Postgres Changelog - All Versions

Below is a complete, one-page listing of changes across all Postgres versions. All versions of PostgreSQL 12 and older are EOL (end of life) and unsupported.
This page was generated on February 20, 2025 by a script (version 1.39) by Greg Sabino Mullane, and contains information for 528 versions of Postgres.

Postgres version 17.4

Release date: 2025-02-20

This release contains a few fixes from 17.3. For information about new features in major release 17, see Version 17.0.

 Migration to Version 17.4

A dump/restore is not required for those running 17.X.

However, if you are upgrading from a version earlier than 17.1, see Version 17.1.

 Changes

• Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜

  The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.

  In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.

• Fix small memory leak in pg_createsubscriber (Ranier Vilela) 📜

• Fix meson build system to correctly detect availability of the bsd_auth.h system header (Nazir Bilal Yavuz) 📜

Postgres version 17.3

Release date: 2025-02-13

This release contains a variety of fixes from 17.2. For information about new features in major release 17, see Version 17.0.

 Migration to Version 17.3

A dump/restore is not required for those running 17.X.

However, if you are upgrading from a version earlier than 17.1, see Version 17.1.

 Changes

• Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜

  Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.

  The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.

  This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.

  Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.

  The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)

• Restore auto-truncation of database and user names appearing in connection requests (Nathan Bossart) 📜

  This reverts a v17 change that proved to cause trouble for some users. Over-length names should be truncated in an encoding-aware fashion, but for now just return to the former behavior of blind truncation at NAMEDATALEN-1 bytes.

• Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜

  Do not check datallowconn, rolcanlogin, and ACL_CONNECT privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections, datconnlimit, and rolconnlimit limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.

• Drop “Lock” suffix from LWLock wait event names (Bertrand Drouvot) 📜

  Refactoring unintentionally caused the pg_stat_activity view to show lock-related wait event names with a “Lock” suffix, which among other things broke joining it to pg_wait_events.

• Fix possible failure to return all matching tuples for a btree index scan with a ScalarArrayOp (= ANY) condition (Peter Geoghegan) 📜

• Fix possible re-use of stale results in window aggregates (David Rowley) 📜

  A window aggregate with a “run condition” optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.

• Keep TransactionXmin in sync with MyProc->xmin (Heikki Linnakangas) 📜

  This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction” errors.

• Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜

  This could result, for example, in failure to use a newly-created function within an existing session.

• Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜 📜

• Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜

  The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.

• Prevent checkpoints from starting during relation truncation (Robert Haas) 📜

  This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.

• Avoid possibly losing an update of pg_database.datfrozenxid when VACUUM runs concurrently with a REASSIGN OWNED that changes that database's owner (Kirill Reshke) 📜

• Fix incorrect tg_updatedcols values passed to AFTER UPDATE triggers (Tom Lane) 📜

  In some cases the tg_updatedcols bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.

  Also, prevent memory bloat caused by making too many copies of the tg_updatedcols bitmap.

• Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) 📜

  In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraint”.

• Fix pg_get_constraintdef's support for NOT NULL constraints on domains (Álvaro Herrera) 📜

• Fix mis-processing of to_timestamp's FFn format codes (Tom Lane) 📜

  An integer format code immediately preceding FFn would consume all available digits, leaving none for FFn.

• When deparsing a PASSING clause in a SQL/JSON query function, ensure that variable names are double-quoted when necessary (Dean Rasheed) 📜

• When deparsing an XMLTABLE() expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜

• Include the ldapscheme option in pg_hba_file_rules() output (Laurenz Albe) 📜 📜

• Fix planning of pre-sorted UNION operations for cases where the input column datatypes don't all match (David Rowley) 📜

  This error could lead to sorting data with the wrong sort operator, with consequences ranging from no visible problem to core dumps.

• Don't merge UNION operations if their column collations aren't consistent (Tom Lane) 📜

  Previously we ignored collations when deciding if it's safe to merge UNION steps into a single N-way UNION operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.

• Prevent “wrong varnullingrels” planner errors after pulling up a subquery that's underneath an outer join (Tom Lane) 📜 📜

• Ignore nulling-relation marker bits when looking up statistics (Richard Guo) 📜

  This oversight could lead to failure to use relevant statistics about expressions, or to “corrupt MVNDistinct entry” errors.

• Fix missed expression processing for partition pruning steps (Tom Lane) 📜

  This oversight could lead to “unrecognized node type” errors, and perhaps other problems, in queries accessing partitioned tables.

• Give the slotsync worker process its own process slot (Tom Lane, Hou Zhijie) 📜

  This was overlooked in the addition of the slotsync worker, with the result that its process slot effectively came out of the pool meant for regular backend processes. This could result in failure to launch the worker, or to subsequent failures of connection requests that should have succeeded according to the configured settings, if the number of regular backend processes approached max_connections.

• Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜

  This avoids errors like “invalid DSA memory alloc request size”. The case can occur for example in transactions that process several million tables.

• Avoid possible integer overflow in bringetbitmap() (James Hunter, Evgeniy Gorbanyov) 📜

  Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.

• Correct miscalculation of SLRU bank numbers (Yura Sokolov) 📜

  This error led to using a smaller number of banks than intended, causing more contention but no functional misbehavior.

• Ensure that an already-set process latch doesn't prevent the postmaster from noticing socket events (Thomas Munro) 📜

  An extremely heavy workload of backends launching workers and workers exiting could prevent the postmaster from responding to incoming client connections in a timely fashion.

• Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜

  This would happen when the record's continuation is on a page that needs to be read from a different WAL source.

• Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜

  This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child process”.

• Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜

  In some cases a data type could be dropped while references to its OID still remain in pg_amop or pg_amproc. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY to prevent failure when dropping a family that has dangling members.

• Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜 📜

• Fix small memory leak when updating the application_name or cluster_name settings (Tofig Aliev) 📜

• Avoid crash when a background process tries to check a new value of synchronized_standby_slots (Álvaro Herrera) 📜

• Avoid integer overflow while testing wal_skip_threshold condition (Tom Lane) 📜

  A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold. (This only matters when wal_level is set to minimal, else a WAL copy is required anyway.)

• Fix unsafe order of operations during cache lookups (Noah Misch) 📜

  The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock” warning during GRANT TABLESPACE.

• Avoid potential use-after-free in parallel vacuum (Vallimaharajan G, John Naylor) 📜

  This bug seems to have no consequences in standard builds, but it's theoretically a hazard.

• Fix possible “failed to resolve name” failures when using JIT on older ARM platforms (Thomas Munro) 📜

  This could occur as a consequence of inconsistency about the default setting of -moutline-atomics between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.

• Fix assertion failure in WITH RECURSIVE ... UNION queries (David Rowley) 📜

• Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜

• Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜

• Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) 📜

• Avoid valgrind complaints about string hashing code (John Naylor) 📜

• In NULLIF(), avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜

  The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF() result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.

• Ensure that expression preprocessing is applied to a default null value in INSERT (Tom Lane) 📜

  If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.

• Avoid data loss when starting a bulk write on a relation fork that already contains data (Matthias van de Meent) 📜

  Any pre-existing data was overwritten with zeroes. This is not an issue for core PostgreSQL, which never does that. Some extensions would like to, however.

• Avoid crash if a server process tried to iterate over a shared radix tree that it didn't create (Masahiko Sawada) 📜

  There is no code in core PostgreSQL that does this, but an extension might wish to.

• Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜

  Repeated use of PLyPlan.execute or plpy.cursor resulted in memory leakage for the duration of the calling PL/Python function.

• Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜

• In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜

• In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN (Ryo Kanbayashi) 📜

  Previously, the intended warning was not issued due to a typo.

• Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜

  Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.

• Add psql tab completion for COPY (MERGE INTO) (Jian He) 📜

• Fix use of wrong version of pqsignal() in pgbench and psql (Fujii Masao, Tom Lane) 📜

  This error could lead to misbehavior when using the -T option in pgbench or the \watch command in psql, due to interrupted system calls not being resumed as expected.

• Fix misexecution of some nested \if constructs in pgbench (Michail Nikolaev) 📜

  An \if command appearing within a false (not-being-executed) \if branch was incorrectly treated the same as \elif.

• In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜

• Make pg_controldata more robust against corrupted pg_control files (Ilyasov Ian, Anton Voloshin) 📜

  Since pg_controldata will attempt to print the contents of pg_control even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.

• Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜

• Fix memory leak in pg_restore with zstd-compressed data (Tom Lane) 📜

  The leak was per-decompression-operation, so would be most noticeable with a dump containing many tables or large objects.

• Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜

• Use SQL-standard function bodies in the declarations of contrib/earthdistance's SQL-language functions (Tom Lane, Ronan Dunklau) 📜

  This change allows their references to contrib/cube to be resolved during extension creation, reducing the risk of search-path-based failures and possible attacks.

  In particular, this restores their usability in contexts like generated columns, for which PostgreSQL v17 restricts the search path on security grounds. We have received reports of databases failing to be upgraded to v17 because of that. This patch has been included in v16 to provide a workaround: updating the earthdistance extension to this version beforehand should allow an upgrade to succeed.

• Detect version mismatch between contrib/pageinspect's SQL declarations and the underlying shared library (Tomas Vondra) 📜

  Previously, such a mismatch could result in a crash while calling brin_page_items(). Instead throw an error recommending updating the extension.

• When trying to cancel a remote query in contrib/postgres_fdw, re-issue the cancel request a few times if it didn't seem to do anything (Tom Lane) 📜

  This fixes a race condition where we might try to cancel a just-sent query before the remote server has started to process it, so that the initial cancel request is ignored.

• Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜

  On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.

• Fix meson build system to support old OpenSSL libraries on Windows (Darek Slusarczyk) 📜

  Add support for the legacy library names ssleay32 and libeay32.

• In Windows builds using meson, ensure all libcommon and libpgport functions are exported (Vladlen Popolitov, Heikki Linnakangas) 📜 📜

  This fixes “unresolved external symbol” build errors for extensions.

• Fix meson configuration process to correctly detect OSSP's uuid.h header file under MSVC (Andrew Dunstan) 📜

• When building with meson, install pgevent in pkglibdir not bindir (Peter Eisentraut) 📜

  This matches the behavior of the make-based build system and the old MSVC build system.

• When building with meson, install sepgsql.sql under share/contrib/ not share/extension/ (Peter Eisentraut) 📜

  This matches what the make-based build system does.

• Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜

Postgres version 17.2

Release date: 2024-11-21

This release contains a few fixes from 17.1. For information about new features in major release 17, see Version 17.0.

 Migration to Version 17.2

A dump/restore is not required for those running 17.X.

However, if you are upgrading from a version earlier than 17.1, see Version 17.1.

 Changes

• Repair ABI break for extensions that work with struct ResultRelInfo (Tom Lane) 📜

  Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.

• Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch) 📜

  The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.

• Fix cases where a logical replication slot's restart_lsn could go backwards (Masahiko Sawada) 📜

  Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn value, in which case replication would fail to restart.

• Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) 📜

  Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.

• Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier) 📜

  These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once” errors.

• Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter (Masahiro Ikeda) 📜

• Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜

  Some forms of ALTER TABLE would fail if the table has an index with non-default operator class options.

• Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) 📜

  This bug does not appear to have any visible consequences in non-assert builds.

Postgres version 17.1

Release date: 2024-11-14

This release contains a variety of fixes from 17.0. For information about new features in major release 17, see Version 17.0.

 Migration to Version 17.1

A dump/restore is not required for those running 17.X.

However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.

Also, in the uncommon case that a database's LC_CTYPE setting is C while its LC_COLLATE setting is some other locale, indexes on textual columns should be reindexed, as described in the sixth changelog entry below.

 Changes

• Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜

  If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.

  The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)

• Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜

  An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.

  The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)

• Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane) 📜 📜

  The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else.

  The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)

• Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜

  The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment.

  The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)

• Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera) 📜 📜

  If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too.

  The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.

