PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 Released!

The PostgreSQL Global Development Group has released an update to all supported
versions of our database system, including 13.1, 12.5, 11.10, 10.15, 9.6.20, and
9.5.24. This release closes three security vulnerabilities and fixes over 65
bugs reported over the last three months.

Due to the nature of CVE-2020-25695, we advise you to [update as soon as possible](https://www.postgresql.org/download/).

Additionally, this is the second-to-last release of PostgreSQL 9.5. If you are
running PostgreSQL 9.5 in a production environment, we suggest that you make
plans to upgrade.

For the full list of changes, please review the
[release notes](https://www.postgresql.org/docs/current/release.html).

Security Issues
---------------

### CVE-2020-25695: Multiple features escape "security restricted operation" sandbox

Versions Affected: 9.5 - 13. The security team typically does not test
unsupported versions, but this problem is quite old.

An attacker having permission to create non-temporary objects in at least one
schema can execute arbitrary SQL functions under the identity of a superuser.

While promptly updating PostgreSQL is the best remediation for most users, a
user unable to do that can work around the vulnerability by disabling
autovacuum and not manually running `ANALYZE`, `CLUSTER`, `REINDEX`,
`CREATE INDEX`, `VACUUM FULL`, `REFRESH MATERIALIZED VIEW`, or a restore from
output of the `pg_dump` command. Performance may degrade quickly under this
workaround.

`VACUUM` without the `FULL` option is safe, and all commands are fine when a
trusted user owns the target object.

The PostgreSQL project thanks Etienne Stalmans for reporting this problem.

### CVE-2020-25694: Reconnection can downgrade connection security settings

Versions Affected: 9.5 - 13. The security team typically does not test
unsupported versions, but this problem is quite old.

Many PostgreSQL-provided client applications have options that create additional
database connections. Some of those applications reuse only the basic
connection parameters (e.g. `host`, `user`, `port`), dropping others. If this
drops a security-relevant parameter (e.g. `channel_binding`, `sslmode`,
`requirepeer`, `gssencmode`), the attacker has an opportunity to complete a MITM
attack or observe cleartext transmission.

Affected applications are `clusterdb`, `pg_dump`, `pg_restore`, `psql`,
`reindexdb`, and `vacuumdb`. The vulnerability arises only if one invokes an
affected client application with a connection string containing a
security-relevant parameter.

This also fixes how the `\connect` command of `psql` reuses connection
parameters, i.e. all non-overridden parameters from a previous connection
string now re-used.

The PostgreSQL project thanks Peter Eisentraut for reporting this problem.

### CVE-2020-25696: `psql`'s `\gset` allows overwriting specially treated variables

Versions Affected: 9.5 - 13. The security team typically does not test
unsupported versions, but this problem likely arrived with the feature's debut
in version 9.3.

The `\gset` meta-command, which sets `psql` variables based on query results,
does not distinguish variables that control `psql` behavior. If an interactive
`psql` session uses `\gset` when querying a compromised server, the attacker can
execute arbitrary code as the operating system account running `psql`.
Using `\gset` with a prefix not found among specially treated variables, e.g.
any lowercase string, precludes the attack in an unpatched `psql`.

The PostgreSQL project thanks Nick Cleaton for reporting this problem.

Bug Fixes and Improvements
--------------------------

This update also fixes over 65 bugs that were reported in the last several
months. Some of these issues only affect version 13, but may also apply to other
supported versions.

Some of these fixes include:

* Fix a breakage in the replication protocol by ensuring that two "command
completion" events are expected for `START_REPLICATION`.
* Ensure `fsync` is called on the SLRU caches that PostgreSQL maintains. This
prevents potential data loss due to an operating system crash.
* Fix `ALTER ROLE` usage for users with the `BYPASSRLS` permission.
* `ALTER TABLE ONLY ... DROP EXPRESSION` is disallowed on partitioned tables
when there are child tables.
* Ensure that `ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER` does not apply to
child tables.
* Fix for `ALTER TABLE ... SET NOT NULL` on partitioned tables to avoid a
potential deadlock in parallel `pg_restore`.
* Fix handling of expressions in `CREATE TABLE LIKE` with inheritance.
* `DROP INDEX CONCURRENTLY` is disallowed on partitioned tables.
* Allow `LOCK TABLE` to succeed on a self-referential view instead of throwing
an error.
* Several fixes around statistics collection and progress reporting for
`REINDEX CONCURRENTLY`.
* Ensure that `GENERATED` columns are updated when any columns they depend on
are updated via a rule or an updatable view.
* Support hash partitioning with text array columns as partition keys.
* Allow the jsonpath `.datetime()` method to accept ISO 8601-format timestamps.
* During a "smart" shutdown, ensure background processes are not terminated
until all foreground client sessions are completed, fixing an issue that broke
the processing of parallel queries.
* Several fixes for the query planner and optimizer.
* Ensure that data is de-toasted before being inserted into a BRIN index. This
could manifest itself with errors like "missing chunk number 0 for toast value
NNN". If you have seen a similar error in an existing BRIN index, you should be
able to correct it by using `REINDEX` on the index.
* Fix the output of `EXPLAIN` to have the correct XML tag nesting for
incremental sort plans.
* Several fixes for memory leaks, including ones involving RLS policies, using
`CALL` with PL/pgSQL, `SIGHUP` processing a configuration parameter that cannot
be applied without a restart, and an edge-case for index lookup for a partition.
* libpq can now support arbitrary-length lines in the .pgpass file.
* On Windows, `psql` now reads the output of a backtick command in text mode,
not binary mode, so it can now properly handle newlines.
* Fix how `pg_dump`, `pg_restore`, `clusterdb`, `reindexdb`, and `vacuumdb` use
complex connection-string parameters.
* When the `\connect` command of `psql` reuses connection parameters, ensure
that all non-overridden parameters from a previous connection string are also
re-used.
* Ensure that `pg_dump` collects per-column information about extension
configuration tables, avoiding crashes when specifying `--inserts`.
* Ensure that parallel `pg_restore` processes foreign keys referencing
partitioned tables in the correct order.
* Several fixes for `contrib/pgcrypto`, including a memory leak fix.

This update also contains tzdata release 2020d for for DST law changes in Fiji,
Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station
(Antarctica); plus historical corrections for France, Hungary, Monaco, and
Palestine.

For the full list of changes available, please review the
[release notes](https://www.postgresql.org/docs/current/release.html).

PostgreSQL 9.5 EOL Notice
-------------------------

PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. If you are
running PostgreSQL 9.5 in a production environment, we suggest that you make
plans to upgrade to a newer, supported version of PostgreSQL. Please see our
[versioning policy](https://www.postgresql.org/support/versioning/) for more
information.

Updating
--------

All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use `pg_upgrade` in
order to apply this update release; you may simply shutdown PostgreSQL and
update its binaries.

Users who have skipped one or more update releases may need to run additional,
post-update steps; please see the release notes for earlier versions for
details.

For more details, please see the
[release notes](https://www.postgresql.org/docs/current/release.html).

**NOTE**: PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. Please
see our [versioning policy](https://www.postgresql.org/support/versioning/) for
more information.

Links
-----
* [Download](https://www.postgresql.org/download/)
* [Release Notes](https://www.postgresql.org/docs/release/)
* [Security](https://www.postgresql.org/support/security/)
* [Versioning Policy](https://www.postgresql.org/support/versioning/)
* [Follow @postgresql on Twitter](https://twitter.com/postgresql)