September 26, 2024: PostgreSQL 17 Released!

PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 Released!

Posted on 2020-11-12 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24. This release closes three security vulnerabilities and fixes over 65 bugs reported over the last three months.

Due to the nature of CVE-2020-25695, we advise you to update as soon as possible.

Additionally, this is the second-to-last release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade.

For the full list of changes, please review the release notes.

Security Issues

CVE-2020-25695: Multiple features escape "security restricted operation" sandbox

Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem is quite old.

An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser.

While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround.

VACUUM without the FULL option is safe, and all commands are fine when a trusted user owns the target object.

The PostgreSQL project thanks Etienne Stalmans for reporting this problem.

CVE-2020-25694: Reconnection can downgrade connection security settings

Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem is quite old.

Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission.

Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter.

This also fixes how the \connect command of psql reuses connection parameters, i.e. all non-overridden parameters from a previous connection string now re-used.

The PostgreSQL project thanks Peter Eisentraut for reporting this problem.

CVE-2020-25696: psql's \gset allows overwriting specially treated variables

Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem likely arrived with the feature's debut in version 9.3.

The \gset meta-command, which sets psql variables based on query results, does not distinguish variables that control psql behavior. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. Using \gset with a prefix not found among specially treated variables, e.g. any lowercase string, precludes the attack in an unpatched psql.

The PostgreSQL project thanks Nick Cleaton for reporting this problem.

Bug Fixes and Improvements

This update also fixes over 65 bugs that were reported in the last several months. Some of these issues only affect version 13, but may also apply to other supported versions.

Some of these fixes include:

  • Fix a breakage in the replication protocol by ensuring that two "command completion" events are expected for START_REPLICATION.
  • Ensure fsync is called on the SLRU caches that PostgreSQL maintains. This prevents potential data loss due to an operating system crash.
  • Fix ALTER ROLE usage for users with the BYPASSRLS permission.
  • ALTER TABLE ONLY ... DROP EXPRESSION is disallowed on partitioned tables when there are child tables.
  • Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER does not apply to child tables.
  • Fix for ALTER TABLE ... SET NOT NULL on partitioned tables to avoid a potential deadlock in parallel pg_restore.
  • Fix handling of expressions in CREATE TABLE LIKE with inheritance.
  • DROP INDEX CONCURRENTLY is disallowed on partitioned tables.
  • Allow LOCK TABLE to succeed on a self-referential view instead of throwing an error.
  • Several fixes around statistics collection and progress reporting for REINDEX CONCURRENTLY.
  • Ensure that GENERATED columns are updated when any columns they depend on are updated via a rule or an updatable view.
  • Support hash partitioning with text array columns as partition keys.
  • Allow the jsonpath .datetime() method to accept ISO 8601-format timestamps.
  • During a "smart" shutdown, ensure background processes are not terminated until all foreground client sessions are completed, fixing an issue that broke the processing of parallel queries.
  • Several fixes for the query planner and optimizer.
  • Ensure that data is de-toasted before being inserted into a BRIN index. This could manifest itself with errors like "missing chunk number 0 for toast value NNN". If you have seen a similar error in an existing BRIN index, you should be able to correct it by using REINDEX on the index.
  • Fix the output of EXPLAIN to have the correct XML tag nesting for incremental sort plans.
  • Several fixes for memory leaks, including ones involving RLS policies, using CALL with PL/pgSQL, SIGHUP processing a configuration parameter that cannot be applied without a restart, and an edge-case for index lookup for a partition.
  • libpq can now support arbitrary-length lines in the .pgpass file.
  • On Windows, psql now reads the output of a backtick command in text mode, not binary mode, so it can now properly handle newlines.
  • Fix how pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb use complex connection-string parameters.
  • When the \connect command of psql reuses connection parameters, ensure that all non-overridden parameters from a previous connection string are also re-used.
  • Ensure that pg_dump collects per-column information about extension configuration tables, avoiding crashes when specifying --inserts.
  • Ensure that parallel pg_restore processes foreign keys referencing partitioned tables in the correct order.
  • Several fixes for contrib/pgcrypto, including a memory leak fix.

This update also contains tzdata release 2020d for for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.

For the full list of changes available, please review the release notes.

PostgreSQL 9.5 EOL Notice

PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.

For more details, please see the release notes.

NOTE: PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. Please see our versioning policy for more information.

Links