PostgreSQL 16.4, 15.8, 14.13, 13.16, 12.20, and 17 Beta 3 Released!

The PostgreSQL Global Development Group has released an update to all supported
versions of PostgreSQL, including 16.4, 15.8, 14.13, 13.16, and 12.20, as well
as the third beta release of PostgreSQL 17. This release fixes 1 security
vulnerability and over 55 bugs reported over the last several months.

For the full list of changes, please review the
release notes.

PostgreSQL 12 EOL Notice

PostgreSQL 12 will stop receiving fixes on November 14, 2024. If you are
running PostgreSQL 12 in a production environment, we suggest that you make
plans to upgrade to a newer, supported version of PostgreSQL. Please see our
versioning policy for more
information.

Security Issues

CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 12 – 16.

An attacker able to create and drop non-temporary objects could inject SQL code
that would be executed by a concurrent pg_dump
session with the privileges of the role running pg_dump (which is often a
superuser). The attack involves replacing a sequence or similar object with a
view or foreign table that will execute malicious code. To prevent this, this
release introduces a new server parameter restrict_nonsystem_relation_kind that
can disable expansion of non-builtin views as well as access to foreign tables,
and teaches pg_dump to set it when available. Note that the attack is prevented only
if both pg_dump and the server it is dumping from are new enough to have this
fix.
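
As an added example (not part of the PostgreSQL announcement), the shell
functions below check that last condition: whether both the pg_dump client and
the server are at or past the fixed minor releases named above. The function
names are hypothetical and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example: does a pg_dump/server pairing carry the CVE-2024-7348 fix?
# The fixed minor releases are the ones named in this announcement.

# fixed_minor MAJOR -> prints the first fixed minor; fails for majors the
# announcement does not cover (it lists 12 - 16 as the vulnerable versions).
fixed_minor() {
    case "$1" in
        16) echo 4 ;;
        15) echo 8 ;;
        14) echo 13 ;;
        13) echo 16 ;;
        12) echo 20 ;;
        *)  return 1 ;;
    esac
}

# has_fix VERSION_STRING -> prints fixed, vulnerable or unknown.
# Accepts "pg_dump (PostgreSQL) 16.4", "15.7 (Debian 15.7-1.pgdg120+1)", etc.
has_fix() {
    # Pull the first MAJOR.MINOR pair out of the string.
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$parsed" ] || { echo unknown; return; }   # e.g. "17beta3"
    major=${parsed% *}
    minor=${parsed#* }
    need=$(fixed_minor "$major") || { echo unknown; return; }
    if [ "$minor" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# pair_status DUMP_VERSION SERVER_VERSION -> protected, exposed or unknown.
# Protection requires BOTH sides to have the fix.
pair_status() {
    d=$(has_fix "$1")
    s=$(has_fix "$2")
    if [ "$d" = fixed ] && [ "$s" = fixed ]; then echo protected
    elif [ "$d" = vulnerable ] || [ "$s" = vulnerable ]; then echo exposed
    else echo unknown
    fi
}

# Constructed sample inputs. On a real host, feed in live values instead:
#   pair_status "$(pg_dump --version)" "$(psql -XAtc 'SHOW server_version')"
pair_status "pg_dump (PostgreSQL) 16.4" "16.4"
pair_status "pg_dump (PostgreSQL) 16.4" "15.7 (Debian 15.7-1.pgdg120+1)"
```

On a live server, SHOW restrict_nonsystem_relation_kind failing with an
unrecognized-parameter error is a direct sign that the server lacks the fix.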

The PostgreSQL project thanks Noah Misch for reporting this problem.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months.
The issues listed below affect PostgreSQL 16. Some of these issues may also
affect other supported versions of PostgreSQL.

  • Avoid incorrect results from “Merge Right Anti Join” plans, where if the inner relation is known to have unique join keys, the merge could misbehave when there are duplicated join keys in the outer relation.
  • Prevent infinite loop in VACUUM.
  • Fix partition pruning setup during ALTER TABLE DETACH ... PARTITION CONCURRENTLY.
  • Fix behavior of stable functions that are used as an argument to a CALL statement.
  • pg_sequence_last_value() now returns NULL instead of throwing an error when called on unlogged sequences on standby servers and on temporary sequences of other sessions.
  • Fix parsing of ignored operators in websearch_to_tsquery().
  • Correctly check updatability of view columns targeted by INSERT ... DEFAULT.
  • Lock owned sequences during ALTER TABLE ... SET LOGGED|UNLOGGED.
  • Don’t throw an error if a queued AFTER trigger no longer exists.
  • Fix selection of an arbiter index for INSERT ... ON CONFLICT when the desired index has expressions or predicates, for example, through an updatable view.
  • Refuse to modify a temporary table of another session with ALTER TABLE.
  • Fix handling of extended statistics on expressions in CREATE TABLE ... LIKE STATISTICS.
  • Fix failure to recalculate sub-queries generated from MIN() or MAX() aggregates.
  • Disallow underscores in positional parameters.
  • Avoid crashing when a JIT-inlined backend function throws an error.
  • Fix handling of subtransactions of prepared transactions when starting a hot standby server.
  • Prevent incorrect initialization of logical replication slots.
  • Fix memory leak in the logical replication WAL sender when publishing changes to a partitioned table whose partitions have row types that are physically different from the table.
  • Disable creation of stateful TLS session tickets by OpenSSL.
  • Fix how PL/pgSQL handles integer ranges containing underscores (e.g., FOR i IN 1_001..1_002).
  • Fix incompatibility between PL/Perl and Perl 5.40.
  • Several fixes related to recursive PL/Python functions and triggers.
  • Ensure that pg_restore -l reports dependent table of contents entries correctly.
  • pg_stat_statements now passes a query ID for utility (non-SELECT/INSERT/UPDATE) statements that appear in SQL-language functions.
  • Fix for postgres_fdw when mapping a foreign table to a nontrivial remote view.
  • postgres_fdw no longer sends a FETCH FIRST WITH TIES clause to a remote server.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use pg_upgrade in
order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.

Users who have skipped one or more update releases may need to run additional
post-update steps; please see the release notes from earlier versions for
details.

For more details, please see the
release notes.

A Note on the PostgreSQL 17 Beta

This release marks the third beta release of PostgreSQL 17 and puts the
community one step closer to general availability tentatively around the end of
the third quarter.

In the spirit of the open source PostgreSQL community, we strongly encourage you
to test the new features of PostgreSQL 17 on your systems to help us eliminate
bugs or other issues that may exist. While we do not advise you to run
PostgreSQL 17 Beta 3 in production environments, we encourage you to find ways
to run your typical application workloads against this beta release.

Your testing and feedback will help the community ensure that the PostgreSQL 17
release upholds our standards of delivering a stable, reliable release of the
world’s most advanced open source relational database. Please read more about
our beta testing process and how
you can contribute:

https://www.postgresql.org/developer/beta/

Upgrading to PostgreSQL 17 Beta 3

To upgrade to PostgreSQL 17 Beta 3 from an earlier version of PostgreSQL,
you will need to use a strategy similar to upgrading between major versions of
PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more
information, please visit the documentation section on
upgrading.

Changes Since Beta 2

Fixes and changes in PostgreSQL 17 Beta 3 include:

  • Rename the standby_slot_names parameter to synchronized_standby_slots.
  • Several SQL/JSON fixes.
  • Fix pg_combinebackup --clone.
  • Fix pg_createsubscriber to work for database names that contain a space.
  • pg_createsubscriber now drops pre-existing subscriptions when run on a
    target database.
  • Improve efficiency in retrieving subscription information during pg_upgrade.
  • Fix TLS fallback behavior during sslmode=prefer to error when a server sends
    an error during the startup process.
  • Document an error case with pg_basebackup incremental backup on a standby
    server when it’s executed immediately after the previous backup.
  • Fix issue where pg_upgrade --transaction-size can cause the backend to use
    an order of magnitude more RAM.

Please see the release notes
for a complete list of new and changed features, and
PostgreSQL 17 open items
for more details on fixes and changes.

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community,
to test the upcoming version with your workloads and testing tools in order to
find bugs and regressions before the general availability of PostgreSQL 17. As
this is a Beta, minor changes to database behaviors, feature details, and APIs
are still possible. Your feedback and testing will help determine the final
tweaks on the new features, so please test in the near future. The quality of
user testing helps determine when we can make a final release.

A list of open issues
is publicly available in the PostgreSQL wiki. You can
report bugs using this form on
the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Links

If you have corrections or suggestions for this release announcement, please
send them to the [email protected] public
mailing list.