PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 Released!

Posted on 2025-05-08 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.5, 16.9, 15.13, 14.18, and 13.21. This release fixes 1 security vulnerability and over 60 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 13 EOL Notice

PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2025-4207: PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation

CVSS v3.1 Base Score: 5.9

Supported, Vulnerable Versions: 13 - 17.

A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

Bug Fixes and Improvements

This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

  • Handle self-referential foreign keys on partitioned tables correctly. Creating or attaching partitions failed to make the required catalog entries for a foreign-key constraint if the table referenced by the constraint was the same partitioned table. This resulted in failure to enforce the constraint fully. To fix this, please see the instructions in the "Updating" section.
  • Fix for potential data loss issue when using BRIN bloom indexes (e.g. using the date_bloom_ops operator class).
  • Fix MERGE into a partitioned table with DO NOTHING actions.
  • Prevent failure in INSERT commands when the table has a GENERATED column of a domain type and the domain's constraints disallow NULL values.
  • Fix ALTER TABLE .. ADD COLUMN to correctly handle the case of a domain type that has its own default value and the DEFAULT for the column is not set.
  • Fix issues when performing casts within the keys of JSON constructor expressions.
  • Fix XMLSERIALIZE() so that the INDENT option is correctly dumped out when it's present in views or rules. This was noticeable on restores.
  • Several query planner fixes, including avoiding a premature evaluation of arguments in an aggregate function that has both FILTER and either ORDER BY or DISTINCT clauses that could lead to unnecessary failures.
  • Fix for potentially returning incorrect results when a bitmap scan without output columns is executed while vacuum is also running on the same table.
  • Fix performance issues in GIN index search startup when there are many search keys, for example, jsonbcol ?| array[...] with tens of thousands of array elements.
  • Ensure that I/O statistics of active WAL senders are reported within at most one second.
  • Fix race condition in handling of synchronous_standby_names immediately after startup, where a backend might fail to wait for a synchronous commit.
  • Avoid infinite loop if scram_iterations is set to INT_MAX.
  • Several fixes for logical replication, including handling of vacuum around deleted rows that are still required for logical decoding.
  • Prevent potential data loss when schema modification operations (DDL) that don't take a strong lock affect tables that are being logically replicated.
  • Prevent issues in logical replication that could allow duplicate data to be applied due to apply worker error handling.
  • Improve how reindexdb handles scheduling parallel reindex operations to achieve the expected amount of parallelism.

This release also updates time zone data files to tzdata release 2025b for DST law changes in Chile, plus historical corrections for Iran. Additionally, there is a new time zone America/Coyhaique for Chile's Aysén Region, to account for it changing to UTC-03 year-round, which diverges from America/Santiago.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

If you created a self-referential foreign key on a partitioned table, after updating, you should drop and recreate any of these self-referential foreign keys if partitions have been created or attached since the constraint was created. There may be rows in the partition that violate this constraint, in which case recreating the constraint will fail, and you'll need to correct those rows before trying again.
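
One way to carry out the step above, as an added example that is not part of the original announcement: the first query lists candidate constraints from the system catalogs and generates the drop and recreate statements. It cannot tell whether partitions were created or attached after the constraint was defined, so review each result. The table and column names in steps 2 and 3 (app.tree, id, parent_id, tree_parent_id_fkey) are constructed for illustration.

```sql
-- Added example; not part of the release announcement.
-- 1. Find self-referential foreign keys on partitioned tables and generate
--    the statements needed to drop and recreate each one.
SELECT n.nspname AS schema_name,
       r.relname AS table_name,
       c.conname AS constraint_name,
       format('ALTER TABLE %I.%I DROP CONSTRAINT %I;',
              n.nspname, r.relname, c.conname) AS drop_sql,
       format('ALTER TABLE %I.%I ADD CONSTRAINT %I %s;',
              n.nspname, r.relname, c.conname,
              pg_get_constraintdef(c.oid)) AS add_sql
FROM pg_constraint AS c
JOIN pg_class AS r ON r.oid = c.conrelid
JOIN pg_namespace AS n ON n.oid = r.relnamespace
WHERE c.contype = 'f'            -- foreign-key constraint
  AND c.confrelid = c.conrelid   -- references its own table
  AND r.relkind = 'p'            -- table is partitioned
  AND c.conparentid = 0          -- top-level constraint, not a per-partition clone
ORDER BY schema_name, table_name, constraint_name;

-- 2. Run each generated pair in one transaction. If ADD CONSTRAINT fails
--    because of violating rows, issue ROLLBACK: the original constraint
--    then stays in place while the rows are corrected.
--    Constructed names: app.tree, id, parent_id, tree_parent_id_fkey.
BEGIN;
ALTER TABLE app.tree DROP CONSTRAINT tree_parent_id_fkey;
ALTER TABLE app.tree ADD CONSTRAINT tree_parent_id_fkey
    FOREIGN KEY (parent_id) REFERENCES app.tree (id);
COMMIT;

-- 3. If step 2 fails, list the rows that violate the constraint so they
--    can be corrected before trying again.
SELECT t.*
FROM app.tree AS t
WHERE t.parent_id IS NOT NULL
  AND NOT EXISTS (SELECT 1 FROM app.tree AS p WHERE p.id = t.parent_id);
```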

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.