|
| 1 | +# 5.10.0 (June 3, 2026) |
| 2 | + |
| 3 | +This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, |
| 4 | +contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled |
| 5 | +message sizes, caps server-supplied SCRAM iteration counts, adds `require_auth` to restrict which authentication |
| 6 | +methods a server may use (mitigating downgrade attacks under `sslmode=prefer`), and ensures cancellation requests are |
| 7 | +sent over TLS when the original connection used TLS. |
| 8 | + |
| 9 | +## Features |
| 10 | + |
| 11 | +* Add `require_auth` to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.) |
| 12 | +* Add `ParseConfigOptions.ConnStringAllowedKeys` to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.) |
| 13 | +* Add `StructArgs` and `StrictStructArgs` for `@`-named queries (Tubelight30) |
| 14 | +* Add `ErrConnClosed` sentinel error and unwrap it from `connLockError` (Charlie Tonneslan) |
| 15 | +* pgxpool: check if connection is expired before acquire (arthurdotwork) |
| 16 | + |
| 17 | +## Security Hardening |
| 18 | + |
| 19 | +* Encrypt `CancelRequest` connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.) |
| 20 | +* Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.) |
| 21 | +* Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.) |
| 22 | +* Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.) |
| 23 | +* Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.) |
| 24 | +* Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.) |
| 25 | +* Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.) |
| 26 | +* Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.) |
| 27 | +* Fix panic on malformed geometric text; return an error instead (MaIII) |
| 28 | + |
| 29 | +## Fixes |
| 30 | + |
| 31 | +* Fix scanning `"char"` (OID 18) into `*string` in binary format (luongs3) |
| 32 | +* Fix handling of typed-nil `driver.Valuer` in array and composite codecs (Donncha Fahy) |
| 33 | +* Fix `CopyData.Data` hex decoding in `UnmarshalJSON` (Charlie Tonneslan) |
| 34 | +* Fix data race when context is cancelled during connect |
| 35 | +* Fix `parseKeywordValueSettings` rejecting trailing whitespace (alliasgher) |
| 36 | +* pgconn: preserve full error chain in `normalizeTimeoutError` (Charlie Tonneslan) |
| 37 | +* pgconn: use a fresh context for the fallback connection in `connectPreferred` (Charlie Tonneslan) |
| 38 | +* pgxpool: fix `MaxLifetimeDestroyCount` and ping order for acquire-time expiry check |
| 39 | +* Add missing error check of `rows.Err` to load types (Jen Altavilla) |
| 40 | + |
1 | 41 | # 5.9.2 (April 18, 2026) |
2 | 42 |
|
3 | 43 | Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx) |
|
0 commit comments