PostgreSQL 14.5, 13.8, 12.12, 11.17, 10.22, and 15 Beta 3 Released!
The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 14.5, 13.8, 12.12, 11.17, and 10.22, as well as the third beta release of PostgreSQL 15. This release closes one security vulnerability and fixes over 40 bugs reported over the last three months.
For the full list of changes, please review the release notes.
PostgreSQL 10 EOL Upcoming
PostgreSQL 10 will stop receiving fixes on November 10, 2022. If you are running PostgreSQL 10 in a production environment, we strongly advise that you make plans to upgrade to a newer, supported version of PostgreSQL so you can continue to receive bug and security fixes. Please see our versioning policy for more information.
Security Issues
CVE-2022-2625: Extension scripts replace objects not belonging to the extension.
Versions Affected: 10 - 14. The security team typically does not test unsupported versions, but this problem is quite old.
Some extension scripts use CREATE OR REPLACE or CREATE IF NOT EXISTS commands. Some of those scripts do not adhere to the documented rule that such commands must target only objects already known to be extension members. An attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted by CREATE OR REPLACE or CREATE IF NOT EXISTS.
Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there's no need to modify individual extensions.
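The following audit query is an added example for this advisory; it is not part of the release announcement or of any PostgreSQL extension. On an unpatched server, the scenario described above leaves a recognisable trace: CREATE OR REPLACE keeps the pre-existing object's owner, and CREATE IF NOT EXISTS keeps the pre-existing object entirely, so the absorbed object ends up as an extension member owned by a role other than the extension's owner. The query joins pg_depend (membership dependencies, deptype 'e') against pg_extension and pg_proc to list such functions so an administrator can review them before and after applying this update. It covers functions only; other member object kinds (tables, views, types, operators) need the analogous join against their own catalog, which is left as an assumption for the reader to adapt.

```sql
-- Added example, not code from the PostgreSQL release or any extension.
-- Lists functions that are members of an installed extension but are owned
-- by a role different from the extension owner. A hit is not proof of
-- compromise, but it is exactly the ownership mismatch the CVE-2022-2625
-- scenario produces and should be reviewed by hand.
SELECT e.extname,
       n.nspname                                   AS schema,
       p.proname                                   AS function,
       pg_get_function_identity_arguments(p.oid)   AS args,
       pg_get_userbyid(e.extowner)                 AS extension_owner,
       pg_get_userbyid(p.proowner)                 AS function_owner
FROM pg_depend d
JOIN pg_extension e
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid   = e.oid
JOIN pg_proc p
  ON d.classid = 'pg_proc'::regclass
 AND d.objid   = p.oid
JOIN pg_namespace n
  ON n.oid = p.pronamespace
WHERE d.deptype = 'e'          -- 'e' = object is a member of the extension
  AND p.proowner <> e.extowner -- owner differs from the extension's owner
ORDER BY e.extname, n.nspname, p.proname;
```

Run it as a superuser or a role with read access to the catalogs. An empty result on a patched server is the expected state; a non-empty result that predates the upgrade deserves a look at the function body with pg_get_functiondef() and at who owns it, since a pre-existing object replaced by an extension script stays under its original owner's control.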
The PostgreSQL project thanks Sven Klemm for reporting this problem.
A Note on the PostgreSQL 15 Beta
This release marks the third beta release of PostgreSQL 15 and puts the community one step closer to general availability tentatively around the end of the third quarter.
In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 15 on your systems to help us eliminate bugs or other issues that may exist. While we do not advise you to run PostgreSQL 15 Beta 3 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.
Your testing and feedback will help the community ensure that PostgreSQL 15 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:
https://www.postgresql.org/developer/beta/
You can find information about all of the PostgreSQL 15 features and changes in the release notes:
https://www.postgresql.org/docs/15/release-15.html
Bug Fixes and Improvements
This update fixes over 40 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 14. Some of these issues may also affect other supported versions of PostgreSQL.
Included in this release:
- Fix replay of CREATE DATABASE write-ahead log (WAL) records on standby servers when encountering a missing tablespace directory.
- Add support for tablespaces that are plain directories instead of symbolic links to other directories.
- Fix permission checks in CREATE INDEX to use the user's permissions. This fixes broken dump/restore scenarios that relied on the behavior prior to the fix for CVE-2022-1552.
- In the extended query protocol, force an immediate commit after CREATE DATABASE and other commands that can't run in a transaction block.
- Fix a race condition around checking transaction visibility that was more likely to happen when using synchronous replication.
- Fix incorrect permission-checking code for extended statistics.
- Fix extended statistics machinery to handle most-common-value (MCV)-type statistics on boolean-valued expressions.
- Avoid planner core dump with constant = ANY(array) clauses when there are MCV-type extended statistics on the array variable.
- Allow cancellation of ANALYZE while it is computing extended statistics.
- Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER to handle recursion for triggers on partitioned tables.
- Reject ROW() expressions and functions in FROM that have more than 1600 columns.
- Fix memory leak in logical replication subscribers.
- Fix checks in logical replication of replica identity when the target table is partitioned.
- Arrange to clean up after commit-time errors within SPI_commit(), rather than expecting callers to do that. This includes a fix for the same scenario in PL/Python, which had reported crashes on Python 3.11 and memory leaks on older versions of Python 3.
- Improve handling in libpq of idle states in pipeline mode.
- In the psql \watch command, echo a newline after cancellation with control-C.
- Fix pg_upgrade to detect non-upgradable usages of functions accepting anyarray parameters.
- Several postgres_fdw fixes, including prevention of batch insertions when there are WITH CHECK OPTION constraints present.
For the full list of changes available, please review the release notes.