From 366098ba8476ccae7860d8c6bbb6493a6b5cb0fb Mon Sep 17 00:00:00 2001 From: "Jonathan S. Katz" Date: Mon, 5 May 2025 23:29:39 -0400 Subject: [PATCH] 2025-05-08 release announcement draft --- .../current/20250508securityrelease.md | 118 ++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 update_releases/current/20250508securityrelease.md diff --git a/update_releases/current/20250508securityrelease.md b/update_releases/current/20250508securityrelease.md new file mode 100644 index 0000000..eedeb4d --- /dev/null +++ b/update_releases/current/20250508securityrelease.md 
@@ -0,0 +1,118 @@ +The PostgreSQL Global Development Group has released an update to all supported +versions of PostgreSQL, including 17.5, 16.9, 15.13, 14.18, and 13.21. +This release fixes 1 security vulnerability and over 60 bugs reported over the +last several months. + +For the full list of changes, please review the +[release notes](https://www.postgresql.org/docs/release/). + +PostgreSQL 13 EOL Notice +------------------------ + +PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are +running PostgreSQL 13 in a production environment, we suggest that you make +plans to upgrade to a newer, supported version of PostgreSQL. Please see our +[versioning policy](https://www.postgresql.org/support/versioning/) for more +information. + +Security Issues +--------------- + +### [CVE-2025-4207](https://www.postgresql.org/support/security/CVE-2025-4207/): PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation + +CVSS v3.1 Base Score: [5.9](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) + +Supported, Vulnerable Versions: 13 - 17. + +A buffer over-read in PostgreSQL GB18030 encoding validation allows a database +input provider to achieve temporary denial of service on platforms where a +1-byte over-read can elicit process termination. This affects the database +server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and +13.21 are affected. + +Bug Fixes and Improvements +-------------------------- + +This update fixes over 60 bugs that were reported in the last several months. +The issues listed below affect PostgreSQL 17. Some of these issues may also +affect other supported versions of PostgreSQL. + +* Handle self-referential foreign keys on partitioned tables correctly. 
Creating +or attaching partitions failed to make the required catalog entries for a +foreign-key constraint if the table referenced by the constraint was the same +partitioned table. This resulted in failure to enforce the constraint fully. To +fix this, please see the instructions in the "Updating" section. +* Fix for potential data loss issue when using BRIN bloom indexes (e.g. using +the `date_bloom_ops` operator class). +* Fix [`MERGE`](https://www.postgresql.org/docs/current/sql-merge.html) into a +partitioned table with `DO NOTHING` actions. +* Prevent failure in [`INSERT`](https://www.postgresql.org/docs/current/sql-insert.html) +commands when the table has a [`GENERATED` column](https://www.postgresql.org/docs/current/ddl-generated-columns.html) +of a [domain data type](https://www.postgresql.org/docs/current/domains.html) +and the domain's constraints disallow `NULL` values. +* Fix [`ALTER TABLE .. ADD COLUMN`](https://www.postgresql.org/docs/current/sql-altertable.html) to correctly handle the case of a [domain](https://www.postgresql.org/docs/current/domains.html) type that has +its own default value and the `DEFAULT` for the column is not set. +* Fix issues when performing casts within the keys of JSON constructor +expressions. +* Fix [`XMLSERIALIZE()`](https://www.postgresql.org/docs/current/datatype-xml.html) so that the `INDENT` option is correctly dumped out when +it's present in views or rules. This was noticeable on restores. +* Several query planner fixes, including avoiding a premature evaluation +of arguments in an aggregate function that has both `FILTER` and either +`ORDER BY` or `DISTINCT` clauses that could lead to unnecessary failures. +* Fix performance issues in GIN index search startup when there are many search +keys, for example, `jsonbcol ?| array[...]` with tens of thousands of array +elements. +* Ensure that I/O statistics of active WAL senders are reported within at most +one second. 
+* Fix race condition in handling of [`synchronous_standby_names`](https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT) immediately +after startup, where a backend might fail to wait for a synchronous commit. +* Avoid infinite loop if [`scram_iterations`](https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-SCRAM-ITERATIONS) +is set to `INT_MAX`. +* Several fixes for logical replication, including handling of vacuum around +deleted rows that are still required for logical decoding. +* Prevent potential data loss when schema modification operations (DDL) that +don't take a strong lock affect tables that are being logically replicated. +* Prevent issues in logical replication that could allow duplicate data to be +applied due to apply worker error handling. +* Improve how [`reindexdb`](https://www.postgresql.org/docs/current/app-reindexdb.html) +handles scheduling parallel reindex operations to achieve the expected amount of +parallelism. + +This release also updates time zone data files to tzdata release 2025b for DST +law changes in Chile, plus historical corrections for Iran. Additionally, there +is a new time zone America/Coyhaique for Chile's Aysén Region, to account for it +changing to UTC-03 year-round, which diverges from America/Santiago. + +Updating +-------- + +All PostgreSQL update releases are cumulative. As with other minor releases, +users are not required to dump and reload their database or use `pg_upgrade` in +order to apply this update release; you may simply shutdown PostgreSQL and +update its binaries. + +If you created a self-referential foreign key on a partitioned table, after +updating, you should drop and recreate any of these self-referential foreign +keys if partitions have been created or attached since the constraint was +created. 
There may be rows in the partition that violate this constraint, +in which case recreating the constraint will fail, and you'll need to correct +those rows before trying again. + +Users who have skipped one or more update releases may need to run additional +post-update steps; please see the release notes from earlier versions for +details. + +For more details, please see the +[release notes](https://www.postgresql.org/docs/release/). + +Links +----- +* [Download](https://www.postgresql.org/download/) +* [Release Notes](https://www.postgresql.org/docs/release/) +* [Security](https://www.postgresql.org/support/security/) +* [Versioning Policy](https://www.postgresql.org/support/versioning/) +* [Donate](https://www.postgresql.org/about/donate/) + +If you have corrections or suggestions for this release announcement, please +send them to the _pgsql-www@lists.postgresql.org_ public +[mailing list](https://www.postgresql.org/list/). -- 2.39.5
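Review bot: In the "Bug Fixes and Improvements" list, the `synchronous_standby_names` item links to `runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT`, so the link text names one setting while the anchor names `synchronous_commit`. Point the link at the documentation entry for `synchronous_standby_names` itself, so that operators checking whether the startup race affects their synchronous replication setup land on the right parameter. Two smaller points in the same hunk: in "Updating", "you may simply shutdown PostgreSQL" should read "shut down" (verb form), and the BRIN bloom item reports a potential data loss fix without saying whether existing indexes need any post-update action, while the self-referential foreign key item points to explicit steps. If action is needed for BRIN bloom indexes, state it in "Updating"; if not, a short "no action required" would save readers from guessing.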