The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.3, 15.7, 14.12, 13.15, and 12.19. This release fixes one security vulnerability and over 55 bugs reported over the last several months.
A security vulnerability was found in the system views
pg_stats_ext
and pg_stats_ext_exprs
,
potentially allowing authenticated database users to see data they don't have
sufficient privileges to view. The fix for this vulnerability only fixes
fresh PostgreSQL installations, namely those that are created with the
initdb
utility
after this fix is applied. If you have a current PostgreSQL installation and are
concerned about this issue, please follow the instructions in the "Updating"
section for remediation steps.
For the full list of changes, please review the release notes.
PostgreSQL 12 will stop receiving fixes on November 14, 2024. If you are running PostgreSQL 12 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
pg_stats_ext
and pg_stats_ext_exprs
entries to the table ownerCVSS v3.1 Base Score: 3.1
Supported, Vulnerable Versions: 14 - 16.
Missing authorization in PostgreSQL built-in views
pg_stats_ext
and pg_stats_ext_exprs
allows an unprivileged database user to read most common values and other
statistics from CREATE STATISTICS
commands of other users. The most common values may reveal column values the
eavesdropper could not otherwise read or results of functions they cannot
execute.
This fix only fixes fresh PostgreSQL installations, namely those that are
created with the initdb
utility after this fix is applied. If you have a current PostgreSQL installation
and are concerned about this issue, please follow the instructions in the
"Updating" section for remediation steps.
The PostgreSQL project thanks Lukas Fittl for reporting this problem.
This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.
INSERT
with a multi-row VALUES
clause where a target column is a domain over an array or composite type.MERGE
when using MERGE ... DO NOTHING
.MERGE
joins to more
than one source row during a modification.NULL
partition when a table is partitioned on
a boolean column and the query has a boolean IS NOT
clause.ALTER FOREIGN TABLE ... SET SCHEMA
move any owned sequences into the new schema.CREATE DATABASE
now recognizes STRATEGY
keywords case-insensitively.VACUUM
,
including one that can reduce unnecessary I/O.date_bin()
.initdb -c
now
matches parameter names case-insensitively.-- style comments
)
following expression.All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use pg_upgrade
in
order to apply this update release; you may simply shutdown PostgreSQL and
update its binaries.
For existing installations that are impacted by CVE-2024-4317 that wish to remediate the issue, you will have to perform the following steps:
Find the SQL script fix-CVE-2024-4317.sql
in the share
directory of
your PostgreSQL installation (e.g. in /usr/share/postgresql/
), or download it
from the PostgreSQL git repository from one of the URLs below. You will need to
use the script that matches your major version:
PostgreSQL 16: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_16_STABLE
From the above URLs, you can click the URL that says "raw" to download a version that you can copy and paste.
Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only PostgreSQL 14, 15, and 16 are affected) or your minor version is too old to have the fix.
fix-CVE-2024-4317.sql
script as
a database superuser. For example, in psql
,
with the file located in /usr/share/postgresql/
, this command would look like:\i /usr/share/postgresql/fix-CVE-2024-4317.sql
template0
and template1
databases, or the vulnerability will still exist in databases you create later.
To fix template0
, you'll need to temporarily allow it accept connections. You
can do this with the following command:ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
After executing the fix-CVE-2024-4317.sql
script in template0
and
template1
, you should revoke the ability for template0
to accept
connections. You can do this with the following command:
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.
For more details, please see the release notes.
If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.