November 14, 2024: PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 Released!

PostgreSQL 11.4, 10.9, 9.6.14, 9.5.18, 9.4.23, and 12 Beta 2 Released!

Posted on 2019-06-20 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 11.4, 10.9, 9.6.14, 9.5.18, and 9.4.23, as well as the second beta of PostgreSQL 12. This release fixes one security issue and over 25 bugs since the previous cumulative update in May.

This release is made outside of the normal update release schedule as the security vulnerability was determined to be critical enough to distribute the fix as quickly as possible. Users who are running PostgreSQL 10, PostgreSQL 11, or the PostgreSQL 12 beta should upgrade as soon as possible.

All other users should plan to apply this update at the next scheduled downtime.

Security Issues

This release closes one security vulnerability:

  • CVE-2019-10164: Stack-based buffer overflow via setting a password

Versions affected: 10, 11, 12 beta.

An authenticated user could create a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could be further exploited to execute arbitrary code as the PostgreSQL operating system account.

Additionally, a rogue server could send a specifically crafted message during the SCRAM authentication process and cause a libpq-enabled client to either crash or execute arbitrary code as the client's operating system account.

This issue is fixed by upgrading and restarting your PostgreSQL server as well as your libpq installations. All users running PostgreSQL 10, 11, and 12 beta are encouraged to upgrade as soon as possible.

The PostgreSQL Project thanks Alexander Lakhin for reporting this problem.

Bug Fixes and Improvements

This update also fixes over 25 bugs since the previous cumulative update in May. Some of these issues affect only version 11, but many affect all supported versions.

Some of these fixes include:

  • Fix assorted errors in run-time partition pruning that could lead to wrong answers in queries on partitioned tables
  • pg_dump now recreates table partitions using CREATE TABLE and ALTER TABLE .. ATTACH PARTITION rather than including PARTITION OF in the creation command
  • Improve how initdb determines which system time zone to select if there are equivalent names for the time zone. Also explicitly prefer UTC over UCT
  • Fix possible crash while trying to copy trigger definitions to a new partition
  • Fix failure of ALTER TABLE .. ALTER COLUMN TYPE when the table has a partial exclusion constraint
  • Fix failure of COMMENT command for comments on domains
  • Several fixes related to aggregation
  • Fix faulty generation of merge-append plans that could lead to "could not find pathkey item to sort" errors
  • Fix failures on dump/restore where views contained queries with duplicate join names
  • Fix conversion of JSON string literals to JSON-type output columns in json_to_record() and json_populate_record()
  • Fix incorrect optimization of {1,1} quantifiers in regular expressions
  • Fix issue for B-tree indexes during edge case failure involving columns covered with the INCLUDE clause, which manifests itself with errors during VACUUM. If you are affected by this issue, you will need to reindex the specific index
  • Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster
  • Fix for the walreceiver process that avoids a crash or deadlock on shutdown
  • Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes
  • Fix ordering of GRANT commands emitted by pg_dump and pg_dumpall for databases and tablespaces
  • Fix misleading error reports from reindexdb
  • Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs
  • Fix contrib/auto_explain to not cause problems in parallel queries, which resulted in failures like "could not find key N in shm TOC"
  • Account for possible data modifications by local BEFORE ROW UPDATE triggers in contrib/postgres_fdw
  • On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

If one of your B-tree indexes that uses an INCLUDE clause is affected by the issue mentioned above, you will need to reindex any affected indexes. The issue manifests itself based on errors that occur during a VACUUM. You can read more about reindexing here:

https://www.postgresql.org/docs/current/sql-reindex.html

Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.

PostgreSQL 9.4 will stop receiving fixes on February 13, 2020. Please see our versioning policy for more information.

Beta Schedule

This includes the second beta release of version 12. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release in late 2019. For further information please see the Beta Testing page.

Links