  This query can be used to identify broken constraints and construct the commands needed to recreate them:

  SELECT conrelid::pg_catalog.regclass AS "constrained table",
         conname AS constraint,
         confrelid::pg_catalog.regclass AS "references",
         pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                           conrelid::pg_catalog.regclass, conname) AS "drop",
         pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                           conrelid::pg_catalog.regclass, conname,
                           pg_catalog.pg_get_constraintdef(oid)) AS "add"
  FROM pg_catalog.pg_constraint c
  WHERE contype = 'f' AND conparentid = 0 AND
     (SELECT count(*) FROM pg_catalog.pg_constraint c2
      WHERE c2.conparentid = c.oid) <>
     (SELECT count(*) FROM pg_catalog.pg_inherits i
      WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
        EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                WHERE partrelid = i.inhparent));
  

  Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.

• Fix test for C locale when LC_COLLATE is different from LC_CTYPE (Jeff Davis) 📜

  When using libc as the default collation provider, the test to see if C locale is in use for collation accidentally checked LC_CTYPE not LC_COLLATE. This has no impact in the typical case where those settings are the same, nor if both are not C (nor its alias POSIX). However, if LC_CTYPE is C while LC_COLLATE is some other locale, wrong query answers could ensue, and corruption of indexes on strings was possible. Users of databases with such settings should reindex affected indexes after installing this update. The converse case with LC_COLLATE being C while LC_CTYPE is some other locale would cause performance degradation, but no actual errors.

• Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜

  Such plans could produce incorrect results.

• Avoid planner failure after converting an IS NULL test on a NOT NULL column to constant FALSE (Richard Guo) 📜

  This bug typically led to errors such as “variable not found in subplan target lists”.

• Avoid possible planner crash while inlining a SQL function whose arguments contain certain array-related constructs (Tom Lane, Nathan Bossart) 📜

• Fix possible wrong answers or “wrong varnullingrels” planner errors for MERGE ... WHEN NOT MATCHED BY SOURCE actions (Dean Rasheed) 📜 📜

• Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜

• Fix edge case in B-tree ScalarArrayOp index scans (Peter Geoghegan) 📜

  When a scrollable cursor with a plan of this kind was backed up to its starting point and then run forward again, wrong answers were possible.

• Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane) 📜

• Fix validation of COPY's FORCE_NOT_NULL and FORCE_NULL options (Joel Jacobson) 📜

  Some incorrect usages are now rejected as they should be.

• Fix server crash when a json_objectagg() call contains a volatile function (Amit Langote) 📜

• Fix detection of skewed data during parallel hash join (Thomas Munro) 📜

  After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.

• Avoid crash when ALTER DATABASE SET is used to set a server parameter that requires search-path-based lookup, such as default_text_search_config (Jeff Davis) 📜

• Avoid repeated lookups of opclasses and collations while creating a new index on a partitioned table (Tom Lane) 📜

  This was problematic mainly because some of the lookups would be done with a restricted search_path, leading to unexpected failures if the CREATE INDEX command referenced objects outside pg_catalog.

  This fix also prevents comments on the parent partitioned index from being copied to child indexes.

• Add missing dependency from a partitioned table to a non-built-in access method specified in CREATE TABLE ... USING (Michael Paquier) 📜

  Dropping the access method should be blocked when a table exists that depends on it, but it was not, allowing subsequent odd behavior. Note that this fix only prevents problems for partitioned tables created after this update.

• Disallow locale names containing non-ASCII characters (Thomas Munro) 📜

  This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that.

  Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR.

• Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜

  Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.

• Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen) 📜

  A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.

• Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang) 📜

  A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.

• Fix ways in which an “in place” catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜

  Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.

• Reset catalog caches at end of recovery (Noah Misch) 📜

  This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.

• Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜

  This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.

• Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane) 📜

  It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.

• Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) 📜 📜

• Reduce memory consumption of logical decoding (Masahiko Sawada) 📜

  Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.

• Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane) 📜

  As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.

• Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki) 📜

  The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.

• In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜

  It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.

• Fix psql's describe commands to again work with pre-9.4 servers (Tom Lane) 📜

  Commands involving display of an ACL (permissions) column failed with very old PostgreSQL servers, due to use of a function not present in those versions.

• Avoid hanging if an interval less than 1ms is specified in psql's \watch command (Andrey Borodin, Michael Paquier) 📜

  Instead, treat this the same as an interval of zero (no wait between executions).

• Fix failure to find replication password in ~/.pgpass (Tom Lane) 📜

  pg_basebackup and pg_receivewal failed to match an entry in ~/.pgpass that had replication in the database name field, if no -d or --dbname switch was supplied. This resulted in an unexpected prompt for password.

• In pg_combinebackup, throw an error if an incremental backup file is present in a directory that is supposed to contain a full backup (Robert Haas) 📜

• In pg_combinebackup, don't construct filenames containing double slashes (Robert Haas) 📜

  This caused no functional problems, but the duplicate slashes were visible in error messages, which could create confusion.

• Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜

  Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.

• Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜

  When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.

• Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart) 📜

  On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.

• Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜

  This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58.

  Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.

Postgres version 17.0

Release date: 2024-09-26

 Overview

PostgreSQL 17 contains many new features and enhancements, including:

• New memory management system for VACUUM, which reduces memory consumption and can improve overall vacuuming performance.

• New SQL/JSON capabilities, including constructors, identity functions, and the JSON_TABLE() function, which converts JSON data into a table representation.

• Various query performance improvements, including for sequential reads using streaming I/O, write throughput under high concurrency, and searches over multiple values in a btree index.

• Logical replication enhancements, including:

  • Failover control

  • pg_createsubscriber, a utility that creates logical replicas from physical standbys

  • pg_upgrade now preserves replication slots on both publishers and subscribers

• New client-side connection option, sslnegotiation=direct, that performs a direct TLS handshake to avoid a round-trip negotiation.

• pg_basebackup now supports incremental backup.

• COPY adds a new option, ON_ERROR ignore, that allows a copy operation to continue in the event of an error.

The above items and other new features of PostgreSQL 17 are explained in more detail in the sections below.

 Migration to Version 17

A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.

Version 17 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:

• Change functions to use a safe search_path during maintenance operations (Jeff Davis) 📜

  This prevents maintenance operations (ANALYZE, CLUSTER, REFRESH MATERIALIZED VIEW, REINDEX, or VACUUM) from performing unsafe access. Functions used by expression indexes and materialized views that need to reference non-default schemas must specify a search path during function creation.

• Restrict ago to only appear at the end in interval values (Joseph Koshakow) 📜 📜

  Also, prevent empty interval units from appearing multiple times.

• Remove server variable old_snapshot_threshold (Thomas Munro) 📜

  This variable allowed vacuum to remove rows that potentially could be still visible to running transactions, causing "snapshot too old" errors later if accessed. This feature might be re-added to PostgreSQL later if an improved implementation is found.

• Change SET SESSION AUTHORIZATION handling of the initial session user's superuser status (Joseph Koshakow) 📜

  The new behavior is based on the session user's superuser status at the time the SET SESSION AUTHORIZATION command is issued, rather than their superuser status at connection time.

• Remove feature which simulated per-database users (Nathan Bossart) 📜

  The feature, db_user_namespace, was rarely used.

• Remove wal_sync_method value fsync_writethrough on Windows (Thomas Munro) 📜

  This value was the same as fsync on Windows.

• Change file boundary handling of two WAL file name functions (Kyotaro Horiguchi, Andres Freund, Bruce Momjian) 📜

  The functions pg_walfile_name() and pg_walfile_name_offset() used to report the previous LSN segment number when the LSN was on a file segment boundary; it now returns the current LSN segment.

• Remove server variable trace_recovery_messages since it is no longer needed (Bharath Rupireddy) 📜

• Remove information schema column element_types.domain_default (Peter Eisentraut) 📜

• Change pgrowlocks lock mode output labels (Bruce Momjian) 📜

• Remove buffers_backend and buffers_backend_fsync from pg_stat_bgwriter (Bharath Rupireddy) 📜

  These fields are considered redundant to similar columns in pg_stat_io.

• Rename I/O block read/write timing statistics columns of pg_stat_statements (Nazir Bilal Yavuz) 📜

  This renames blk_read_time to shared_blk_read_time, and blk_write_time to shared_blk_write_time.

• Change pg_attribute.attstattarget and pg_statistic_ext.stxstattarget to represent the default statistics target as NULL (Peter Eisentraut) 📜 📜

• Rename pg_collation.colliculocale to colllocale and pg_database.daticulocale to datlocale (Jeff Davis) 📜

• Rename pg_stat_progress_vacuum column max_dead_tuples to max_dead_tuple_bytes, rename num_dead_tuples to num_dead_item_ids, and add dead_tuple_bytes (Masahiko Sawada) 📜 📜

• Rename SLRU columns in system view pg_stat_slru (�lvaro Herrera) 📜

  The column names accepted by pg_stat_reset_slru() are also changed.

 Changes

Below you will find a detailed account of the changes between PostgreSQL 17 and the previous major release.

 Server (PG 17.0)

 Optimizer (PG 17.0)

• Allow the optimizer to improve CTE plans by considering the statistics and sort order of columns referenced in earlier row output clauses (Jian Guo, Richard Guo, Tom Lane) 📜 📜

• Improve optimization of IS NOT NULL and IS NULL query restrictions (David Rowley, Richard Guo, Andy Fan) 📜 📜

  Remove IS NOT NULL restrictions from queries on NOT NULL columns and eliminate scans on NOT NULL columns if IS NULL is specified.

• Allow partition pruning on boolean columns on IS [NOT] UNKNOWN conditionals (David Rowley) 📜

• Improve optimization of range values when using containment operators <@ and @> (Kim Johan Andersson, Jian He) 📜

• Allow correlated IN subqueries to be transformed into joins (Andy Fan, Tom Lane) 📜

• Improve optimization of the LIMIT clause on partitioned tables, inheritance parents, and UNION ALL queries (Andy Fan, David Rowley) 📜

• Allow query nodes to be run in parallel in more cases (Tom Lane) 📜

• Allow GROUP BY columns to be internally ordered to match ORDER BY (Andrei Lepikhov, Teodor Sigaev) 📜

  This can be disabled using server variable enable_group_by_reordering.

• Allow UNION (without ALL) to use MergeAppend (David Rowley) 📜

• Fix MergeAppend plans to more accurately compute the number of rows that need to be sorted (Alexander Kuzmenkov) 📜

• Allow GiST and SP-GiST indexes to be part of incremental sorts (Miroslav Bendik) 📜

  This is particularly useful for ORDER BY clauses where the first column has a GiST and SP-GiST index, and other columns do not.

• Add columns to pg_stats to report range-type histogram information (Egor Rogov, Soumyadeep Chakraborty) 📜

 Indexes (PG 17.0)

• Allow btree indexes to more efficiently find a set of values, such as those supplied by IN clauses using constants (Peter Geoghegan, Matthias van de Meent) 📜

• Allow BRIN indexes to be created using parallel workers (Tomas Vondra, Matthias van de Meent) 📜

 General Performance (PG 17.0)

• Allow vacuum to more efficiently remove and freeze tuples (Melanie Plageman, Heikki Linnakangas) 📜

  WAL traffic caused by vacuum is also more compact.

• Allow vacuum to more efficiently store tuple references (Masahiko Sawada, John Naylor) 📜 📜 📜 📜

  Additionally, vacuum is no longer silently limited to one gigabyte of memory when maintenance_work_mem or autovacuum_work_mem are higher.

• Optimize vacuuming of relations with no indexes (Melanie Plageman) 📜

• Increase default vacuum_buffer_usage_limit to 2MB (Thomas Munro) 📜

• Improve performance when checking roles with many memberships (Nathan Bossart) 📜

• Improve performance of heavily-contended WAL writes (Bharath Rupireddy) 📜

• Improve performance when transferring large blocks of data to a client (Melih Mutlu) 📜

• Allow the grouping of file system reads with the new system variable io_combine_limit (Thomas Munro, Andres Freund, Melanie Plageman, Nazir Bilal Yavuz) 📜 📜 📜

 Monitoring (PG 17.0)

• Create system view pg_stat_checkpointer (Bharath Rupireddy, Anton A. Melnikov, Alexander Korotkov) 📜 📜 📜

  Relevant columns have been removed from pg_stat_bgwriter and added to this new system view.

