Maintenance releases have been published for all supported PostgreSQL branches: 13.3, 12.7, 11.12, 10.17 and 9.6.22. Updates for the 9.6 branch will be produced until November 2021, for 10 until November 2022, for 11 until November 2023, for 12 until November 2024 and for 13 until November 2025. The new releases address three vulnerabilities and fix a number of bugs.
CVE-2021-32027 is an out-of-bounds write caused by an integer overflow in array subscript calculations: by manipulating array values in SQL statements, an attacker who can execute SQL as an authenticated database user can write arbitrary bytes to a wide area of server process memory, which may be leveraged into code execution with the privileges of the database server process. The other two vulnerabilities (CVE-2021-32028 and CVE-2021-32029) are memory disclosure bugs: an "INSERT ... ON CONFLICT ... DO UPDATE" or an "UPDATE ... RETURNING" statement against a purpose-crafted table (a partitioned table in the latter case) lets an attacker read arbitrary bytes of server memory.
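The bug class behind CVE-2021-32027 is easier to see in code. The C below is an added illustration written for this page, not PostgreSQL's own array code and not a reproduction of the exploit: it contrasts an unchecked computation of an array's dimension length and element count (which silently wraps, so the buffer allocated from it is far smaller than the offset later used to store an element) with a version that rejects every intermediate overflow and caps the total size. The function names, MAX_ITEMS_DEMO and the sample dimensions are assumptions made for the example; the overflow checks use the GCC/Clang __builtin_*_overflow intrinsics.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound on elements a single array may hold. An assumption for this
 * illustration, not a PostgreSQL constant. */
#define MAX_ITEMS_DEMO (64 * 1024 * 1024)

/* --- unchecked variants (the bug class) ---------------------------------- */

/* Length a dimension must have so that `subscript` fits when the array's
 * lower bound is `lower`. The unsigned arithmetic reproduces the
 * two's-complement wraparound that an unchecked signed
 * `subscript - lower + 1` yields in practice, without undefined behaviour
 * in this demo. */
int naive_new_length(int lower, int subscript)
{
    uint32_t len = (uint32_t)subscript - (uint32_t)lower + 1u;
    return (int)(int32_t)len;
}

/* Total element count over all dimensions, multiplied without checks. */
int naive_nitems(const int *dims, int ndim)
{
    uint32_t n = 1;
    for (int i = 0; i < ndim; i++)
        n *= (uint32_t)dims[i];
    return (int)(int32_t)n;
}

/* --- checked variants ------------------------------------------------- */

/* Same computation, but every step is tested for overflow and a
 * non-positive result is rejected (a subscript below the lower bound would
 * require moving the lower bound instead; it is simply refused here). */
bool checked_new_length(int lower, int subscript, int *out)
{
    int diff, len;
    if (__builtin_sub_overflow(subscript, lower, &diff)) return false;
    if (__builtin_add_overflow(diff, 1, &len)) return false;
    if (len <= 0) return false;
    *out = len;
    return true;
}

bool checked_nitems(const int *dims, int ndim, int *out)
{
    int n = 1;
    for (int i = 0; i < ndim; i++) {
        if (dims[i] < 0) return false;
        if (__builtin_mul_overflow(n, dims[i], &n)) return false;
    }
    /* Overflow checks alone are not enough: also cap the total so the
     * resulting allocation request stays within a sane limit. */
    if (n > MAX_ITEMS_DEMO) return false;
    *out = n;
    return true;
}

int main(void)
{
    int len, n;

    /* Subscript INT_MAX on an array whose lower bound is INT_MIN: the
     * unchecked length wraps to 0, so a buffer sized from it holds nothing
     * while the element offset computed later points far beyond it. */
    printf("naive length  : %d\n", naive_new_length(INT_MIN, INT_MAX));
    printf("checked length: %s\n",
           checked_new_length(INT_MIN, INT_MAX, &len) ? "ok" : "rejected");

    /* 65536 x 65536 elements: the 32-bit product wraps to 0. */
    int dims[2] = { 65536, 65536 };
    printf("naive nitems  : %d\n", naive_nitems(dims, 2));
    printf("checked nitems: %s\n",
           checked_nitems(dims, 2, &n) ? "ok" : "rejected");

    /* An ordinary array passes the checked path. */
    int small[2] = { 100, 10 };
    if (checked_nitems(small, 2, &n))
        printf("100 x 10 array: %d elements\n", n);
    return 0;
}
```

Compile with gcc or clang; the point to take away is that a bounds check on the final value is useless once an intermediate product or difference has already wrapped, which is why each step, and the total allocation size, must be checked separately.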
Other fixes include:
- Fixed incorrect results from "UPDATE ... RETURNING" in joined updates of partitioned tables.
- Fixed a crash in "ALTER TABLE ... ALTER CONSTRAINT" involving foreign key constraints on partitioned tables.
- Fixed the behaviour of "COMMIT AND CHAIN".
- On recent FreeBSD releases, the default wal_sync_method is now fdatasync.
- The vacuum_cleanup_index_scale_factor parameter is now disabled.
- Fixed memory leaks during TLS connection setup.
- pg_upgrade now checks whether user tables contain data types that cannot be upgraded.
Source: opennet.ru