The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 15.2, 14.7, 13.10, 12.14, and 11.19. This release closes one security vulnerability and fixes over 60 bugs reported over the last several months.
For the full list of changes, please review the release notes.
Versions Affected: 12 - 15.
A modified, unauthenticated server or an unauthenticated man-in-the-middle can
send an unterminated string during the establishment of Kerberos transport
encryption. When a
libpq client application has a Kerberos credential cache
and doesn't explicitly disable option
a server can cause
libpq to over-read and report an error message containing
uninitialized bytes from and following its receive buffer. If
somehow makes that message accessible to the attacker, this achieves a
disclosure of the over-read bytes. We have not confirmed or ruled out viability
of attacks that arrange for a crash or for presence of notable, confidential
information in disclosed bytes.
The PostgreSQL project thanks Jacob Champion for reporting this problem.
This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 15. Some of these issues may also affect other supported versions of PostgreSQL.
Included in this release:
GENERATEDcolumns in child tables if the
GENERATEDcolumn does not exist in the parent table or the child generated column has different dependencies than the parent.
WITH RECURSIVE ... CYCLEquery to access its
BEFORE ROWtrigger may not process rows that should be available.
jsonbsubscripting that come directly from a
textcolumn in a table.
ANALYZEwhen using query pipelining.
DROP DATABASEand logical replication worker process.
CREATE SUBSCRIPTIONfails its connection attempt.
hot_standbyenabled that are processing
pgoutput, to not send columns that are not listed in a table's replication column list.
--if-existsmode when the
publicschema has a non-default owner.
\efto handle SQL-language functions that have SQL-standard function bodies (i.e.
ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA.
pageinspectextension to mark its disk-accessing functions as
segextension to not crash or print garbage if an input number has more than 127 digits.
This release also updates time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore. Notably, a new timezone, America/Ciudad_Juarez, has been split off from America/Ojinaga.
For the full list of changes available, please review the release notes.
All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use
order to apply this update release; you may simply shutdown PostgreSQL and
update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
For more details, please see the release notes.