• Improve control over resetting statistics (Atsushi Torikoshi, Bharath Rupireddy) 📜 📜 📜

  Allow pg_stat_reset_shared() (with no arguments) and pg_stat_reset_shared(NULL) to reset all shared statistics. Allow pg_stat_reset_shared('slru') and pg_stat_reset_slru() (with no arguments) to reset SLRU statistics, which was already possible with pg_stat_reset_slru (NULL).

• Add log messages related to WAL recovery from backups (Andres Freund) 📜

• Add log_connections log line for trust connections (Jacob Champion) 📜

• Add log message to report walsender acquisition and release of replication slots (Bharath Rupireddy) 📜

  This is enabled by the server variable log_replication_commands.

• Add system view pg_wait_events that reports wait event types (Bertrand Drouvot) 📜

  This is useful for adding descriptions to wait events reported in pg_stat_activity.

• Add wait events for checkpoint delays (Thomas Munro) 📜

• Allow vacuum to report the progress of index processing (Sami Imseih) 📜

  This appears in system view pg_stat_progress_vacuum columns indexes_total and indexes_processed.

 Privileges (PG 17.0)

• Allow granting the right to perform maintenance operations (Nathan Bossart) 📜

  The permission can be granted on a per-table basis using the MAINTAIN privilege and on a per-role basis via the pg_maintain predefined role. Permitted operations are VACUUM, ANALYZE, REINDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and LOCK TABLE.

• Allow roles with pg_monitor membership to execute pg_current_logfile() (Pavlo Golub, Nathan Bossart) 📜

 Server Configuration (PG 17.0)

• Add system variable allow_alter_system to disallow ALTER SYSTEM (Jelte Fennema-Nio, Gabriele Bartolini) 📜

• Allow ALTER SYSTEM to set unrecognized custom server variables (Tom Lane) 📜

  This is also possible with GRANT ON PARAMETER.

• Add server variable transaction_timeout to restrict the duration of transactions (Andrey Borodin, Japin Li, Junwang Zhao, Alexander Korotkov) 📜 📜 📜

• Add a builtin platform-independent collation provider (Jeff Davis) 📜 📜 📜 📜

  This supports C and C.UTF-8 collations.

• Add server variable huge_pages_status to report the use of huge pages by Postgres (Justin Pryzby) 📜

  This is useful when huge_pages is set to try.

• Add server variable to disable event triggers (Daniel Gustafsson) 📜

  The setting, event_triggers, allows for the temporary disabling of event triggers for debugging.

• Allow the SLRU cache sizes to be configured (Andrey Borodin, Dilip Kumar, �lvaro Herrera) 📜

  The new server variables are commit_timestamp_buffers, multixact_member_buffers, multixact_offset_buffers, notify_buffers, serializable_buffers, subtransaction_buffers, and transaction_buffers. commit_timestamp_buffers, transaction_buffers, and subtransaction_buffers scale up automatically with shared_buffers.

 Streaming Replication and Recovery (PG 17.0)

• Add support for incremental file system backup (Robert Haas, Jakub Wartak, Tomas Vondra) 📜 📜

  Incremental backups can be created using pg_basebackup's new --incremental option. The new application pg_combinebackup allows manipulation of base and incremental file system backups.

• Allow the creation of WAL summarization files (Robert Haas, Nathan Bossart, Hubert Depesz Lubaczewski) 📜 📜 📜 📜

  These files record the block numbers that have changed within an LSN range and are useful for incremental file system backups. This is controlled by the server variables summarize_wal and wal_summary_keep_time, and introspected with pg_available_wal_summaries(), pg_wal_summary_contents(), and pg_get_wal_summarizer_state().

• Add the system identifier to file system backup manifest files (Amul Sul) 📜

  This helps detect invalid WAL usage.

• Allow connection string value dbname to be written when pg_basebackup writes connection information to postgresql.auto.conf (Vignesh C, Hayato Kuroda) 📜

• Add column pg_replication_slots.invalidation_reason to report the reason for invalid slots (Shveta Malik, Bharath Rupireddy) 📜 📜

• Add column pg_replication_slots.inactive_since to report slot inactivity duration (Bharath Rupireddy) 📜 📜 📜

• Add function pg_sync_replication_slots() to synchronize logical replication slots (Hou Zhijie, Shveta Malik, Ajin Cherian, Peter Eisentraut) 📜 📜

• Add the failover property to the replication protocol (Hou Zhijie, Shveta Malik) 📜

 Logical Replication (PG 17.0)

• Add application pg_createsubscriber to create a logical replica from a physical standby server (Euler Taveira) 📜

• Have pg_upgrade migrate valid logical slots and subscriptions (Hayato Kuroda, Hou Zhijie, Vignesh C, Julien Rouhaud, Shlok Kyal) 📜 📜

  This allows logical replication to continue quickly after the upgrade. This only works for old PostgreSQL clusters that are version 17 or later.

• Enable the failover of logical slots (Hou Zhijie, Shveta Malik, Ajin Cherian) 📜

  This is controlled by an optional fifth argument to pg_create_logical_replication_slot().

• Add server variable sync_replication_slots to enable failover logical slot synchronization (Shveta Malik, Hou Zhijie, Peter Smith) 📜 📜

• Add logical replication failover control to CREATE/ALTER SUBSCRIPTION (Shveta Malik, Hou Zhijie, Ajin Cherian) 📜 📜

• Allow the application of logical replication changes to use hash indexes on the subscriber (Hayato Kuroda) 📜

  Previously only btree indexes could be used for this purpose.

• Improve logical decoding performance in cases where there are many subtransactions (Masahiko Sawada) 📜

• Restart apply workers if subscription owner's superuser privileges are revoked (Vignesh C) 📜

  This forces reauthentication.

• Add flush option to pg_logical_emit_message() (Michael Paquier) 📜

  This makes the message durable.

• Allow specification of physical standbys that must be synchronized before they are visible to subscribers (Hou Zhijie, Shveta Malik) 📜 📜

  The new server variable is synchronized_standby_slots.

• Add worker type column to pg_stat_subscription (Peter Smith) 📜

 Utility Commands (PG 17.0)

• Add new COPY option ON_ERROR ignore to discard error rows (Damir Belyalov, Atsushi Torikoshi, Alex Shulgin, Jian He, Yugo Nagata) 📜 📜 📜 📜

  The default behavior is ON_ERROR stop.

• Add new COPY option LOG_VERBOSITY which reports COPY FROM ignored error rows (Bharath Rupireddy) 📜

• Allow COPY FROM to report the number of skipped rows during processing (Atsushi Torikoshi) 📜

  This appears in system view column pg_stat_progress_copy.tuples_skipped.

• In COPY FROM, allow easy specification that all columns should be forced null or not null (Zhang Mingli) 📜

• Allow partitioned tables to have identity columns (Ashutosh Bapat) 📜

• Allow exclusion constraints on partitioned tables (Paul A. Jungwirth) 📜

  As long as exclusion constraints compare partition key columns for equality, other columns can use exclusion constraint-specific comparisons.

• Add clearer ALTER TABLE method to set a column to the default statistics target (Peter Eisentraut) 📜

  The new syntax is ALTER TABLE ... SET STATISTICS DEFAULT; using SET STATISTICS -1 is still supported.

• Allow ALTER TABLE to change a column's generation expression (Amul Sul) 📜

  The syntax is ALTER TABLE ... ALTER COLUMN ... SET EXPRESSION.

• Allow specification of table access methods on partitioned tables (Justin Pryzby, Soumyadeep Chakraborty, Michael Paquier) 📜 📜

• Add DEFAULT setting for ALTER TABLE .. SET ACCESS METHOD (Michael Paquier) 📜

• Add support for event triggers that fire at connection time (Konstantin Knizhnik, Mikhail Gribkov) 📜

• Add event trigger support for REINDEX (Garrett Thornburg, Jian He) 📜

• Allow parenthesized syntax for CLUSTER options if a table name is not specified (Nathan Bossart) 📜

 EXPLAIN (PG 17.0)

• Allow EXPLAIN to report optimizer memory usage (Ashutosh Bapat) 📜

  The option is called MEMORY.

• Add EXPLAIN option SERIALIZE to report the cost of converting data for network transmission (Stepan Rutz, Matthias van de Meent) 📜

• Add local I/O block read/write timing statistics to EXPLAIN's BUFFERS output (Nazir Bilal Yavuz) 📜

• Improve EXPLAIN's display of SubPlan nodes and output parameters (Tom Lane, Dean Rasheed) 📜

• Add JIT deform_counter details to EXPLAIN (Dmitry Dolgov) 📜

 Data Types (PG 17.0)

• Allow the interval data type to support +/-infinity values (Joseph Koshakow, Jian He, Ashutosh Bapat) 📜

• Allow the use of an ENUM added via ALTER TYPE if the type was created in the same transaction (Tom Lane) 📜

  This was previously disallowed.

 MERGE (PG 17.0)

• Allow MERGE to modify updatable views (Dean Rasheed) 📜

• Add WHEN NOT MATCHED BY SOURCE to MERGE (Dean Rasheed) 📜

  WHEN NOT MATCHED on target rows was already supported.

• Allow MERGE to use the RETURNING clause (Dean Rasheed) 📜

  The new RETURNING function merge_action() reports on the DML that generated the row.

 Functions (PG 17.0)

• Add function JSON_TABLE() to convert JSON data to a table representation (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Andrew Dunstan, Amit Langote, Jian He) 📜 📜

  This function can be used in the FROM clause of SELECT queries as a tuple source.

• Add SQL/JSON constructor functions JSON(), JSON_SCALAR(), and JSON_SERIALIZE() (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Andrew Dunstan, Amit Langote) 📜

• Add SQL/JSON query functions JSON_EXISTS(), JSON_QUERY(), and JSON_VALUE() (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Andrew Dunstan, Amit Langote, Peter Eisentraut, Jian He) 📜 📜 📜 📜 📜

• Add jsonpath methods to convert JSON values to other JSON data types (Jeevan Chalke) 📜

  The jsonpath methods are .bigint(), .boolean(), .date(), .decimal([precision [, scale]]), .integer(), .number(), .string(), .time(), .time_tz(), .timestamp(), and .timestamp_tz().

• Add to_timestamp() time zone format specifiers (Tom Lane) 📜

  TZ accepts time zone abbreviations or numeric offsets, while OF accepts only numeric offsets.

• Allow the session time zone to be specified by AS LOCAL (Vik Fearing) 📜

  This is useful when converting adding and removing time zones from time stamps values, rather than specifying the literal session time zone.

• Add functions uuid_extract_timestamp() and uuid_extract_version() to return UUID information (Andrey Borodin) 📜

• Add functions to generate random numbers in a specified range (Dean Rasheed) 📜

  The functions are random(min, max) and they take values of type integer, bigint, and numeric.

• Add functions to convert integers to binary and octal strings (Eric Radman, Nathan Bossart) 📜

  The functions are to_bin() and to_oct().

• Add Unicode informational functions (Jeff Davis) 📜

  Function unicode_version() returns the Unicode version, icu_unicode_version() returns the ICU version, and unicode_assigned() returns if the characters are assigned Unicode codepoints.

• Add function xmltext() to convert text to a single XML text node (Jim Jones) 📜

• Add function to_regtypemod() to return the type modifier of a type specification (David Wheeler, Erik Wienhold) 📜

• Add pg_basetype() function to return a domain's base type (Steve Chavez) 📜

• Add function pg_column_toast_chunk_id() to return a value's TOAST identifier (Yugo Nagata) 📜

  This returns NULL if the value is not stored in TOAST.

 PL/pgSQL (PG 17.0)

• Allow plpgsql %TYPE and %ROWTYPE specifications to represent arrays of non-array types (Quan Zongliang, Pavel Stehule) 📜

• Allow plpgsql %TYPE specification to reference composite column (Tom Lane) 📜

 libpq (PG 17.0)

• Add libpq function to change role passwords (Joe Conway) 📜

  The new function, PQchangePassword(), hashes the new password before sending it to the server.

• Add libpq functions to close portals and prepared statements (Jelte Fennema-Nio) 📜

  The functions are PQclosePrepared(), PQclosePortal(), PQsendClosePrepared(), and PQsendClosePortal().

• Add libpq API which allows for blocking and non-blocking cancel requests, with encryption if already in use (Jelte Fennema-Nio) 📜

  Previously only blocking, unencrypted cancel requests were supported.

