PostgreSQL 10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24, and 11 Beta 3 Released!

Posted on 2018-08-09 by PostgreSQL Global Development Group
PostgreSQL Project

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24. This release fixes two security issues as well as bugs reported over the last three months.

If you have untrusted users accessing your system and you are either running PostgreSQL 9.5 or a newer version OR have installed the dblink or postgres_fdw extensions, you must apply this update as soon as possible. All other users can upgrade at the next convenient downtime.

Please note that PostgreSQL changed its versioning scheme with the release of version 10.0, so updating to version 10.5 from any 10.x release is considered a minor update.

The PostgreSQL Global Development Group also announces that the third beta release of PostgreSQL 11 is now available for download. This release contains previews of all features that will be available in the final release of PostgreSQL 11 (though some details of the release could change before then) as well as bug fixes that were reported during the second beta.

Security Issues

Two security vulnerabilities have been closed by this release:

CVE-2018-10915: Certain host connection parameters defeat client-side security defenses

libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the dblink or postgres_fdw extensions, to login to servers they should not be able to access.

You can check if your database has either extension installed by running the following from your PostgreSQL shell:

\dx dblink|postgres_fdw

Users are advised to upgrade their libpq installations as soon as possible.

The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting this problem.

CVE-2018-10925: Memory disclosure and missing authorization in INSERT ... ON CONFLICT DO UPDATE

An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (INSERT ... ON CONFLICT DO UPDATE) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.

Bug Fixes and Improvements

This update also fixes over 40 bugs reported in the last several months. Some of these issues affect only version 10, but many affect all supported versions.

These fixes include:

  • Several fixes related to VACUUM, including an issue that could lead to data corruption in certain system catalog tables
  • Several fixes for replaying write-ahead logs, including a case where a just-promoted standby server would not restart if it crashed before its first post-recovery checkpoint
  • Several performance improvements for replaying write-ahead logs
  • Several fixes for logical replication and logical decoding, including ensuring logical WAL senders are reporting the streaming state correctly
  • Allow replication slots to be dropped in single-user mode
  • Fix to have variance and similar aggregate functions return accurate results when executed using parallel query
  • Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects
  • Fix to ensure that a process doing a parallel index scan will respond to signals, such as one to abort a query
  • Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers
  • Several fixes for the query planner including improving the cost estimates for hash-joins and choosing to use indexes for mergejoins on composite type columns
  • Fix performance regression related to POSIX semaphores for multi-CPU systems running Linux or FreeBSD
  • Fix for GIN indexes that could lead to an assertion failure after a pg_upgrade from a version before PostgreSQL 9.4
  • Fix for SHOW ALL to display superuser configuration settings to roles that are allowed to read all settings
  • Fix issue where COPY FROM .. WITH HEADER would drop a line after every 4,294,967,296 lines processed
  • Several fixes for XML support, including using the document node as the context for XPath queries as defined in the SQL standard, which affects the xpath and xpath_exists functions, as well as XMLTABLE
  • Fix libpq for certain cases where hostaddr is used
  • Several ecpg fixes for Windows
  • Fix password prompting in Windows client programs so that echo is properly disabled
  • Several pg_dump fixes, including correctly outputting REPLICA IDENTITY properties for constraint indexes
  • Make pg_upgrade check that the old server was shut down cleanly

This update also contains tzdata release 2018e, with updates for North Korea. The 2018e also reintroduces the negative-DST changes that were originally introduced in 2018a, which affects historical and present timestamps for Ireland (1971-), as well as historical timestamps for Namibia (1994-2017) and the former Czechoslovakia (1946-1947). If your application is storing timestamps with those timezones in the affected date ranges, we ask that you please test to ensure your applications behave as expected.

PostgreSQL 11 Beta 3 Fixes and Improvements

PostgreSQL 11 Beta 3 contains applicable bug fixes from the cumulative release as well as over 20 fixes of its own. For a full list of fixes for PostgreSQL 11 Beta 3, please visit the open items page.

EOL Warning for PostgreSQL 9.3

PostgreSQL 9.3 will become end-of-life after the next planned release in November. We urge users to start planning an upgrade to a later version of PostgreSQL as soon as possible. See our Versioning Policy for more information

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.

Upgrading to PostgreSQL 11 Beta 3

To upgrade to PostgreSQL 11 Beta 3 from Beta 1 or 2, or a earlier version of PostgreSQL, you will to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more information, please visit the documentation section on upgrading.

PostgreSQL 11 Beta Schedule and Testing

This is the third beta release of version 11. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release in late 2018. For further information please see the Beta Testing page.

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools in order to find bugs and regressions before the release of PostgreSQL 11. We greatly appreciate all of the testing performed to date as we get closer to the final release. Your feedback and testing will help determine the final tweaks on the new features, so please continue to test. The quality of user testing helps determine when we can make a final release.

A list of open items is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Links