--- /dev/null
+The PostgreSQL Global Development Group has released an update to all supported
+versions of our database system, including 14.1, 13.5, 12.9, 11.14, 10.19, and
+9.6.24. This release closes two security vulnerabilities and fixes over 40 bugs
+reported over the last three months.
+
+Additionally, this is the **final release of PostgreSQL 9.6**. If you are
+running PostgreSQL 9.6 in a production environment, we suggest that you make
+plans to upgrade.
+
+For the full list of changes, please review the
+[release notes](https://www.postgresql.org/docs/release/).
+
+Security Issues
+---------------
+
+### [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/): Server processes unencrypted bytes from man-in-the-middle
+
+Versions Affected: 9.6 - 14. The security team typically does not test
+unsupported versions, but this problem is quite old.
+
+When the server is configured to use `trust` authentication with a `clientcert`
+requirement or to use `cert` authentication, a man-in-the-middle attacker can
+inject arbitrary SQL queries when a connection is first established, despite the
+use of SSL certificate verification and encryption.
+
+The PostgreSQL project thanks Jacob Champion for reporting this problem.
+
+### [CVE-2021-23222](https://www.postgresql.org/support/security/CVE-2021-23222/): libpq processes unencrypted bytes from man-in-the-middle
+
+Versions Affected: 9.6 - 14. The security team typically does not test
+unsupported versions, but this problem is quite old.
+
+A man-in-the-middle attacker can inject false responses to the client's first
+few queries, despite the use of SSL certificate verification and encryption.
+
+If more preconditions hold, the attacker can exfiltrate the client's password
+or other confidential data that might be transmitted early in a session. The
+attacker must have a way to trick the client's intended server into making the
+confidential data accessible to the attacker. A known implementation having
+that property is a PostgreSQL configuration vulnerable to [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/).
+
+As with any exploitation of [CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/), the server must be using `trust`
+authentication with a `clientcert` requirement or using `cert` authentication.
+To disclose a password, the client must be in possession of a password, which is
+atypical when using an authentication configuration vulnerable to
+[CVE-2021-23214](https://www.postgresql.org/support/security/CVE-2021-23214/). The attacker must have some other way to access the server to
+retrieve the exfiltrated data (a valid, unprivileged login account would be
+sufficient).
+
+The PostgreSQL project thanks Jacob Champion for reporting this problem.
+
+Bug Fixes and Improvements
+--------------------------
+
+This update fixes over 40 bugs that were reported in the last several months.
+The issues listed below affect PostgreSQL 14. Some of these issues may also
+affect other supported versions of PostgreSQL.
+
+Some of these fixes include:
+
+* Fix physical replication for cases where the primary crashes after shipping a
+WAL segment that ends with a partial WAL record. When applying this update,
+update your standby servers before the primary so that they will be ready to
+handle the fix if the primary happens to crash.
+* Fix parallel `VACUUM` so that it will process indexes below the
+[`min_parallel_index_scan_size`](https://www.postgresql.org/docs/14/runtime-config-query.html#GUC-MIN-PARALLEL-INDEX-SCAN-SIZE)
+threshold if the table has at least two indexes that are above that size. This
+problem does not affect autovacuum. If you are affected by this issue, you
+should reindex any manually-vacuumed tables.
+* Fix causes of `CREATE INDEX CONCURRENTLY` and `REINDEX CONCURRENTLY` writing
+corrupt indexes. You should reindex any concurrently-built indexes.
+* Fix for attaching/detaching a partition that could allow certain
+`INSERT`/`UPDATE` queries to misbehave in active sessions.
+* Fix for creating a new range type with `CREATE TYPE` that could cause
+problems for later event triggers or subsequent executions of the `CREATE TYPE`
+command.
+* Fix updates of element fields in arrays of a domain that is a part of a
+composite.
+* Disallow the combination of `FETCH FIRST WITH TIES` and
+`FOR UPDATE SKIP LOCKED`.
+* Fix corner-case loss of precision in the numeric `power()` function.
+* Fix restoration of a Portal's snapshot inside a subtransaction, which could
+lead to a crash. For example, this could occur in PL/pgSQL when a `COMMIT` is
+immediately followed by a `BEGIN ... EXCEPTION` block that performs a query.
+* Clean up correctly if a transaction fails after exporting its snapshot. This
+could occur if a replication slot was created then rolled back, and then another
+replication slot was created in the same session.
+* Fix for "overflowed-subtransaction" wraparound tracking on standby servers
+that could lead to performance degradation.
+* Ensure that prepared transactions are properly accounted for during promotion
+of a standby server.
+* Ensure that the correct lock level is used when renaming a table.
+* Avoid crash when dropping a role that owns objects being dropped concurrently.
+* Disallow setting `huge_pages` to on when `shared_memory_type` is `sysv`
+* Fix query type checking in the PL/pgSQL `RETURN QUERY`.
+* Several fixes for `pg_dump`, including the ability to dump non-global default
+privileges correctly.
+* Use the CLDR project's data to map Windows time zone names to IANA time zones.
+
+This update also contains tzdata release 2021e for DST law changes in Fiji,
+Jordan, Palestine, and Samoa, plus historical corrections for Barbados,
+Cook Islands, Guyana, Niue, Portugal, and Tonga.
+
+Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the
+following zones have been merged into nearby, more-populous zones whose clocks
+have agreed with them since 1970: Africa/Accra, America/Atikokan,
+America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau,
+America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all
+these cases, the previous zone name remains as an alias.
+
+For the full list of changes available, please review the
+[release notes](https://www.postgresql.org/docs/release/).
+
+PostgreSQL 9.6 is EOL
+---------------------
+
+This is the final release of PostgreSQL 9.6. If you are running PostgreSQL 9.6
+in a production environment, we suggest that you make plans to upgrade to a
+newer, supported version of PostgreSQL. Please see our
+[versioning policy](https://www.postgresql.org/support/versioning/) for more
+information.
+
+Updating
+--------
+
+All PostgreSQL update releases are cumulative. As with other minor releases,
+users are not required to dump and reload their database or use `pg_upgrade` in
+order to apply this update release; you may simply shutdown PostgreSQL and
+update its binaries.
+
+Users who have skipped one or more update releases may need to run additional,
+post-update steps; please see the release notes for earlier versions for
+details.
+
+For more details, please see the
+[release notes](https://www.postgresql.org/docs/release/).
+
+Links
+-----
+* [Download](https://www.postgresql.org/download/)
+* [Release Notes](https://www.postgresql.org/docs/release/)
+* [Security](https://www.postgresql.org/support/security/)
+* [Versioning Policy](https://www.postgresql.org/support/versioning/)
+* [Follow @postgresql on Twitter](https://twitter.com/postgresql)
projects / press.git / commitdiff