• Add libpq function PQsocketPoll() to allow polling of network sockets (Tristan Partin, Tom Lane) 📜 📜

• Add libpq function PQsendPipelineSync() to send a pipeline synchronization point (Anton Kirilov) 📜

  This is similar to PQpipelineSync() but it does not flush to the server unless the size threshold of the output buffer is reached.

• Add libpq function PQsetChunkedRowsMode() to allow retrieval of results in chunks (Daniel Vérité) 📜

• Allow TLS connections without requiring a network round-trip negotiation (Greg Stark, Heikki Linnakangas, Peter Eisentraut, Michael Paquier, Daniel Gustafsson) 📜 📜 📜 📜 📜 📜 📜 📜

  This is enabled with the client-side option sslnegotiation=direct, requires ALPN, and only works on PostgreSQL 17 and later servers.

 psql (PG 17.0)

• Improve psql display of default and empty privileges (Erik Wienhold, Laurenz Albe) 📜

  Command \dp now displays (none) for empty privileges; default still displays as empty.

• Have backslash commands honor \pset null (Erik Wienhold, Laurenz Albe) 📜

  Previously \pset null was ignored.

• Allow psql's \watch to stop after a minimum number of rows returned (Greg Sabino Mullane) 📜

  The parameter is min_rows.

• Allow psql connection attempts to be canceled with control-C (Tristan Partin) 📜

• Allow psql to honor FETCH_COUNT for non-SELECT queries (Daniel Vérité) 📜

• Improve psql tab completion (Dagfinn Ilmari Mannsåker, Gilles Darold, Christoph Heiss, Steve Chavez, Vignesh C, Pavel Borisov, Jian He) 📜 📜 📜 📜 📜 📜 📜 📜

 Server Applications (PG 17.0)

• Add application pg_walsummary to dump WAL summary files (Robert Haas) 📜

• Allow pg_dump's large objects to be restorable in batches (Tom Lane) 📜

  This allows the restoration of many large objects to avoid transaction limits and to be restored in parallel.

• Add pg_dump option --exclude-extension (Ayush Vatsa) 📜

• Allow pg_dump, pg_dumpall, and pg_restore to specify include/exclude objects in a file (Pavel Stehule, Daniel Gustafsson) 📜

  The option is called --filter.

• Add the --sync-method parameter to several client applications (Justin Pryzby, Nathan Bossart) 📜

  The applications are initdb, pg_basebackup, pg_checksums, pg_dump, pg_rewind, and pg_upgrade.

• Add pg_restore option --transaction-size to allow object restores in transaction batches (Tom Lane) 📜

  This allows the performance benefits of transaction batches without the problems of excessively large transaction blocks.

• Change pgbench debug mode option from -d to --debug (Greg Sabino Mullane) 📜

  Option -d is now used for the database name, and the new --dbname option can be used as well.

• Add pgbench option --exit-on-abort to exit after any client aborts (Yugo Nagata) 📜

• Add pgbench command \syncpipeline to allow sending of sync messages (Anthonin Bonnefoy) 📜

• Allow pg_archivecleanup to remove backup history files (Atsushi Torikoshi) 📜

  The option is --clean-backup-history.

• Add some long options to pg_archivecleanup (Atsushi Torikoshi) 📜

  The long options are --debug, --dry-run, and --strip-extension.

• Allow pg_basebackup and pg_receivewal to use dbname in their connection specification (Jelte Fennema-Nio) 📜

  This is useful for connection poolers that are sensitive to the database name.

• Add pg_upgrade option --copy-file-range (Thomas Munro) 📜

  This is supported on Linux and FreeBSD.

• Allow reindexdb --index to process indexes from different tables in parallel (Maxim Orlov, Svetlana Derevyanko, Alexander Korotkov) 📜

• Allow reindexdb, vacuumdb, and clusterdb to process objects in all databases matching a pattern (Nathan Bossart) 📜 📜 📜

  The new option --all controls this behavior.

 Source Code (PG 17.0)

• Remove support for OpenSSL 1.0.1 (Michael Paquier) 📜

• Allow tests to pass in OpenSSL FIPS mode (Peter Eisentraut) 📜 📜

• Use CPU AVX-512 instructions for bit counting (Paul Amonson, Nathan Bossart, Ants Aasma) 📜 📜

• Require LLVM version 10 or later (Thomas Munro) 📜

• Use native CRC instructions on 64-bit LoongArch CPUs (Xudong Yang) 📜

• Remove AIX support (Heikki Linnakangas) 📜

• Remove the Microsoft Visual Studio-specific PostgreSQL build option (Michael Paquier) 📜

  Meson is now the only available method for Visual Studio builds.

• Remove configure option --disable-thread-safety (Thomas Munro, Heikki Linnakangas) 📜 📜

  We now assume all supported platforms have sufficient thread support.

• Remove configure option --with-CC (Heikki Linnakangas) 📜

  Setting the CC environment variable is now the only supported method for specifying the compiler.

• User-defined data type receive functions will no longer receive their data null-terminated (David Rowley) 📜

• Add incremental JSON parser for use with huge JSON documents (Andrew Dunstan) 📜

• Convert top-level README file to Markdown (Nathan Bossart) 📜

• Remove no longer needed top-level INSTALL file (Tom Lane) 📜

• Remove make's distprep option (Peter Eisentraut) 📜

• Add make support for Android shared libraries (Peter Eisentraut) 📜

• Add backend support for injection points (Michael Paquier) 📜 📜 📜 📜

  This is used for server debugging and they must be enabled at server compile time.

• Add dynamic shared memory registry (Nathan Bossart) 📜

  This allows shared libraries which are not initialized at startup to coordinate dynamic shared memory access.

• Fix emit_log_hook to use the same time value as other log records for the same query (Kambam Vinay, Michael Paquier) 📜

• Improve documentation for using jsonpath for predicate checks (David Wheeler) 📜

 Additional Modules (PG 17.0)

• Allow joins with non-join qualifications to be pushed down to foreign servers and custom scans (Richard Guo, Etsuro Fujita) 📜

  Foreign data wrappers and custom scans will need to be modified to handle these cases.

• Allow pushdown of EXISTS and IN subqueries to postgres_fdw foreign servers (Alexander Pyhalov) 📜

• Increase the default foreign data wrapper tuple cost (David Rowley, Umair Shahid) 📜 📜

  This value is used by the optimizer.

• Allow dblink database operations to be interrupted (Noah Misch) 📜

• Allow the creation of hash indexes on ltree columns (Tommy Pavlicek) 📜

  This also enables hash join and hash aggregation on ltree columns.

• Allow unaccent character translation rules to contain whitespace and quotes (Michael Paquier) 📜

  The syntax for the unaccent.rules file has changed.

• Allow amcheck to check for unique constraint violations using new option --checkunique (Anastasia Lubennikova, Pavel Borisov, Maxim Orlov) 📜

• Allow citext tests to pass in OpenSSL FIPS mode (Peter Eisentraut) 📜

• Allow pgcrypto tests to pass in OpenSSL FIPS mode (Peter Eisentraut) 📜

• Remove some unused SPI macros (Bharath Rupireddy) 📜

• Remove adminpack contrib extension (Daniel Gustafsson) 📜

  This was used by now end-of-life pgAdmin III.

• Allow ALTER OPERATOR to set more optimization attributes (Tommy Pavlicek) 📜

  This is useful for extensions.

• Allow extensions to define custom wait events (Masahiro Ikeda) 📜 📜 📜 📜

  Custom wait events have been added to postgres_fdw and dblink.

• Add pg_buffercache function pg_buffercache_evict() to allow shared buffer eviction (Palak Chaturvedi, Thomas Munro) 📜

  This is useful for testing.

 pg_stat_statements (PG 17.0)

• Replace CALL parameters in pg_stat_statements with placeholders (Sami Imseih) 📜

• Replace savepoint names stored in pg_stat_statements with placeholders (Greg Sabino Mullane) 📜

  This greatly reduces the number of entries needed to record SAVEPOINT, RELEASE SAVEPOINT, and ROLLBACK TO SAVEPOINT commands.

• Replace the two-phase commit GIDs stored in pg_stat_statements with placeholders (Michael Paquier) 📜

  This greatly reduces the number of entries needed to record PREPARE TRANSACTION, COMMIT PREPARED, and ROLLBACK PREPARED.

• Track DEALLOCATE in pg_stat_statements (Dagfinn Ilmari Mannsåker, Michael Paquier) 📜

  DEALLOCATE names are stored in pg_stat_statements as placeholders.

• Add local I/O block read/write timing statistics columns of pg_stat_statements (Nazir Bilal Yavuz) 📜 📜

  The new columns are local_blk_read_time and local_blk_write_time.

• Add JIT deform_counter details to pg_stat_statements (Dmitry Dolgov) 📜

• Add optional fourth argument (minmax_only) to pg_stat_statements_reset() to allow for the resetting of only min/max statistics (Andrei Zubkov) 📜

  This argument defaults to false.

• Add pg_stat_statements columns stats_since and minmax_stats_since to track entry creation time and last min/max reset time (Andrei Zubkov) 📜

 Acknowledgments

The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.

