September 26, 2024: PostgreSQL 17 Released!

PostgreSQL 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 Released!

Posted on 2023-11-09 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 This release fixes three security vulnerabilities and over 55 bugs reported over the last several months.

This release includes fixes for indexes where in certain cases, we advise reindexing. Please see the "Updating" section for more details.

For the full list of changes, please review the release notes.

PostgreSQL 11 EOL Notice

This is the final release of PostgreSQL 11. PostgreSQL 11 is now end-of-life and will no longer receive security and bug fixes. If you are running PostgreSQL 11 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2023-5868: Memory disclosure in aggregate function calls

CVSS v3 Base Score: 4.3

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

The PostgreSQL project thanks Jingzhou Fu for reporting this problem.

CVE-2023-5869: Buffer overrun from integer overflow in array modification

CVSS v3 Base Score: 8.8

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.

CVE-2023-5870: Role pg_signal_backend can signal certain superuser processes

CVSS v3 Base Score: 2.2

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Documentation says the pg_signal_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.

The PostgreSQL project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix issue where GiST indexes had an incorrect behavior during a "page split" operation that could lead to incorrect results in subsequent index searches. Please reindex GiST indexes after installing this update.
  • Fix issue where B-tree indexes would incorrectly de-duplicate interval columns. Please reindex any B-tree index that includes an interval column after installing this update.
  • Provide more efficient indexing of date, timestamptz, and timestamp values in BRIN indexes when using a minmax_multi opsclass. While not required, we recommend reindexing BRIN indexes that include these data types after installing this update.
  • Fix for bulk table insertion into partitioned tables.
  • Fix for hash-partitioned tables with multiple partition keys during step generation and runtime pruning that could lead to crashes in some cases.
  • Throw the correct error if pgrowlocks() is applied to a partitioned table

  • Fix inconsistent rechecking of concurrently-updated rows during MERGE when using READ COMMITTED mode.

  • Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints.
  • Fix over-allocation of a constructed tsvector.
  • Fix ALTER SUBSCRIPTION to apply changes in the run_as_owner option.
  • Several fixes for COPY FROM,
  • Several fixes for handling torn reads with pg_control.
  • Fix "could not find pathkey item to sort" errors occurring while planning aggregate functions with ORDER BY or DISTINCT options.
  • When track_io_timing is enabled, include the time taken by relation extension operations as write time.
  • Track the dependencies of cached CALL statements, and re-plan them when needed.
  • Treat out-of-memory failures as FATAL while reading WAL.
  • Fix pg_dump to dump the new run_as_owner option of subscriptions.
  • Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables.
  • Add logic to pg_upgrade to check for use of obsolete data types abstime, reltime, and tinterval.
  • Fix vacuumdb to have multiple -N switches actually exclude tables in multiple schemas.
  • amcheck will no longer report interrupted page deletion as corruption.
  • Fix btree_gin indexes on interval columns to properly return data when using the < and <= operators.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

We recommend reindexing certain types of indexes after you apply this update, including:

  • GiST indexes
  • B-tree indexes that use the interval data type
  • BRIN indexes that use the date, timestamptz, and timestamp data types and a minmax_multi opsclass

On PostgreSQL 12 and above, you can use REINDEX CONCURRENTLY to avoid blocking writes to the affected index and table, for example:

REINDEX INDEX CONCURRENTLY your_index_name;

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.