If you use PostgreSQL you must update to the new version that eliminates a vulnerability

postgreSQL

Recently PostgreSQL unveiled the news that has released several corrective updates for all currently supported PostgreSQL branches, which are versions 14.3, 13.7, 12.11, 11.16, and 10.22.

The new versions offer more than 50 corrections of which some of these issues may also affect other supported versions of PostgreSQL.

  • The problem that could lead to corruption of GiST indexes on ltreecolumns. After the upgrade, you will need to re-index the GiST indexes on the ltree columns.
  • Fix for incorrect rounding when extracting epoch values ​​from intervaltypes.
  • Fix for incorrect output for timestamptz and timetzen table_to_xmlschema() types.
  • Fixed bugs related to a scheduler issue that affected asynchronous remote queries.
  • Fix to ALTER FUNCTION to support changing the parallelism property of a function and its SET list of variables in the same command.
  • Fix for incorrect sorting of table rows when CLUSTER is used on an index whose initial key is an expression.
  • Addresses the risk of deadlock failures when dropping a partitioned index.
  • Fix to race condition between DROP TABLESPACE and checkpoints that could fail to remove all dead files from the tablespace directory.
  • Fixes a potential issue with failover after a TRUNCATE command that overlaps with a checkpoint.
  • Fixed bug PANIC: xlog flush request is not satisfied during standby promotion when a WAL continuation log is missing.
  • Fix for auto-lock possibility in hot standby conflict handling.

Besides that, these new corrective versions also resolve the vulnerability CVE-2022-1552 related to the ability to bypass execution isolation of privileged operations Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck.

It is mentioned that regarding the vulnerability solved in these corrective versions, said problem detected allowed an attacker having the authority to create non-temporary objects in any schema The storage server can execute arbitrary SQL functions with superuser privileges while the privileged user performs the above operations that affect the attacker's object.

Even exploitation of the vulnerability can occur when the database is automatically cleaned when the autovacuum driver is run.

If you can't perform an update, as a workaround to block the issue, can disable automatic vacuum and not performing REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, and CLUSTER operations as the root user and not running the pg_amcheck utility and not restoring the contents of a backup created by the pg_dump utility.

The execution of VACUUM is considered safe, as is the use of any command operation, if the objects being processed belong to trusted users.

Other changes in the new versions include JIT code update to work with LLVM 14, allowing the use of schema database templates of values ​​in the epoch format retrieved from interval type data, incorrect programmer behavior when using asynchronous remote queries, incorrect sorting of table rows when using an expression CLUSTER on expression-based indexes, data loss on crashes immediately after building a sorted GiST index, deadlock on partitioned index deletion, a race condition between DROP TABLESPACE operation and status commit (checkpoint) .

In addition, the release of the pg_ivm 1.0 extension with the implementation of IVM (Incremental View Maintenance) support for PostgreSQL 14 can be highlighted. IVM offers an alternative way of updating materialized views, more efficient if the changes affect a small part of the view.

IVM allows materialized views to be instantly updated with only incremental changes applied to them, without recalculating the view, which is done using the "REFRESH MATERIALIZED VIEW" operation.

Finally, if you are interested in being able to know more about this new version, you can consult the details In the following link.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.