The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.5.2, 9.4.7, 9.3.12, 9.2.16, and 9.1.21. This release fixes two security issues and one index corruption issue in version 9.5. It also contains a variety of bug fixes for earlier versions. Users of PostgreSQL 9.5.0 or 9.5.1 should update as soon as possible.
This release closes security hole CVE-2016-2193, where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to be used for the query.
The update also fixes CVE-2016-3065, a server crash bug triggered by using pageinspect with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is being treated as a security issue.
In this release, the PostgreSQL Project has been forced to disable 9.5's Abbreviated Keys performance feature for many indexes due to reports of index corruption. This may affect any B-tree indexes on TEXT, VARCHAR, and CHAR columns which are not in "C" locale. Indexes in other locales will lose the performance benefits of the feature, and should be REINDEXed in case of existing index corruption. The feature may be re-enabled in future versions if the project finds a solution for the problem. See the release notes, and the wiki page on this issue for more information.
In addition to the above, many other issues were patched in this release based on bugs reported by our users over the last few months. This includes bugs which affect multiple versions of PostgreSQL, such as:
This update also contains tzdata release 2016c, with updates for Azerbaijan, Chile, Haiti, Palestine, and Russia, and historical fixes for other regions.
Users of version 9.5 will want to REINDEX any indexes they created on character columns in non-C locales. Users of other versions who have skipped multiple update releases may need to perform additional post-update steps; see the Release Notes for details.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.