• Abhijit Menon-Sen
• Adnan Dautovic
• Aidar Imamov
• Ajin Cherian
• Akash Shankaran
• Akshat Jaimini
• Alaa Attya
• Aleksander Alekseev
• Aleksej Orlov
• Alena Rybakina
• Alex Hsieh
• Alex Malek
• Alex Shulgin
• Alex Work
• Alexander Korotkov
• Alexander Kozhemyakin
• Alexander Kuzmenkov
• Alexander Lakhin
• Alexander Pyhalov
• Alexey Palazhchenko
• Alfons Kemper
• Álvaro Herrera
• Amadeo Gallardo
• Amit Kapila
• Amit Langote
• Amul Sul
• Anastasia Lubennikova
• Anatoly Zaretsky
• Andreas Karlsson
• Andreas Ulbrich
• Andrei Lepikhov
• Andrei Zubkov
• Andres Freund
• Andrew Alsup
• Andrew Atkinson
• Andrew Bille
• Andrew Dunstan
• Andrew Kane
• Andrey Borodin
• Andrey Rachitskiy
• Andrey Sokolov
• Andy Fan
• Anthonin Bonnefoy
• Anthony Hsu
• Anton Kirilov
• Anton Melnikov
• Anton Voloshin
• Antonin Houska
• Ants Aasma
• Antti Lampinen
• Aramaki Zyake
• Artem Anisimov
• Artur Zakirov
• Ashutosh Bapat
• Ashutosh Sharma
• Atsushi Torikoshi
• Attila Gulyás
• Ayush Tiwari
• Ayush Vatsa
• Bartosz Chrol
• Benoît Ryder
• Bernd Helmle
• Bertrand Drouvot
• Bharath Rupireddy
• Bo Andreson
• Boshomi Phenix
• Bowen Shi
• Boyu Yang
• Bruce Momjian
• Cameron Vogt
• Cary Huang
• Cédric Villemain
• Changhong Fei
• Chantal Keller
• Chapman Flack
• Chengxi Sun
• Chris Travers
• Christian Maurer
• Christian Stork
• Christoph Berg
• Christoph Heiss
• Christophe Courtois
• Christopher Kline
• Claudio Freire
• Colin Caine
• Corey Huinker
• Curt Kolovson
• Dag Lem
• Dagfinn Ilmari Mannsåker
• Damir Belyalov
• Daniel Fredouille
• Daniel Gustafsson
• Daniel Shelepanov
• Daniel Vérité
• Daniel Westermann
• Darren Rush
• Dave Cramer
• Dave Page
• David Christensen
• David Cook
• David G. Johnston
• David Geier
• David Hillman
• David Perez
• David Rowley
• David Steele
• David Wheeler
• David Zhang
• Dean Rasheed
• Denis Erokhin
• Denis Laxalde
• Devrim Gündüz
• Dilip Kumar
• Dimitrios Apostolou
• Dmitry Dolgov
• Dmitry Koval
• Dmitry Vasiliev
• Dominique Devienne
• Dong Wook Lee
• Donghang Lin
• Dongming Liu
• Drew Callahan
• Drew Kimball
• Dzmitry Jachnik
• Egor Chindyaskin
• Egor Rogov
• Ekaterina Kiryanova
• Elena Indrupskaya
• Elizabeth Christensen
• Emre Hasegeli
• Eric Cyr
• Eric Mutta
• Eric Radman
• Eric Ridge
• Erik Rijkers
• Erik Wienhold
• Erki Eessaar
• Ethan Mertz
• Etsuro Fujita
• Eugen Konkov
• Euler Taveira
• Evan Macbeth
• Evgeny Morozov
• Fabien Coelho
• Fabrízio de Royes Mello
• Farias de Oliveira
• Feliphe Pozzer
• Fire Emerald
• Flavien Guedez
• Floris Van Nee
• Francesco Degrassi
• Frank Streitzig
• Gabriele Bartolini
• Garrett Thornburg
• Gavin Flower
• Gavin Panella
• Gilles Darold
• Gilles Parc
• Grant Gryczan
• Greg Nancarrow
• Greg Sabino Mullane
• Greg Stark
• Gurjeet Singh
• Haiying Tang
• Hajime Matsunaga
• Hal Takahara
• Hanefi Onaldi
• Hannu Krosing
• Hans Buschmann
• Hao Wu
• Hao Zhang
• Hayato Kuroda
• Heikki Linnakangas
• Hemanth Sandrana
• Himanshu Upadhyaya
• Hironobu Suzuki
• Holger Reise
• Hongxu Ma
• Hongyu Song
• Horst Reiterer
• Hubert Lubaczewski
• Hywel Carver
• Ian Barwick
• Ian Ilyasov
• Ilya Nenashev
• Isaac Morland
• Israel Barth Rubio
• Ivan Kartyshov
• Ivan Kolombet
• Ivan Lazarev
• Ivan Panchenko
• Ivan Trofimov
• Jacob Champion
• Jacob Speidel
• Jacques Combrink
• Jaime Casanova
• Jakub Wartak
• James Coleman
• James Pang
• Jani Rahkola
• Japin Li
• Jeevan Chalke
• Jeff Davis
• Jeff Janes
• Jelte Fennema-Nio
• Jeremy Schneider
• Jian Guo
• Jian He
• Jim Jones
• Jim Keener
• Jim Nasby
• Jingtang Zhang
• Jingxian Li
• Jingzhou Fu
• Joe Conway
• Joel Jacobson
• John Ekins
• John Hsu
• John Morris
• John Naylor
• John Russell
• Jonathan Katz
• Jordi Gutiérrez
• Joseph Koshakow
• Josh Kupershmidt
• Joshua D. Drake
• Joshua Uyehara
• Jubilee Young
• Julien Rouhaud
• Junwang Zhao
• Justin Pryzby
• Kaido Vaikla
• Kambam Vinay
• Karen Talarico
• Karina Litskevich
• Karl O. Pinc
• Kashif Zeeshan
• Kim Johan Andersson
• Kirill Reshke
• Kirk Parker
• Kirk Wolak
• Kisoon Kwon
• Koen De Groote
• Kohei KaiGai
• Kong Man
• Konstantin Knizhnik
• Kouhei Sutou
• Krishnakumar R
• Kuntal Ghosh
• Kurt Roeckx
• Kyotaro Horiguchi
• Lang Liu
• Lars Kanis
• Laurenz Albe
• Lauri Laanmets
• Legs Mansion
• Lukas Fittl
• Magnus Hagander
• Mahendrakar Srinivasarao
• Maiquel Grassi
• Manos Emmanouilidis
• Marcel Hofstetter
• Marcos Pegoraro
• Marian Krucina
• Marina Polyakova
• Mark Dilger
• Mark Guertin
• Mark Sloan
• Markus Winand
• Marlene Reiterer
• Martín Marqués
• Martin Nash
• Martin Schlossarek
• Masahiko Sawada
• Masahiro Ikeda
• Masaki Kuwamura
• Masao Fujii
• Mason Sharp
• Matheus Alcantara
• Mats Kindahl
• Matthias Kuhn
• Matthias van de Meent
• Maxim Boguk
• Maxim Orlov
• Maxim Yablokov
• Maxime Boyer
• Melanie Plageman
• Melih Mutlu
• Merlin Moncure
• Micah Gate
• Michael Banck
• Michael Bondarenko
• Michael Paquier
• Michael Wang
• Michael Zhilin
• Michail Nikolaev
• Michal Bartak
• Michal Kleczek
• Mikhail Gribkov
• Mingli Zhang
• Miroslav Bendik
• Mitsuru Hinata
• Moaaz Assali
• Muralikrishna Bandaru
• Nathan Bossart
• Nazir Bilal Yavuz
• Neil Tiffin
• Ngigi Waithaka
• Nikhil Benesch
• Nikhil Raj
• Nikita Glukhov
• Nikita Kalinin
• Nikita Malakhov
• Nikolay Samokhvalov
• Nikolay Shaplov
• Nisha Moond
• Nishant Sharma
• Nitin Jadhav
• Noah Misch
• Noriyoshi Shinoda
• Ole Peder Brandtzæg
• Oleg Bartunov
• Oleg Sibiryakov
• Oleg Tselebrovskiy
• Olleg Samoylov
• Onder Kalaci
• Ondrej Navratil
• Pablo Kharo
• Palak Chaturvedi
• Pantelis Theodosiou
• Paul Amonson
• Paul Jungwirth
• Pavel Borisov
• Pavel Kulakov
• Pavel Luzanov
• Pavel Stehule
• Pavlo Golub
• Pedro Gallegos
• Pete Storer
• Peter Eisentraut
• Peter Geoghegan
• Peter Smith
• Philip Warner
• Philipp Salvisberg
• Pierre Ducroquet
• Pierre Fortin
• Przemyslaw Sztoch
• Quynh Tran
• Raghuveer Devulapalli
• Ranier Vilela
• Reid Thompson
• Rian McGuire
• Richard Guo
• Richard Vesely
• Ridvan Korkmaz
• Robert Haas
• Robert Scott
• Robert Treat
• Roberto Mello
• Robins Tharakan
• Roman Lozko
• Ronan Dunklau
• Rui Zhao
• Ryo Matsumura
• Ryoga Yoshida
• Sameer Kumar
• Sami Imseih
• Samuel Dussault
• Sanjay Minni
• Satoru Koizumi
• Sebastian Skalacki
• Sergei Glukhov
• Sergei Kornilov
• Sergey Prokhorenko
• Sergey Sargsyan
• Sergey Shinderuk
• Shaozhong Shi
• Shaun Thomas
• Shay Rojansky
• Shihao Zhong
• Shinya Kato
• Shlok Kyal
• Shruthi Gowda
• Shubham Khanna
• Shulin Zhou
• Shveta Malik
• Simon Riggs
• Soumyadeep Chakraborty
• Sravan Velagandula
• Stan Hu
• Stepan Neretin
• Stepan Rutz
• Stéphane Schildknecht
• Stephane Tachoires
• Stephen Frost
• Steve Atkins
• Steve Chavez
• Suraj Khamkar
• Suraj Kharage
• Svante Richter
• Svetlana Derevyanko
• Sylvain Frandaz
• Takayuki Tsunakawa
• Tatsuo Ishii
• Tatsuro Yamada
• Tender Wang
• Teodor Sigaev
• Thom Brown
• Thomas Munro
• Tim Carey-Smith
• Tim Needham
• Tim Palmer
• Tobias Bussmann
• Tom Lane
• Tomas Vondra
• Tommy Pavlicek
• Tomonari Katsumata
• Tristan Partin
• Tristen Raab
• Tung Nguyen
• Umair Shahid
• Uwe Binder
• Valerie Woolard
• Vallimaharajan G
• Vasya Boytsov
• Victor Wagner
• Victor Yegorov
• Victoria Shepard
• Vidushi Gupta
• Vignesh C
• Vik Fearing
• Viktor Leis
• Vinayak Pokale
• Vitaly Burovoy
• Vojtech Benes
• Wei Sun
• Wei Wang
• Wenjiang Zhang
• Will Mortensen
• Willi Mann
• Wolfgang Walther
• Xiang Liu
• Xiaoran Wang
• Xing Guo
• Xudong Yang
• Yahor Yuzefovich
• Yajun Hu
• Yaroslav Saburov
• Yong Li
• Yongtao Huang
• Yugo Nagata
• Yuhang Qiu
• Yuki Seino
• Yura Sokolov
• Yurii Rashkovskii
• Yuuki Fujii
• Yuya Watari
• Yves Colin
• Zhihong Yu
• Zhijie Hou
• Zongliang Quan
• Zubeyr Eryilmaz
• Zuming Jiang

Postgres version 16.8

Release date: 2025-02-20

This release contains a few fixes from 16.7. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.8

A dump/restore is not required for those running 16.X.

However, if you are upgrading from a version earlier than 16.5, see Version 16.5.

 Changes

• Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜

  The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.

  In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.

• Fix meson build system to correctly detect availability of the bsd_auth.h system header (Nazir Bilal Yavuz) 📜

Postgres version 16.7

Release date: 2025-02-13

This release contains a variety of fixes from 16.6. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.7

A dump/restore is not required for those running 16.X.

However, if you are upgrading from a version earlier than 16.5, see Version 16.5.

 Changes

• Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜

  Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.

  The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.

  This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.

  Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.

  The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)

• Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜

  Do not check datallowconn, rolcanlogin, and ACL_CONNECT privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections, datconnlimit, and rolconnlimit limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.

• Fix possible re-use of stale results in window aggregates (David Rowley) 📜

  A window aggregate with a “run condition” optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.

• Keep TransactionXmin in sync with MyProc->xmin (Heikki Linnakangas) 📜

  This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction” errors.

• Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜

  This could result, for example, in failure to use a newly-created function within an existing session.

• Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜

• Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜

  The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.

• Prevent checkpoints from starting during relation truncation (Robert Haas) 📜

  This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.

• Avoid possibly losing an update of pg_database.datfrozenxid when VACUUM runs concurrently with a REASSIGN OWNED that changes that database's owner (Kirill Reshke) 📜

• Fix incorrect tg_updatedcols values passed to AFTER UPDATE triggers (Tom Lane) 📜

  In some cases the tg_updatedcols bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.

  Also, prevent memory bloat caused by making too many copies of the tg_updatedcols bitmap.

• Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) 📜

  In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraint”.

• Fix mis-processing of to_timestamp's FFn format codes (Tom Lane) 📜

  An integer format code immediately preceding FFn would consume all available digits, leaving none for FFn.

• When deparsing an XMLTABLE() expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜

• Include the ldapscheme option in pg_hba_file_rules() output (Laurenz Albe) 📜 📜

• Don't merge UNION operations if their column collations aren't consistent (Tom Lane) 📜

  Previously we ignored collations when deciding if it's safe to merge UNION steps into a single N-way UNION operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.

• Prevent “wrong varnullingrels” planner errors after pulling up a subquery that's underneath an outer join (Tom Lane) 📜 📜

• Ignore nulling-relation marker bits when looking up statistics (Richard Guo) 📜

  This oversight could lead to failure to use relevant statistics about expressions, or to “corrupt MVNDistinct entry” errors.

• Fix missed expression processing for partition pruning steps (Tom Lane) 📜

  This oversight could lead to “unrecognized node type” errors, and perhaps other problems, in queries accessing partitioned tables.

• Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜

  This avoids errors like “invalid DSA memory alloc request size”. The case can occur for example in transactions that process several million tables.

• Avoid possible integer overflow in bringetbitmap() (James Hunter, Evgeniy Gorbanyov) 📜

  Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.

• Ensure that an already-set process latch doesn't prevent the postmaster from noticing socket events (Thomas Munro) 📜

  An extremely heavy workload of backends launching workers and workers exiting could prevent the postmaster from responding to incoming client connections in a timely fashion.

• Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜

  This would happen when the record's continuation is on a page that needs to be read from a different WAL source.

• Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜

  This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child process”.

• Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜

  In some cases a data type could be dropped while references to its OID still remain in pg_amop or pg_amproc. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY to prevent failure when dropping a family that has dangling members.

• Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜 📜

• Fix small memory leak when updating the application_name or cluster_name settings (Tofig Aliev) 📜

• Avoid integer overflow while testing wal_skip_threshold condition (Tom Lane) 📜

  A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold. (This only matters when wal_level is set to minimal, else a WAL copy is required anyway.)

