PostgreSQL news

PostgreSQL 17.4, 16.8, 15.12, 14.17, and 13.20 Released!

Thu, 20 Feb 2025 00:00:00 +0000

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.4, 16.8, 15.12, 14.17, and 13.20.

For the full list of changes, please review the release notes.

Bug Fixes and Improvements

The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

Improve behavior of quoting functions in libpq. The fix for CVE-2025-1094 caused the quoting functions to not honor their string length parameters and, in some cases, cause crashes. This problem could be noticeable from a PostgreSQL client library, based on how it is integrated with libpq.
Fix small memory leak in pg_createsubscriber.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

Out-of-cycle release scheduled for February 20, 2025

Fri, 14 Feb 2025 00:00:00 +0000

The PostgreSQL Global Development Group is planning for an out-of-cycle release on February 20, 2025 to address a regression that was released as part of the February 13, 2025 update release, which included release 17.3, 16.7, 15.11, 14.16, and 13.19. As part of this release, we will issue fixes for all supported versions (17.4, 16.8, 15.12, 14.17, 13.20). While these fixes may not impact all PostgreSQL users, PostgreSQL Global Development Group determined that it would be better to address these sooner than the next scheduled release on May 8, 2025.

The fix for CVE-2025-1094, which closed a vulnerability in the libpq PostgreSQL client library, introduced a regression related to string handling for non-null terminated strings. The error would be visible based on how a PostgreSQL client implemented this behavior, and may not impact all PostgreSQL drivers. As a precaution, the PostgreSQL Global Development Group opted for a follow up release.

If you are impacted by this issue, we advise to consider waiting for the availability of 17.4, 16.8, 15.12, 14.17, and 13.20 before upgrading.

PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 Released!

Thu, 13 Feb 2025 00:00:00 +0000

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.3, 16.7, 15.11, 14.16, and 13.19. This release fixes 1 security vulnerability and over 70 bugs reported over the last several months.

For the full list of changes, please review the release notes.

Security Issues

CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

CVSS v3.1 Base Score: 8.1

Supported, Vulnerable Versions: 13 - 17.

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

The PostgreSQL project thanks Stephen Fewer, Principal Security Researcher, Rapid7 for reporting this problem.

Bug Fixes and Improvements

This update fixes over 70 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

Restore pre-v17 truncation behavior for >63-byte database names and usernames in connection requests.
Don't perform connection privilege checks and limits on parallel workers, and instead inherit these from the leader process.
Remove Lock suffix from LWLock wait event names.
Fix possible re-use of stale results in window aggregates, which could lead to incorrect results.
Several race condition fixes for vacuum that in the worst case could cause corruption to a system catalog.
Several fixes for truncating tables and indexes that prevent potential corruption.
Fix for detaching a partition where its own foreign-key constraint references a partitioned table.
Fix for the FFn (e.g., FF1) format codes for to_timestamp, where an integer format code before the FFn would consume all available digits.
Fixes for SQL/JSON and XMLTABLE() to double-quote specific entries when necessary.
Include the ldapscheme option in pg_hba_file_rules().
Several fixes for UNION, including not merging columns with non-compatible collations.
Several fixes that could impact availability or speed of starting a connection to PostgreSQL.
Fix multiple memory leaks in logical decoding output.
Fix several memory leaks in PL/Python.
Add psql tab completion for COPY (MERGE INTO).
Make pg_controldata more resilient when displaying info from corruptedpg_control files.
Fix for a memory leak in pg_restore with zstd-compressed data.
Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows.
Modify earthdistance to use SQL-standard function bodies, which fixes possible issues with major version upgrades to v17 when databases use this extension.
Fix crash in pageinspect in instances where the brin_page_items() function definition is not updated to the latest version.
Fix race condition when trying to cancel a postgres_fdw remote query.

This release also updates time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines.

Updating

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

PostgreSQL 17.2, 16.6, 15.10, 14.15, 13.18, and 12.22 Released!

