The PostgreSQL Global Development Group has released an important update with fixes for multiple security issues to all supported versions of the PostgreSQL database system, which includes minor versions 9.4.1, 9.3.6, 9.2.10, 9.1.15, and 9.0.19. This update includes both security fixes and fixes for issues discovered since the last release. In particular for the 9.4 update, there is a change to the way unicode strings are escaped for the JSON and JSONB data types.
All users should update their PostgreSQL installation at the next opportunity.
This update fixes multiple security issues reported in PostgreSQL over the past few months. All of these issues require prior authentication, and some require additional conditions, and as such are not considered generally urgent. However, users should examine the list of security holes patched below in case they are particularly vulnerable.
This update also fixes the previously reported problem that, during regression testing on Windows, the test postmaster process was vulnerable to unauthorized connections. This vulnerability was fixed on non-Windows platforms in the prior update releases.
More information about these issues, as well as older patched issues, is available on the PostgreSQL Security Page.
The handling of Unicode escape strings for JSON and JSONB in PostgreSQL 9.4.0 has been changed in a way which may break compatibility for some users. To fix some inconsistencies, type JSONB no longer accepts the escape sequence "\u0000". Type JSON accepts "\u0000" only in contexts where it does not need to be converted to de-escaped form. See the release notes for more detail.
In addition to the above, more than 60 reported issues have been fixed in this cumulative update release. Some of them affect only version 9.4, but many of them fix problems present in older versions. These fixes include:
In addition to the fixes above, the following contrib modules and extensions have had bugs fixed in this release: pg_upgrade, auto_explain, hstore, pageinspect, pgcrypto, pg_test_fsync, tablefunc, and xml2. Also, multiple functions across several contrib modules have been modified with the correct level of volatility. There are also multiple cleanup fixes based on minor issues found by the Coverity Scan static analyzer.
This update also contains many changes to PostgreSQL's timezone files. This includes an update to tzdata release 2015a, with updates to Chile, Mexico, Caicos Islands, and Fiji. PostgreSQL now takes date into account when assigning an offset based on a timezone abbreviation for historically changeable timezones. We have also done a general cleanup on timezone abbreviations, and added "CST" as an abbreviation for China Standard Time.
As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Users who have skipped multiple update releases may need to perform additional post-update steps; see the Release Notes for details.