• Fix unsafe order of operations during cache lookups (Noah Misch) 📜

  The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock” warning during GRANT TABLESPACE.

• Fix possible “failed to resolve name” failures when using JIT on older ARM platforms (Thomas Munro) 📜

  This could occur as a consequence of inconsistency about the default setting of -moutline-atomics between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.

• Fix assertion failure in WITH RECURSIVE ... UNION queries (David Rowley) 📜

• Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜

• Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜

• Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) 📜

• In NULLIF(), avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜

  The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF() result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.

• Ensure that expression preprocessing is applied to a default null value in INSERT (Tom Lane) 📜

  If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.

• Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜

  Repeated use of PLyPlan.execute or plpy.cursor resulted in memory leakage for the duration of the calling PL/Python function.

• Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜

• In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜

• In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN (Ryo Kanbayashi) 📜

  Previously, the intended warning was not issued due to a typo.

• Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜

  Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.

• Fix use of wrong version of pqsignal() in pgbench and psql (Fujii Masao, Tom Lane) 📜

  This error could lead to misbehavior when using the -T option in pgbench or the \watch command in psql, due to interrupted system calls not being resumed as expected.

• Fix misexecution of some nested \if constructs in pgbench (Michail Nikolaev) 📜

  An \if command appearing within a false (not-being-executed) \if branch was incorrectly treated the same as \elif.

• In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜

• Make pg_controldata more robust against corrupted pg_control files (Ilyasov Ian, Anton Voloshin) 📜

  Since pg_controldata will attempt to print the contents of pg_control even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.

• Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜

• Fix memory leak in pg_restore with zstd-compressed data (Tom Lane) 📜

  The leak was per-decompression-operation, so would be most noticeable with a dump containing many tables or large objects.

• Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜

• Use SQL-standard function bodies in the declarations of contrib/earthdistance's SQL-language functions (Tom Lane, Ronan Dunklau) 📜

  This change allows their references to contrib/cube to be resolved during extension creation, reducing the risk of search-path-based failures and possible attacks.

  In particular, this restores their usability in contexts like generated columns, for which PostgreSQL v17 restricts the search path on security grounds. We have received reports of databases failing to be upgraded to v17 because of that. This patch has been included in v16 to provide a workaround: updating the earthdistance extension to this version beforehand should allow an upgrade to succeed.

• Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜

  On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.

• Fix meson build system to support old OpenSSL libraries on Windows (Darek Slusarczyk) 📜

  Add support for the legacy library names ssleay32 and libeay32.

• In Windows builds using meson, ensure all libcommon and libpgport functions are exported (Vladlen Popolitov, Heikki Linnakangas) 📜 📜

  This fixes “unresolved external symbol” build errors for extensions.

• Fix meson configuration process to correctly detect OSSP's uuid.h header file under MSVC (Andrew Dunstan) 📜

• When building with meson, install pgevent in pkglibdir not bindir (Peter Eisentraut) 📜

  This matches the behavior of the make-based build system and the old MSVC build system.

• When building with meson, install sepgsql.sql under share/contrib/ not share/extension/ (Peter Eisentraut) 📜

  This matches what the make-based build system does.

• Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜

Postgres version 16.6

Release date: 2024-11-21

This release contains a few fixes from 16.5. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.6

A dump/restore is not required for those running 16.X.

However, if you are upgrading from a version earlier than 16.5, see Version 16.5.

 Changes

• Repair ABI break for extensions that work with struct ResultRelInfo (Tom Lane) 📜

  Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.

• Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch) 📜

  The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.

• Fix cases where a logical replication slot's restart_lsn could go backwards (Masahiko Sawada) 📜

  Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn value, in which case replication would fail to restart.

• Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) 📜

  Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.

• Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier) 📜

  These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once” errors.

• Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter (Masahiro Ikeda) 📜

• Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜

  Some forms of ALTER TABLE would fail if the table has an index with non-default operator class options.

• Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) 📜

  This bug does not appear to have any visible consequences in non-assert builds.

Postgres version 16.5

Release date: 2024-11-14

This release contains a variety of fixes from 16.4. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.5

A dump/restore is not required for those running 16.X.

However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.

Also, if you are upgrading from a version earlier than 16.3, see Version 16.3.

 Changes

• Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜

  If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.

  The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)

• Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜

  An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.

  The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)

• Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane) 📜 📜

  The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else.

  The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)

• Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜 📜 📜

  The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment.

  The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)

• Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera) 📜 📜

  If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too.

  The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.

  This query can be used to identify broken constraints and construct the commands needed to recreate them:

  SELECT conrelid::pg_catalog.regclass AS "constrained table",
         conname AS constraint,
         confrelid::pg_catalog.regclass AS "references",
         pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                           conrelid::pg_catalog.regclass, conname) AS "drop",
         pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                           conrelid::pg_catalog.regclass, conname,
                           pg_catalog.pg_get_constraintdef(oid)) AS "add"
  FROM pg_catalog.pg_constraint c
  WHERE contype = 'f' AND conparentid = 0 AND
     (SELECT count(*) FROM pg_catalog.pg_constraint c2
      WHERE c2.conparentid = c.oid) <>
     (SELECT count(*) FROM pg_catalog.pg_inherits i
      WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
        EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                WHERE partrelid = i.inhparent));
  

  Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.

• Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh) 📜 📜

• Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera) 📜 📜

  This arrangement is not supported, and other ways of creating it already fail.

• Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜

  Such plans could produce incorrect results.

• Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜

• Fix performance regressions involving flattening of subqueries underneath outer joins that are later reduced to plain joins (Tom Lane) 📜

  v16 failed to optimize some queries as well as prior versions had, because of overoptimistic simplification of query-pullup logic.

• Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) 📜

• Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane) 📜

• Fix server crash when a json_objectagg() call contains a volatile function (Amit Langote) 📜

• Fix checking of key uniqueness in JSON object constructors (Junwang Zhao, Tomas Vondra) 📜

  When building an object larger than a kilobyte, it was possible to accept invalid input that includes duplicate object keys, or to falsely report that duplicate keys are present.

• Fix detection of skewed data during parallel hash join (Thomas Munro) 📜

  After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.

• Disallow locale names containing non-ASCII characters (Thomas Munro) 📜

  This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that.

  Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR.

• Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜

  Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.

• Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen) 📜

  A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.

• Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang) 📜

  A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.

• Fix ways in which an “in place” catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜

  Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.

• Reset catalog caches at end of recovery (Noah Misch) 📜

  This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.

• Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜

  This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.

• Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih) 📜

  This allows more of the work done in extended query protocol to be attributed to the correct query.

• Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) 📜

  Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.

• Fix some whitespace issues in the result of XMLSERIALIZE(... INDENT) (Jim Jones) 📜

  Fix failure to indent nodes separated by whitespace, and ensure that a trailing newline is not added.

• Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev) 📜

  Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.

• Fix mis-deparsing of ORDER BY lists when there is a name conflict (Tom Lane) 📜

  If an ORDER BY item in SELECT is a bare identifier, the parser first seeks it as an output column name of the SELECT, for SQL92 compatibility. However, ruleutils.c expects the SQL99 interpretation where such a name is an input column name. So it was possible to produce an incorrect display of a view in the (rather ill-advised) case where some other column is renamed in the SELECT output list to match an input column used in ORDER BY. Fix by table-qualifying such names in the dumped view text.

• Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane) 📜 📜

  This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)

• Disallow a USING clause when altering the type of a generated column (Peter Eisentraut) 📜

  A generated column already has an expression specifying the column contents, so including USING doesn't make sense.

• Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane) 📜

  It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.

• Fix incorrect output of the pg_stat_io view on 32-bit machines (Bertrand Drouvot) 📜

  The stats_reset timestamp column contained garbage on such hardware.

• Prevent mis-encoding of “trailing junk after numeric literal” error messages (Karina Litskevich) 📜

  We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.

• Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) 📜 📜

• Reduce memory consumption of logical decoding (Masahiko Sawada) 📜

  Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.

• In a logical replication apply worker, ensure that origin progress is not advanced during an error or apply worker shutdown (Hayato Kuroda, Shveta Malik) 📜

  This avoids possible loss of a transaction, since once the origin progress point is advanced the source server won't send that data again.

• Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) 📜

  A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.

• Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) 📜 📜

• Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane) 📜

  Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.

• Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane) 📜

  As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.

• Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane) 📜

• Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas) 📜

  Thread safety is not currently a concern in the server, but it is for libpq.

• Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki) 📜

  The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.

• Avoid use of pnstrdup() in ecpglib (Jacob Champion) 📜

  That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.

• In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜

  It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.

• Fix memory leak in psql during repeated use of \bind (Michael Paquier) 📜

• Avoid hanging if an interval less than 1ms is specified in psql's \watch command (Andrey Borodin, Michael Paquier) 📜

  Instead, treat this the same as an interval of zero (no wait between executions).

• Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane) 📜

  Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.

• Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) 📜

  This was the intention to begin with, but a coding error caused the source history to always print as empty.

• Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜

  Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.

• Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa) 📜 📜

  This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.

• Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜

  When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.

• Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart) 📜

  On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.

• Fix building with Strawberry Perl on Windows (Andrew Dunstan) 📜

• Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜

  This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58.

  Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.

Postgres version 16.4

Release date: 2024-08-08

This release contains a variety of fixes from 16.3. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.4

A dump/restore is not required for those running 16.X.

However, if you are upgrading from a version earlier than 16.3, see Version 16.3.

 Changes

• Prevent unauthorized code execution during pg_dump (Masahiko Sawada)

  An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.

  The PostgreSQL Project thanks Noah Misch for reporting this problem. CVE-2024-7348 or CVE-2024-7348)

• Avoid incorrect results from Merge Right Anti Join plans (Richard Guo)

  If the inner relation is known to have unique join keys, the merge could misbehave when there are duplicated join keys in the outer relation.

• Prevent infinite loop in VACUUM (Melanie Plageman)

  After a disconnected standby server with an old running transaction reconnected to the primary, it was possible for VACUUM on the primary to get confused about which tuples are removable, resulting in an infinite loop.

• Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Álvaro Herrera)

• Fix ALTER TABLE DETACH PARTITION for cases involving inconsistent index-based constraints (Álvaro Herrera, Tender Wang)

  When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount value. This would cause trouble during any further manipulations of that constraint.

• Fix partition pruning setup during ALTER TABLE DETACH PARTITION CONCURRENTLY (Álvaro Herrera)

  The executor assumed that no partition could be detached between planning and execution of a query on a partitioned table. This is no longer true since the introduction of DETACH PARTITION's CONCURRENTLY option, making it possible for query execution to fail transiently when that is used.

• Correctly update a partitioned table's pg_class.reltuples field to zero after its last child partition is dropped (Noah Misch)

  The first ANALYZE on such a partitioned table must update relhassubclass as well, and that caused the reltuples update to be lost.

• Fix handling of polymorphic output arguments for procedures (Tom Lane)

  The SQL CALL statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelement”, or even outright crashes. (But CALL in PL/pgSQL worked correctly.)

• Fix behavior of stable functions called from a CALL statement's argument list (Tom Lane)

  If the CALL is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.

• Fix input of ISO-8601 “extended” time format for types time and timetz (Tom Lane)

  Re-allow cases such as T12:34:56.

• Detect integer overflow in money calculations (Joseph Koshakow)

  None of the arithmetic functions for the money type checked for overflow before, so they would silently give wrong answers for overflowing cases.

• Fix over-aggressive clamping of the scale argument in round(numeric) and trunc(numeric) (Dean Rasheed)

  These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric.

• Fix result for pg_size_pretty() when applied to the smallest possible bigint value (Joseph Koshakow)

• Prevent pg_sequence_last_value() from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)

  Make it return NULL in these cases instead of throwing an error.

• Fix parsing of ignored operators in websearch_to_tsquery() (Tom Lane)

  Per the manual, punctuation in the input of websearch_to_tsquery() is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or could cause or to be treated as a data word, rather than as an OR operator as expected.

• Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)

  Reject applying array dimensions [-2147483648:2147483647] to an empty array. This is closely related toCVE-2023-5869 or CVE-2023-5869, but appears harmless since the array still ends up empty.