Thu, 21 Nov 2024 00:00:00 +0000

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.2, 16.6, 15.10, 14.15, and 13.18. Additionally, due to the nature of one of the issues in the previous update release, the PostgreSQL Global Development Group is also releasing a 12.22 release for PostgreSQL 12. PostgreSQL 12 is now EOL and will not receive more fixes.

For the full list of changes, please review the release notes.

PostgreSQL 12 EOL Notice

This is the final release of PostgreSQL 12. PostgreSQL 12 is now end-of-life and will no longer receive security and bug fixes. If you are running PostgreSQL 12 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Bug Fixes and Improvements

The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

Restore functionality of ALTER ROLE .. SET ROLE and ALTER DATABASE .. SET ROLE. The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they came from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
Restore compatibility for the timescaledb and other PostgreSQL extensions built using PostgreSQL prior to the 2024-11-14 release (17.0, 16.4, 15.8, 14.13, 13.16, 12.20, and earlier). This fix restores struct ResultRelInfo to its previous size, so that affected extensions don't need to be rebuilt.
Fix cases where a logical replication slot's restart_lsn could go backwards.
Avoid deleting still-needed WAL files during pg_rewind.
Fix race conditions associated with dropping shared statistics entries, which could lead to loss of statistics data.
Fix crash with ALTER TABLE when checking to see if an index's opclass options have changed if the table has an index with a non-default operator class.

Updating

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

Out-of-cycle release scheduled for November 21, 2024

Fri, 15 Nov 2024 00:00:00 +0000

The PostgreSQL Global Development Group is planning for an out-of-cycle release on November 21, 2024 to address two regressions that were released as part of the November 14, 2024 update release, which included releases for 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. As part of this release, we will issue fixes for all supported versions (17.2, 16.6, 15.10, 14.15, 13.18), and for 12.22, even though PostgreSQL 12 is now EOL.

While these regressions may not impact all users, the PostgreSQL Global Development Group determined that it would be better to address these sooner than the next scheduled release on February 13, 2025. A high-level description of the regressions are as follows.

The fix for CVE-2024-10978 prevented ALTER USER ... SET ROLE ... from having any effect. This will be fixed in the upcoming release.
Certain PostgreSQL extensions took a dependency on an Application Binary Interface (ABI) that was modified in this release and caused them to break. Currently, this can be mitigated by rebuilding the extensions against the updated definition.

If you are impacted by either of these issues, we advise to wait for the availability of 17.2, 16.6, 15.10, 14.15, 13.18, and 12.22 before upgrading.

PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 Released!

Thu, 14 Nov 2024 00:00:00 +0000

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. This release fixes 4 security vulnerabilities and over 35 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 12 EOL Notice

Security Issues

CVE-2024-10976: PostgreSQL row security below e.g. subqueries disregards user ID changes

CVSS v3.1 Base Score: 4.2

Supported, Vulnerable Versions: 12 - 17.

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs.

Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

The PostgreSQL project thanks Wolfgang Walther for reporting this problem.

CVE-2024-10977: PostgreSQL libpq retains an error message from man-in-the-middle

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 12 - 17.

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

CVE-2024-10978: PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID

CVSS v3.1 Base Score: 4.2

Supported, Vulnerable Versions: 12 - 17.

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

The PostgreSQL project thanks Tom Lane for reporting this problem.

CVE-2024-10979: PostgreSQL PL/Perl environment variable changes execute arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 12 - 17.

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

The PostgreSQL project thanks Coby Abrams for reporting this problem.

