The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.2, 12.6, 11.11, 10.16, 9.6.21, and 9.5.25. This release closes two security vulnerabilities and fixes over 80 bugs reported over the last three months.
Additionally, this is the final release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade.
For the full list of changes, please review the release notes.
Versions Affected: 11 - 13.
A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to exploit are more rare.
The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.
Versions Affected: 13.
A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table.
Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed.
The PostgreSQL project thanks Sven Klemm for reporting this problem.
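One way to carry out the re-parse recommended above is to generate the statements from the catalogs. This is an added example, not taken from the release notes or from the PostgreSQL project; it assumes that every schema whose name does not start with pg_, other than information_schema, holds user-defined views, and that the generated output is reviewed before it is executed.

```sql
-- Added example (not from the release notes): emit one CREATE OR REPLACE VIEW
-- statement per user-defined view so that each view is re-parsed after the
-- server binaries have been updated.
SELECT format(
         'CREATE OR REPLACE VIEW %I.%I%s AS %s',
         n.nspname,
         c.relname,
         -- Restate any view options stored in pg_class.reloptions
         -- (for example security_barrier or check_option) so that the
         -- regenerated statement carries them explicitly.
         CASE
           WHEN c.reloptions IS NOT NULL
             THEN ' WITH (' || array_to_string(c.reloptions, ', ') || ')'
           ELSE ''
         END,
         -- pg_get_viewdef() returns the stored query text, including the
         -- terminating semicolon, with the view's current column names.
         pg_get_viewdef(c.oid, true)
       ) AS recreate_stmt
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relkind = 'v'                       -- plain views only
  AND n.nspname !~ '^pg_'                   -- assumption: pg_* schemas are system schemas
  AND n.nspname <> 'information_schema'
ORDER BY n.nspname, c.relname;
```

Run the query in each database of the cluster, since the catalogs are per-database. In psql, ending the query with \gexec instead of the semicolon executes each generated statement.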
This update fixes over 80 bugs that were reported in the last several months. Some of these issues only affect version 13, but could also apply to other supported versions.
Some of these fixes include:
affected GiST indexes.
CREATE INDEX CONCURRENTLY to ensure rows from concurrent prepared transactions are included in the index. Installations that have enabled prepared
REINDEX any concurrently-built indexes.
DO statement that performs a transaction rollback is executed via extended query protocol, such as from prepared
CALL on another procedure that
OUT parameters that executed a
BEFORE UPDATE triggers on partitioned tables for restrictions that no longer apply.
ORDER BY expressions when trying to parallelize sorts.
ALTER DEFAULT PRIVILEGES to handle duplicate arguments safely.
wal_level is set to minimal, including when tables are rewritten within a transaction.
CREATE TABLE LIKE.
NOTIFY queue handling.
jsonb concatenation operator (||) to handle all combinations of JSON data types.
walsender process around logical decoding and
krb_server_keyfile always overrides any KRB5_KTNAME in the server environment
\connect command allows the use of a password in the
pg_rewind accounts for all WAL when rewinding a standby server.
postgres_fdw connections are closed if a user mapping or foreign server object those connections depend on are dropped.
This update also contains tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
For the full list of changes available, please review the release notes.
This is the final release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use
order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
For more details, please see the release notes.
NOTE: PostgreSQL 9.6 will stop receiving fixes on November 11, 2021. Please see our versioning policy for more information.