Subject: CVS commit: pkgsrc/databases
From: Adam Ciarcinski
Date: 2021-11-16 11:14:39
Message id: 20211116101439.E4278FAEC@cvs.NetBSD.org

Log Message:
postgresql: updated to 14.1, 13.5, 12.9, 11.14, 10.19, 9.6.24

PostgreSQL 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24

Security Issues

CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle

Versions Affected: 9.6 - 14. The security team typically does not test
unsupported versions, but this problem is quite old.

When the server is configured to use trust authentication with a clientcert
requirement or to use cert authentication, a man-in-the-middle attacker can
inject arbitrary SQL queries when a connection is first established, despite the
use of SSL certificate verification and encryption.

The PostgreSQL project thanks Jacob Champion for reporting this problem.

CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle

Versions Affected: 9.6 - 14. The security team typically does not test
unsupported versions, but this problem is quite old.

A man-in-the-middle attacker can inject false responses to the client's first
few queries, despite the use of SSL certificate verification and encryption.

If more preconditions hold, the attacker can exfiltrate the client's password or
other confidential data that might be transmitted early in a session. The
attacker must have a way to trick the client's intended server into making the
confidential data accessible to the attacker. A known implementation having that
property is a PostgreSQL configuration vulnerable to CVE-2021-23214.

As with any exploitation of CVE-2021-23214, the server must be using trust
authentication with a clientcert requirement or using cert authentication. To
disclose a password, the client must be in possession of a password, which is
atypical when using an authentication configuration vulnerable to
CVE-2021-23214. The attacker must have some other way to access the server to
retrieve the exfiltrated data (a valid, unprivileged login account would be
sufficient).

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Bug Fixes and Improvements

This update fixes over 40 bugs that were reported in the last several months.
The issues listed below affect PostgreSQL 14. Some of these issues may also
affect other supported versions of PostgreSQL.

Some of these fixes include:

- Fix physical replication for cases where the primary crashes after shipping a
  WAL segment that ends with a partial WAL record. When applying this update,
  update your standby servers before the primary so that they will be ready to
  handle the fix if the primary happens to crash.
- Fix parallel VACUUM so that it will process indexes below the
  min_parallel_index_scan_size threshold if the table has at least two indexes
  that are above that size. This problem does not affect autovacuum. If you are
  affected by this issue, you should reindex any manually-vacuumed tables.
- Fix causes of CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY writing corrupt
  indexes. You should reindex any concurrently-built indexes.
- Fix for attaching/detaching a partition that could allow certain INSERT/UPDATE
  queries to misbehave in active sessions.
- Fix for creating a new range type with CREATE TYPE that could cause problems for
  later event triggers or subsequent executions of the CREATE TYPE command.
- Fix updates of element fields in arrays of a domain that is a part of a composite.
- Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED.
- Fix corner-case loss of precision in the numeric power() function.
- Fix restoration of a Portal's snapshot inside a subtransaction, which could lead
  to a crash. For example, this could occur in PL/pgSQL when a COMMIT is
  immediately followed by a BEGIN ... EXCEPTION block that performs a query.
- Clean up correctly if a transaction fails after exporting its snapshot. This
  could occur if a replication slot was created then rolled back, and then another
  replication slot was created in the same session.
- Fix for "overflowed-subtransaction" wraparound tracking on standby
  servers that could lead to performance degradation.
- Ensure that prepared transactions are properly accounted for during promotion of
  a standby server.
- Ensure that the correct lock level is used when renaming a table.
- Avoid crash when dropping a role that owns objects being dropped concurrently.
- Disallow setting huge_pages to on when shared_memory_type is sysv.
- Fix query type checking in the PL/pgSQL RETURN QUERY.
- Several fixes for pg_dump, including the ability to dump non-global default
  privileges correctly.
- Use the CLDR project's data to map Windows time zone names to IANA time zones.

This update also contains tzdata release 2021e for DST law changes in Fiji,
Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook
Islands, Guyana, Niue, Portugal, and Tonga.

Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the
following zones have been merged into nearby, more-populous zones whose clocks
have agreed with them since 1970: Africa/Accra, America/Atikokan,
America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau,
America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all
these cases, the previous zone name remains as an alias.

Files:
Revision  Action  File
1.31      modify  pkgsrc/databases/postgresql10/Makefile.common
1.25      modify  pkgsrc/databases/postgresql10/distinfo
1.20      modify  pkgsrc/databases/postgresql10-docs/PLIST
1.10      modify  pkgsrc/databases/postgresql10-server/PLIST
1.24      modify  pkgsrc/databases/postgresql11/Makefile.common
1.20      modify  pkgsrc/databases/postgresql11/distinfo
1.15      modify  pkgsrc/databases/postgresql11-docs/PLIST
1.5       modify  pkgsrc/databases/postgresql11-server/PLIST
1.17      modify  pkgsrc/databases/postgresql12/Makefile.common
1.14      modify  pkgsrc/databases/postgresql12/distinfo
1.10      modify  pkgsrc/databases/postgresql12-docs/PLIST
1.6       modify  pkgsrc/databases/postgresql12-server/PLIST
1.10      modify  pkgsrc/databases/postgresql13/Makefile.common
1.10      modify  pkgsrc/databases/postgresql13/distinfo
1.5       modify  pkgsrc/databases/postgresql13-client/PLIST
1.6       modify  pkgsrc/databases/postgresql13-docs/PLIST
1.4       modify  pkgsrc/databases/postgresql13-server/PLIST
1.2       modify  pkgsrc/databases/postgresql14/Makefile.common
1.4       modify  pkgsrc/databases/postgresql14/distinfo
1.2       modify  pkgsrc/databases/postgresql14-client/PLIST
1.2       modify  pkgsrc/databases/postgresql14-docs/PLIST
1.2       modify  pkgsrc/databases/postgresql14-plperl/PLIST
1.2       modify  pkgsrc/databases/postgresql14-server/PLIST
1.36      modify  pkgsrc/databases/postgresql96/Makefile.common
1.29      modify  pkgsrc/databases/postgresql96/distinfo
1.24      modify  pkgsrc/databases/postgresql96-docs/PLIST
1.9       modify  pkgsrc/databases/postgresql96-server/PLIST
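
The CVE-2021-23214 precondition stated in the log message (cert authentication, or trust authentication with a clientcert requirement) can be checked against a server's pg_hba.conf together with the fixed releases this commit updates to. This is an added example, not part of the commit or of PostgreSQL; the function names and the sample configuration are constructed for illustration.

```python
# Fixed minor release per branch, as listed in the commit message.
FIXED = {"14": 1, "13": 5, "12": 9, "11": 14, "10": 19, "9.6": 24}
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "pam", "ldap", "radius", "cert", "bsd"}
TLS_TYPES = {"host", "hostssl", "hostnogssenc"}  # record types that can match TLS

def is_patched(version):
    """True/False for the branches listed above; None for any other branch."""
    parts = version.split(".")
    old_style = parts[0] == "9"               # 9.6.x uses three components
    branch = ".".join(parts[:2]) if old_style else parts[0]
    if branch not in FIXED:
        return None
    idx = 2 if old_style else 1
    minor = int(parts[idx]) if len(parts) > idx else 0
    return minor >= FIXED[branch]

def exposed_rules(hba_text):
    """Return (line_no, rule) for pg_hba.conf rules meeting the stated precondition."""
    hits = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()   # simplification: ignores quoted '#'
        fields = rule.split()
        if len(fields) < 5 or fields[0] not in TLS_TYPES:
            continue
        rest = fields[4:]
        if len(rest) > 1 and rest[0] not in METHODS:  # address as IP + netmask
            rest = rest[1:]
        opts = dict(o.split("=", 1) for o in rest[1:] if "=" in o)
        cert_required = opts.get("clientcert", "").strip('"') in ("1", "verify-ca", "verify-full")
        if rest[0] == "cert" or (rest[0] == "trust" and cert_required):
            hits.append((no, rule))
    return hits

def audit(version, hba_text):
    """Rules to review; branches not listed in FIXED are reported, not assumed safe."""
    return [] if is_patched(version) else exposed_rules(hba_text)

# Constructed sample configuration (not from the page).
SAMPLE_HBA = """\
# TYPE  DATABASE USER ADDRESS                  METHOD
hostssl all      all  10.0.0.0/8               cert
hostssl app      app  192.0.2.0 255.255.255.0  trust clientcert=verify-full
hostssl all      all  0.0.0.0/0                scram-sha-256 clientcert=verify-ca
host    all      all  127.0.0.1/32             trust
"""

if __name__ == "__main__":
    print(audit("13.4", SAMPLE_HBA))
```

An empty result for a patched version reflects only the server-side issue; clients linked against an older libpq remain subject to CVE-2021-23222 until the client package is updated as well.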