The PostgreSQL team released an update yesterday to the versions 10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24 of its database system. The latest update focuses on fixing two security issues and bugs detected in the past three months.
PostgreSQL is a popular open source relational database management system that offers reliability, correctness, robustness, and performance measures. It runs on all major operating systems such as Linux, UNIX (AIX, BSD, HP-UX, SGI IRIX, Mac OS X, Solaris, Tru64), and Windows.
Let’s discuss the highlights of the recent major update.
The recent release focuses on fixing two major security issues:
Certain host connection parameters defeat client-side security defenses
There was an internal issue in Libpq, a client connection API for PostgreSQL. When trying to reconnect, all the connection state variables couldn’t be reset.
Specifically, the state variable that helps determine whether or not a password is needed for a connection would not be reset. This allowed the users of features requiring libpq, namely, the dblink or postgres_fdw extensions, to login to servers they should not be able to access.
To check if your database has either extension installed, run the following from your PostgreSQL shell:
Memory disclosure and missing authorization in insert
An attacker can issue CREATE TABLE. This allows the arbitrary bytes of server memory to be easily read with the help of an upsert (INSERT … ON CONFLICT DO UPDATE) query. By default, any user can easily exploit that. A user with specific INSERT privileges and an UPDATE privilege on at least one column in a given table is capable of updating other columns with the help of a view and an upsert query.
Major Bug Fixes
- There was an issue in VACUUM, leading to data corruption in certain system catalog tables, this has been fixed with the latest update.
- There are a lot of performance improvements made allowing to replay the write-ahead logs.
- SQL-standard FETCH FIRST syntax has been fixed to allow parameters ($n), as the standard expects.
- Performance regression related to POSIX semaphores has been fixed for multi-CPU systems running Linux or FreeBSD.
- libpq has been fixed for cases where hostaddr is used.
To get complete information on other bug fixes and improvements, check out the official PostgreSQL release notes.