====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN633
_____________________________________________________________________

DATE                : 20/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PostgreSQL versions prior to 13.1,
                         12.5, 11.10, 10.15, 9.6.20, 9.5.24.

=====================================================================
https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
_____________________________________________________________________


PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 Released!
Posted on 2020-11-12 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all
supported versions of our database system, including 13.1, 12.5, 11.10,
10.15, 9.6.20, and 9.5.24. This release closes three security
vulnerabilities and fixes over 65 bugs reported over the last three
months.

Due to the nature of CVE-2020-25695, we advise you to update as soon as
possible.

Additionally, this is the second-to-last release of PostgreSQL 9.5. If
you are running PostgreSQL 9.5 in a production environment, we suggest
that you make plans to upgrade.

For the full list of changes, please review the release notes.


Security Issues
CVE-2020-25695: Multiple features escape "security restricted operation"
sandbox

Versions Affected: 9.5 - 13. The security team typically does not test
unsupported versions, but this problem is quite old.

An attacker having permission to create non-temporary objects in at
least one schema can execute arbitrary SQL functions under the identity
of a superuser.

While promptly updating PostgreSQL is the best remediation for most
users, a user unable to do that can work around the vulnerability by
disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX,
CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from
output of the pg_dump command. Performance may degrade quickly under
this workaround.

VACUUM without the FULL option is safe, and all commands are fine when a
trusted user owns the target object.

The PostgreSQL project thanks Etienne Stalmans for reporting this
problem.


CVE-2020-25694: Reconnection can downgrade connection security settings

Versions Affected: 9.5 - 13. The security team typically does not test
unsupported versions, but this problem is quite old.

Many PostgreSQL-provided client applications have options that create
additional database connections. Some of those applications reuse only
the basic connection parameters (e.g. host, user, port), dropping
others. If this drops a security-relevant parameter (e.g.
channel_binding, sslmode, requirepeer, gssencmode), the attacker has an
opportunity to complete a MITM attack or observe cleartext transmission.

Affected applications are clusterdb, pg_dump, pg_restore, psql,
reindexdb, and vacuumdb. The vulnerability arises only if one invokes an
affected client application with a connection string containing a
security-relevant parameter.

This also fixes how the \connect command of psql reuses connection
parameters, i.e. all non-overridden parameters from a previous
connection string now re-used.

The PostgreSQL project thanks Peter Eisentraut for reporting this
problem.


CVE-2020-25696: psql's \gset allows overwriting specially treated variables

Versions Affected: 9.5 - 13. The security team typically does not test
unsupported versions, but this problem likely arrived with the feature's
debut in version 9.3.

The \gset meta-command, which sets psql variables based on query
results, does not distinguish variables that control psql behavior. If
an interactive psql session uses \gset when querying a compromised
server, the attacker can execute arbitrary code as the operating system
account running psql. Using \gset with a prefix not found among
specially treated variables, e.g. any lowercase string, precludes the
attack in an unpatched psql.

The PostgreSQL project thanks Nick Cleaton for reporting this problem.


Bug Fixes and Improvements

This update also fixes over 65 bugs that were reported in the last
several months. Some of these issues only affect version 13, but may
also apply to other supported versions.

Some of these fixes include:

    Fix a breakage in the replication protocol by ensuring that two
"command completion" events are expected for START_REPLICATION.

    Ensure fsync is called on the SLRU caches that PostgreSQL maintains.
This prevents potential data loss due to an operating system crash.

    Fix ALTER ROLE usage for users with the BYPASSRLS permission.

    ALTER TABLE ONLY ... DROP EXPRESSION is disallowed on partitioned
tables when there are child tables.

    Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER does not
apply to child tables.

    Fix for ALTER TABLE ... SET NOT NULL on partitioned tables to avoid
a potential deadlock in parallel pg_restore.

    Fix handling of expressions in CREATE TABLE LIKE with inheritance.

    DROP INDEX CONCURRENTLY is disallowed on partitioned tables.
    Allow LOCK TABLE to succeed on a self-referential view instead of
throwing an error.

    Several fixes around statistics collection and progress reporting
for REINDEX CONCURRENTLY.

    Ensure that GENERATED columns are updated when any columns they
depend on are updated via a rule or an updatable view.

    Support hash partitioning with text array columns as partition keys.

    Allow the jsonpath .datetime() method to accept ISO 8601-format
timestamps.

    During a "smart" shutdown, ensure background processes are not
terminated until all foreground client sessions are completed, fixing an
issue that broke the processing of parallel queries.

    Several fixes for the query planner and optimizer.

    Ensure that data is de-toasted before being inserted into a BRIN
index. This could manifest itself with errors like "missing chunk number
0 for toast value NNN". If you have seen a similar error in an existing
BRIN index, you should be able to correct it by using REINDEX on the
index.

    Fix the output of EXPLAIN to have the correct XML tag nesting for
incremental sort plans.

    Several fixes for memory leaks, including ones involving RLS
policies, using CALL with PL/pgSQL, SIGHUP processing a configuration
parameter that cannot be applied without a restart, and an edge-case for
index lookup for a partition.

    libpq can now support arbitrary-length lines in the .pgpass file.

    On Windows, psql now reads the output of a backtick command in text
mode, not binary mode, so it can now properly handle newlines.

    Fix how pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb use
complex connection-string parameters.

    When the \connect command of psql reuses connection parameters,
ensure that all non-overridden parameters from a previous connection
string are also re-used.

    Ensure that pg_dump collects per-column information about extension
configuration tables, avoiding crashes when specifying --inserts.

    Ensure that parallel pg_restore processes foreign keys referencing
partitioned tables in the correct order.

    Several fixes for contrib/pgcrypto, including a memory leak fix.

This update also contains tzdata release 2020d for for DST law changes
in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and
Casey Station (Antarctica); plus historical corrections for France,
Hungary, Monaco, and Palestine.

For the full list of changes available, please review the release notes.


PostgreSQL 9.5 EOL Notice

PostgreSQL 9.5 will stop receiving fixes on February 11, 2021. If you
are running PostgreSQL 9.5 in a production environment, we suggest that
you make plans to upgrade to a newer, supported version of PostgreSQL.
Please see our versioning policy for more information.


Updating

All PostgreSQL update releases are cumulative. As with other minor
releases, users are not required to dump and reload their database or
use pg_upgrade in order to apply this update release; you may simply
shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run
additional, post-update steps; please see the release notes for earlier
versions for details.

For more details, please see the release notes.

NOTE: PostgreSQL 9.5 will stop receiving fixes on February 11, 2021.


Please see our versioning policy for more information.


Links

    Download
    Release Notes
    Security
    Versioning Policy
    Follow @postgresql on Twitter


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================