Memory disclosure in partitioned-table UPDATE ... RETURNING

Versions Affected: 11 - 13

Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas typically cannot use this attack at will.

The PostgreSQL project thanks Tom Lane for reporting this problem.

Bug Fixes and Improvements

This update fixes over 45 bugs that were reported in the last several months. Some of these issues only affect version 13, but could also apply to other supported versions.

Some of these fixes include:

  • Fix potential incorrect computation of UPDATE ... RETURNING outputs for joined, cross-partition updates.
  • Fix ALTER TABLE ... ALTER CONSTRAINT when used on foreign-key constraints on partitioned tables. The command would fail to adjust the DEFERRABLE and/or INITIALLY DEFERRED properties of the constraints and triggers of leaf partitions, leading to unexpected behavior. After updating to this version, you can execute the ALTER TABLE ... ALTER CONSTRAINT command to fix any misbehaving partitioned tables.
  • Ensure that when a child table is attached with ALTER TABLE ... INHERIT that generated columns in the parent are generated in the same way in the child.
  • Forbid marking an identity column as NULL.
  • Allow ALTER ROLE ... SET/ALTER DATABASE ... SET to set the role, session_authorization, and temp_buffers parameters.
  • Ensure that REINDEX CONCURRENTLY preserves any statistics target set for the index.
  • Fix an issue where, in some cases, saving records within AFTER triggers could cause crashes.
  • Fix how to_char() handles Roman-numeral month format codes with negative intervals.
  • Fix use of uninitialized value while parsing an \{m,n\} quantifier in a BRE-mode regular expression.
  • Fix "could not find pathkey item to sort" planner errors that occur in some situations when the sort key involves an aggregate or window function.
  • Fix issue with BRIN index bitmap scans that could lead to "could not open file" errors.
  • Fix potentially wrong answers from GIN tsvector index searches when there are many matching records.
  • Fixes for COMMIT AND CHAIN functionality on both the server and psql.
  • Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL, which could lead to consistency issues and the inability to restart the server.
  • Ensure thatwal_sync_method is set to fdatasync by default on newer FreeBSD releases.
  • Disable the vacuum_cleanup_index_scale_factor parameter and storage option.
  • Fix several memory leaks in the server, including one with SSL/TLS parameter initialization.
  • Restore the previous behavior of \connect service=XYZ to psql, i.e. disallow environmental variables (e.g. PGPORT) from overriding entries in the service file.
  • Fix how pg_dump handles generated columns in partitioned tables.
  • Add additional checks to pg_upgrade for user tables containing non-upgradable data types.
  • On Windows, initdb now prints instructions about how to start the server with pg_ctl using backslash separators.
  • Fix pg_waldump to count XACT records correctly when generating per-record statistics.

For the full list of changes available, please review the release notes.

PostgreSQL 9.6 EOL Notice

PostgreSQL 9.6 will stop receiving fixes on November 11, 2021. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.

For more details, please see the release notes.

Links