8th September 2022: PostgreSQL 15 Beta 4 Released!

PostgreSQL 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24 Released!

Posted on 2021-11-11 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24. This release closes two security vulnerabilities and fixes over 40 bugs reported over the last three months.

Additionally, this is the final release of PostgreSQL 9.6. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade.

For the full list of changes, please review the release notes.

Security Issues

CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle

Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle

Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.

If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214.

As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Bug Fixes and Improvements

This update fixes over 40 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 14. Some of these issues may also affect other supported versions of PostgreSQL.

Some of these fixes include:

  • Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record. When applying this update, update your standby servers before the primary so that they will be ready to handle the fix if the primary happens to crash.
  • Fix parallel VACUUM so that it will process indexes below the min_parallel_index_scan_size threshold if the table has at least two indexes that are above that size. This problem does not affect autovacuum. If you are affected by this issue, you should reindex any manually-vacuumed tables.
  • Fix causes of CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY writing corrupt indexes. You should reindex any concurrently-built indexes.
  • Fix for attaching/detaching a partition that could allow certain INSERT/UPDATE queries to misbehave in active sessions.
  • Fix for creating a new range type with CREATE TYPE that could cause problems for later event triggers or subsequent executions of the CREATE TYPE command.
  • Fix updates of element fields in arrays of a domain that is a part of a composite.
  • Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED.
  • Fix corner-case loss of precision in the numeric power() function.
  • Fix restoration of a Portal's snapshot inside a subtransaction, which could lead to a crash. For example, this could occur in PL/pgSQL when a COMMIT is immediately followed by a BEGIN ... EXCEPTION block that performs a query.
  • Clean up correctly if a transaction fails after exporting its snapshot. This could occur if a replication slot was created then rolled back, and then another replication slot was created in the same session.
  • Fix for "overflowed-subtransaction" wraparound tracking on standby servers that could lead to performance degradation.
  • Ensure that prepared transactions are properly accounted for during promotion of a standby server.
  • Ensure that the correct lock level is used when renaming a table.
  • Avoid crash when dropping a role that owns objects being dropped concurrently.
  • Disallow setting huge_pages to on when shared_memory_type is sysv
  • Fix query type checking in the PL/pgSQL RETURN QUERY.
  • Several fixes for pg_dump, including the ability to dump non-global default privileges correctly.
  • Use the CLDR project's data to map Windows time zone names to IANA time zones.

This update also contains tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.

Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.

For the full list of changes available, please review the release notes.

PostgreSQL 9.6 is EOL

This is the final release of PostgreSQL 9.6. If you are running PostgreSQL 9.6 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.

For more details, please see the release notes.

Links