Fixes on why-upgrade.depesz.com

In case you're not familiar with this site, why-upgrade.depesz.com shows you an aggregated changelog between any two PostgreSQL releases, optionally filtered by keywords.

Yesterday azeem on IRC pointed me towards a problem on why-upgrade.depesz.com. Specifically, when displaying changes from 9.5.24 to 13.1, the site showed 30 security fixes, but in reality there should be only 10.

The problem stemmed from the fact that the site fetched the changelogs of all versions from 9.5.24 to 13.1 and simply aggregated them, without taking into account that some of those changes had already been applied to 9.5.24, or even to an earlier 9.5 release. A fix that is backpatched to every supported branch is listed in the release notes of each of those branches, so the minor releases of 9.6, 10, 11 and 12 that sort between 9.5.24 and 13.1 carry entries that 9.5.24 already contained.

This happens quite often. For example, this change:

Prevent exposure of statistical information via leaky operators (Peter Eisentraut)

Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. (CVE-2017-7484)

Was committed to all of these versions:

Now, after this commit, this problem should be gone. Thanks, azeem, for the report.
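To make the aggregation bug concrete, here is an added Python example; it is not why-upgrade.depesz.com's own code, and the release-note data in it is constructed for the illustration. It models each release's notes as a set of entry titles, aggregates them the naive way (union of everything that sorts between the two versions) and then subtracts everything that was already in the starting version's branch at or before that version, which is the correction the fix needs to make:

```python
from typing import Dict, Set, Tuple

Version = Tuple[int, ...]

# Constructed sample data: release -> set of changelog entry titles.
# "leaky-operators" stands for the CVE-2017-7484 fix quoted above: it landed
# in 9.5.7 (long before 9.5.24) and, because it was backpatched, also shows up
# in the notes of the other branches. "fix-b" is in 9.5.24 itself and in the
# matching minor releases of later branches; "fix-d" is genuinely new in 13.
NOTES: Dict[str, Set[str]] = {
    "9.5.7":  {"leaky-operators"},
    "9.5.24": {"fix-b"},
    "9.6.3":  {"leaky-operators"},
    "9.6.20": {"fix-b"},
    "12.5":   {"fix-b"},
    "13.0":   {"fix-d"},
    "13.1":   {"fix-b"},
}


def parse_version(s: str) -> Version:
    """'9.5.24' -> (9, 5, 24); '13.1' -> (13, 1). Tuples compare in release order."""
    return tuple(int(part) for part in s.split("."))


def branch(v: Version) -> Version:
    """Major branch a release belongs to: (9, 5) before 10, (13,) from 10 on."""
    return v[:2] if v[0] < 10 else v[:1]


def aggregate_naive(notes: Dict[str, Set[str]], start: str, end: str) -> Set[str]:
    """The buggy behaviour: union of the notes of every release that sorts
    after `start` and up to `end`, regardless of branch."""
    lo, hi = parse_version(start), parse_version(end)
    seen: Set[str] = set()
    for ver, entries in notes.items():
        if lo < parse_version(ver) <= hi:
            seen |= entries
    return seen


def already_applied(notes: Dict[str, Set[str]], start: str) -> Set[str]:
    """Everything the starting release already contains: its own notes plus
    those of every earlier release on the same branch."""
    lo = parse_version(start)
    have: Set[str] = set()
    for ver, entries in notes.items():
        v = parse_version(ver)
        if branch(v) == branch(lo) and v <= lo:
            have |= entries
    return have


def aggregate_fixed(notes: Dict[str, Set[str]], start: str, end: str) -> Set[str]:
    """The corrected aggregation: drop entries the start release already had."""
    return aggregate_naive(notes, start, end) - already_applied(notes, start)


if __name__ == "__main__":
    naive = aggregate_naive(NOTES, "9.5.24", "13.1")
    fixed = aggregate_fixed(NOTES, "9.5.24", "13.1")
    print("naive:", len(naive), sorted(naive))
    print("fixed:", len(fixed), sorted(fixed))
```

With this data the naive union reports three changes for 9.5.24 to 13.1, two of which (the leaky-operators fix from 9.5.7 and fix-b from 9.5.24 itself) the starting release already has; the corrected version reports only fix-d. The same over-counting is what turned 10 security fixes into 30 on the site.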
