supported versions of our database system, including 12.2, 11.7, 10.12,
9.6.17, 9.5.21, and 9.4.26. This release fixes one security issue found
in the PostgreSQL server and over 75 bugs reported over the last three
months.
Users should plan to update as soon as possible.
PostgreSQL 9.4 Now EOL
This is the last release for PostgreSQL 9.4, which will no longer
receive security updates and bug fixes. PostgreSQL 9.4 introduced new
features such as JSONB support, the `ALTER SYSTEM` command, the ability
to stream logical changes to an output plugin, and more:
https://www.postgresql.org/about/news/1557/https://www.postgresql.org/docs/9.4/release-9-4.html
While we are very proud of this release, these features are also found
in newer versions of PostgreSQL. Many of these features have also
received improvements, and, per our versioning policy, it is time to
retire PostgreSQL 9.4.
To receive continued support, we suggest that you make plans to upgrade
to a newer, supported version of PostgreSQL. Please see the PostgreSQL
versioning policy for more information.
Security Issues
* CVE-2020-1720: `ALTER ... DEPENDS ON EXTENSION` is missing
authorization checks.
Versions Affected: 9.6 - 12
The `ALTER ... DEPENDS ON EXTENSION` sub-commands do not perform
authorization checks, which can allow an unprivileged user to drop any
function, procedure, materialized view, index, or trigger under certain
conditions. This attack is possible if an administrator has installed an
extension and an unprivileged user can `CREATE`, or an extension owner
either executes `DROP EXTENSION` predictably or can be convinced to
execute `DROP EXTENSION`.
Release notes: https://www.postgresql.org/docs/current/release.html
The PostgreSQL Global Development Group has released an update to all
supported versions of our database system, including 12.1, 11.6, 10.11,
9.6.16, 9.5.20, and 9.4.25. This release fixes over 50 bugs reported
over the last three months.
PostgreSQL 9.4 will stop receiving fixes on February 13, 2020, which is
the next planned cumulative update release. We suggest that you make
plans to upgrade to a newer, supported version of PostgreSQL. Please see
our versioning policy for more information:
This update also fixes over 50 bugs that were reported in the last
several months. Some of these issues affect only version 12, but may
also affect all supported versions.
Specific change to the FreeBSD port:
Starting now, the default for TZDATA has changed to using the underlying OS'
time zone database instead of the one built in to PostgreSQL. This change is
made since PostgreSQL will not release a patch in the event where the time zone
database changes, whereas FreeBSD will.
Release notes: https://www.postgresql.org/about/news/1994/
URL: https://www.postgresql.org/support/versioning/
PostgreSQL 12 enhancements include notable improvements to query
performance, particularly over larger data sets, and overall space
utilization. This release provides application developers with new
capabilities such as SQL/JSON path expression support, optimizations for
how common table expression ("WITH") queries are executed, and generated
columns. The PostgreSQL community continues to support the extensibility
and robustness of PostgreSQL, with further additions to
internationalization, authentication, and providing easier ways to
administrate PostgreSQL. This release also introduces the pluggable
table storage interface, which allows developers to create their own
methods for storing data.
"The development community behind PostgreSQL contributed features for
PostgreSQL 12 that offer performance and space management gains that our
users can achieve with minimal effort, as well as improvements in
enterprise authentication, administration functionality, and SQL/JSON
support." said Dave Page, a core team member of the PostgreSQL Global
Development Group. "This release continues the trend of making it easier
to manage database workloads large and small while building on
PostgreSQL's reputation of flexibility, reliability and stability in
production environments."
Release notes: https://www.postgresql.org/about/news/1976/
There have been many bug fixes for PostgreSQL 12 reported during the Beta 4
period and applied to this release candidate. These include:
Add additional "leakproof" markings to certain string functions to better
support nondeterministic collations. This can positively impact the performance
of some query plans
Removal of the ECPG DECLARE STATEMENT functionality
The ecpglib major version change was reverted
Fix handling of nondeterministic collations with pattern_ops opclasses
Release notes: https://www.postgresql.org/about/news/1975/
The PostgreSQL Global Development Group announces that the fourth beta
release of PostgreSQL 12 is now available for download. This release
contains previews of all features that will be available in the final
release of PostgreSQL 12, though some details of the release could
change before then.
This is likely the final beta release of PostgreSQL 12 before a release
candidate is made available.
In the spirit of the open source PostgreSQL community, we strongly
encourage you to test the new features of PostgreSQL 12 in your database
systems to help us eliminate any bugs or other issues that may exist.
Upgrading to PostgreSQL 12 Beta 4
To upgrade to PostgreSQL 12 Beta 4 from Beta 3 or an earlier version of
PostgreSQL 12, you will need to use a strategy similar to upgrading
between major versions of PostgreSQL (e.g. `pg_upgrade` or `pg_dump` /
`pg_restore`). For more information, please visit the documentation
section on upgrading:
https://www.postgresql.org/docs/12/static/upgrading.html
URL: https://wiki.postgresql.org/wiki/PostgreSQL_12_Open_Items#resolved_before_12beta4
Avoids libxml2/libxslt for systems that don't need XML support.
Although there was substantial interest in the PR to backport to
10, I've only done pgsql12 for now, as I don't want to interfere
with the effort to make pgsql11 the default. If things work well
here, it can be backported to earlier versions as well.
PR: 239638
Approved by: maintainer timeout (2 weeks)
supported versions of our database system, including 11.5, 10.10,
9.6.15, 9.5.19, and 9.4.24, as well as the third beta of PostgreSQL 12.
This release fixes two security issues in the PostgreSQL server, two
security issues found in one of the PostgreSQL Windows installers, and
over 40 bugs reported since the previous release.
Users should install these updates as soon as possible.
A Note on the PostgreSQL 12 Beta
================================
In the spirit of the open source PostgreSQL community, we strongly
encourage you to test the new features of PostgreSQL 12 in your database
systems to help us eliminate any bugs or other issues that may exist.
While we do not advise you to run PostgreSQL 12 Beta 3 in your
production environments, we encourage you to find ways to run your
typical application workloads against this beta release.
Your testing and feedback will help the community ensure that the
PostgreSQL 12 release upholds our standards of providing a stable,
reliable release of the world's most advanced open source relational
database.
Security Issues
===============
Two security vulnerabilities have been closed by this release:
* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during
`SECURITY DEFINER` execution
Versions Affected: 9.4 - 11
Given a suitable `SECURITY DEFINER` function, an attacker can execute
arbitrary SQL under the identity of the function owner. An attack
requires `EXECUTE` permission on the function, which must itself contain
a function call having inexact argument type match. For example,
`length('foo'::varchar)` and `length('foo')` are inexact, while
`length('foo'::text)` is exact. As part of exploiting this
vulnerability, the attacker uses `CREATE DOMAIN` to create a type in a
`pg_temp` schema. The attack pattern and fix are similar to that for
CVE-2007-2138.
Writing `SECURITY DEFINER` functions continues to require following the
considerations noted in the documentation:
https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
The PostgreSQL project thanks Tom Lane for reporting this problem.
* CVE-2019-10209: Memory disclosure in cross-type comparison for hashed
subplan
Versions Affected: 11
In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples.
The PostgreSQL project thanks Andreas Seltenreich for reporting this problem.
