The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.2, 12.6, 11.11, 10.16, 9.6.21, and 9.5.25. This release closes two security vulnerabilities and fixes over 80 bugs reported over the last three months.
Additionally, this is the final release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade.
For the full list of changes, please review the release notes.
Versions Affected: 11 - 13.
A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to exploit are more rare.
The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.
Versions Affected: 13.
A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table.
Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed.
The PostgreSQL project thanks Sven Klemm for reporting this problem.
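One way to carry out the recommended CREATE OR REPLACE pass over all user-defined views, as an added example (not part of this announcement or of PostgreSQL project code): a PL/pgSQL block that re-creates each view from its stored definition. It assumes it is run by a superuser, once in each database, after the updated server binaries are installed.

```sql
-- Added example: re-create every user-defined view in the current database
-- so that it is re-parsed. Assumes a superuser session (or run it as each
-- view's owner). All views are replaced in one transaction: any failure
-- rolls back the whole pass.
DO $$
DECLARE
    v    record;
    opts text;
BEGIN
    -- With only pg_catalog on the search_path, pg_get_viewdef() schema-qualifies
    -- every user object, and the text is re-parsed under that same path.
    PERFORM set_config('search_path', 'pg_catalog', true);  -- transaction-local

    FOR v IN
        SELECT c.oid, n.nspname, c.relname, c.reloptions
        FROM pg_class c
        JOIN pg_namespace n ON n.oid = c.relnamespace
        WHERE c.relkind = 'v'                 -- plain views only
          AND c.relpersistence <> 't'         -- skip temporary views
          AND n.nspname NOT IN ('pg_catalog', 'information_schema')
        ORDER BY n.nspname, c.relname
    LOOP
        -- CREATE OR REPLACE VIEW replaces the view's option list, so options
        -- such as security_barrier and check_option must be restated or they
        -- are silently dropped.
        SELECT string_agg(format('%I = %L', split_part(o, '=', 1),
                                 substr(o, strpos(o, '=') + 1)), ', ')
          INTO opts
          FROM unnest(v.reloptions) AS o;

        EXECUTE format('CREATE OR REPLACE VIEW %I.%I %s AS %s',
                       v.nspname, v.relname,
                       CASE WHEN opts IS NULL THEN ''
                            ELSE 'WITH (' || opts || ')' END,
                       pg_get_viewdef(v.oid));
        RAISE NOTICE 're-parsed view %.%', v.nspname, v.relname;
    END LOOP;
END
$$;
```

Ownership and granted privileges on each view are left as they were; only the stored query and its option list are rewritten.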
This update fixes over 80 bugs that were reported in the last several months. Some of these issues only affect version 13, but could also apply to other supported versions.
Some of these fixes include:
REINDEX any affected GiST indexes.
CREATE INDEX CONCURRENTLY to ensure rows from concurrent prepared transactions are included in the index. Installations that have enabled prepared transactions should REINDEX any concurrently-built indexes.
DO statement that performs a transaction rollback is executed via extended query protocol, such as from prepared statements.
CALL on another procedure that has OUT parameters that executed a
BEFORE UPDATE triggers on partitioned tables for restrictions that no longer apply.
ORDER BY expressions when trying to parallelize sorts.
ALTER DEFAULT PRIVILEGES to handle duplicate arguments safely.
wal_level is set to minimal, including when tables are rewritten within a transaction.
CREATE TABLE LIKE.
jsonb concatenation operator (||) to handle all combinations of JSON data types.
walsender process around logical decoding and replication.
krb_server_keyfile always overrides any setting of KRB5_KTNAME in the server environment
\connect command allows the use of a password in the
pg_rewind accounts for all WAL when rewinding a standby server.
postgres_fdw connections are closed if a user mapping or foreign server object those connections depend on is dropped.
This update also contains tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
For the full list of changes available, please review the release notes.
This is the final release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use order to apply this update release; you may simply shut down PostgreSQL and update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
For more details, please see the release notes.
NOTE: PostgreSQL 9.6 will stop receiving fixes on November 11, 2021. Please see our versioning policy for more information.