Paris, November 10th 2017
The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 10.1, 9.6.6, 9.5.10, 9.4.15, 9.3.20, and 9.2.24. This release fixes three security issues. This release also fixes issues found in BRIN indexing, logical replication and other bugs reported over the past three months.
All users using the affected versions of PostgreSQL should update as soon as possible. If you use BRIN indexes or contrib/start-scripts, please see the release notes for additional post-upgrade steps.
Three security vulnerabilities have been fixed by this release:
- CVE-2017-12172: Start scripts permit database administrator to modify root-owned files
- CVE-2017-15098: Memory disclosure in JSON functions
- CVE-2017-15099: INSERT … ON CONFLICT DO UPDATE fails to enforce SELECT privileges
CVE-2017-12172: Start scripts permit database administrator to modify root-owned files
Prior to this release, the startup log file for the postmaster (in newer releases, “postgres”) process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data. This fix ensures that the startup log file is opened as the user specified to run the PostgreSQL server. Any users who have made use of the start scripts will need to ensure the startup log files are owned by the user specified to run the PostgreSQL server.
CVE-2017-15099: INSERT … ON CONFLICT DO UPDATE fails to enforce SELECT privileges
Prior to this release, the “INSERT … ON CONFLICT DO UPDATE” would not check to see if the executing user had permission to perform a “SELECT” on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the “INSERT … ON CONFLICT DO UPDATE” would not check the SELECT policies for that table before performing the update.
This fix ensures that “INSERT … ON CONFLICT DO UPDATE” checks against table permissions and RLS policies before executing.
Bug Fixes and Improvements
This update also fixes a number of bugs reported in the last few months. Some of these issues affect only version 10, but many affect all supported versions:
- Fix a race condition in BRIN indexing that could cause some rows to not be included in the indexing.
- Fix crash when logical decoding is invoked from a PL language function.
- Several fixes for logical replication.
- Restored behavior for CTEs attached to INSERT/UPDATE/DELETE statements to pre-version 10.
- Prevent low-probability crash in processing of nested trigger firings.
- Do not evaluate an aggregate function’s argument expressions when the conditions in the FILTER clause evaluate to FALSE. This complies with SQL-standard behavior.
- Fix incorrect query results when multiple GROUPING SETS columns contain the same simple variable.
- Fix memory leak over the lifespan of a query when evaluating a set-returning function from the target list in a SELECT.
- Several fixes for parallel query execution, including fixing a crash in the parallel execution of certain queries that contain a certain type of bitmap scan.
- Fix json_build_array(), json_build_object(), jsonb_build_array(), and jsonb_build_object() to handle explicit VARIADIC arguments correctly.
- Prevent infinite float values from being casted to the numeric type.
- Fix autovacuum’s “work item” logic to prevent possible crashes and silent loss of work items.
- Several fixes for VIEWs around adding columns to the end of a view.
- Fix for hashability detection of range data types that are created by a user.
- Improvements on using extended statistics on columns for the purposes of query planning.
- Prevent idle_in_transaction_session_timeout from being ignored when a statement_timeout occurred earlier.
- Fix low-probability loss of NOTIFY messages due more than 2 billion transactions processing before any queries are executed in the session.
- Several file system interaction fixes.
- Correctly restore the umask setting when file creation fails in COPY or lo_export().
- Fix pg_dump to ensure that it emits GRANT commands in a valid order.
- Fix pg_basebackup’s matching of tablespace paths to canonicalize both paths before comparing to help improve Windows compatibility.
- Fix libpq to not require user’s home directory to exist when trying to read the “~/.pgpass” file.
- Several fixes for ecpg.
This update also contains tzdata release 2017c, with updates for Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
EOL Notice for Version 9.2
PostgreSQL version 9.2 is now End-of-Life (EOL). No additional updates or security patches will be released by the community for this version. Users still on 9.2 are urged to upgrade as soon as possible. See our Versioning Policy for more information.