Software 42837 Published by

PostgreSQL versions 16.3, 15.7, 14.12, 13.15, and 12.19 are now available. This release fixes over 55 problems identified in the previous few months that impact PostgreSQL 16. Some of these vulnerabilities may affect other PostgreSQL versions. The changes include difficulties with INSERT with multi-row VALUES clauses, requiring the SELECT privilege when using MERGE, and correctly pruning NULL partitions. ALTER FOREIGN TABLE... SET SCHEMA now moves sequences into new schemas without regard to case.



PostgreSQL 16.3, 15.7, 14.12, 13.15, and 12.19 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.3, 15.7, 14.12, 13.15, and 12.19. This release fixes one security vulnerability and over 55 bugs reported over the last several months.

A security vulnerability was found in the system views  pg_stats_ext and  pg_stats_ext_exprs, potentially allowing authenticated database users to see data they don't have sufficient privileges to view. The fix for this vulnerability only fixes fresh PostgreSQL installations, namely those that are created with the  initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please follow the instructions in the "Updating" section for remediation steps.

For the full list of changes, please review the  release notes.

PostgreSQL 12 EOL Notice

PostgreSQL 12 will stop receiving fixes on November 14, 2024. If you are running PostgreSQL 12 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our  versioning policy for more information.

Security Issues

CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner

CVSS v3.1 Base Score:  3.1

Supported, Vulnerable Versions: 14 - 16.

Missing authorization in PostgreSQL built-in views  pg_stats_ext and  pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from  CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute.

This fix only fixes fresh PostgreSQL installations, namely those that are created with the  initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please follow the instructions in the "Updating" section for remediation steps.

The PostgreSQL project thanks Lukas Fittl for reporting this problem.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix issue with  INSERT with a multi-row  VALUES clause where a target column is a domain over an array or composite type.
  • Require the  SELECT privilege on the target table when using  MERGE when using MERGE ... DO NOTHING.
  • Per the SQL standard, throw an error if a target row in MERGE joins to more than one source row during a modification.
  • Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT clause.
  • Make  ALTER FOREIGN TABLE ... SET SCHEMA move any owned sequences into the new schema.
  • CREATE DATABASE now recognizes STRATEGY keywords case-insensitively.
  • Fix how  EXPLAIN counts heap pages during bitmap heap scan to show all counted pages, not just ones with visible tuples.
  • Avoid deadlock during removal of orphaned temporary tables.
  • Several fixes for  VACUUM, including one that can reduce unnecessary I/O.
  • Several query planner fixes.
  • Add optimization for certain operations where an installation has thousands of roles.
  • Fix confusion for SQL-language procedures that return a single composite-type column.
  • Fix incorrect rounding and overflow hazards in  date_bin().
  • Detect integer overflow when adding or subtracting an  interval to/from a timestamp.
  • Fix several race conditions with logical replication, including determining if a table sync operation is required.
  • Disconnect if a new server session's client socket cannot be put into non-blocking mode.
  • initdb -c now matches parameter names case-insensitively.
  • Fix how PL/pgSQL parses of  single-line comments (-- style comments) following expression.

  PostgreSQL 16.3, 15.7, 14.12, 13.15, and 12.19 Released!