From: Jonathan S. Katz Date: Mon, 9 Nov 2020 22:10:00 +0000 (-0500) Subject: 2020-11-12 release announcement X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=941643e8b70f9cc7fb0bcd21edfd71ea871cd79a;p=press.git 2020-11-12 release announcement --- diff --git a/update_releases/current/20201112securityrelease.md b/update_releases/current/20201112securityrelease.md new file mode 100644 index 0000000..4291d7e --- /dev/null +++ b/update_releases/current/20201112securityrelease.md @@ -0,0 +1,176 @@ +The PostgreSQL Global Development Group has released an update to all supported +versions of our database system, including 13.1, 12.5, 11.10, 10.15, 9.6.20, and +9.5.24. This release closes three security vulnerabilities and fixes over 65 +bugs reported over the last three months. + +Due to the nature of CVE-2020-25695, we advise you to update as soon as +possible. + +Additionally, this is the second-to-last release of PostgreSQL 9.5. If you are +running PostgreSQL 9.5 in a production environment, we suggest that you make +plans to upgrade. + +For the full list of changes, please review the +[release notes](https://www.postgresql.org/docs/current/release.html). + +Security Issues +--------------- + +* CVE-2020-25695: Multiple features escape "security restricted operation" sandbox + +Versions Affected: 9.5 - 13. The security team typically does not test +unsupported versions, but this problem is quite old. + +An attacker having permission to create non-temporary objects in at least one +schema can execute arbitrary SQL functions under the identity of a superuser. + +While promptly updating PostgreSQL is the best remediation for most users, a +user unable to do that can work around the vulnerability by disabling +autovacuum and not manually running `ANALYZE`, `CLUSTER`, `REINDEX`, +`CREATE INDEX`, `VACUUM FULL`, `REFRESH MATERIALIZED VIEW`, or a restore from +output of the `pg_dump` command. Performance may degrade quickly under this +workaround. + +`VACUUM` without the `FULL` option is safe, and all commands are fine when a +trusted user owns the target object. + +The PostgreSQL project thanks Etienne Stalmans for reporting this problem. + +* CVE-2020-25694: Reconnection can downgrade connection security settings + +Versions Affected: 9.5 - 13. The security team typically does not test +unsupported versions, but this problem is quite old. + +Many PostgreSQL-provided client applications have options that create additional +database connections. Some of those applications reuse only the basic +connection parameters (e.g. `host`, `user`, `port`), dropping others. If this +drops a security-relevant parameter (e.g. `channel_binding`, `sslmode`, +`requirepeer`, `gssencmode`), the attacker has an opportunity to complete a MITM +attack or observe cleartext transmission. + +Affected applications are `clusterdb`, `pg_dump`, `pg_restore`, `psql`, +`reindexdb`, and `vacuumdb`. The vulnerability arises only if one invokes an +affected client application with a connection string containing a +security-relevant parameter. + +This also fixes how the `\connect` command of `psql` reuses connection +parameters, i.e. all non-overridden parameters from a previous connection +string now re-used. + +The PostgreSQL project thanks Peter Eisentraut for reporting this problem. + +* CVE-2020-25696: `psql`'s `\gset` allows overwriting specially treated variables + +Versions Affected: 9.5 - 13. The security team typically does not test +unsupported versions, but this problem likely arrived with the feature's debut +in version 9.3. + +The `\gset` meta-command, which sets `psql` variables based on query results, +does not distinguish variables that control `psql` behavior. If an interactive +`psql` session uses `\gset` when querying a compromised server, the attacker can +execute arbitrary code as the operating system account running `psql`. +Using `\gset` with a prefix not found among specially treated variables, e.g. +any lowercase string, precludes the attack in an unpatched `psql`. + +The PostgreSQL project thanks Nick Cleaton for reporting this problem. + +Bug Fixes and Improvements +-------------------------- + +This update also fixes over 65 bugs that were reported in the last several +months. Some of these issues only affect version 13, but may also apply to other +supported versions. + +Some of these fixes include: + +* Fix a breakage in the replication protocol by ensuring that two "command +completion" events are expected for `START_REPLICATION`. +* Ensure `fsync` is called on the SLRU caches that PostgreSQL maintains. This +prevents potential data loss due to an operating system crash. +* Fix `ALTER ROLE` usage for users with the `BYPASSRLS` permission. +* `ALTER TABLE ONLY ... DROP EXPRESSION` is disallowed on partitioned tables +when there are child tables. +* Ensure that `ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER` does not apply to +child tables. +* Fix for `ALTER TABLE ... SET NOT NULL` on partitioned tables to avoid a +potential deadlock in parallel `pg_restore`. +* Fix handling of expressions in `CREATE TABLE LIKE` with inheritance. +* `DROP INDEX CONCURRENTLY` is disallowed on partitioned tables. +* Allow `LOCK TABLE` to succeed on a self-referential view instead of throwing +an error. +* Several fixes around statistics collection and progress reporting for +`REINDEX CONCURRENTLY`. +* Ensure that `GENERATED` columns are updated when any columns they depend on +are updated via a rule or an updatable view. +* Support hash partitioning with text array columns as partition keys. +* Allow the jsonpath `.datetime()` method to accept ISO 8601-format timestamps. +* During a "smart" shutdown, ensure background processes are not terminated +until all foreground client sessions are completed, fixing an issue that broke +the processing of parallel queries. +* Several fixes for the query planner and optimizer. +* Ensure that data is de-toasted before being inserted into a BRIN index. This +could manifest itself with errors like "missing chunk number 0 for toast value +NNN". If you have seen a similar error in an existing BRIN index, you should be +able to correct it by using `REINDEX` on the index. +* Fix the output of `EXPLAIN` to have the correct XML tag nesting for +incremental sort plans. +* Several fixes for memory leaks, including ones involving RLS policies, using +`CALL` with PL/pgSQL, `SIGHUP` processing a configuration parameter that cannot +be applied without a restart, and an edge-case for index lookup for a partition. +* libpq can now support arbitrary-length lines in the .pgpass file. +* On Windows, `psql` now reads the output of a backtick command in text mode, +not binary mode, so it can now properly handle newlines. +* Fix how `pg_dump`, `pg_restore`, `clusterdb`, `reindexdb`, and `vacuumdb` use +complex connection-string parameters. +* When the `\connect` command of `psql` reuses connection parameters, ensure +that all non-overridden parameters from a previous connection string are also +re-used. +* Ensure that `pg_dump` collects per-column information about extension +configuration tables, avoiding crashes when specifying `--inserts`. +* Ensure that parallel `pg_restore` processes foreign keys referencing +partitioned tables in the correct order. +* Several fixes for `contrib/pgcrypto`, including a memory leak fix. + +This update also contains tzdata release 2020d for for DST law changes in Fiji, +Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station +(Antarctica); plus historical corrections for France, Hungary, Monaco, and +Palestine. + +For the full list of changes available, please review the +[release notes](https://www.postgresql.org/docs/current/release.html). + +PostgreSQL 9.5 EOL Notice +------------------------- + +PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. If you are +running PostgreSQL 9.5 in a production environment, we suggest that you make +plans to upgrade to a newer, supported version of PostgreSQL. Please see our +[versioning policy](https://www.postgresql.org/support/versioning/) for more +information. + +Updating +-------- + +All PostgreSQL update releases are cumulative. As with other minor releases, +users are not required to dump and reload their database or use `pg_upgrade` in +order to apply this update release; you may simply shutdown PostgreSQL and +update its binaries. + +Users who have skipped one or more update releases may need to run additional, +post-update steps; please see the release notes for earlier versions for +details. + +For more details, please see the +[release notes](https://www.postgresql.org/docs/current/release.html). + +**NOTE**: PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. Please +see our [versioning policy](https://www.postgresql.org/support/versioning/) for +more information. + +Links +----- +* [Download](https://www.postgresql.org/download/) +* [Release Notes](https://www.postgresql.org/docs/release/) +* [Security](https://www.postgresql.org/support/security/) +* [Versioning Policy](https://www.postgresql.org/support/versioning/) +* [Follow @postgresql on Twitter](https://twitter.com/postgresql)