supported versions of our database system, including 11.3, 10.8, 9.6.13,
9.5.17, and 9.4.22. This release fixes two security issues in the
PostgreSQL server, a security issue found in two of the PostgreSQL
Windows installers, and over 60 bugs reported over the last three months.
Security: CVE-2019-10129: Memory disclosure in partition routing
Prior to this release, a user running PostgreSQL 11 can read arbitrary
bytes of server memory by executing a purpose-crafted INSERT statement
to a partitioned table.
Security: CVE-2019-10130: Selectivity estimators bypass row security policies
PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process. Prior
to this release, a user able to execute SQL queries with permissions to
read a given column could craft a leaky operator that could read
whatever data had been sampled from that column. If this happened to
include values from rows that the user is forbidden to see by a row
security policy, the user could effectively bypass the policy. This is
fixed by only allowing a non-leakproof operator to use this data if
there are no relevant row security policies for the table.
This issue is present in PostgreSQL 9.5, 9.6, 10, and 11. The PostgreSQL
project thanks Dean Rasheed for reporting this problem.
Also fix a FreeBSD port problem with LLVM [1] and add promote command
to `service postgresql` [2]
PR: 236100, 234879
Submitted by: tomonori.usaka@ubin.jp [1], Trix Farrar [2]
PostgreSQL 11, the latest version of the world’s most advanced open
source database.
PostgreSQL 11 provides users with improvements to overall performance of
the database system, with specific enhancements associated with very
large databases and high computational workloads. Further, PostgreSQL 11
makes significant improvements to the table partitioning system, adds
support for stored procedures capable of transaction management,
improves query parallelism and adds parallelized data definition
capabilities, and introduces just-in-time (JIT) compilation for
accelerating the execution of expressions in queries.
"For PostgreSQL 11, our development community focused on adding features
that improve PostgreSQL's ability to manage very large databases," said
Bruce Momjian, a core team member of the PostgreSQL Global Development
Group. "On top of PostgreSQL's proven performance for transactional
workloads, PostgreSQL 11 makes it even easier for developers to run big
data applications at scale."
PostgreSQL benefits from over 20 years of open source development and
has become the preferred open source relational database for developers.
The project continues to receive recognition across the industry, and
has been featured as the "DBMS of the Year 2017" by DB-Engines and in
the SD Times 2018 100.
PostgreSQL 11 is the first major release since PostgreSQL 10 was
released on October 5, 2017. The next update release for PostgreSQL 11
containing bug fixes will be PostgreSQL 11.1, and the next major release
with new features will be PostgreSQL 12.
Release Notes: https://www.postgresql.org/docs/11/static/release-11.html
