September 26, 2024: PostgreSQL 17 Released!

PostgreSQL 16.3, 15.7, 14.12, 13.15, and 12.19 Released!

Posted on 2024-05-09 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.3, 15.7, 14.12, 13.15, and 12.19. This release fixes one security vulnerability and over 55 bugs reported over the last several months.

A security vulnerability was found in the system views pg_stats_ext and pg_stats_ext_exprs, potentially allowing authenticated database users to see data they don't have sufficient privileges to view. The fix for this vulnerability only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please follow the instructions in the "Updating" section for remediation steps.

For the full list of changes, please review the release notes.

PostgreSQL 12 EOL Notice

PostgreSQL 12 will stop receiving fixes on November 14, 2024. If you are running PostgreSQL 12 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 14 - 16.

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute.

This fix only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please follow the instructions in the "Updating" section for remediation steps.

The PostgreSQL project thanks Lukas Fittl for reporting this problem.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix issue with INSERT with a multi-row VALUES clause where a target column is a domain over an array or composite type.
  • Require the SELECT privilege on the target table when using MERGE when using MERGE ... DO NOTHING.
  • Per the SQL standard, throw an error if a target row in MERGE joins to more than one source row during a modification.
  • Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT clause.
  • Make ALTER FOREIGN TABLE ... SET SCHEMA move any owned sequences into the new schema.
  • CREATE DATABASE now recognizes STRATEGY keywords case-insensitively.
  • Fix how EXPLAIN counts heap pages during bitmap heap scan to show all counted pages, not just ones with visible tuples.
  • Avoid deadlock during removal of orphaned temporary tables.
  • Several fixes for VACUUM, including one that can reduce unnecessary I/O.
  • Several query planner fixes.
  • Add optimization for certain operations where an installation has thousands of roles.
  • Fix confusion for SQL-language procedures that return a single composite-type column.
  • Fix incorrect rounding and overflow hazards in date_bin().
  • Detect integer overflow when adding or subtracting an interval to/from a timestamp.
  • Fix several race conditions with logical replication, including determining if a table sync operation is required.
  • Disconnect if a new server session's client socket cannot be put into non-blocking mode.
  • initdb -c now matches parameter names case-insensitively.
  • Fix how PL/pgSQL parses of single-line comments (-- style comments) following expression.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

For existing installations that are impacted by CVE-2024-4317 that wish to remediate the issue, you will have to perform the following steps:

  1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of your PostgreSQL installation (e.g. in /usr/share/postgresql/), or download it from the PostgreSQL git repository from one of the URLs below. You will need to use the script that matches your major version:

  2. PostgreSQL 16: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_16_STABLE

  3. PostgreSQL 15: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_15_STABLE
  4. PostgreSQL 14: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_14_STABLE

From the above URLs, you can click the URL that says "raw" to download a version that you can copy and paste.

Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only PostgreSQL 14, 15, and 16 are affected) or your minor version is too old to have the fix.

  1. In each database of the cluster, run the fix-CVE-2024-4317.sql script as a database superuser. For example, in psql, with the file located in /usr/share/postgresql/, this command would look like:

\i /usr/share/postgresql/fix-CVE-2024-4317.sql

  1. You must also execute this script in the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily allow it accept connections. You can do this with the following command:

ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

After executing the fix-CVE-2024-4317.sql script in template0 and template1, you should revoke the ability for template0 to accept connections. You can do this with the following command:

ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.