The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.6.3, 9.5.7, 9.4.12, 9.3.17, and 9.2.21. This release fixes three security issues. It also patches a number of other bugs reported over the last three months. Users who use the PGREQUIRESSL environment variable to control connections, and users who rely on security isolation between database users when using foreign servers, should update as soon as possible. Other users should plan to update at the next convenient downtime.
Three security vulnerabilities have been closed by this release:
The fix for CVE-2017-7486 applies to new databases, see the release notes for the procedure to apply the fix to an existing database.
Any user relying on the PGREQUIRESSL environment variable is encouraged to use the sslmode connection string option, as use of PGREQUIRESSL is deprecated. CVE-2017-7485 does not affect the 9.2 series. For more information on these issues and how they affect backwards-compatibility, see the Release Notes.
This update also fixes a number of bugs reported in the last few months. Some of these issues affect only the 9.6 series, but many affect all supported versions. There are more than 90 fixes in this release, including:
Users of replication tools based on logical decoding, as well as users of unlogged indexes, should consult the release notes for potential extra steps during the upgrade.
This update also contains tzdata release 2017b with updates for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries. The timezone library is synchronized with IANA release tzcode2017b.
PostgreSQL version 9.2 will be End-of-Life in September 2017. The project expects to only release one, or two, more updates for that version. We urge users to start planning an upgrade to a later version of PostgreSQL as soon as possible. See our Versioning Policy for more information.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.
After update, users of replication tools based on logical decoding, as well as users of unlogged indexes, should consult the release notes for potential extra steps during the upgrade. See the Release Notes for more details.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.