| Version | Change log |
| PostgreSQL 17.4 Feb 20, 2025 |
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) § § § The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string. Fix small memory leak in pg_createsubscriber (Ranier Vilela) § Fix meson build system to correctly detect availability of the bsd_auth.h system header (Nazir Bilal Yavuz) § |
| PostgreSQL 17.3 Feb 13, 2025 |
Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc. The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem. This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true. Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server. The PostgreSQL Project thanks Stephen Fewer for reporting this problem. (CVE-2025-1094) Restore auto-truncation of database and user names appearing in connection requests (Nathan Bossart) This reverts a v17 change that proved to cause trouble for some users. Over-length names should be truncated in an encoding-aware fashion, but for now just return to the former behavior of blind truncation at NAMEDATALEN-1 bytes. Exclude parallel workers from connection privilege checks and limits (Tom Lane) Do not check da |
| PostgreSQL 17.2 Nov 21, 2024 |
The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL: Restore functionality of ALTER ROLE .. SET ROLE and ALTER DATABASE .. SET ROLE. The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they came from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable. Restore compatibility for the timescaledb and other PostgreSQL extensions built using PostgreSQL prior to the 2024-11-14 release (17.0, 16.4, 15.8, 14.13, 13.16, 12.20, and earlier). This fix restores struct ResultRelInfo to its previous size, so that affected extensions don't need to be rebuilt. Fix cases where a logical replication slot's restart_lsn could go backwards. Avoid deleting still-needed WAL files during pg_rewind. Fix race conditions associated with dropping shared statistics entries, which could lead to loss of statistics data. Fix crash with ALTER TABLE when checking to see if an index's opclass options have changed if the table has an index with a non-default operator class. |
Total downloads
50
Last month's downloads
3
Last week's downloads
1
PostgreSQL Maestro, developed by SQL Maestro Group, is an exceptional database management tool designed specifically for PostgreSQL users. This powerful software provides a user-friendly interface ... database administrators. With its robust set of features, PostgreSQL Maestro enables seamless database management, allowing users to ...
... full potential of your data integration processes with PostgreSQL SSIS Components by Devart. Designed specifically for SQL ... powerful toolset enables seamless connectivity and interaction with PostgreSQL databases, making it an essential asset for data ... data flows, ensuring efficient data migration and transformation. Devart’s PostgreSQL SSIS Components offer robust features, including advanced data ...
PostgreSQL PHP Generator Lite, developed by SQL Maestro Group, ... streamline the process of creating PHP scripts for PostgreSQL databases. This intuitive software empowers developers and database ... for extensive coding knowledge. With its user-friendly interface, PostgreSQL PHP Generator Lite simplifies the complexities of database ...