Bug Fixes and Improvements

This update fixes over 35 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

Fix when attaching or detaching table partitions with foreign key constraints. After upgrade, users impacted by this issue will need to perform manual steps to finish fixing it. Please see the "Upgrading" section and the release notes for more information.
Fix when using libc as the default collation provider when LC_CTYPE is C while LC_COLLATE is a different locale. This could lead to incorrect query results. If you have these settings in your database, please reindex any affected indexes after updating to this release. This issue impacted 17.0 only.
Several query planner fixes, including disallowing joining partitions (partitionwise join) if the collations of the partitions don't match.
Fix possible wrong answers or wrong varnullingrels planner errors for MERGE ... WHEN NOT MATCHED BY SOURCE actions.
Fix validation of the COPY FORCE_NOT_NULL and FORCE_NULL.
Fix server crash when a json_objectagg() call contains a volatile function.
Ensure there's a registered dependency between a partitioned table and a non-built-in access method specified in CREATE TABLE ... USING. This fix only prevents problems for partitioned tables created after this update.
Fix race condition in committing a serializable transaction.
Fix race condition in COMMIT PREPARED that could require manual file removal after a crash-and-recovery.
Fix for pg_cursors view to prevent errors by excluding cursors that aren't completely set up.
Reduce logical decoding memory consumption.
Fix to prevent stable functions from receiving stale row values when they're called from a CALL statement's argument list and the CALL is within a PL/pgSQL EXCEPTION block.
Fix for JIT crashes on ARM (aarch64) systems.
The psql \watch now treats values that are less than 1ms to be 0 (no wait between executions).
Fix failure to use credentials for a replication user in the password file (pgpass)
pg_combinebackup now throws an error if an incremental backup file is present in a directory that should contain a full backup.
Fix to avoid reindexing temporary tables and indexes in vacuumdb and parallel reindexdb.

This release also updates time zone data files to tzdata release 2024b. This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58.

Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.

Updating

If you have a partitioned table with foreign key constraints where you've run the ATTACH PARTITION/DETACH PARTITION commands, you will need to take further steps after upgrading. You can fix this by executing an ALTER TABLE ... DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, you will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.

This query can be used to identify broken constraints and construct the commands needed to recreate them:

SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent));

Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.

Additionally, if you are running PostgreSQL 17.0 and using libc as your default collation provider, and have set LC_CTYPE to be C while LC_COLLATE is a different locale, you will need to rebuild your text-based indexes. You can do this with the REINDEX INDEX CONCURRENTLY command.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

PostgreSQL 17 Released!

Thu, 26 Sep 2024 00:00:00 +0000

The PostgreSQL Global Development Group today announced the release of PostgreSQL 17, the latest version of the world's most advanced open source database.

PostgreSQL 17 builds on decades of open source development, improving its performance and scalability while adapting to emergent data access and storage patterns. This release of PostgreSQL adds significant overall performance gains, including an overhauled memory management implementation for vacuum, optimizations to storage access and improvements for high concurrency workloads, speedups in bulk loading and exports, and query execution improvements for indexes. PostgreSQL 17 has features that benefit brand new workloads and critical systems alike, such as additions to the developer experience with the SQL/JSON JSON_TABLE command, and enhancements to logical replication that simplify management of high availability workloads and major version upgrades.

"PostgreSQL 17 highlights how the global open source community, which drives the development of PostgreSQL, builds enhancements that help users at all stages of their database journey," said Jonathan Katz, a member of the PostgreSQL core team. "Whether it's improvements for operating databases at scale or new features that build on a delightful developer experience, PostgreSQL 17 will enhance your data management experience."

PostgreSQL, an innovative data management system known for its reliability, robustness, and extensibility, benefits from over 25 years of open source development from a global developer community and has become the preferred open source relational database for organizations of all sizes.

System-wide performance gains

The PostgreSQL vacuum process is critical for healthy operations, requiring server instance resources to operate. PostgreSQL 17 introduces a new internal memory structure for vacuum that consumes up to 20x less memory. This improves vacuum speed and also reduces the use of shared resources, making more available for your workload.

PostgreSQL 17 continues to improve performance of its I/O layer. High concurrency workloads may see up to 2x better write throughput due to improvements with write-ahead log (WAL) processing. Additionally, the new streaming I/O interface speeds up sequential scans (reading all the data from a table) and how quickly ANALYZE can update planner statistics.

