2025-08-14 release and PostgreSQL 18 Beta 3

Co-authored-by: Noah Misch <noah@leadboat.com>

diff --git a/update_releases/current/20250814securityrelease.md b/update_releases/current/20250814securityrelease.md
new file mode 100644 (file)
index 0000000..1b9c91d
--- /dev/null
+++ b/update_releases/current/20250814securityrelease.md
@@ -0,0 +1,208 @@
+The PostgreSQL Global Development Group has released an update to all
+supported versions of PostgreSQL, including 17.6, 16.10, 15.14, 14.19, and
+13.22, as well as the third beta release of PostgreSQL 18. This release fixes
+3 security vulnerabilities and over 55 bugs reported over the last several
+months.
+
+If you previously created a BRIN index using the `numeric_minmax_multi_ops`
+operator class, please see the "Updating" section for additional instructions
+after upgrading your instance.
+
+For the full list of changes, please review the [release
+notes](https://www.postgresql.org/docs/release/).
+
+PostgreSQL 13 EOL Notice
+------------------------
+
+PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are
+running PostgreSQL 13 in a production environment, we suggest that you make
+plans to upgrade to a newer, supported version of PostgreSQL. Please see our
+[versioning policy](https://www.postgresql.org/support/versioning/) for more
+information.
+
+Security Issues
+---------------
+
+### [CVE-2025-8713](https://www.postgresql.org/support/security/CVE-2025-8713/): PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table
+
+CVSS v3.1 Base Score: [3.1](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
+
+Supported, Vulnerable Versions: 13 - 17.
+
+PostgreSQL optimizer statistics allow a user to read sampled data within a
+view that the user cannot access. Separately, statistics allow a user to read
+sampled data that a row security policy intended to hide. PostgreSQL maintains
+statistics for tables by sampling data available in columns; this data is
+consulted during the query planning process. Prior to this release, a user
+could craft a leaky operator that bypassed view access control lists (ACLs)
+and bypassed row security policies in partitioning or table inheritance
+hierarchies. Reachable statistics data notably included histograms and most-
+common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this
+class of vulnerability, but this gap remained. Versions before PostgreSQL
+17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
+
+The PostgreSQL project thanks Dean Rasheed for reporting this problem.
+
+### [CVE-2025-8714](https://www.postgresql.org/support/security/CVE-2025-8714/): PostgreSQL `pg_dump` lets superuser of origin server execute arbitrary code in `psql` client
+
+CVSS v3.1 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
+
+Supported, Vulnerable Versions: 13 - 17.
+
+Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser
+of the origin server to inject arbitrary code for restore-time execution as
+the client operating system account running psql to restore the dump, via psql
+meta-commands. pg_dumpall is also affected. pg_restore is affected when used
+to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
+Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
+
+The PostgreSQL project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK
+for reporting this problem.
+
+### [CVE-2025-8715](https://www.postgresql.org/support/security/CVE-2025-8715/): PostgreSQL `pg_dump` newline in object name executes arbitrary code in `psql` client and in restore target server
+
+CVSS v3.1 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
+
+Supported, Vulnerable Versions: 13 - 17.
+
+Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of
+the origin server to inject arbitrary code for restore-time execution as the
+client operating system account running psql to restore the dump, via psql
+meta-commands inside a purpose-crafted object name. The same attacks can
+achieve SQL injection as a superuser of the restore target server. pg_dumpall,
+pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6,
+16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are
+unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20
+reintroduced it.
+
+The PostgreSQL project thanks Noah Misch for reporting this problem.
+
+Bug Fixes and Improvements
+--------------------------
+
+This update fixes over 55 bugs that were reported in the last several
+months. The issues listed below affect PostgreSQL 17. Some of these issues may
+also affect other supported versions of PostgreSQL.
+
+* Fix for BRIN indexes using the `numeric_minmax_multi_ops` operator class that could cause them to become bloated and inefficient. Please see the "Updating" section for instructions on how to fix these indexes.
+* Several fixes for logical replication, including fixes for memory allocation failure, duplicate transaction replay, infinite wait, unexpected shutdown, and a standby unable to shutdown.
+* Fix premature removal of old WAL during a checkpoint, which could impact recovery when using replication slots.
+* Revert a change that could reject XML documents over 10MB in size.
+* Fix how nested character classes (e.g. `[[:alpha:]%_]`) are handled in [`SIMILAR TO`](https://www.postgresql.org/docs/current/functions-matching.html#FUNCTIONS-SIMILARTO-REGEXP) expressions.
+* Restore the ability for PL/pgSQL expressions to use parallel execution.
+* Avoid a rare scenario where a B-tree index could modify the wrong entry.
+* Several fixes for [`MERGE`](https://www.postgresql.org/docs/current/sql-merge.html), including incorrect query results with concurrency and when targeting a table that is a parent in an inheritance hierarchy.
+* Fix LZ4 decompression failure that could occur on data that is not very compressible.
+* Prevent an infinite loop in checkpoints on systems with very large `shared_buffers` settings.
