PostgreSQL 10.1, 9.6.6, 9.5.10, 9.4.15, 9.3.20, and 9.2.24 released!

2017-11-09 Security Update Release
==================================

The PostgreSQL Global Development Group has released an update to all
supported versions of our database system, including 10.1, 9.6.6,
9.5.10, 9.4.15, 9.3.20, and 9.2.24. This release fixes three security
issues. This release also fixes issues found in BRIN indexing, logical
replication and other bugs reported over the past three months.

All users using the affected versions of PostgreSQL should update as
soon as possible. If you use BRIN indexes or contrib/start-scripts,
please see the release notes for additional post-upgrade steps.

Security Issues
---------------

Three security vulnerabilities have been fixed by this release:

* CVE-2017-12172: Start scripts permit database administrator to modify
root-owned files
* CVE-2017-15098: Memory disclosure in JSON functions
* CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce
SELECT privileges

CVE-2017-12172: Start scripts permit database administrator to modify
root-owned files
---------------------------------------------------------------------

Prior to this release, the startup log file for the postmaster (in newer
releases, "postgres") process was opened while the process was still
owned by root. With this setup, the database owner could specify a file
that they did not have access to and cause the file to be corrupted with
logged data.

This fix ensures that the startup log file is opened as the user
specified to run the PostgreSQL server. Any users who have made use of
the start scripts will need to ensure the startup log files are owned by
the user specified to run the PostgreSQL server.

CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT
privileges
------------------------------------------------------------------------

Prior to this release, the "INSERT ... ON CONFLICT DO UPDATE" would not
check to see if the executing user had permission to perform a "SELECT"
on the index performing the conflicting check. Additionally, in a table
with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE"
would not check the SELECT policies for that table before performing the
update.

This fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against
table permissions and RLS policies before executing.

Bug Fixes and Improvements
--------------------------

This update also fixes a number of bugs reported in the last few months.
Some of these issues affect only version 10, but many affect all
supported versions:

* Fix a race condition in BRIN indexing that could cause some rows to
not be included in the indexing.
* Fix crash when logical decoding is invoked from a PL language function.
* Several fixes for logical replication.
* Restored behavior for CTEs attached to INSERT/UPDATE/DELETE statements
to pre-version 10.
* Prevent low-probability crash in processing of nested trigger firings.
* Do not evaluate an aggregate function's argument expressions when the
conditions in the FILTER clause evaluate to FALSE. This complies
with SQL-standard behavior.
* Fix incorrect query results when multiple GROUPING SETS columns
contain the same simple variable.
* Fix memory leak over the lifespan of a query when evaluating a
set-returning function from the target list in a SELECT.
* Several fixes for parallel query execution, including fixing a crash
in the parallel execution of certain queries that contain a certain
type of bitmap scan.
* Fix json_build_array(), json_build_object(), jsonb_build_array(), and
jsonb_build_object() to handle explicit VARIADIC arguments correctly.
* Prevent infinite float values from being casted to the numeric type.
* Fix autovacuum's “work item” logic to prevent possible crashes and
silent loss of work items.
* Several fixes for VIEWs around adding columns to the end of a view.
* Fix for hashability detection of range data types that are created by
a user.
* Improvements on using extended statistics on columns for the purposes
of query planning.
* Prevent idle_in_transaction_session_timeout from being ignored when a
statement_timeout occurred earlier.
* Fix low-probability loss of NOTIFY messages due more than 2 billion
transactions processing before any queries are executed in the
session.
* Several file system interaction fixes.
* Correctly restore the umask setting when file creation fails in COPY
or lo_export().
* Fix pg_dump to ensure that it emits GRANT commands in a valid order.
* Fix pg_basebackup's matching of tablespace paths to canonicalize both
paths before comparing to help improve Windows compatibility.
* Fix libpq to not require user's home directory to exist when trying to
read the "~/.pgpass" file.
* Several fixes for ecpg.

This update also contains tzdata release 2017c, with updates for Fiji,
Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus
historical corrections for Alaska, Apia, Burma, Calcutta, Detroit,
Ireland, Namibia, and Pago Pago.

EOL Notice for Version 9.2
--------------------------

PostgreSQL version 9.2 is now End-of-Life (EOL). No additional updates
or security patches will be released by the community for this
version. Users still on 9.2 are urged to upgrade as soon as
possible. See our Versioning Policy for more information.

Links
-----
* Download: https://www.postgresql.org/download
* Release Notes: https://www.postgresql.org/docs/current/static/release.html
* Security Page: https://www.postgresql.org/support/security/
* Versioning Policy: https://www.postgresql.org/support/versioning/