PostgreSQL 17 also extends its performance gains to query execution. PostgreSQL 17 improves the performance of queries with IN clauses that use B-tree indexes, the default index method in PostgreSQL. Additionally, BRIN indexes now support parallel builds. PostgreSQL 17 includes several improvements for query planning, including optimizations for NOT NULL constraints, and improvements in processing common table expressions (WITH queries). This release adds more SIMD (Single Instruction/Multiple Data) support for accelerating computations, including using AVX-512 for the bit_count function.

Further expansion of a robust developer experience

PostgreSQL was the first relational database to add JSON support (2012), and PostgreSQL 17 adds to its implementation of the SQL/JSON standard. JSON_TABLE is now available in PostgreSQL 17, letting developers convert JSON data into a standard PostgreSQL table. PostgreSQL 17 now supports SQL/JSON constructors (JSON, JSON_SCALAR, JSON_SERIALIZE) and query functions (JSON_EXISTS, JSON_QUERY, JSON_VALUE), giving developers other ways of interfacing with their JSON data. This release adds more jsonpath expressions, with an emphasis of converting JSON data to a native PostgreSQL data type, including numeric, boolean, string, and date/time types.

PostgreSQL 17 adds more features to MERGE, which is used for conditional updates, including a RETURNING clause and the ability to update views. Additionally, PostgreSQL 17 has new capabilities for bulk loading and data exporting, including up to a 2x performance improvement when exporting large rows using the COPY command. COPY performance also has improvements when the source and destination encodings match, and includes a new option, ON_ERROR, that allows an import to continue even if there is an insert error.

This release expands on functionality both for managing data in partitions and data distributed across remote PostgreSQL instances. PostgreSQL 17 supports using identity columns and exclusion constraints on partitioned tables. The PostgreSQL foreign data wrapper (postgres_fdw), used to execute queries on remote PostgreSQL instances, can now push EXISTS and IN subqueries to the remote server for more efficient processing.

PostgreSQL 17 also includes a built-in, platform independent, immutable collation provider that's guaranteed to be immutable and provides similar sorting semantics to the C collation except with utf-8 encoding rather than SQL_ASCII. Using this new collation provider guarantees that your text-based queries will return the same sorted results regardless of where you run PostgreSQL.

Logical replication enhancements for high availability and major version upgrades

Logical replication is used to stream data in real-time across many use cases. However, prior to this release, users who wanted to perform a major version upgrade would have to drop logical replication slots, which requires resynchronizing data to subscribers after an upgrade. Starting with upgrades from PostgreSQL 17, users don't have to drop logical replication slots, simplifying the upgrade process when using logical replication.

PostgreSQL 17 now includes failover control for logical replication, making it more resilient when deployed in high availability environments. Additionally, PostgreSQL 17 introduces the pg_createsubscriber command-line tool for converting a physical replica into a new logical replica.

More options for managing security and operations

PostgreSQL 17 further extends how users can manage the overall lifecycle of their database systems. PostgreSQL has a new TLS option, sslnegotiation, that lets users perform a direct TLS handshakes when using ALPN (registered as postgresql in the ALPN directory). PostgreSQL 17 also adds the pg_maintain predefined role, which gives users permission to perform maintenance operations.

pg_basebackup, the backup utility included in PostgreSQL, now supports incremental backups and adds the pg_combinebackup utility to reconstruct a full backup. Additionally, pg_dump includes a new option called --filter that lets you select what objects to include when generating a dump file.

PostgreSQL 17 also includes enhancements to monitoring and analysis features. EXPLAIN now shows the time spent for local I/O block reads and writes, and includes two new options: SERIALIZE and MEMORY, useful for seeing the time spent in data conversion for network transmission, and how much memory was used. PostgreSQL 17 now reports the progress of vacuuming indexes, and adds the pg_wait_events system view that, when combined with pg_stat_activity, gives more insight into why an active session is waiting.

