formed Corrective updates for all supported branches PostgreSQL: 13.3 , 12.7 , 11.12 , 10.17 and 9.6.22 . Updates for branch 9.6 will be formed until November 2021, 10 – until November 2022, 11 – until November 2023, 12 – until November 2024, 13 until November 2025. In new releases, three vulnerabilities have been fixed and fixed accumulated errors.
CVE-2021-32027 vulnerability can lead to data recording per borders of the buffer due to integer overflow when calculating arrays. Through manipulation with the values of arrays in SQL queries, an attacker having access to SQL queries can record any data into an arbitrary process of process memory and achieve the execution of its code with the DBMS server rights. Two other vulnerabilities (CVE-2021-32028, CVE-2021-32029) lead from the process memory content when manipulation with requests “INSERT … ON Conflict … Do Update” and “Update … Returning”.
from non-vulnerable fixes can be highlighted:
- Troubleshooting incorrect calculations when performing “Update … Returning” to update the combined segmented tables.
- Eliminating the “ALTER Table … Alter Constraint” command failure with restrictions for external keys in combination with the use of segmented tables.
- Functionality is established. Commit and Chain.
- For new FreeBSD issues, the default FDATASYNC mode is provided in that_sync_method.
- disabled by default parameter Vacuum_CleanUp_index_scale_factor.
- corrected memory leaks that manifest themselves when initializing TLS connections.
- In PG_UPGRADE, additional checks have been added for the availability of data types not subject to update in the user tables.