November 14, 2024: PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 Released!

PostgreSQL 15.2, 14.7, 13.10, 12.14, and 11.19 Released!

Posted on 2023-02-09 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 15.2, 14.7, 13.10, 12.14, and 11.19. This release closes one security vulnerability and fixes over 60 bugs reported over the last several months.

For the full list of changes, please review the release notes.

Security Issues

CVE-2022-41862: Client memory disclosure when connecting, with Kerberos, to modified server.

Versions Affected: 12 - 15.

A modified, unauthenticated server or an unauthenticated man-in-the-middle can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If libpq's caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. We have not confirmed or ruled out viability of attacks that arrange for a crash or for presence of notable, confidential information in disclosed bytes.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Bug Fixes and Improvements

This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 15. Some of these issues may also affect other supported versions of PostgreSQL.

Included in this release:

  • Fix for partitioned tables to correctly update GENERATED columns in child tables if the GENERATED column does not exist in the parent table or the child generated column has different dependencies than the parent.
  • Several fixes for the MERGE command.
  • Allow a WITH RECURSIVE ... CYCLE query to access its SET output column.
  • Fix an issue with bulk insertions on foreign tables that could lead to logical inconsistencies, for example, a BEFORE ROW trigger may not process rows that should be available.
  • Reject uses of undefined variables in jsonpath existence checks.
  • Fix for jsonb subscripting that come directly from a text column in a table.
  • Honor updated values of checkpoint_completion_target on reload.
  • Log the correct ending timestamp in recovery_target_xid mode.
  • Fix issue to allow column lists longer than 100 when using logical replication.
  • Prevent "wrong tuple length" failure at the end of VACUUM.
  • Avoid an immediate commit after ANALYZE when using query pipelining.
  • Several fixes to the query planner, including one that provides more opportunities for using memoization with partitionwise joins.
  • Fix for statistics collection to correctly handle when a relation changes type (e.g. a table is converted to a view).
  • Ensure full text search queries can be cancelled while performing phrase matches.
  • Fix deadlock between DROP DATABASE and logical replication worker process.
  • Fix small session-lifespan memory leak when CREATE SUBSCRIPTION fails its connection attempt.
  • Performance improvement for replicas with hot_standby enabled that are processing SELECT queries.
  • Several fixes for logical decoding that improve its stability and bloat handling.
  • Fix the default logical replication plug-in, pgoutput, to not send columns that are not listed in a table's replication column list.
  • Fix possible corruption of very large tablespace map files in pg_basebackup.
  • Remove a harmless warning from pg_dump in --if-exists mode when the public schema has a non-default owner.
  • Fix the psql commands \sf and \ef to handle SQL-language functions that have SQL-standard function bodies (i.e. BEGIN ATOMIC).
  • Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA.
  • Update the pageinspect extension to mark its disk-accessing functions as PARALLEL RESTRICTED.
  • Fix the seg extension to not crash or print garbage if an input number has more than 127 digits.

This release also updates time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore. Notably, a new timezone, America/Ciudad_Juarez, has been split off from America/Ojinaga.

For the full list of changes available, please review the release notes.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.

For more details, please see the release notes.

Links