• Fix unportable usage of strnxfrm() (Jeff Davis)

  Some code paths for non-deterministic collations could fail with errors like “pg_strnxfrm() returned unexpected result”.

• Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)

  An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database catalog, so the effects are narrow, but misbehavior is possible.

• Correctly check updatability of view columns targeted by INSERT ... DEFAULT (Tom Lane)

  If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N not found in view targetlist”.

• Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)

  Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE query does not have a self-reference within the second arm of the UNION, but does have one self-reference in some other place such as ORDER BY.

• Lock owned sequences during ALTER TABLE SET LOGGED|UNLOGGED (Noah Misch)

  These commands change the persistence of a table's owned sequences along with the table, but they failed to acquire lock on the sequences while doing so. This could result in losing the effects of concurrent nextval() calls.

• Don't throw an error if a queued AFTER trigger no longer exists (Tom Lane)

  It's possible for a transaction to execute an operation that queues a deferred AFTER trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN”. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.

• Fix failure to remove pg_init_privs entries for column-level privileges when their table is dropped (Tom Lane)

  If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.

• Fix selection of an arbiter index for ON CONFLICT when the desired index has expressions or predicates (Tom Lane)

  If a query using ON CONFLICT accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specification”, even though a matching index does exist.

• Refuse to modify a temporary table of another session with ALTER TABLE (Tom Lane)

  Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.

• Fix handling of extended statistics on expressions in CREATE TABLE LIKE STATISTICS (Tom Lane)

  The CREATE command failed to adjust column references in statistics expressions to the possibly-different column numbering of the new table. This resulted in invalid statistics objects that would cause problems later. A typical scenario where renumbering columns is needed is when the source table contains some dropped columns.

• Fix failure to recalculate sub-queries generated from MIN() or MAX() aggregates (Tom Lane)

  In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT that is implemented with hash aggregation, but other cases may exist.

• Re-forbid underscore in positional parameters (Erik Wienhold)

  As of v16 we allow integer literals to contain underscores. This change caused input such as $1_234 to be taken as a single token, but it did not work correctly. It seems better to revert to the original definition in which a parameter symbol is only $ followed by digits.

• Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)

  The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.

• Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)

  Notably, we now suppress “chunk is not well balanced” errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.

• Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)

  When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.

• Prevent incorrect initialization of logical replication slots (Masahiko Sawada)

  In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.

• Avoid “can only drop stats once” error during replication slot creation and drop (Floris Van Nee)

• Fix resource leakage in logical replication WAL sender (Hou Zhijie)

  The walsender process leaked memory when publishing changes to a partitioned table whose partitions have row types physically different from the partitioned table's.

• Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)

  The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.

• Prevent leakage of reference counts for the shared memory block used for statistics (Anthonin Bonnefoy)

  A new backend process attaching to the statistics shared memory incremented its reference count, but failed to decrement the count when exiting. After 2³² sessions had been created, the reference count would overflow to zero, causing failures in all subsequent backend process starts.

• Prevent deadlocks and assertion failures during truncation of the multixact SLRU log (Heikki Linnakangas)

  A process trying to delete SLRU segments could deadlock with the checkpointer process.

• Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)

  Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.

• Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)

  It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.

• Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)

  This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.

• When replanning a PL/pgSQL “simple expression”, check it's still simple (Tom Lane)

  Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node type”.

• Fix PL/pgSQL's handling of integer ranges containing underscores (Erik Wienhold)

  As of v16 we allow integer literals to contain underscores, but PL/pgSQL failed to handle examples such as FOR i IN 1_001..1_003.

• Fix recursive RECORD-returning PL/Python functions (Tom Lane)

  If we recurse to a new call of the same function that passes a different column definition list (AS clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.

• Don't corrupt PL/Python's TD dictionary during a recursive trigger call (Tom Lane)

  If a PL/Python-language trigger caused another one to be invoked, the TD dictionary created for the inner one would overwrite the outer one's TD dictionary.

• Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)

  Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.

• Avoid non-thread-safe usage of strerror() in libpq (Peter Eisentraut)

  Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.

• Avoid memory leak within pg_dump during a binary upgrade (Daniel Gustafsson)

• Ensure that pg_restore -l reports dependent TOC entries correctly (Tom Lane)

  If -l was specified together with selective-restore options such as -n or -N, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.

• Allow contrib/pg_stat_statements to distinguish among utility statements appearing within SQL-language functions (Anthonin Bonnefoy)

  The SQL-language function executor failed to pass along the query ID that is computed for a utility (non SELECT/INSERT/UPDATE/DELETE/MERGE) statement.

• Avoid “cursor can only scan forward” error in contrib/postgres_fdw (Etsuro Fujita)

  This error could occur if the remote server is v15 or later and a foreign table is mapped to a non-trivial remote view.

• In contrib/postgres_fdw, do not send FETCH FIRST WITH TIES clauses to the remote server (Japin Li)

  The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.

• Avoid clashing with system-provided <regex.h> headers (Thomas Munro)

  This fixes a compilation failure on macOS version 15 and up.

• Fix otherwise-harmless assertion failure in Memoize cost estimation (David Rowley)

• Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY applied to an SP-GiST index (Tom Lane)

Postgres version 16.3

Release date: 2024-05-09

This release contains a variety of fixes from 16.2. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.3

A dump/restore is not required for those running 16.X.

However, a security vulnerability was found in the system views pg_stats_ext and pg_stats_ext_exprs, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, follow the steps in the first changelog entry below to rectify it.

Also, if you are upgrading from a version earlier than 16.2, see Version 16.2.

 Changes

• Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (Nathan Bossart)

  These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.

  The PostgreSQL Project thanks Lukas Fittl for reporting this problem. CVE-2024-4317 or CVE-2024-4317)

  By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:

  1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of the PostgreSQL installation (typically located someplace like /usr/share/postgresql/). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix.

  2. In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like

     \i /usr/share/postgresql/fix-CVE-2024-4317.sql
     

     (adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.

  3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with

     ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
     

     and then after fixing template0, undo it with

     ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
     

• Fix INSERT from multiple VALUES rows into a target column that is a domain over an array or composite type (Tom Lane)

  Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.

• Require SELECT privilege on the target table for MERGE with a DO NOTHING clause (Álvaro Herrera)

  SELECT privilege would be required in all practical cases anyway, but require it even if the query reads no columns of the target table. This avoids an edge case in which MERGE would require no privileges whatever, which seems undesirable even when it's a do-nothing command.

• Fix handling of self-modified tuples in MERGE (Dean Rasheed)

  Throw an error if a target row joins to more than one source row, as required by the SQL standard. (The previous coding could silently ignore this condition if a concurrent update was involved.) Also, throw a non-misleading error if a target row is already updated by a later command in the current transaction, thanks to a BEFORE trigger or a volatile function used in the query.

• Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT clause (David Rowley)

  A NULL value satisfies a clause such as boolcol IS NOT FALSE, so pruning away a partition containing NULLs yielded incorrect answers.

• Make ALTER FOREIGN TABLE SET SCHEMA move any owned sequences into the new schema (Tom Lane)

  Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.

• Make ALTER TABLE ... ADD COLUMN create identity/serial sequences with the same persistence as their owning tables (Peter Eisentraut)

  CREATE UNLOGGED TABLE will make any owned sequences be unlogged too. ALTER TABLE missed that consideration, so that an added identity column would have a logged sequence, which seems pointless.

• Improve ALTER TABLE ... ALTER COLUMN TYPE's error message when there is a dependent function or publication (Tom Lane)

• In CREATE DATABASE, recognize strategy keywords case-insensitively for consistency with other options (Tomas Vondra)

• Fix EXPLAIN's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)

  Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.

• Fix EXPLAIN's output for subplans in MERGE (Dean Rasheed)

  EXPLAIN would sometimes fail to properly display subplan Params referencing variables in other parts of the plan tree.

• Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)

  If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.

• Fix updating of visibility map state in VACUUM with the DISABLE_PAGE_SKIPPING option (Heikki Linnakangas)

  Due to an oversight, this mode caused all heap pages to be dirtied, resulting in excess I/O. Also, visibility map bits that were incorrectly set would not get cleared.

• Avoid race condition while examining per-relation frozen-XID values (Noah Misch)

  VACUUM's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM.

• Fix buffer usage reporting for parallel vacuuming (Anthonin Bonnefoy)

  Buffer accesses performed by parallel workers were not getting counted in the statistics reported in VERBOSE mode.

• Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)

  In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL trees that have constant outputs for the join column in some SELECT arms.

• Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)

  This is similar to a fix applied in 16.1, but it solves the problem for parallel plans.

• Prevent potentially-incorrect optimization of some window functions (David Rowley)

  Disable “run condition” optimization of ntile() and count() with non-constant arguments. This avoids possible misbehavior with sub-selects, typically leading to errors like “WindowFunc not found in subplan target lists”.

• Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)

  When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.

• Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)

  This would typically end in a crash or unexpected error message.

• Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov)

  In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.

• Fix incorrectly-reported statistics kind codes in “requested statistics kind X is not yet built” error messages (David Rowley)

• Use a hash table instead of linear search for “catcache list” objects (Tom Lane)

  This change solves performance problems that were reported for certain operations in installations with many thousands of roles.

• Be more careful with RECORD-returning functions in FROM (Tom Lane)

  The output columns of such a function call must be defined by an AS clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.

• Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)

  A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.

• Add protective stack depth checks to some recursive functions (Egor Chindyaskin)

• Fix mis-rounding and overflow hazards in date_bin() (Moaaz Assali)

  In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.

• Detect integer overflow when adding or subtracting an interval to/from a timestamp (Joseph Koshakow)

  Some cases that should cause an out-of-range error produced an incorrect result instead.

• Avoid race condition in pg_get_expr() (Tom Lane)

  If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.

• Fix detection of old transaction IDs in XID status functions (Karina Litskevich)

  Transaction IDs more than 2³¹ transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status() or txid_status().

• Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau)

  Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a “could not read block” error.

• Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait (Etsuro Fujita)

• Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov)

• Throw an error if an index is accessed while it is being reindexed (Tom Lane)

  Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.

• Ensure that index-only scans on name columns return a fully-padded value (David Rowley)

  The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.

• Fix race condition that could lead to reporting an incorrect conflict cause when invalidating a replication slot (Bertrand Drouvot)

• Fix race condition in deciding whether a table sync operation is needed in logical replication (Vignesh C)

  An invalidation event arriving while a subscriber identifies which tables need to be synced would be forgotten about, so that any tables newly in need of syncing might not get processed in a timely fashion.

• Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)

• Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)

  It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.

• Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)

  System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.

• Fix thread-safety of error reporting for getaddrinfo() on Windows (Thomas Munro)

  A multi-threaded libpq client program could get an incorrect or corrupted error message after a network lookup failure.

• Avoid concurrent calls to bindtextdomain() in libpq and ecpglib (Tom Lane)

  Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.

• Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)

• In ecpg, avoid issuing false “unsupported feature will be passed to server” warnings (Tom Lane)

• Ensure that the string result of ecpg's intoasc() function is correctly zero-terminated (Oleg Tselebrovskiy)

• In initdb's -c option, match parameter names case-insensitively (Tom Lane)

  The server treats parameter names case-insensitively, so this code should too. This avoids putting redundant entries into the generated postgresql.conf file.

• In psql, avoid leaking a query result after the query is cancelled (Tom Lane)

  This happened only when cancelling a non-last query in a query string made with \; separators.

• Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords (Daniel Gustafsson, Álvaro Herrera)

• Skip files named .DS_Store in pg_basebackup, pg_checksums, and pg_rewind (Daniel Gustafsson)

  This avoids problems on macOS, where the Finder may create such files.

• Fix PL/pgSQL's parsing of single-line comments (---style comments) following expressions (Erik Wienhold, Tom Lane)

  This mistake caused parse errors if such a comment followed a WHEN expression in a PL/pgSQL CASE statement.

• In contrib/amcheck, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)

  A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.

• Fix bugs in BRIN output functions (Tomas Vondra)

  These output functions are only used for displaying index entries in contrib/pageinspect, so the errors are of limited practical concern.

• In contrib/postgres_fdw, avoid emitting requests to sort by a constant (David Rowley)

  This could occur in cases involving UNION ALL with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N is not in select list” errors.

