PostgreSQL 15.3, 14.8, 13.11, 12.15, and 11.20 Released!
URL : https://www.postgresql.org/about/news/postgresql-153-148-1311-1215-and-1120-released-2637/
PostgreSQL DB가 모든 버전에 대한 업데이트를 릴리즈 했습니다. 15.3, 14.8, 13.11, 12.15, 11.20 버전 업데이트 입니다.
이번 릴리즈에는 보안 취약성에 대한 픽스와 직전 버전의 80여가지 이상의 버그의 픽스가 포함되었다고 합니다.
자세한 내용은 위 URL 참고하시거나 아래 원문을 참고하시기 바랍니다.
변경 사항은 release note 참고하시기 바랍니다.
PostgreSQL 15.3, 14.8, 13.11, 12.15, and 11.20 Released!
The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 15.3, 14.8, 13.11, 12.15, and 11.20. This release fixes two security vulnerabilities and over 80 bugs reported over the last several months.
For the full list of changes, please review the release notes.
PostgreSQL 11 EOL Notice
PostgreSQL 11 will stop receiving fixes on November 9, 2023. If you are running PostgreSQL 11 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
Security Issues
CVE-2023-2454: CREATE SCHEMA ... schema_element defeats protective search_path changes.
Versions Affected: 11 - 15. The security team typically does not test unsupported versions, but this problem is quite old.
This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.
The PostgreSQL project thanks Alexander Lakhin for reporting this problem.
CVE-2023-2455: Row security policies disregard user ID changes after inlining.
Versions Affected: 11 - 15. The security team typically does not test unsupported versions, but this problem is quite old.
While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
The PostgreSQL project thanks Wolfgang Walther for reporting this problem.
Bug Fixes and Improvements
This update fixes over 80 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 15. Some of these issues may also affect other supported versions of PostgreSQL.
Included in this release:
- Several fixes for
CREATE DATABASEwhen using theSTRATEGY = WAL_LOG, including a potential corruption that could lose modifications to a template/source database. - Fix crash with
CREATE SCHEMA AUTHORIZATION. - Several fixes for
MERGE. - Several fixes for triggers in partitioned tables.
- Disallow altering composite types that are stored in indexes.
- Ensure that
COPY TOfrom a parent table with row-level security enabled does not copy any rows from child tables. - Adjust text-search-related character classification logic to correctly detect whether the prevailing locale is C when the default collation of a database uses the ICU provider.
- Re-allow exponential notation in ISO-8601 interval fields.
- Improve error reporting for various invalid JSON string literals.
- Fix data corruption due to
vacuum_defer_cleanup_agebeing larger than the current 64-bit xid. - Several fixes for the query parser and planner, including better detection of improperly-nested aggregates.
- Fix partition pruning bug with the boolean
IS NOT TRUEandIS NOT FALSEconditions. Prior to this,NULLpartitions were accidentally pruned. - Fix memory leak in memoize plan execution.
- Fix buffer refcount leak on foreign tables using partitions when performing batched inserts.
- Restore support for sub-millisecond
vacuum_cost_delaysettings. - Several fixes for views and rules.
- Avoid unnecessary work while scanning a multi-column BRIN index with multiple scan keys.
- Ignore dropped columns and generated columns during logical replication of an
UPDATEorDELETEaction. - Several fixes for naming and availability of wait events.
- Support RSA-PSS certificates with SCRAM-SHA-256 channel binding. This feature requires building with OpenSSL 1.1.1 or newer.
- Avoid race condition with process ID tracking on Windows.
- Fix memory leak within a session for PL/pgSQL
DOblocks that use cast expressions. - Tighten array dimensionality checks from PL/Perl and PL/Python when converting list structures to multi-dimensional SQL arrays.
- Fix
pg_dumpso that partitioned tables that are hash-partitioned on an enumerated type column can be restored successfully. - Fix for
pg_trgmwhere an unsatisfiable regular expression could lead to a crash when using a GiST or GIN index. - Limit memory usage of
pg_get_wal_records_info()inpg_walinspect.
This release also updates time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine. When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
For the full list of changes available, please review the release notes.
Updating
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
For more details, please see the release notes.
