From: Jonathan S. Katz <jonathan.katz@excoventures.com>
Date: Mon, 6 Feb 2023 18:16:19 +0000 (-0500)
Subject: 2023-02-09 update release first draft
X-Git-Url: http://git.postgresql.org/gitweb/static/gitweb.js?a=commitdiff_plain;h=8479abfc27adb207f674f67ac150d93ea6a4a037;p=press.git

2023-02-09 update release first draft
---

diff --git a/update_releases/current/20230209securityrelease.md b/update_releases/current/20230209securityrelease.md
new file mode 100644
index 0000000..daf5758
--- /dev/null
+++ b/update_releases/current/20230209securityrelease.md
@@ -0,0 +1,130 @@
+The PostgreSQL Global Development Group has released an update to all supported
+versions of PostgreSQL, including 15.2, 14.7, 13.10, 12.14, and 11.19.
+This release closes one security vulnerability and fixes over 60 bugs reported
+over the last several months.
+
+For the full list of changes, please review the
+[release notes](https://www.postgresql.org/docs/release/).
+
+Security Issues
+---------------
+
+### [CVE-2022-41862](https://www.postgresql.org/support/security/CVE-2022-41862/): Client memory disclosure when connecting, with Kerberos, to modified server.
+
+Versions Affected: 12 - 15.
+
+A modified, unauthenticated server can send an unterminated string during the
+establishment of Kerberos transport encryption.  When a `libpq` client
+application has a Kerberos credential cache and doesn't explicitly disable
+option [`gssencmode`](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-GSSENCMODE),
+a server can cause `libpq` to over-read and report an error message containing
+uninitialized bytes from and following its receive buffer. If `libpq`'s caller
+somehow makes that message accessible to the attacker, this achieves a
+disclosure of the over-read bytes.  We have not confirmed or ruled out viability
+of attacks that arrange for a crash or for presence of notable, confidential
+information in disclosed bytes.
+
+The PostgreSQL project thanks Jacob Champion for reporting this problem.
+
+Bug Fixes and Improvements
+--------------------------
+ 
+This update fixes over 60 bugs that were reported in the last several months.
+The issues listed below affect PostgreSQL 15. Some of these issues may also
+affect other supported versions of PostgreSQL.
+
+Included in this release:
+
+* Fix for partitioned tables to correctly update
+[`GENERATED`](https://www.postgresql.org/docs/current/ddl-generated-columns.html)
+columns in child tables if the `GENERATED` column does not exist in the parent
+table or the child generated column has different dependencies than the parent.
+* Several fixes for the [`MERGE`](https://www.postgresql.org/docs/current/sql-merge.html)
+command.
+* Allow a
+[`WITH RECURSIVE ... CYCLE`](https://www.postgresql.org/docs/current/queries-with.html#QUERIES-WITH-CYCLE)
+query to access its output column.
+* Fix an issue with bulk insertions on foreign tables that could lead to logical
+inconsistencies, for example, a `BEFORE ROW` trigger may not process rows that
+should be available.
+* Reject uses of undefined variables in
+[`jsonpath`](https://www.postgresql.org/docs/current/functions-json.html#FUNCTIONS-SQLJSON-PATH)
+existence checks.
+* Fix for [`jsonb` subscripting](https://www.postgresql.org/docs/current/datatype-json.html#JSONB-SUBSCRIPTING)
+to handle very large subscript values.
+* Honor updated values of `checkpoint_completion_target` on reload.
+* Log the correct ending timestamp in `recovery_target_xid` mode.
+* Fix issue to allow longer column lists when using logical replication.
+* Prevent "wrong tuple length" failure at the end of
+[`VACUUM`](https://www.postgresql.org/docs/current/sql-vacuum.html).
+* Avoid an immediate commit after
+[`ANALYZE`](https://www.postgresql.org/docs/current/sql-analyze.html) when using
+query pipelining.
+* Several fixes to the query planner, including one that provides more
+opportunities for using
+[memoization with partitionwise joins](https://www.postgresql.org/docs/current/runtime-config-query.html).
+* Fix for statistics collection to correctly handle when a relation changes
+(e.g. a table is converted to a view).
+* Ensure [full text search](https://www.postgresql.org/docs/current/textsearch.html)
+queries can be cancelled while performing phrase matches.
+* Fix deadlock between [`DROP DATABASE`](https://www.postgresql.org/docs/current/sql-dropdatabase.html)
+and logical replication worker process.
+* Fix small session-lifespan memory leak when
+[`CREATE SUBSCRIPTION`](https://www.postgresql.org/docs/current/sql-createsubscription.html)
+fails its connection attempt.
+* Performance improvement for replicas with
+[`hot_standby`](https://www.postgresql.org/docs/current/hot-standby.html)
+enabled that are processing `SELECT` queries.
+* Several fixes for logical decoding that improve its stability and bloat
+handling.
+* Fix the default logical replication plug-in, `pgoutput`, to not send columns
+that are not listed in a table's replication
+[column list](https://www.postgresql.org/docs/current/logical-replication-col-lists.html).
+* Fix possible corruption of very large tablespace map files in
+[`pg_basebackup`](https://www.postgresql.org/docs/current/app-pgbasebackup.html).
+* Remove a harmless warning from
+[`pg_dump`](https://www.postgresql.org/docs/current/app-pgdump.html) in
+`--if-exists` mode when the
+[`public` schema](https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PUBLIC)
+has a non-default owner.
+* Fix the [`psql`](https://www.postgresql.org/docs/current/app-psql.html)
+commands `\sf` and `\ef` to handle SQL-language functions that have
+[SQL-standard function bodies](https://www.postgresql.org/docs/currenet/sql-createprocedure.html)
+(i.e. `BEGIN ATOMIC`).
+* Fix tab completion of `ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA`.
+* Update the [`pageinspect`](https://www.postgresql.org/docs/current/pageinspect.html)
+extension to mark its disk-accessing functions as `PARALLEL RESTRICTED`.
+* Fix the [`seg`](https://www.postgresql.org/docs/current/seg.html) extension to
+not crash or print garbage if an input number has more than 127 digits.
+
+This release also updates time zone data files to tzdata release 2022g for
+DST law changes in Greenland and Mexico, plus historical corrections for
+northern Canada, Colombia, and Singapore. Notably, a new timezone,
+America/Ciudad_Juarez, has been split off from America/Ojinaga.
+
+For the full list of changes available, please review the
+[release notes](https://www.postgresql.org/docs/release/).
+
+Updating
+--------
+
+All PostgreSQL update releases are cumulative. As with other minor releases,
+users are not required to dump and reload their database or use `pg_upgrade` in
+order to apply this update release; you may simply shutdown PostgreSQL and
+update its binaries.
+
+Users who have skipped one or more update releases may need to run additional,
+post-update steps; please see the release notes for earlier versions for
+details.
+
+For more details, please see the
+[release notes](https://www.postgresql.org/docs/release/).
+
+Links
+-----
+* [Download](https://www.postgresql.org/download/)
+* [Release Notes](https://www.postgresql.org/docs/release/)
+* [Security](https://www.postgresql.org/support/security/)
+* [Versioning Policy](https://www.postgresql.org/support/versioning/)
+* [PostgreSQL 15 Release Announcement](https://www.postgresql.org/about/press/)
+* [Follow @postgresql on Twitter](https://twitter.com/postgresql)