Version 13.12.17 v13

Released: 21 Aug 2023

Updated: 30 Aug 2023

Upgrading

Once you have upgraded to this version of EDB Postgres Advanced Server, you will need to run edb_sqlpatch on all your databases to complete the upgrade. This application will check that your databases system objects are up to date with this version. See the EDB SQL Patch documentation for more information on how to deploy this tool.

After applying patches

Users making use of the UTL_MAIL package now require EXECUTE permission on the UTL_SMTP and UTL_TCP packages in addition to EXECUTE permission on UTL_MAIL.

Users making use of the UTL_SMTP package now require EXECUTE permission on the UTL_TCP packages in addition to EXECUTE permission on UTL_SMTP.

EDB Postgres Advanced Server 13.12.17 includes the following enhancements and bug fixes:

TypeDescriptionAddresses               
Security fixEDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path.CVE-2023-XXXXX-1
Security fixEDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser.CVE-2023-XXXXX-2
Security fixEDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory()CVE-2023-XXXXX-3
Security fixEDB Postgres Advanced Server (EPAS) UTL_FILE permission bypassCVE-2023-XXXXX-4
Security fixEDB Postgres Advanced Server (EPAS) permission bypass for materialized viewsCVE-2023-XXXXX-5
Security fixEDB Postgres Advanced Server (EPAS) authenticated users may fetch any URLCVE-2023-XXXXX-6
Security fixEDB Postgres Advanced Server (EPAS) permission bypass for large objectsCVE-2023-XXXXX-7
Security fixEDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permissionCVE-2023-XXXXX-8
Bug fixAllowed subtypes in INDEX BY clause of the packaged collection.#1371
Bug fixFixed %type resolution when pointing to a packaged type field.#1243
Bug fixProfile: Fixed upgrade when REUSE constraints were ENABLED/DISABLED.#92739
Bug fixSet correct collation for packaged cursor parameters.#92739
Bug fixRolled back autonomous transaction creating pg_temp in case of error.#91614
Bug fixAdded checks to ensure required WAL logging in EXCHANGE PARTITION command.
Addresses

Entries in the Addresses column are either CVE numbers or, if preceded by #, a customer case number.