November ’25 PostgreSQL Minor Release: What You Need to Know

On November 13th, 2025, the PostgreSQL Global Development Group released updates across all supported versions: 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. This release addresses two security vulnerabilities and patches over 50 bugs. If you’re running PostgreSQL in production, this isn’t an update you should skip.

End of Life for PostgreSQL 13

Perhaps the most significant announcement: PostgreSQL13 has reached end-of-life. Version 13.23 is the final release for this branch, meaning it will no longer receive security patches or bug fixes. If you’re still running PostgreSQL 13 in production, it’s time to plan your upgrade to a supported version.

Critical Security Vulnerabilities Fixed

1. Authorization Bypass in CREATE STATISTICS (CVSS 3.1)

A missing authorization check in the CREATE STATISTICS command allowed table owners to create statistics objects in any schema, regardless of whether they had CREATE privileges on that schema, which could potentially lead to unexpected naming conflicts. For ALTER TABLE commands that require re-creating statistics objects, this check could be skipped if the user no longer has CREATE privileges on the schema.

The addition of a second parameter check_rights to CreateStatistics() could potentially break ABI compatibility, but how any third-party code would be impacted is currently not known.

2. libpq Integer Wraparound Leading to Memory Corruption (CVSS 5.9)

This is the more serious of the two vulnerabilities. Several places in libpq were not sufficiently careful about computing the required size of a memory allocation. Sufficiently large inputs could cause integer overflow, resulting in an undersized buffer, which would then lead to writing past the end of the buffer. This release switches variables from int to size_t where appropriate, and checks for overflow conditions when the inputs could have plausibly originated outside of the libpq trust boundary.

An integer wraparound in multiple libpq client library functions could allow an attacker to cause memory underallocation, leading to out-of-bounds writes of hundreds of megabytes. This results in a segmentation fault that crashes the application using libpq. The vulnerability could be exploited by either an application input provider or a network peer, making it a significant risk for any application connecting to PostgreSQL databases.

Key Bug Fixes in PostgreSQL 18

This release includes fixes for over 50 bugs. Here are the most impactful ones for PostgreSQL 18 users:

Critical WAL Receiver Bug Fix: Timeline Switch Issue

One of the most significant fixes in this release addresses a problem with the WAL receiver process during timeline switches on standby servers.

The Problem: When a standby server switched from streaming replication to archive recovery (typically during a timeline change), the WAL receiver would incorrectly shut down and immediately restart in a loop. This behavior was unintended—the WAL receiver should remain alive while waiting for a new streaming start point.

The Impact: This bug could cause several issues:

• Confusion in monitoring systems tracking replication status
• Unnecessary overhead from repeated process restarts
• Potential gaps in replication monitoring and alerting
• Misleading log messages about connection state

The Fix: The WAL receiver now correctly maintains its connection during timeline transitions, waiting patiently for the new streaming position rather than cycling through shutdown-restart sequences. This provides smoother failover behavior and more reliable replication monitoring.

This fix is particularly important for high-availability setups where standby servers need to handle timeline switches gracefully during failover scenarios.

Concurrency and Replication Issues

• Beyond the WAL receiver fix, several other replication-related issues were addressed:
• Replication Lag Reporting: The pg_stat_replication view could stop updating write_lag and flush_lag columns when a standby’s replay position stopped advancing. This has been corrected to provide accurate lag metrics.
• Slot Synchronization: The system now handles cases where synchronized_standby_slots references nonexistent replication slots without failing, improving robustness in complex replication topologies.
• Logical Replication: Fixed a use-after-free issue in the pgoutput plugin’s relation synchronization cache, which could cause crashes during error conditions in logical decoding sessions.
• Parallel Apply Workers: Corrected signal handling in parallel apply workers where the same signal number was being used for both shutdown and lock timeout events.

Query Planning and Execution Fixes

Several query planner improvements were made:

• Fixed incorrect optimization of variable-free HAVING clauses with grouping sets
• Disabled parallelism in hash right semi joins due to race conditions
• Corrected division-by-zero possibility in ordered-append plans
• Fixed planner failures with certain extension-provided index types
• Improved hash table size selection logic in hash joins

COPY Command Enhancement

The COPY … FROM … WHERE clause now works correctly, allowing you to selectively import rows based on conditions during the copy operation itself.

Tool Improvements

• pg_dump: Various fixes to ensure accurate database exports.
• pgbench: Bug fixes for more reliable benchmarking.
• pg_combinebackup: Improvements to the backup combination utility.
• pg_prewarm: No longer requires SELECT privileges on tables to preload them into shared buffers.

Upgrading: What You Need to Know

Good news if this is a minor version update

• No dump and reload required – Simply shut down PostgreSQL, update the binaries, and restart
• No pg_upgrade needed – The on-disk format remains compatible
• All changes are cumulative – You can safely skip intermediate minor versions

However, if you’ve skipped multiple minor releases, review the release notes from those versions for any post-update steps you might need to run.

Should You Upgrade?

Yes, especially if:

1. You’re using libpq-based applications.
2. You have multi-user environments where schema-level security matters.
3. You’re using any of the features affected by the 50+ bug fixes.
4. Your production instance is on PostgreSQL 13.

How to Upgrade

1. Create a Proper plan specific to your workload and environment.
2. Test in a staging environment first to identify any issues specific to your workload
3. Plan a maintenance window – while the upgrade is quick, it does require a brief downtime
4. Backup before upgrading – always have a rollback plan
5. Update all related tools – Ensure your client libraries, connection poolers, and extensions are compatible.

Related posts on Upgrades

• The quick and easy way to upgrade Postgres using ‘pg_upgrade’
• Hey Barman Users! Upgrading to PG15 using pg_upgrade??
• PG18 Hacktober: 31 Days of New Features : Unveiling pg_upgrade –swap option
• PG18 Hacktober: 31 Days of New Features : Planning ahead: PG18 retains planner stats during Upgrades
• Running PostgreSQL 9.6? Time for a major upgrade!

Minor version updates should no longer be considered as optional maintenance tasks; they’re critical security and stability patches. The libpq vulnerability alone could crash applications, and running an end-of-life database version leaves you exposed to future vulnerabilities with no fix available. Check the release notes and plan your upgrade.

Thank you and Stay tuned!!

References

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=00eb646ea
https://postgr.es/c/00eb646ea
https://postgr.es/c/7eb8fcad8
https://postgr.es/c/0f9e0068b
https://postgr.es/c/a14201073