Software-update: PostgreSQL 11.22 / 12.17 / 13.13 / 14.10 / 15.5 / 16.1

Er zijn updates verschenen voor alle nog ondersteunde versies van PostgreSQL. Dit is tevens de laatste update voor versie 11. Dit populaire 'opensource relational database management system' draait op een groot aantal besturingssystemen en is daardoor uitstekend inzetbaar in diverse omgevingen. Het is een afgeleide van Ingres, nadat de hoofdontwikkelaar daarvan voor zichzelf is begonnen en deze database van opensource closedsource werd. De releasenotes voor deze uitgave kunnen hieronder worden gevonden.

PostgreSQL 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 This release fixes three security vulnerabilities and over 55 bugs reported over the last several months. This release includes fixes for indexes where in certain cases, we advise reindexing. Please see the "Updating" section for more details. For the full list of changes, please review the release notes.

PostgreSQL 11 EOL Notice

This is the final release of PostgreSQL 11. PostgreSQL 11 is now end-of-life and will no longer receive security and bug fixes. If you are running PostgreSQL 11 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues CVE-2023-5868: Memory disclosure in aggregate function calls

CVSS v3 Base Score: 4.3
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.
Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

CVE-2023-5869: Buffer overrun from integer overflow in array modification

CVSS v3 Base Score: 8.8
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.
While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

CVE-2023-5870: Role pg_cancel_backend can signal certain superuser processes

CVSS v3 Base Score: 2.2
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.
Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix issue where GiST indexes had an incorrect behavior during a "page split" operation that could lead to incorrect results in subsequent index searches. Please reindex GiST indexes after installing this update.
• Fix issue where B-tree indexes would incorrectly de-duplicate interval columns. Please reindex any B-tree index that includes an interval column after installing this update.
• Provide more efficient indexing of date, timestamptz, and timestamp values in BRIN indexes when using a minmax_multi opsclass. While not required, we recommend reindexing BRIN indexes that include these data types after installing this update.
• Fix for bulk table insertion into partitioned tables.
• Fix for hash-partitioned tables with multiple partition keys during step generation and runtime pruning that could lead to crashes in some cases.
• Throw the correct error if pgrowlocks() is applied to a partitioned table
• Fix inconsistent rechecking of concurrently-updated rows during MERGE when using READ COMMITTED mode.
• Fix over-allocation of a constructed tsvector.
• Fix ALTER SUBSCRIPTION to apply changes in the run_as_owner option.
• Several fixes for COPY FROM,
• Several fixes for handling torn reads with pg_control.
• Fix "could not find pathkey item to sort" errors occurring while planning aggregate functions with ORDER BY or DISTINCT options.
• When track_io_timing is enabled, include the time taken by relation extension operations as write time.
• Track the dependencies of cached CALL statements, and re-plan them when needed.
• Treat out-of-memory failures as FATAL while reading WAL.
• Fix pg_dump to dump the new run_as_owner option of subscriptions.
• Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables.
• Add logic to pg_upgrade to check for use of obsolete data types abstime, reltime, and tinterval.
• Fix vacuumdb to have multiple -N switches actually exclude tables in multiple schemas.
• amcheck will no longer report interrupted page deletion as corruption.
• Fix btree_gin indexes on interval columns to properly return data when using the < and <= operators.