PostgreSQL 13.22

What's new in this version:

Security Issues:
CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table:
- Supported, Vulnerable Versions: 13 - 17
- PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most- common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client:
- Supported, Vulnerable Versions: 13 - 17
- Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

CVE-2025-8715: PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server:
- Supported, Vulnerable Versions: 13 - 17
- Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.

Bug Fixes and Improvements:
- This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.
- Fix for BRIN indexes using the numeric_minmax_multi_ops operator class that could cause them to become bloated and inefficient. Please see the "Updating" section for instructions on how to fix these indexes.
- Several fixes for logical replication, including fixes for memory allocation failure, duplicate transaction replay, infinite wait, unexpected shutdown, and a standby unable to shutdown.
- Fix premature removal of old WAL during a checkpoint, which could impact recovery when using replication slots.
- Revert a change that could reject XML documents over 10MB in size.
- Fix how nested character classes (e.g. [[:alpha:]%_]) are handled in SIMILAR TO expressions
- Restore the ability for PL/pgSQL expressions to use parallel execution
- Avoid a rare scenario where a B-tree index could modify the wrong entry
- Several fixes for MERGE, including incorrect query results with concurrency and when targeting a table that is a parent in an inheritance hierarchy
- Fix LZ4 decompression failure that could occur on data that is not very compressible
- Prevent an infinite loop in checkpoints on systems with very large shared_buffers settings
- Fix issues with GSSAPI authentication when using Active Directory accounts with many group memberships. This release also fixes timing-dependent connection failures when using SSL or GSSAPI encryption in non-blocking mode.
- Fix a crash in libpq function PQcancelCreate()
- Fix several resource leaks