PostgreSQL 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24 Released!

The PostgreSQL Global Development Group has released an update to all supported
versions of our database system, including 14.1, 13.5, 12.9, 11.14, 10.19, and
9.6.24. This release closes two security vulnerabilities and fixes over 40 bugs
reported over the last three months.

Additionally, this is the **final release of PostgreSQL 9.6**. If you are
running PostgreSQL 9.6 in a production environment, we suggest that you make
plans to upgrade.

For the full list of changes, please review the
[release notes](https://www.postgresql.org/docs/release/).

Security Issues
---------------

### [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/): Server processes unencrypted bytes from man-in-the-middle

Versions Affected: 9.6 - 14. The security team typically does not test
unsupported versions, but this problem is quite old.

When the server is configured to use `trust` authentication with a `clientcert`
requirement or to use `cert` authentication, a man-in-the-middle attacker can
inject arbitrary SQL queries when a connection is first established, despite the
use of SSL certificate verification and encryption.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

### [CVE-2021-23222](https://www.postgresql.org/support/security/CVE-2021-23222/): libpq processes unencrypted bytes from man-in-the-middle

Versions Affected: 9.6 - 14. The security team typically does not test
unsupported versions, but this problem is quite old.

A man-in-the-middle attacker can inject false responses to the client's first
few queries, despite the use of SSL certificate verification and encryption.

If more preconditions hold, the attacker can exfiltrate the client's password
or other confidential data that might be transmitted early in a session. The
attacker must have a way to trick the client's intended server into making the
confidential data accessible to the attacker. A known implementation having
that property is a PostgreSQL configuration vulnerable to [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/).

As with any exploitation of [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/), the server must be using `trust`
authentication with a `clientcert` requirement or using `cert` authentication.
To disclose a password, the client must be in possession of a password, which is
atypical when using an authentication configuration vulnerable to
[CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/). The attacker must have some other way to access the server to
retrieve the exfiltrated data (a valid, unprivileged login account would be
sufficient).

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Bug Fixes and Improvements
--------------------------

This update fixes over 40 bugs that were reported in the last several months.
The issues listed below affect PostgreSQL 14. Some of these issues may also
affect other supported versions of PostgreSQL.

Some of these fixes include:

* Fix physical replication for cases where the primary crashes after shipping a
WAL segment that ends with a partial WAL record. When applying this update,
update your standby servers before the primary so that they will be ready to
handle the fix if the primary happens to crash.
* Fix parallel `VACUUM` so that it will process indexes below the
[`min_parallel_index_scan_size`](https://www.postgresql.org/docs/14/runtime-config-query.html#GUC-MIN-PARALLEL-INDEX-SCAN-SIZE)
threshold if the table has at least two indexes that are above that size. This
problem does not affect autovacuum. If you are affected by this issue, you
should reindex any manually-vacuumed tables.
* Fix causes of `CREATE INDEX CONCURRENTLY` and `REINDEX CONCURRENTLY` writing
corrupt indexes. You should reindex any concurrently-built indexes.
* Fix for attaching/detaching a partition that could allow certain
`INSERT`/`UPDATE` queries to misbehave in active sessions.
* Fix for creating a new range type with `CREATE TYPE` that could cause
problems for later event triggers or subsequent executions of the `CREATE TYPE`
command.
* Fix updates of element fields in arrays of a domain that is a part of a
composite.
* Disallow the combination of `FETCH FIRST WITH TIES` and
`FOR UPDATE SKIP LOCKED`.
* Fix corner-case loss of precision in the numeric `power()` function.
* Fix restoration of a Portal's snapshot inside a subtransaction, which could
lead to a crash. For example, this could occur in PL/pgSQL when a `COMMIT` is
immediately followed by a `BEGIN ... EXCEPTION` block that performs a query.
* Clean up correctly if a transaction fails after exporting its snapshot. This
could occur if a replication slot was created then rolled back, and then another
replication slot was created in the same session.
* Fix for "overflowed-subtransaction" wraparound tracking on standby servers
that could lead to performance degradation.
* Ensure that prepared transactions are properly accounted for during promotion
of a standby server.
* Ensure that the correct lock level is used when renaming a table.
* Avoid crash when dropping a role that owns objects being dropped concurrently.
* Disallow setting `huge_pages` to on when `shared_memory_type` is `sysv`
* Fix query type checking in the PL/pgSQL `RETURN QUERY`.
* Several fixes for `pg_dump`, including the ability to dump non-global default
privileges correctly.
* Use the CLDR project's data to map Windows time zone names to IANA time zones.

This update also contains tzdata release 2021e for DST law changes in Fiji,
Jordan, Palestine, and Samoa, plus historical corrections for Barbados,
Cook Islands, Guyana, Niue, Portugal, and Tonga.

Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the
following zones have been merged into nearby, more-populous zones whose clocks
have agreed with them since 1970: Africa/Accra, America/Atikokan,
America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau,
America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all
these cases, the previous zone name remains as an alias.

For the full list of changes available, please review the
[release notes](https://www.postgresql.org/docs/release/).

PostgreSQL 9.6 is EOL
---------------------

This is the final release of PostgreSQL 9.6. If you are running PostgreSQL 9.6
in a production environment, we suggest that you make plans to upgrade to a
newer, supported version of PostgreSQL. Please see our
[versioning policy](https://www.postgresql.org/support/versioning/) for more
information.

Updating
--------

All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use `pg_upgrade` in
order to apply this update release; you may simply shutdown PostgreSQL and
update its binaries.

Users who have skipped one or more update releases may need to run additional,
post-update steps; please see the release notes for earlier versions for
details.

For more details, please see the
[release notes](https://www.postgresql.org/docs/release/).

Links
-----
* [Download](https://www.postgresql.org/download/)
* [Release Notes](https://www.postgresql.org/docs/release/)
* [Security](https://www.postgresql.org/support/security/)
* [Versioning Policy](https://www.postgresql.org/support/versioning/)
* [Follow @postgresql on Twitter](https://twitter.com/postgresql)