PostgreSQL 12.3, 11.8, 10.13, 9.6.18 & 9.5.22 releases: bug & security fix and improvements
PostgreSQL, often simply Postgres, is an object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. It can handle workloads ranging from small single-machine applications to large Internet-facing applications (or for data warehousing) with many concurrent users; on macOS Server, PostgreSQL is the default database; and it is also available for Microsoft Windows and Linux (supplied in most distributions).
PostgreSQL is ACID-compliant and transactional. PostgreSQL has updatable views and materialized views, triggers, foreign keys; supports functions and stored procedures, and other expandability.
PostgreSQL is developed by the PostgreSQL Global Development Group, a diverse group of many companies and individual contributors. It is free and open-source, released under the terms of the PostgreSQL License, a permissive software license. _Wiki
Changelog
Security Issues
- CVE-2020-10733: Windows installer runs executables from uncontrolled directories.
Versions Affected: 9.5 – 12. The security team does not test unsupported versions, but this issue existed before PostgreSQL 9.5.
The Windows installer for PostgreSQL invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer’s administrative rights.
The PostgreSQL project thanks Hou JingYi (@hjy79425575) for reporting this problem.
Bug Fixes and Improvements
This update also fixes over 75 bugs that were reported in the last several months. Some of these issues affect only version 12, but may also affect all supported versions.
Some of these fixes include:
- Several fixes for GENERATED columns, including an issue where it was possible to crash or corrupt data in a table when the output of the generated column was the exact copy of a physical column on the table, e.g. if the expression called a function which could return its own input.
- Several fixes for
ALTER TABLE
, including ensuring theSET STORAGE
directive is propagated to a table’s indexes.- Fix a potential race condition when using
DROP OWNED BY
while another session is deleting the same objects.- Allow for a partition to be detached when it has inherited ROW triggers.
- Several fixes for
REINDEX CONCURRENTLY
, particularly with issues when aREINDEX CONCURRENTLY
operation fails.- Fix crash when COLLATE is applied to an uncollatable type in a partition bound expression.
- Fix performance regression in floating point overflow/underflow detection.
- Several fixes for full text search, particularly with phrase searching.
- Fix query-lifespan memory leak for a set-returning function used in a query’s FROM clause.
- Several reporting fixes for the output of
VACUUM VERBOSE
.- Allow input of type circle to accept the format
(x,y),r
, which is specified in the documentation.- Allow for the
get_bit()
andset_bit()
functions to not fail onbytea
strings longer than 256MB.- Avoid premature recycling of WAL segments during crash recovery, which could lead to WAL segments being recycled before being archived.
- Avoid attempting to fetch nonexistent WAL files from archive storage during recovery by skipping irrelevant timelines.
- Several fixes for logical replication and replication slots.
- Fix several race conditions in synchronous standby management, including one that occurred when changing the
synchronous_standby_names
setting.- Several fixes for GSSAPI support, include a fix for a memory leak that occurred when using GSSAPI encryption.
- Ensure that members of the
pg_read_all_stats
role can read all statistics views.- Fix performance regression in information_schema.triggers view.
- Fix memory leak in libpq when using
sslmode=verify-full
.- Fix crash in
psql
when attempting to re-establish a failed connection.- Allow tab-completion of the filename argument to
\gx
command inpsql
.- Add
pg_dump
support forALTER ... DEPENDS ON EXTENSION
.- Several other fixes for
pg_dump
, which include dumping comments on RLS policies and postponing restore of event triggers until the end.- Ensure
pg_basebackup
generates valid tar files.pg_checksums
skips tablespace subdirectories that belong to a different PostgreSQL major version- Several Windows compatibility fixes