Additional Features

Many other new features and improvements have been added to PostgreSQL 17 that may also be helpful for your use cases. Please see the release notes for a complete list of new and changed features.

About PostgreSQL

PostgreSQL is the world's most advanced open source database, with a global community of thousands of users, contributors, companies and organizations. Built on over 35 years of engineering, starting at the University of California, Berkeley, PostgreSQL has continued with an unmatched pace of development. PostgreSQL's mature feature set not only matches top proprietary database systems, but exceeds them in advanced database features, extensibility, security, and stability.

Code of Conduct Committee Seeking New Volunteers

Mon, 09 Sep 2024 00:00:00 +0000

This message is being sent from the Community Code of Conduct Committee, with the approval of the Core Team. As part of the Community CoC policy, the Committee membership is to be refreshed on an annual basis. We are seeking up to 4 volunteers to serve on the Committee for the coming year, October 1, 2024 - September 30, 2024.

We are seeking people who reflect the diversity of the PostgreSQL community, with the goal to have members from multiple countries and varied demographics. The time commitment for Committee involvement varies, based on internal administrative work and the number of active investigations. We estimate an average of 5 to 10 hours per month, but that could increase if there is an increase in the number of incident reports.

If you are interested, please complete the questionnaire below, and email your responses to the Committee at coc@postgresql.org no later than September 15, 2024 at 05:00 PM UTC.

The Questionnaire

Your name:

Current employer:

Current country of residence:

(We ask for employer and residence because one of the goals of the Committee is to have representation from a variety of geographical areas. We also want to avoid a concentration of members from one company.)

What interests you about being on the CoC Committee?
Have you been on another CoC Committee, or had a similar role at another organization? (Prior experience is not required, it's just helpful to know everyone's background.)
What else do you want to tell us about yourself that is helpful for us to know about your potential involvement with the CoC Committee?

Please be sure to send your reply to the CoC email listed above.

Thank you!

Regards, Chris Travers Chair PostgreSQL Community Code of Conduct Committee

PostgreSQL 17 RC1 Released!

Thu, 05 Sep 2024 00:00:00 +0000

The PostgreSQL Global Development Group announces that the first release candidate of PostgreSQL 17 is now available for download. As a release candidate, PostgreSQL 17 RC 1 will be mostly identical to the initial release of PostgreSQL 17, though some more fixes may be applied prior to the general availability of PostgreSQL 17.

The planned date for the general availability of PostgreSQL 17 is September 26, 2024. Please see the "Release Schedule" section for more details.

Upgrading to PostgreSQL 17 RC 1

To upgrade to PostgreSQL 17 RC 1 from earlier versions of PostgreSQL, you will need to use a major version upgrade strategy, e.g. pg_upgrade or pg_dump / pg_restore. For more information, please visit the documentation section on upgrading:

/docs/17/upgrading.html

Changes Since 17 Beta 3

Several bug fixes were applied for PostgreSQL 17 during the Beta 3 period. These include:

Revert the MERGE/SPLIT partition feature.
Fix for feature that improves performance around logical decoding of subtransactions.

For a detailed list of fixes, please visit the open items page.

Release Schedule

This is the first release candidate for PostgreSQL 17. Unless an issue is discovered that warrants a delay or to produce an additional release candidate, PostgreSQL 17 should be made generally available on September 26, 2024.

For further information please see the Beta Testing page.

PostgreSQL 16.4, 15.8, 14.13, 13.16, 12.20, and 17 Beta 3 Released!

Thu, 08 Aug 2024 00:00:00 +0000

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 16.4, 15.8, 14.13, 13.16, and 12.20, as well as the third beta release of PostgreSQL 17. This release fixes 1 security vulnerability and over 55 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 12 EOL Notice

PostgreSQL 12 will stop receiving fixes on November 14, 2024. If you are running PostgreSQL 12 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 12 - 16.

