The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 15.3, 14.8, 13.11, 12.15, and 11.20. This release fixes two security vulnerabilities and over 80 bugs reported over the last several months.
For the full list of changes, please review the release notes.
PostgreSQL 11 will stop receiving fixes on November 9, 2023. If you are running PostgreSQL 11 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
CREATE SCHEMA ... schema_element defeats protective search_path changes.

Versions Affected: 11 - 15. The security team typically does not test unsupported versions, but this problem is quite old.

This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.

The PostgreSQL project thanks Alexander Lakhin for reporting this problem.
Versions Affected: 11 - 15. The security team typically does not test unsupported versions, but this problem is quite old.

While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

The PostgreSQL project thanks Wolfgang Walther for reporting this problem.
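The following triage script is an added example, not part of this announcement or of PostgreSQL's own tooling. It checks, per database, the preconditions of the two issues above: whether the server already runs one of the fixed minor releases named in this announcement, which non-superuser login roles hold database-level CREATE (the privilege the CREATE SCHEMA issue requires), and which tables carry row security policies (the row security issue affects only databases that have used CREATE POLICY). It uses only standard catalog functions and views.

```sql
-- Added triage script (not part of this announcement or of PostgreSQL itself).
-- Run it as a superuser in each database you administer.

-- 1. Is this server on a minor release that carries the fixes above?
--    server_version_num = major * 10000 + minor, so 15.3 is 150003.
--    Thresholds are the fixed releases named in this announcement.
WITH v AS (SELECT current_setting('server_version_num')::int AS num)
SELECT current_setting('server_version') AS version,
       CASE num / 10000
         WHEN 15 THEN num >= 150003
         WHEN 14 THEN num >= 140008
         WHEN 13 THEN num >= 130011
         WHEN 12 THEN num >= 120015
         WHEN 11 THEN num >= 110020
       END AS has_fixes   -- NULL: major version not covered by this announcement
FROM v;

-- 2. Precondition for the CREATE SCHEMA issue: non-superuser login roles that
--    hold CREATE on the current database. Database owners have it by default;
--    explicit or PUBLIC grants (which has_database_privilege accounts for)
--    extend it to other roles.
SELECT r.rolname,
       d.datdba = r.oid AS is_db_owner
FROM pg_roles r
JOIN pg_database d ON d.datname = current_database()
WHERE r.rolcanlogin
  AND NOT r.rolsuper
  AND has_database_privilege(r.oid, d.oid, 'CREATE')
ORDER BY r.rolname;

-- 3. Precondition for the row security issue: this database has used
--    CREATE POLICY. Policies bound to specific roles (anything other than
--    PUBLIC) are the ones the announcement singles out.
SELECT schemaname, tablename, policyname, roles, cmd,
       roles <> '{public}' AS role_specific
FROM pg_policies
ORDER BY schemaname, tablename, policyname;
```

The privilege and policy queries are per database and need running in each one; the version check needs running only once per server.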
This update fixes over 80 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 15. Some of these issues may also affect other supported versions of PostgreSQL.
Included in this release are fixes for:

* CREATE DATABASE when using the STRATEGY = WAL_LOG option, including a potential corruption that could lose modifications to a template/source database.
* CREATE SCHEMA AUTHORIZATION.
* MERGE.
* COPY TO from a parent table with row-level security enabled not copying any rows from child tables.
* vacuum_defer_cleanup_age being larger than the current 64-bit xid.
* Partition pruning with IS NOT TRUE and IS NOT FALSE conditions. Prior to this, NULL partitions were accidentally pruned.
* vacuum_cost_delay settings.
* UPDATE or DELETE action.
* DO blocks that use cast expressions.
* pg_dump, so that partitioned tables that are hash-partitioned on an enumerated type column can be restored successfully.
* pg_trgm, where an unsatisfiable regular expression could lead to a crash when using a GiST or GIN index.
* pg_get_wal_records_info() in pg_walinspect.

This release also updates time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine. When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
For the full list of changes available, please review the release notes.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
For more details, please see the release notes.
If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.