The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25. This release fixes one security issue as well as bugs reported over the last three months.
All users using the affected versions of PostgreSQL should update as soon as possible. Please see the notes on "Updating" below for any post-update steps that may be required if you are using
pg_stat_statements in your installation.
This update is also the final release for PostgreSQL 9.3, which is now end-of-life and will no longer receive any bug or security fixes. If your environment still uses PostgreSQL 9.3, please make plans to update to a community supported version as soon as possible. Please see our versioning policy for more information.
One security vulnerability has been closed by this release:
CREATE TRIGGER ... REFERENCING.
Versions Affected: 10, 11
Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs
pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a
CREATE privilege on some non-temporary schema or a
TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have
CREATE privilege on
This update also fixes numerous bugs that were reported in the last several months. Some of these issues affect only version 11, but many affect all supported versions.
These releases include fixes that:
ON COMMIT DELETE ROWSto a partitioned temporary table
NULLvalues are handled when using
LEFT JOINwith a parallelized hash join
NULLinputs) with ORDER BY columns that enforces the strictness check
CASEstatements where an expression was cast to an array type
pg_verify_checksumsincorrectly reporting on files that are not expected to have checksums
wal_levelis set to a value that cannot support an existing replication slot
psqlwould not report the receipt of a message from a
NOTIFYcall until after the next command
This updates also contains tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
PostgreSQL 9.3 is now end-of-life and will no longer receive any bug or security fixes. We urge users to start planning an upgrade to a later version of PostgreSQL as soon as possible. Please see our versioning policy for more information.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use
pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.
If your system is using
pg_stat_statements and you are running a version of PostgreSQL 10 or PostgreSQL 11, we advise that you execute the following command after upgrading:
ALTER EXTENSION pg_stat_statements UPDATE;
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.