+* Fix issues with GSSAPI authentication when using Active Directory accounts with many group memberships. This release also fixes timing-dependent connection failures when using SSL or GSSAPI encryption in non-blocking mode.
+* Fix a crash in libpq function `PQcancelCreate()`.
+* Fix several resource leaks.
+
+Updating
+--------
+
+All PostgreSQL update releases are cumulative. As with other minor releases,
+users are not required to dump and reload their database or use `pg_upgrade`
+in order to apply this update release; you may simply shutdown PostgreSQL and
+update its binaries.
+
+If you have any BRIN indexes that use the `numeric_minmax_multi_ops` operator
+class, it is advisable to `REINDEX` them after updating to fix any potential
+bloating and inefficiency.
+
+Users who have skipped one or more update releases may need to run additional
+post-update steps; please see the release notes from earlier versions for
+details.
+
+For more details, please see the [release
+notes](https://www.postgresql.org/docs/release/).
+
+A Note on the PostgreSQL 18 Beta
+--------------------------------
+
+This release marks the third beta release of PostgreSQL 18 and puts the
+community one step closer to general availability tentatively around
+September/October 2025.
+
+In the spirit of the open source PostgreSQL community, we strongly encourage you
+to test the new features of PostgreSQL 18 on your systems to help us eliminate
+bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 3 in
+production environments, we encourage you to find ways to run your typical
+application workloads against this beta release.
+
+Your testing and feedback helps the community ensure that PostgreSQL 18
+upholds our standards of delivering a stable, reliable release of the
+world's most advanced open source relational database. Please read more about
+our [beta testing process](https://www.postgresql.org/developer/beta/) and how
+you can contribute:
+
+  [https://www.postgresql.org/developer/beta/](https://www.postgresql.org/developer/beta/)
+
+Upgrading to PostgreSQL 18 Beta 3
+---------------------------------
+
+To upgrade to PostgreSQL 18 Beta 3 from an earlier version of PostgreSQL,
+you will need to use a strategy similar to upgrading between major versions of
+PostgreSQL (e.g. `pg_upgrade` or `pg_dump` / `pg_restore`). For more
+information, please visit the documentation section on
+[upgrading](https://www.postgresql.org/docs/18/static/upgrading.html).
+
+Changes Since Beta 2
+--------------------
+
+Fixes and changes in PostgreSQL 18 Beta 3 include:
+
+* Fix for performance regression in trivial queries.
+* Fix `can't get cancellation key` error observed with some additional software.
+* Fix for background workers failing to restart after crashes.
+* Fix a rare asynchronous I/O failure.
+* Stop dumping excess objects in `pg_dumpall --statistics-only` and `--no-schema`.
+* Remove `pg_dumpall` non-text output file formats.
+* Fix `date_trunc(..., 'infinity'::timestamptz)` on 32-bit systems.
+
+Please see the [release notes](https://www.postgresql.org/docs/18/release-18.html) for a complete list of new and changed features:
+
+[https://www.postgresql.org/docs/18/release-18.html](https://www.postgresql.org/docs/18/release-18.html)
+
+Testing for Bugs & Compatibility
+--------------------------------
+
+The stability of each PostgreSQL release greatly depends on you, the community,
+to test the upcoming version with your workloads and testing tools to find bugs
+and regressions before the general availability of PostgreSQL 18. As this is a
+Beta, minor changes to database behaviors, feature details, and APIs are still
+possible. Your feedback and testing will help determine the final tweaks on the
+new features, so please test in the near future. The quality of user testing
+helps determine when we can make a final release.
+
+A list of [open issues](https://wiki.postgresql.org/wiki/PostgreSQL_18_Open_Items)
+is publicly available in the PostgreSQL wiki.  You can
+[report bugs](https://www.postgresql.org/account/submitbug/) using this form on
+the PostgreSQL website:
+
+  [https://www.postgresql.org/account/submitbug/](https://www.postgresql.org/account/submitbug/)
+
+Beta Schedule
+-------------
+
+This is the third beta release of version 18. The PostgreSQL Project will
+release one or more release candidates, before the final release around
+September/October 2025. For further information please see the [Beta
+Testing](https://www.postgresql.org/developer/beta/) page.
+
+Links
+-----
+
+* [Download](https://www.postgresql.org/download/)
+* [Release Notes](https://www.postgresql.org/docs/release/)
+* [Security](https://www.postgresql.org/support/security/)
+* [Versioning Policy](https://www.postgresql.org/support/versioning/)
+* [Beta Testing Information](https://www.postgresql.org/developer/beta/)
+* [PostgreSQL 18 Beta Release Notes](https://www.postgresql.org/docs/18/release-18.html)
+* [PostgreSQL 18 Open Issues](https://wiki.postgresql.org/wiki/PostgreSQL_18_Open_Items)
+* [Submit a Bug](https://www.postgresql.org/account/submitbug/)
+* [Donate](https://www.postgresql.org/about/donate/)
+
+If you have corrections or suggestions for this release announcement, please
+send them to the _pgsql-www@lists.postgresql.org_ public [mailing
+list](https://www.postgresql.org/list/).