The PostgreSQL development group has recently announced an update release for all supported versions of its database system: 11.3, 10.8, 9.6.13, 9.5.17, and 9.4.22.
This fix release mainly resolves two security problems in the PostgreSQL server, a security issue found in two of the PostgreSQL Windows installers, and more than 60 bugs reported over the last three months.
Resolved security issues
Four security vulnerabilities have been corrected in this release, two of which were particularly important to fix. They are the following:
CVE-2019-10127: BigSQL Windows Installer does not remove permissive access control list entries
CVE-2019-10128: EnterpriseDB Windows installer does not remove permissive ACL entries
Because the EnterpriseDB and BigSQL Windows installers did not lock down the permissions of the PostgreSQL binary installation directory and data directory, an unprivileged Windows user account or an unprivileged PostgreSQL account could cause arbitrary code to be executed by the PostgreSQL service account.
This vulnerability is present in all supported versions of PostgreSQL for these installers and may also exist in earlier versions. That is why the developers call for updating:
“Users who have installed PostgreSQL using the EnterpriseDB and BigSQL Windows installers should update as soon as possible. Similarly, users running any version of PostgreSQL 9.5, 9.6, 10, and 11 should also plan to upgrade as soon as possible.”
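The condition behind CVE-2019-10127 and CVE-2019-10128 is a directory ACL that lets any local user write into the PostgreSQL binary or data directory. The following PowerShell audit is an added example, not code from the announcement or from either installer; the two directory paths and the list of broad principals are assumptions and should be adjusted to the installation being checked.

```powershell
# Added example (not from the PostgreSQL project or the installers): report ACL entries on
# the PostgreSQL binary and data directories that grant write-level rights to principals
# every local user belongs to. Paths below are assumptions; adjust to your install.
$Dirs = @(
    'C:\Program Files\PostgreSQL\11',        # assumed binary installation directory
    'C:\Program Files\PostgreSQL\11\data'    # assumed data directory
)
# Groups that include any unprivileged Windows account.
$BroadPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that allow altering files, subdirectories or the permissions themselves.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs are stored with generic rights; GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) both imply write access, so include those bits too.
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Test-PermissiveAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    return ($Ace.AccessControlType -eq 'Allow') -and
           ($BroadPrincipals -contains $Ace.IdentityReference.Value) -and
           (([int]$Ace.FileSystemRights -band $WriteMask) -ne 0)
}

$Findings = foreach ($dir in $Dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not found: $dir"; continue }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if (Test-PermissiveAce $ace) {
            [pscustomobject]@{
                Path      = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries point at the parent directory
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
    exit 1   # non-zero so the check can gate a deployment or a monitoring job
} else {
    Write-Host 'No permissive write ACEs found on the PostgreSQL directories.'
}
```

Any row reported is an entry that a patched installer would not leave behind; inherited entries mean the parent directory (typically Program Files or the drive root) is the place to correct.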
CVE-2019-10129: Memory Disclosure in Partition Routing
Before this release, a user running PostgreSQL 11 could read arbitrary bytes from server memory by executing a specially crafted INSERT statement on a partitioned table.
CVE-2019-10130: selectivity estimators bypass row security policies
PostgreSQL maintains statistics for tables by sampling the data available in their columns. This data is accessed during the query planning process. Before this release, a user able to execute SQL queries with read permission on a given column could create a leaky operator that could read whatever data had been sampled from that column.
Bug fixes and improvements
This update also fixes more than 60 bugs reported in the last few months. Some of these issues only apply to version 11, but many affect all supported earlier versions.
Some of these fixes include:
- Various catalog corruption fixes, including ones related to running ALTER TABLE on a partitioned table
- Various fixes for partitioning
- Fixed possible "cannot access transaction status" failures in txid_status()
- Fixed CREATE VIEW to allow non-detached views
- Fixed an incompatibility in GIN index WAL records introduced in 11.2, 10.7, 9.6.12, 9.5.16, and 9.4.21 that affected replica servers running these versions when reading changes to GIN indexes from servers on older versions
- Various fixes related to memory leaks and dynamic shared memory management.
- Various fixes to the query planner, many of which should lead to better planning.
- Fixed a critical race condition where the autovacuum launcher could fail to stop after receiving a Smart Shutdown request
The project reminds users that all PostgreSQL update releases are cumulative. As with other minor releases, users do not need to dump and reload their database or use pg_upgrade to apply this update; it is enough to stop PostgreSQL and update the binaries.
Users who have skipped one or more update releases may need to take additional steps after updating. If you are in this category, refer to the release notes for the earlier versions for details.
Finally, the development team reminds us that PostgreSQL 9.4 will no longer receive patches as of February 13, 2020.