The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.4.5, 9.3.10, 9.2.14, 9.1.19 and 9.0.23. This release fixes two security issues, as well as several bugs found over the last four months. Users vulnerable to the security issues should update their installations immediately; other users should update at the next scheduled downtime. This is also the final update release for major version 9.0.
Two security issues have been fixed in this release which affect users of specific PostgreSQL features:
CVE-2015-5289: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service.
CVE-2015-5288: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed.
The PostgreSQL project thanks Josh Kupershmidt and Oskari Saarenmaa for reporting these issues.
This update will also disable SSL renegotiation by default; previously, it was enabled by default. SSL renegotiation will be removed entirely in PostgreSQL versions 9.5 and later.
In addition to the above, many other issues were patched in this release based on bugs reported by our users over the last few months. These fixes include:
This update also contains tzdata release 2015g, with updates for Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, Uruguay, and the new zone America/Fort_Nelson.
9.0.23 is the final update for major version 9.0, which is now End-Of-Life (EOL) as scheduled. Future security updates will not include version 9.0. As such, users of that version should plan to upgrade to another major version as soon as possible. For more information about the community's support policy and EOL schedule, see the Versioning Policy.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Users who have skipped multiple update releases may need to perform additional post-update steps; see the Release Notes for details.