Software-update: PostgreSQL 12.19 / 13.15 / 14.12 / 15.7 / 16.3

Er zijn updates verschenen voor alle nog ondersteunde versies van PostgreSQL. Dit populaire 'opensource relational database management system' draait op een groot aantal besturingssystemen en is daardoor uitstekend inzetbaar in diverse omgevingen. Het is een afgeleide van Ingres, nadat de hoofdontwikkelaar daarvan voor zichzelf is begonnen en deze database van opensource closedsource werd. De releasenotes voor deze uitgave kunnen hieronder worden gevonden.

PostgreSQL 16.3, 15.7, 14.12, 13.15, and 12.19 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.3, 15.7, 14.12, 13.15, and 12.19. This release fixes one security vulnerability and over 55 bugs reported over the last several months.

A security vulnerability was found in the system views pg_stats_ext and pg_stats_ext_exprs, potentially allowing authenticated database users to see data they don't have sufficient privileges to view. The fix for this vulnerability only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please follow the instructions in the "Updating" section for remediation steps.

For the full list of changes, please review the release notes.

PostgreSQL 12 EOL Notice

PostgreSQL 12 will stop receiving fixes on November 14, 2024. If you are running PostgreSQL 12 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner

CVSS v3.1 Base Score: 3.1. Supported, Vulnerable Versions: 14 - 16.

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute.

This fix only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please follow the instructions in the "Updating" section for remediation steps.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix issue with INSERT with a multi-row VALUES clause where a target column is a domain over an array or composite type.
• Require the SELECT privilege on the target table when using MERGE when using MERGE ... DO NOTHING.
• Per the SQL standard, throw an error if a target row in MERGE joins to more than one source row during a modification.
• Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT clause.
• Make ALTER FOREIGN TABLE ... SET SCHEMA move any owned sequences into the new schema.
• CREATE DATABASE now recognizes STRATEGY keywords case-insensitively.
• Fix how EXPLAIN counts heap pages during bitmap heap scan to show all counted pages, not just ones with visible tuples.
• Avoid deadlock during removal of orphaned temporary tables.
• Several fixes for VACUUM, including one that can reduce unnecessary I/O.
• Several query planner fixes.
• Add optimization for certain operations where an installation has thousands of roles.
• Fix confusion for SQL-language procedures that return a single composite-type column.
• Fix incorrect rounding and overflow hazards in date_bin().
• Detect integer overflow when adding or subtracting an interval to/from a timestamp.
• Fix several race conditions with logical replication, including determining if a table sync operation is required.
• Disconnect if a new server session's client socket cannot be put into non-blocking mode.
• initdb -c now matches parameter names case-insensitively.
• Fix how PL/pgSQL parses of single-line comments (-- style comments) following expression.