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.

The PostgreSQL project thanks Noah Misch for reporting this problem.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

Avoid incorrect results from "Merge Right Anti Join" plans, where if the inner relation is known to have unique join keys, the merge could misbehave when there are duplicated join keys in the outer relation.
Prevent infinite loop in VACUUM.
Fix partition pruning setup during ALTER TABLE DETACH ... PARTITION CONCURRENTLY.
Fix behavior of stable functions that are used as an argument to a CALL statement.
pg_sequence_last_value() now returns NULL instead of throwing an error when called on unlogged sequences on standby servers and on temporary sequences of other sessions.
Fix parsing of ignored operators in websearch_to_tsquery().
Correctly check updatability of view columns targeted by INSERT ... DEFAULT.
Lock owned sequences during ALTER TABLE ... SET LOGGED|UNLOGGED.
Don't throw an error if a queued AFTER trigger no longer exists.
Fix selection of an arbiter index for INSERT ... ON CONFLICT when the desired index has expressions or predicates, for example, through an updatable view.
Refuse to modify a temporary table of another session with ALTER TABLE.
Fix handling of extended statistics on expressions in CREATE TABLE ... LIKE STATISTICS.
Fix failure to recalculate sub-queries generated from MIN() or MAX() aggregates.
Disallow underscores in positional parameters.
Avoid crashing when a JIT-inlined backend function throws an error.
Fix handling of subtransactions of prepared transactions when starting a hot standby server.
Prevent incorrect initialization of logical replication slots.
Fix memory leak in the logical replication WAL sender when publishing changes to a partitioned table whose partitions have row types that are physically different from the table.
Disable creation of stateful TLS session tickets by OpenSSL.
Fix how PL/pgSQL handles integer ranges containing underscores (e.g., FOR i IN 1_001..1_002).
Fix incompatibility between PL/Perl and Perl 5.40.
Several fixes related to recursive PL/Python functions and triggers.
Ensure that pg_restore -l reports dependent table of contents entries correctly.
pg_stat_statements now passes a query ID for utility (non-SELECT/INSERT/UPDATE) statements that appears in SQL-language functions.
Fix for postgres_fdw when mapping a foreign table to a nontrivial remote view.
postgres_fdw no longer sends a FETCH FIRST WITH TIES clause to a remote server.

Updating

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

A Note on the PostgreSQL 17 Beta

This release marks the third beta release of PostgreSQL 17 and puts the community one step closer to general availability tentatively around the end of the third quarter.

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 17 on your systems to help us eliminate bugs or other issues that may exist. While we do not advise you to run PostgreSQL 17 Beta 3 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback will help the community ensure that the PostgreSQL 17 release upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

/developer/beta/

Upgrading to PostgreSQL 17 Beta 3

To upgrade to PostgreSQL 17 Beta 3 from an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more information, please visit the documentation section on upgrading.

Changes Since Beta 2

Fixes and changes in PostgreSQL 17 Beta 3 include:

Rename the standby_slot_names parameter to to synchronized_standby_slots.
Several SQL/JSON fixes.
Fix pg_combinebackup --clone.
Fix pg_createsubscriber to work for database names that contain a space.
pg_createsubscriber now drops pre-existing subscriptions when run on a target database.
Improve efficiency in retrieving subscription information during pg_upgrade.
Fix TLS fallback behavior during sslmode=prefer to error when a server sends an error during the startup process.
Document an error case with pg_basebackup incremental backup on a standby server when it's executed immediately after the previous backup.
Fix issue where pg_upgrade --transaction-size can cause the backend to use an order of magnitude more RAM.

Please see the release notes for a complete list of new and changed features, and PostgreSQL 17 open items for more details on fixes and changes.

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools in order to find bugs and regressions before the general availability of PostgreSQL 17. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

/account/submitbug/

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.