The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 12.2, 11.7, 10.12, 9.6.17, 9.5.21, and 9.4.26. This release fixes one security issue found in the PostgreSQL server and over 75 bugs reported over the last three months.
Users should plan to update as soon as possible.
This is the last release for PostgreSQL 9.4, which will no longer receive
security updates and bug fixes. PostgreSQL 9.4 introduced new features
such as JSONB support, the
ALTER SYSTEM command, the ability to stream logical
changes to an output plugin, and more.
While we are very proud of this release, these features are also found in newer versions of PostgreSQL. Many of these features have also received improvements, and, per our versioning policy, it is time to retire PostgreSQL 9.4.
To receive continued support, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see the PostgreSQL versioning policy for more information.
ALTER ... DEPENDS ON EXTENSION is missing authorization checks.
Versions Affected: 9.6 - 12
ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization
checks, which can allow an unprivileged user to drop any function, procedure,
materialized view, index, or trigger under certain conditions. This attack is
possible if an administrator has installed an extension and an unprivileged
CREATE, or an extension owner either executes
predictably or can be convinced to execute
The PostgreSQL project thanks Tom Lane for reporting this problem.
This update also fixes over 75 bugs that were reported in the last several months. Some of these issues affect only version 12, but may also affect all supported versions.
Some of these fixes include:
TRUNCATE ... CASCADE would not remove all data. If you have previously used
TRUNCATE ... CASCADE on a partitioned table with foreign-key references please see the "Updating" section for verification and cleanup steps.
REPLICA IDENTITY FULL.
pg_replication_slot_advance() on a physical replication slot will persist changes across restarts.
CONCURRENTLY option when performing an index creation, drop, or reindex on a temporary table.
ALTER TABLE when a column referenced in a
GENERATED expression is added or changed in type earlier in the same
AFTER ROW triggers on a foreign table.
EXTRACT(ISOYEAR FROM timestamp) for BC dates.
pg_restore when run in parallel mode.
postgres_fdw when trying to execute a remote query on the remote server such as
UPDATE remote_tab SET (x,y) = (SELECT ...).
contrib/tablefunc to prevent crashes.
For the full list of changes available, please review the release notes.
All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use
order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
If you had previously executed
TRUNCATE ... CASCADE on a sub-partition of a
partitioned table, and the partitioned table has a foreign-key reference from
another table, you may have to execute the
TRUNCATE on the other table, or
DELETE if you have added rows since running
TRUNCATE ... CASCADE.
The issue that caused this is fixed in this release, but you will have to
perform this step to ensure all of your data is cleaned up.
For more details, please see the release notes.