The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 12.4, 11.9, 10.14, 9.6.19, and 9.5.23, as well as the 3rd Beta release of PostgreSQL 13. This release closes two security vulnerabilities and fixes over 50 bugs reported over the last three months.
Please plan to update at your earliest convenience.
Versions Affected: 10 - 12.
search_path setting determines schemas searched for tables, functions, operators, etc. The CVE-2018-1058 fix caused most PostgreSQL-provided client applications to sanitize but logical replication continued to leave search_path unchanged. Users of a replication publisher or subscriber database can create objects in the schema and harness them to execute arbitrary SQL functions under the identity running replication, often a superuser. Installations having adopted a documented secure schema usage pattern are not vulnerable.
The PostgreSQL project thanks Noah Misch for reporting this problem.
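The "documented secure schema usage pattern" the advisory refers to, applied to a publisher database that takes part in logical replication, as an added example that is not part of this announcement. The roles, schema, table and publication names are hypothetical, and the final query is an audit a DBA can run to confirm that no schema searched by other sessions is still open to PUBLIC.

```sql
-- Added example, not from the PostgreSQL announcement. All names are hypothetical.

-- 1. The core of the secure schema usage pattern: PUBLIC must not be able to
--    create objects in a schema that other sessions search. In a freshly
--    created database that schema is "public".
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. A role that needs to create objects gets a schema of its own, which the
--    default search_path ("$user", public) resolves only for that role's sessions.
CREATE ROLE app_user LOGIN;                         -- hypothetical application role
CREATE SCHEMA app_user AUTHORIZATION app_user;

-- 3. Replicate under a dedicated role instead of a superuser. On the publisher
--    a role only needs the REPLICATION attribute plus SELECT on the published
--    tables, so code run under the replication identity carries fewer rights.
CREATE ROLE repl_reader LOGIN REPLICATION PASSWORD 'placeholder-change-me';
GRANT SELECT ON public.orders TO repl_reader;       -- hypothetical table
CREATE PUBLICATION orders_pub FOR TABLE public.orders;

-- 4. Audit: every schema in which PUBLIC still holds CREATE. After step 1 only
--    schemas that were deliberately opened up should be listed.
--    (has_schema_privilege accepts the pseudo-role name 'public'.)
SELECT n.nspname
FROM pg_catalog.pg_namespace AS n
WHERE pg_catalog.has_schema_privilege('public', n.nspname, 'CREATE')
  AND n.nspname NOT LIKE 'pg_temp%'
  AND n.nspname NOT LIKE 'pg_toast%';
```

The subscriber side of logical replication in these versions is necessarily owned by a superuser, so the REVOKE in step 1 is the control that matters there; on the publisher, step 3 additionally limits what a diverted function lookup would run as.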
Versions Affected: 9.5 - 12. The security team typically does not test unsupported versions, but this problem is quite old.
When a superuser runs certain CREATE EXTENSION statements, users may be able to execute arbitrary SQL functions under the identity of that superuser. The attacker must have permission to create objects in the new extension's schema or a schema of a prerequisite extension. Not all extensions are vulnerable.
In addition to correcting the extensions provided with PostgreSQL, the PostgreSQL Global Development Group is issuing guidance for third-party extension authors to secure their own work.
The PostgreSQL project thanks Andres Freund for reporting this problem.
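Two things a practitioner would want next to this advisory, as an added example that is not the PostgreSQL project's own code: the shape of an extension install script that does not let search_path decide which function or operator a name refers to, and the check a DBA can run before issuing CREATE EXTENSION. The extension "safe_ext", its objects, the schema names and the roles are all hypothetical; the schema-qualification approach follows the same idea as the CVE-2018-1058 client fixes.

```sql
-- Added example, not the PostgreSQL project's own script. "safe_ext" and all
-- other names are hypothetical.

-- Part 1: the install script safe_ext--1.0.sql. It runs with the rights of the
-- role that issues CREATE EXTENSION (usually a superuser), so nothing in it may
-- depend on search_path resolution.

-- Refuse to run when sourced directly with psql instead of via CREATE EXTENSION.
\echo Use "CREATE EXTENSION safe_ext" to load this file. \quit

-- Every object referenced from outside the script is written with its schema,
-- and the function pins its own search_path so later calls cannot be diverted.
-- @extschema@ is only available when safe_ext.control sets relocatable = false.
CREATE FUNCTION @extschema@.shout(text)
RETURNS text
LANGUAGE sql
IMMUTABLE STRICT PARALLEL SAFE
SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.upper($1) OPERATOR(pg_catalog.||) '!' $$;

-- Operators are looked up through search_path as well, so the operator lives in
-- the extension schema and names its implementing function with the schema.
-- (PostgreSQL 10 spells the keyword PROCEDURE = instead of FUNCTION =.)
CREATE OPERATOR @extschema@.!! (
    FUNCTION = @extschema@.shout,
    RIGHTARG = text
);

-- Part 2: before CREATE EXTENSION, list non-superuser roles that hold CREATE on
-- the target schema or on the schema of a prerequisite extension. The advisory
-- names exactly that privilege as the precondition; an empty result is the
-- goal. Grants to PUBLIC count for every role, so they show up here too.
SELECT r.rolname, n.nspname
FROM pg_catalog.pg_roles AS r
CROSS JOIN pg_catalog.pg_namespace AS n
WHERE n.nspname IN ('public', 'prereq_ext')          -- hypothetical target + prerequisite schemas
  AND NOT r.rolsuper
  AND pg_catalog.has_schema_privilege(r.rolname, n.nspname, 'CREATE');
```

If the check in Part 2 returns rows, revoking CREATE on those schemas (or installing the extension into a fresh schema that only the superuser owns) removes the precondition the advisory describes; the script hardening in Part 1 is what extension authors control.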
This release marks the third beta release of PostgreSQL 13 and puts the community one step closer to general availability this fall.
In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 13 in your database systems to help us eliminate any bugs or other issues that may exist. While we do not advise you to run PostgreSQL 13 Beta 3 in your production environments, we encourage you to find ways to run your typical application workloads against this beta release.
Your testing and feedback will help the community ensure that the PostgreSQL 13 release upholds our standards of providing a stable, reliable release of the world's most advanced open source relational database.
PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
This update also fixes over 50 bugs that were reported in the last several months. Some of these issues affect only version 12, but many affect all supported versions.
Some of these fixes include:
pg_replication_slot_advance() now updates the oldest xmin and LSN values, as the failure to do this could prevent resources (e.g. WAL files) from being cleaned up.
pg_read_file() and related functions read until EOF is reached, which fixes compatibility with pipes and other virtual files.
NaN values in jsonpath computations, which do not exist in SQL nor JSON.
NaN inputs with aggregate functions. This fixes a change in PostgreSQL 12 where NaN values caused the following aggregates to emit values of
timetz values fractionally greater than 24:00:00 are now rejected.
EXPLAIN, including a fix for reporting resource usage when a plan uses parallel workers with "Gather Merge" nodes.
ALTER TABLE that could lead to odd errors.
pg_control could be written out with an inconsistent checksum, which could lead to the inability to restart the database if it crashed before the next
pg_restore, including a fix for parallel restore on tables that have both table-level and column-level privileges.
pg_upgrade to ensure it runs with
pg_rewind handles just-deleted files in the source data directory
contrib/dblink, which could lead to dblink_close() issuing an unexpected COMMIT on the remote server.
contrib/amcheck to not report about deleted index pages that are empty, as this is normal during WAL replay.
For the full list of changes available, please review the release notes.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use order to apply this update release; you may simply shut down PostgreSQL and update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
For more details, please see the release notes.
NOTE: PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. Please see our versioning policy for more information.
PostgreSQL 13 Beta 3 introduces a new configuration parameter, hash_mem_multiplier, which allows users to tune how much memory should be allotted for a hash aggregation. This gives users more control over whether hash aggregates will use disk storage or remain in memory, the latter being the only option prior to PostgreSQL 13.
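How a tester would actually observe the behaviour described above, as an added example that is not part of the announcement. The table is constructed inline, and the expected plan shapes in the comments are illustrative rather than measured; the hash budget for a hash aggregate in PostgreSQL 13 is work_mem multiplied by hash_mem_multiplier.

```sql
-- Added example, not from the announcement. The data is constructed here.
CREATE TEMP TABLE events AS
SELECT (g % 200000) AS user_id, g AS payload
FROM pg_catalog.generate_series(1, 2000000) AS g;
ANALYZE events;

-- Hash aggregates get work_mem * hash_mem_multiplier; sorts still get work_mem.
SET work_mem = '4MB';
SET hash_mem_multiplier = 1.0;      -- 4MB hash budget
EXPLAIN (ANALYZE, COSTS OFF, TIMING OFF, SUMMARY OFF)
SELECT user_id, count(*) FROM events GROUP BY user_id;
-- If the planner chooses HashAggregate, its line reports "Batches: N" and, when
-- N > 1, a "Disk Usage:" figure: the aggregate spilled to disk, which no
-- release before 13 could do.

SET hash_mem_multiplier = 4.0;      -- 16MB hash budget without touching work_mem
EXPLAIN (ANALYZE, COSTS OFF, TIMING OFF, SUMMARY OFF)
SELECT user_id, count(*) FROM events GROUP BY user_id;
-- With enough budget the same query runs with "Batches: 1" and no disk usage.

-- Confirm the session's effective settings.
SELECT name, setting
FROM pg_catalog.pg_settings
WHERE name IN ('work_mem', 'hash_mem_multiplier');
```

Because the multiplier applies only to hash-based operations, it lets a tester give hash aggregates more room without also enlarging every sort in the same session.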
PostgreSQL 13 Beta 3 also removes the parameter, which was also previously known as
For a list of changes that are included in PostgreSQL 13 Beta 3, please review the open items page:
To upgrade to PostgreSQL 13 Beta 3 from Beta 2, Beta 1, or an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g.
For more information, please visit the documentation section on
The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools in order to find bugs and regressions before the general availability of PostgreSQL 13. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.
This is the third beta release of version 13. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release in late 2020. For further information please see the Beta Testing page.