The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24. This release fixes two security issues as well as bugs reported over the last three months.
If you have untrusted users accessing your system and you are either running PostgreSQL 9.5 or a newer version OR have installed the dblink or postgres_fdw extensions, you must apply this update as soon as possible. All other users can upgrade at the next convenient downtime.
Please note that PostgreSQL changed its versioning scheme with the release of version 10.0, so updating to version 10.5 from any 10.x release is considered a minor update.
The PostgreSQL Global Development Group also announces that the third beta release of PostgreSQL 11 is now available for download. This release contains previews of all features that will be available in the final release of PostgreSQL 11 (though some details of the release could change before then) as well as bug fixes that were reported during the second beta.
Two security vulnerabilities have been closed by this release:
libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the dblink or postgres_fdw extensions, to login to servers they should not be able to access.
You can check if your database has either extension installed by running the following from your PostgreSQL shell:
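The query below is an added example and not the announcement's own check; it assumes you run it with psql in each database (pg_extension is database-local) and uses server_version_num as a proxy for the libpq that ships with the server packages.

```sql
-- Added example, not from the announcement. Run in psql, once per database:
-- pg_extension is database-local, so an extension installed in one database
-- is not visible from another.
SELECT current_database() AS db, extname, extversion
  FROM pg_extension
 WHERE extname IN ('dblink', 'postgres_fdw');

-- Is this server already on the fixed minor release listed above?
-- server_version_num encodes 10.5 as 100005, 9.6.10 as 90610, and so on.
SELECT v.num AS server_version_num,
       v.num >= CASE v.num / 100
                  WHEN 1000 THEN 100005  -- 10.5
                  WHEN 906  THEN 90610   -- 9.6.10
                  WHEN 905  THEN 90514   -- 9.5.14
                  WHEN 904  THEN 90419   -- 9.4.19
                  WHEN 903  THEN 90324   -- 9.3.24
                END AS patched            -- NULL: branch not covered by this release
  FROM (SELECT current_setting('server_version_num')::int AS num) v;
```

A patched server only covers the libpq used by dblink and postgres_fdw inside the server; libpq on client hosts is versioned with the client packages and must be updated there separately.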
Users are advised to upgrade their libpq installations as soon as possible.
The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting this problem.
INSERT ... ON CONFLICT DO UPDATE
An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (INSERT ... ON CONFLICT DO UPDATE) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.
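As an added example that is not part of the announcement, the catalog queries below show which roles can issue CREATE TABLE on a given server, which is why "any user" is affected on a default install; the REVOKE at the end is an interim hardening step assumed here, not advice from the announcement, and does not replace applying the update.

```sql
-- Added example, not from the announcement. Which schemas grant CREATE, and to
-- whom? A default install grants CREATE on schema "public" to the PUBLIC
-- pseudo-role (grantee OID 0), so every role can CREATE TABLE there.
-- Schemas with a NULL nspacl are owner-only and yield no rows here.
SELECT n.nspname AS schema,
       CASE a.grantee WHEN 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee
  FROM pg_namespace n,
       aclexplode(n.nspacl) AS a          -- expands the ACL array, one row per grant
 WHERE a.privilege_type = 'CREATE'
   AND n.nspname NOT LIKE 'pg\_%'        -- skip pg_catalog, pg_toast, pg_temp_*
 ORDER BY 1, 2;

-- Temporary tables are created with CREATE TABLE as well; the database-level
-- TEMP privilege goes to PUBLIC by default (a NULL datacl means the default
-- grants of CONNECT and TEMP to PUBLIC), so review it alongside the schemas.
SELECT d.datname,
       d.datacl IS NULL AS default_acl
  FROM pg_database d
 WHERE d.datallowconn
   AND (d.datacl IS NULL
        OR EXISTS (SELECT 1 FROM aclexplode(d.datacl) a
                    WHERE a.grantee = 0 AND a.privilege_type = 'TEMPORARY'));

-- Superusers can create tables regardless of any ACL; keep this list short.
SELECT rolname FROM pg_roles WHERE rolsuper;

-- Interim hardening while the update is scheduled (assumed here, not from the
-- announcement): stop untrusted roles from creating ordinary tables in
-- "public". This narrows exposure but does not fix the bug; apply the release.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```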
This update also fixes over 40 bugs reported in the last several months. Some of these issues affect only version 10, but many affect all supported versions.
These fixes include:
- Several VACUUM fixes, including an issue that could lead to data corruption in certain system catalog tables
- Ensure that variance and similar aggregate functions return accurate results when executed using parallel query
- Allow SHOW ALL to display superuser configuration settings to roles that are allowed to read all settings
- Fix a case where COPY FROM .. WITH HEADER would drop a line after every 4,294,967,296 lines processed
- Fixes for the xpath_exists functions, as well as
- Several pg_dump fixes, including correctly outputting REPLICA IDENTITY properties for constraint indexes
- Have pg_upgrade check that the old server was shut down cleanly
This update also contains tzdata release 2018e, with updates for North Korea. Release 2018e also reintroduces the negative-DST changes that were originally introduced in 2018a, which affect historical and present timestamps for Ireland (1971-), as well as historical timestamps for Namibia (1994-2017) and the former Czechoslovakia (1946-1947). If your application stores timestamps in those time zones within the affected date ranges, please test to ensure that your applications behave as expected.
PostgreSQL 11 Beta 3 contains applicable bug fixes from the cumulative release as well as over 20 fixes of its own. For a full list of fixes for PostgreSQL 11 Beta 3, please visit the open items page.
PostgreSQL 9.3 will become end-of-life after the next planned release in November. We urge users to start planning an upgrade to a later version of PostgreSQL as soon as possible. See our Versioning Policy for more information.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
To upgrade to PostgreSQL 11 Beta 3 from Beta 1 or 2, or from an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_restore). For more information, please visit the documentation section on upgrading.
This is the third beta release of version 11. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release in late 2018. For further information please see the Beta Testing page.
The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools in order to find bugs and regressions before the release of PostgreSQL 11. We greatly appreciate all of the testing performed to date as we get closer to the final release. Your feedback and testing will help determine the final tweaks on the new features, so please continue to test. The quality of user testing helps determine when we can make a final release.