PostgreSQL 16.4, 15.8, 14.13, 13.16, 12.20, and 17 Beta 3 Released!

Posted on 2024-08-08 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.4, 15.8, 14.13, 13.16, and 12.20, as well as the third beta release of PostgreSQL 17. This release fixes 1 security vulnerability and over 55 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 12 EOL Notice

PostgreSQL 12 will stop receiving fixes on November 14, 2024. If you are running PostgreSQL 12 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 12 - 16.

An attacker able to create and drop non-temporary objects can inject SQL that a concurrent pg_dump session then executes with the privileges of the role running pg_dump (often a superuser). The attack replaces a sequence or similar object with a view or foreign table whose expansion runs the attacker's code. This release introduces a new server parameter, restrict_nonsystem_relation_kind, which can disable expansion of non-builtin views as well as access to foreign tables, and pg_dump now sets it when the server supports it. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix: an older pg_dump run against a patched server never sets the parameter, and a patched pg_dump run against an older server cannot.

The PostgreSQL project thanks Noah Misch for reporting this problem.
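As an added illustration, not code from this announcement or from the PostgreSQL project, the following psql session shows the primitive the advisory describes (a user-defined view whose expansion runs code with the privileges of whoever reads it) and what the new parameter does to it. The role and object names (app_user, who_read_me, record_reader, innocuous) are invented for the example; the timing race that swaps a sequence for such a view underneath a running pg_dump is not reproduced here.

```sql
-- Added example; not part of the PostgreSQL announcement or the project's code.
-- All object and role names (app_user, who_read_me, record_reader, innocuous)
-- are made up for illustration. Requires a server at 16.4, 15.8, 14.13,
-- 13.16, 12.20 or later, which is where restrict_nonsystem_relation_kind exists.

-- 1. Is the server patched?  An unpatched server returns no row here.
SELECT name, setting, context
FROM   pg_settings
WHERE  name = 'restrict_nonsystem_relation_kind';

-- 2. The mechanism: an ordinary role that can create objects in a schema
--    defines a view whose expansion calls a function.  Run as app_user.
CREATE TABLE who_read_me (reader text, read_at timestamptz DEFAULT now());

CREATE FUNCTION record_reader() RETURNS bigint
LANGUAGE plpgsql AS $$
BEGIN
    -- Runs with the privileges of whoever expands the view, not app_user's.
    INSERT INTO who_read_me (reader) VALUES (current_user);
    RETURN 1;
END
$$;

-- Looks like a sequence's last_value to a casual reader; it is a trap.
CREATE VIEW innocuous AS SELECT record_reader() AS last_value;

-- 3. Run as a superuser (the kind of role that typically runs pg_dump).
--    With the default, empty setting the view expands and record_reader()
--    runs as the superuser; app_user's table now holds that role name.
SHOW restrict_nonsystem_relation_kind;
SELECT * FROM innocuous;
SELECT * FROM who_read_me;

-- 4. The restriction a patched pg_dump applies on a patched server, set by
--    hand for this session: expansion of non-system views and access to
--    foreign tables is refused, while catalog views keep working.
SET restrict_nonsystem_relation_kind = 'view, foreign-table';
SELECT count(*) FROM pg_stat_activity;    -- system view: still allowed
SELECT * FROM innocuous;                  -- non-system view: now rejected
RESET restrict_nonsystem_relation_kind;

-- 5. Clean up (as app_user).
DROP VIEW innocuous;
DROP FUNCTION record_reader();
DROP TABLE who_read_me;
```

Two checks follow from the caveat in the advisory. The query in step 1 tells you whether the server side is patched; `pg_dump --version` on the machine that takes the backups tells you whether the client side is, since an older pg_dump never sends the SET in step 4 no matter how new the server is. Pinning the parameter for the backup role with ALTER ROLE ... SET is a possible belt-and-braces measure not taken from the announcement; if you try it, run your full dump workflow against it first, because any dump mode that reads through foreign tables will be refused while the foreign-table restriction is in force.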

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

  • Avoid incorrect results from "Merge Right Anti Join" plans, where if the inner relation is known to have unique join keys, the merge could misbehave when there are duplicated join keys in the outer relation.
  • Prevent infinite loop in VACUUM.
  • Fix partition pruning setup during ALTER TABLE DETACH ... PARTITION CONCURRENTLY.
  • Fix behavior of stable functions that are used as an argument to a CALL statement.
  • pg_sequence_last_value() now returns NULL instead of throwing an error when called on unlogged sequences on standby servers and on temporary sequences of other sessions.
  • Fix parsing of ignored operators in websearch_to_tsquery().
  • Correctly check updatability of view columns targeted by INSERT ... DEFAULT.
  • Lock owned sequences during ALTER TABLE ... SET LOGGED|UNLOGGED.
  • Don't throw an error if a queued AFTER trigger no longer exists.
  • Fix selection of an arbiter index for INSERT ... ON CONFLICT when the desired index has expressions or predicates, for example, through an updatable view.
  • Refuse to modify a temporary table of another session with ALTER TABLE.
  • Fix handling of extended statistics on expressions in CREATE TABLE ... LIKE STATISTICS.
  • Fix failure to recalculate sub-queries generated from MIN() or MAX() aggregates.
  • Disallow underscores in positional parameters.
  • Avoid crashing when a JIT-inlined backend function throws an error.
  • Fix handling of subtransactions of prepared transactions when starting a hot standby server.
  • Prevent incorrect initialization of logical replication slots.
  • Fix memory leak in the logical replication WAL sender when publishing changes to a partitioned table whose partitions have row types that are physically different from the table.
  • Disable creation of stateful TLS session tickets by OpenSSL.
  • Fix how PL/pgSQL handles integer ranges containing underscores (e.g., FOR i IN 1_001..1_002).
  • Fix incompatibility between PL/Perl and Perl 5.40.
  • Several fixes related to recursive PL/Python functions and triggers.
  • Ensure that pg_restore -l reports dependent table of contents entries correctly.
  • pg_stat_statements now passes a query ID for utility (non-SELECT/INSERT/UPDATE) statements that appear in SQL-language functions.
  • Fix for postgres_fdw when mapping a foreign table to a nontrivial remote view.
  • postgres_fdw no longer sends a FETCH FIRST WITH TIES clause to a remote server.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

A Note on the PostgreSQL 17 Beta

This release marks the third beta release of PostgreSQL 17 and puts the community one step closer to general availability tentatively around the end of the third quarter.

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 17 on your systems to help us eliminate bugs or other issues that may exist. While we do not advise you to run PostgreSQL 17 Beta 3 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback will help the community ensure that the PostgreSQL 17 release upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

https://www.postgresql.org/developer/beta/

Upgrading to PostgreSQL 17 Beta 3

To upgrade to PostgreSQL 17 Beta 3 from an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more information, please visit the documentation section on upgrading.

Changes Since Beta 2

Fixes and changes in PostgreSQL 17 Beta 3 include:

  • Rename the standby_slot_names parameter to synchronized_standby_slots.
  • Several SQL/JSON fixes.
  • Fix pg_combinebackup --clone.
  • Fix pg_createsubscriber to work for database names that contain a space.
  • pg_createsubscriber now drops pre-existing subscriptions when run on a target database.
  • Improve efficiency in retrieving subscription information during pg_upgrade.
  • Fix TLS fallback behavior with sslmode=prefer so that an error sent by the server during the startup process is reported as an error rather than triggering a fallback to a non-TLS connection.
  • Document an error case with pg_basebackup incremental backup on a standby server when it's executed immediately after the previous backup.
  • Fix issue where pg_upgrade --transaction-size can cause the backend to use an order of magnitude more RAM.

Please see the release notes for a complete list of new and changed features, and PostgreSQL 17 open items for more details on fixes and changes.

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools in order to find bugs and regressions before the general availability of PostgreSQL 17. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.