From 0f9a7f231966c68681fd6f1c79c8ce3a46b43a98 Mon Sep 17 00:00:00 2001 From: "Jonathan S. Katz" Date: Mon, 6 Nov 2023 16:53:43 -0500 Subject: [PATCH] 2023-11-09 release draft --- .../current/20231109securityrelease.md | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 update_releases/current/20231109securityrelease.md diff --git a/update_releases/current/20231109securityrelease.md b/update_releases/current/20231109securityrelease.md new file mode 100644 index 0000000..653dc0a --- /dev/null +++ b/update_releases/current/20231109securityrelease.md 
@@ -0,0 +1,178 @@ +The PostgreSQL Global Development Group has released an update to all supported +versions of PostgreSQL, including 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 +This release fixes three security vulnerabilities and over 55 bugs and reported +over the last several months. + +This release includes fixes for indexes where in certain cases, we advise +reindexing. Please see the "Update" section for more details. + +This is the **final release of PostgreSQL 11**. PostgreSQL 10 will no longer +receive +[security and bug fixes](https://www.postgresql.org/support/versioning/). +If you are running PostgreSQL 10 in a production environment, we suggest that +you make plans to upgrade. + +For the full list of changes, please review the +[release notes](https://www.postgresql.org/docs/release/). + +PostgreSQL 11 EOL Notice +------------------------ + +**This is the final release of PostgreSQL 11**. PostgreSQL 11 is now end-of-life +and will no longer receive security and bug fixes. If you are +running PostgreSQL 11 in a production environment, we suggest that you make +plans to upgrade to a newer, supported version of PostgreSQL. Please see our +[versioning policy](https://www.postgresql.org/support/versioning/) for more +information. + +Security Issues +--------------- + +### [CVE-2023-5868](https://www.postgresql.org/support/security/CVE-2023-5868/): Memory disclosure in aggregate function calls + +CVSS v3 Base Score: [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) + +Supported, Vulnerable Versions: 11 - 16. The security team typically does not +test unsupported versions, but this problem is quite old. + +Certain aggregate function calls receiving "unknown"-type arguments could +disclose bytes of server memory from the end of the "unknown"-type value to the +next zero byte. One typically gets an "unknown"-type value via a string literal +having no type designation. 
We have not confirmed or ruled out viability of +attacks that arrange for presence of notable, confidential information in +disclosed bytes. + +The PostgreSQL project thanks Jingzhou Fu for reporting this problem. + +### [CVE-2023-5869](https://www.postgresql.org/support/security/CVE-2023-5869/): Buffer overrun from integer overflow in array modification + +CVSS v3 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) + +Supported, Vulnerable Versions: 11 - 16. The security team typically does not +test unsupported versions, but this problem is quite old. + +While modifying certain SQL array values, missing overflow checks let +authenticated database users write arbitrary bytes to a memory area that +facilitates arbitrary code execution. Missing overflow checks also let +authenticated database users read a wide area of server memory. The +[CVE-2021-32027](https://www.postgresql.org/support/security/CVE-2021-32027/) +fix covered some attacks of this description, but it missed others. + +The PostgreSQL project thanks Pedro Gallegos for reporting this problem. + +### [CVE-2023-5870](https://www.postgresql.org/support/security/CVE-2023-5870/): Role `pg_cancel_backend` can signal certain superuser processes + +CVSS v3 Base Score: [2.2](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L) + +Supported, Vulnerable Versions: 11 - 16. The security team typically does not +test unsupported versions, but this problem is quite old. + +Documentation says the `pg_cancel_backend` role cannot signal "a backend owned +by a superuser". On the contrary, it can signal background workers, including +the logical replication launcher. It can signal `autovacuum` workers and the +`autovacuum` launcher. 
Signaling `autovacuum` workers and those two launchers +provides no meaningful exploit, so exploiting this vulnerability requires a +non-core extension with a less-resilient background worker. For example, a +non-core background worker that does not auto-restart would experience a +denial of service with respect to that particular background worker. + +The PostgreSQL project thanks Hemanth Sandrana and Mahendrakar Srinivasarao +for reporting this problem. + +Bug Fixes and Improvements +-------------------------- + +This update fixes over 55 bugs that were reported in the last several months. +The issues listed below affect PostgreSQL 16. Some of these issues may also +affect other supported versions of PostgreSQL. + +* Fix issue where GiST indexes had an incorrect behavior during a "page split" +operation that could lead to incorrect results in subsequent index searches. +Please [reindex](https://www.postgresql.org/docs/current/sql-reindex.html) GiST +indexes after installing this update. +* Fix issue where B-tree indexes would incorrectly de-duplicate `interval` +columns. Please [reindex](https://www.postgresql.org/docs/current/sql-reindex.html) +any B-tree index that includes an `interval` column after installing this +update. +* Provide more efficient indexing of `date`, `timestamptz`, and `timestamp` +values in BRIN indexes. While not required, we recommend +[reindexing](https://www.postgresql.org/docs/current/sql-reindex.html) BRIN +indexes that include these data types after installing this update. +* Fix for bulk table insertion into partitioned tables. +* Fix for hash-partitioned tables with multiple partition keys during step +generation and runtime pruning that could lead to crashes in some cases. 
+* Throw the correct error if [`pgrowlocks()`](https://www.postgresql.org/docs/current/pgrowlocks.html) is applied to a partitioned table + +* Fix inconsistent rechecking of concurrently-updated rows during +[`MERGE`](https://www.postgresql.org/docs/current/sql-merge.html) when using +[`READ COMMITTED`](https://www.postgresql.org/docs/current/transaction-iso.html#XACT-READ-COMMITTED) +mode. +* Correctly identify the target table in an inherited `UPDATE`/`DELETE`/`MERGE` +even when the parent table is excluded by constraints. +* Fix over-allocation of a constructed [`tsvector`](https://www.postgresql.org/docs/current/datatype-textsearch.html#DATATYPE-TSVECTOR). +* Fix [`ALTER SUBSCRIPTION`](https://www.postgresql.org/docs/current/sql-altersubscription.html) +to apply changes in the `run_as_owner` option. +* Several fixes for [`COPY FROM`](https://www.postgresql.org/docs/current/sql-copy.html), +* Several fixes for handling torn reads with [`pg_control`](https://www.postgresql.org/docs/current/wal-internals.html). +* Fix "could not find pathkey item to sort" errors occurring while planning +aggregate functions with `ORDER BY` or `DISTINCT` options. +* When [`track_io_timing`](https://www.postgresql.org/docs/current/runtime-config-statistics.html#GUC-TRACK-IO-TIMING) +is enabled, include the time taken by relation extension operations as write +time. +* Track the dependencies of cached [`CALL`](https://www.postgresql.org/docs/current/sql-call.html) +statements, and re-plan them when needed. +* Treat out-of-memory failures as `FATAL` while reading WAL. +* Fix [`pg_dump`](https://www.postgresql.org/docs/current/app-pgdump.html) to +dump the new `run_as_owner` option of subscriptions. +* Fix [`pg_restore`](https://www.postgresql.org/docs/current/app-pgrestore.html) +so that selective restores will include both table-level and column-level ACLs +for selected tables. 
+* Add logic to [`pg_upgrade`](https://www.postgresql.org/docs/current/pgupgrade.html) +to check for use of obsolete data types `abstime`, `reltime`, and `tinterval`. +* Fix [`vacuumdb`](https://www.postgresql.org/docs/current/app-vacuumdb.html) +to have multiple `-N` switches actually exclude tables in multiple schemas. +* [`amcheck`](https://www.postgresql.org/docs/current/amcheck.html) +will no longer report interrupted page deletion as corruption. +* Fix `btree_gin` indexes on `interval` columns to properly return data when +using the `<` and `<=` operators. + +Updating +-------- + +All PostgreSQL update releases are cumulative. As with other minor releases, +users are not required to dump and reload their database or use `pg_upgrade` in +order to apply this update release; you may simply shutdown PostgreSQL and +update its binaries. + +------ +If you use [BRIN]((https://www.postgresql.org/docs/current/brin-intro.html)) +indexes to look up `NULL` values, you will need to [reindex](https://www.postgresql.org/docs/current/sql-reindex.html) +them after upgrading to this release. On PostgreSQL 12 and above, you can use +[`REINDEX CONCURRENTLY`](https://www.postgresql.org/docs/current/sql-reindex.html) +to avoid blocking writes to the affected index and table, for example: + +``` +REINDEX INDEX CONCURRENTLY your_index_name; +``` +---- + +Users who have skipped one or more update releases may need to run additional +post-update steps; please see the release notes from earlier versions for +details. + +For more details, please see the +[release notes](https://www.postgresql.org/docs/release/). 
+ +Links +----- +* [Download](https://www.postgresql.org/download/) +* [Release Notes](https://www.postgresql.org/docs/release/) +* [Security](https://www.postgresql.org/support/security/) +* [Versioning Policy](https://www.postgresql.org/support/versioning/) +* [PostgreSQL 16 Release Announcement](https://www.postgresql.org/about/press/) +* [Follow @postgresql on Twitter](https://twitter.com/postgresql) +* [Donate](https://www.postgresql.org/about/donate/) + +If you have corrections or suggestions for this release announcement, please +send them to the _pgsql-www@lists.postgresql.org_ public +[mailing list](https://www.postgresql.org/list/). -- 2.39.5
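Review bot: The intro paragraph of the new file contradicts the EOL section: it says "PostgreSQL 10 will no longer receive security and bug fixes" and tells PostgreSQL 10 users to upgrade, while the heading "PostgreSQL 11 EOL Notice" and the sentence "PostgreSQL 11 is now end-of-life" say the version reaching EOL in this release is 11; the intro should say 11 in both places. The same intro also has two wording slips: the version list "16.1, 15.5, 14.10, 13.13, 12.17, and 11.22" ends without a period, and "over 55 bugs and reported over the last several months" has a stray "and". The "Updating" section is inconsistent with "Bug Fixes and Improvements" on reindexing: the bug list says GiST indexes and B-tree indexes on `interval` columns must be reindexed and that BRIN reindexing is "not required", but the Updating section mentions only BRIN indexes used "to look up `NULL` values" and says they "will need" reindexing, and the intro points readers to an "Update" section that is actually titled "Updating"; the three passages should name the same index types and the same heading. Smaller fixes in the same hunk: the link `[BRIN]((https://www.postgresql.org/docs/current/brin-intro.html))` has doubled parentheses and will not render as a link; the bare `------` and `----` lines around that paragraph look like leftover draft markers; "Several fixes for [`COPY FROM`](...)," ends in a comma instead of a period; the `pgrowlocks()` bullet has no terminating period; and "you may simply shutdown PostgreSQL" should read "shut down".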