• Make contrib/postgres_fdw set the remote session's time zone to GMT not UTC (Tom Lane)

  This should have the same results for practical purposes. However, GMT is recognized by hard-wired code in the server, while UTC is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.

• In contrib/xml2, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)

• Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)

• Allow make check to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)

Postgres version 16.2

Release date: 2024-02-08

This release contains a variety of fixes from 16.1. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.2

A dump/restore is not required for those running 16.X.

However, one bug was fixed that could have resulted in corruption of GIN indexes during concurrent updates. If you suspect such corruption, reindex affected indexes after installing this update.

Also, if you are upgrading from a version earlier than 16.1, see Version 16.1.

 Changes

• Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (Heikki Linnakangas)

  One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. Fix things so that all user-determined code is run as the view's owner, as expected.

  The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.

  The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2024-0985 or CVE-2024-0985)

• Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)

  There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.

• Avoid generating incorrect partitioned-join plans (Richard Guo)

  Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target list”, or executor crashes.

• Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)

  This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.

• Fix misprocessing of window function run conditions (Richard Guo)

  This oversight could lead to “WindowFunc not found in subplan target lists” errors.

• Fix detection of inner-side uniqueness for Memoize plans (Richard Guo)

  This mistake could lead to “cache entry already complete” errors.

• Fix computation of nullingrels when constant-folding field selection (Richard Guo)

  Failure to do this led to errors like “wrong varnullingrels (b) (expected (b 3)) for Var 2/2”.

• Skip inappropriate actions when MERGE causes a cross-partition update (Dean Rasheed)

  When executing a MERGE UPDATE action on a partitioned table, if the UPDATE is turned into a DELETE and INSERT due to changing a partition key column, skip firing AFTER UPDATE ROW triggers, as well as other post-update actions such as RLS checks. These actions would typically fail, which is why a regular UPDATE doesn't do them in such cases; MERGE shouldn't either.

• Cope with BEFORE ROW DELETE triggers in cross-partition MERGE updates (Dean Rasheed)

  If such a trigger attempted to prevent the update by returning NULL, MERGE would suffer an error or assertion failure.

• Prevent access to a no-longer-pinned buffer in BEFORE ROW UPDATE triggers (Alexander Lakhin, Tom Lane)

  If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer. In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.

• Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)

  The limiting value was too large, allowing “invalid DSA memory alloc request size” errors to occur with sufficiently large expected hash table sizes.

• Fix corruption of local buffer state when an error occurs while trying to extend a temporary table (Tender Wang)

• Fix use of wrong tuple slot while evaluating DISTINCT aggregates that have multiple arguments (David Rowley)

  This mistake could lead to errors such as “attribute 1 of type record has wrong type”.

• Avoid assertion failures in heap_update() and heap_delete() when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)

  This error had no impact in non-assert builds.

• Fix possible failure during ALTER TABLE ADD COLUMN on a complex inheritance tree (Tender Wang)

  If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by self”.

• Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING commands (Tender Wang, Michael Paquier)

• Fix DROP ROLE with duplicate role names (Michael Paquier)

  Previously this led to a “tuple already updated by self” failure. Instead, ignore the duplicate.

• Properly lock the associated table during DROP STATISTICS (Tomas Vondra)

  Failure to acquire the lock could result in “tuple concurrently deleted” errors if the DROP executes concurrently with ANALYZE.

• Fix function volatility checking for GENERATED and DEFAULT expressions (Tom Lane)

  These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN.

• Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)

  We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.

• Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)

  Computing 0 - INT64_MIN should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN.

• Detect Julian-date overflow when adding or subtracting an interval to/from a timestamp (Tom Lane)

  Some cases that should cause an out-of-range error produced an incorrect result instead.

• Add more checks for overflow in interval_mul() and interval_div() (Dean Rasheed)

  Some cases that should cause an out-of-range error produced an incorrect result instead.

• Allow scram_SaltedPassword() to be interrupted (Bowen Shi)

  With large scram_iterations values, this function could take a long time to run. Allow it to be interrupted by query cancel requests.

• Ensure cached statistics are discarded after a change to stats_fetch_consistency (Shinya Kato)

  In some code paths, it was possible for stale statistics to be returned.

• Make the pg_file_settings view check validity of unapplied values for settings with backend or superuser-backend context (Tom Lane)

  Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.

• Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)

  Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.

• Avoid failure if a child index is dropped concurrently with REINDEX INDEX on a partitioned index (Fei Changhong)

• Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)

  The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.

• Avoid premature release of buffer pin in GIN index insertion (Tom Lane)

  If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource owner”.

• Avoid failure with partitioned SP-GiST indexes (Tom Lane)

  Trying to use an index of this kind could lead to “No such file or directory” errors.

• Fix ownership tests for large objects (Tom Lane)

  Operations on large objects that require ownership privilege failed with “unrecognized class ID: 2613”, unless run by a superuser.

• Fix ownership change reporting for large objects (Tom Lane)

  A no-op ALTER LARGE OBJECT OWNER command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook, probably confusing any extension using that hook.

• Fix reporting of I/O timing data in EXPLAIN (BUFFERS) (Michael Paquier)

  The numbers labeled as “shared/local” actually refer only to shared buffers, so change that label to “shared”.

• Ensure durability of CREATE DATABASE (Noah Misch)

  If an operating system crash occurred during or shortly after CREATE DATABASE, recovery could fail, or subsequent connections to the new database could fail. If a base backup was taken in that window, similar problems could be observed when trying to use the backup. The symptom would be that the database directory, PG_VERSION file, or pg_filenode.map file was missing or empty.

• Add more LOG messages when starting and ending recovery from a backup (Andres Freund)

  This change provides additional information in the postmaster log that may be useful for diagnosing recovery problems.

• Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)

  The startedInRecovery flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.

• Fix signal handling in walreceiver processes (Heikki Linnakangas)

  Revert a change that made walreceivers non-responsive to SIGTERM while waiting for the replication connection to be established.

• Fix integer overflow hazard in checking whether a record will fit into the WAL decoding buffer (Thomas Munro)

  This bug appears to be only latent except when running a 32-bit PostgreSQL build on a 64-bit platform.

• Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)

  One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.

• Ensure that column default values are correctly transmitted by the pgoutput logical replication plugin (Nikhil Benesch)

  ALTER TABLE ADD COLUMN with a constant default value for the new column avoids rewriting existing tuples, instead expecting that reading code will insert the correct default into a tuple that lacks that column. If replication was subsequently initiated on the table, pgoutput would transmit NULL instead of the correct default for such a column, causing incorrect replication on the subscriber.

• Fix failure of logical replication's initial sync for a table with no columns (Vignesh C)

  This case generated an improperly-formatted COPY command.

• Re-validate a subscription's connection string before use (Vignesh C)

  This is meant to detect cases where a subscription was created without a password (which is allowed to superusers) but then the subscription owner is changed to a non-superuser.

• Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)

  In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook.

• Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)

  Use the BIO “app_data” field for our private storage, instead of assuming it's okay to use the “data” field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.

• Be more wary about OpenSSL not setting errno on error (Tom Lane)

  If errno isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Success”.

• Fix file descriptor leakage when a foreign data wrapper's ForeignAsyncRequest function fails (Heikki Linnakangas)

• Fix minor memory leak in connection string validation for CREATE SUBSCRIPTION (Jeff Davis)

• Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY, not ERRCODE_INTERNAL_ERROR (Alexander Kuzmenkov)

• In PL/pgSQL, support SQL commands that are CREATE FUNCTION/CREATE PROCEDURE with SQL-standard bodies (Tom Lane)

  Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.

• Fix libpq's handling of errors in pipelines (Álvaro Herrera)

  The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.

• Make libpq's PQsendFlushRequest() function flush the client output buffer under the same rules as other PQsend functions (Jelte Fennema-Nio)

  In pipeline mode, it may still be necessary to call PQflush() as well; but this change removes some inconsistency.

• Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)

• Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)

  When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retried”.

• Change initdb to always un-comment the postgresql.conf entries for the lc_xxx parameters (Kyotaro Horiguchi)

  initdb used to work this way before v16, and now it does again. The change caused initdb's --no-locale option to not have the intended effect on lc_messages.

• In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)

  Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).

• In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)

  This conforms to the behavior for other dependent objects such as indexes.

• Properly detect out-of-memory in one code path in pg_dump (Daniel Gustafsson)

• Make it an error for a pgbench script to end with an open pipeline (Anthonin Bonnefoy)

  Previously, pgbench would behave oddly if a \startpipeline command lacked a matching \endpipeline. This seems like a scripting mistake rather than a case that pgbench needs to handle nicely, so throw an error.

• In contrib/bloom, fix overly tight assertion about false_positive_rate (Alexander Lakhin)

• Fix crash in contrib/intarray if an array with an element equal to INT_MAX is inserted into a gist__int_ops index (Alexander Lakhin, Tom Lane)

• Report a better error when contrib/pageinspect's hash_bitmap_info() function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)

• Report a better error when contrib/pgstattuple's pgstathashindex() function is applied to a partitioned hash index (Alexander Lakhin)

• On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)

  When launching a child process via cmd.exe, pass the /D flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.

• Move is_valid_ascii() from mb/pg_wchar.h to utils/ascii.h (Jubilee Young)

  This change avoids the need to include <simd.h> in pg_wchar.h, which was causing problems for some third-party code.

• Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)

• Fix compilation failure of WAL_DEBUG code on Windows (Bharath Rupireddy)

• Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)

  Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.

• Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)

• Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.

Postgres version 16.1

Release date: 2023-11-09

This release contains a variety of fixes from 16.0. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.1

A dump/restore is not required for those running 16.X.

However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.

 Changes

• Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)

  This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value.

  The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. CVE-2023-5868 or CVE-2023-5868)

• Detect integer overflow while computing new array dimensions (Tom Lane)

  When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.

  The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2023-5869 or CVE-2023-5869)

• Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)

  The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.

  Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.

  The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. CVE-2023-5870 or CVE-2023-5870)

• Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)

  Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.

• Prevent de-duplication of btree index entries for interval columns (Noah Misch)

  There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.

• Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.

• Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.

• Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)

  This bug might have caused unexpected failures while trying to insert large interval values into such an index.

• Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)

  Some cases involving an IS NULL condition on one of the partition keys could result in a crash.

• Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed)

  In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.

• Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)

  If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.

• Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)

  When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])) clause. This could result in missing some rows that should have been fetched.

• Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)

• Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)

• Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)

• Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes() calls (Hou Zhijie)

  The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.

• Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)

  Previously, a not-on-point complaint “only heap AM is supported” would be raised.

• Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)

  Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.

• Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)

• Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)

  If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.

• Improve checks for corrupt PGLZ compressed data (Flavien Guedez)

• Fix ALTER SUBSCRIPTION so that a commanded change in the run_as_owner option is actually applied (Hou Zhijie)

• Fix bulk table insertion into partitioned tables (Andres Freund)

  Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes” errors.

• In COPY FROM, avoid evaluating column default values that will not be needed by the command (Laurenz Albe)

  This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.

• In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)

  Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.

• Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)

  No built-in parameter fits this description, but an extension could define such a parameter.

• Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)

  This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).

• Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)

  This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.

• Cope with torn reads of pg_control in frontend programs (Thomas Munro)

  On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.

• Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)

  Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.

• Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)

• Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)

  On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.

• Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)

  The block-level counters should be reset to zero at the same time we update the current-relation field.

• Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)

• Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier)

  This could result in some statistics about WAL I/O being forgotten in a shutdown.

• Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund)

  These were counted as normal-table writes when they should be counted as temp-table writes.

• When track_io_timing is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz)

• Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)

  DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.

• Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)

• Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)

  This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.

• Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)

  In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.

• Fix error-handling bug in RECORD type cache management (Thomas Munro)

  An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.

• Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)

  Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.

• Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)

• Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)

• Fix order of operations in GenericXLogFinish (Jeff Davis)

  This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).

• Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)

• Fix pg_dump to dump the new run_as_owner option of subscriptions (Philip Warner)

  Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases.

• Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)

  Formerly, only the table-level ACL would get restored if both types were present.

• Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)

  These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.

• Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)

• Fix vacuumdb's handling of multiple -N switches (Nathan Bossart, Kuwamura Masaki)

  Multiple -N switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.

• Fix vacuumdb to honor its --buffer-usage-limit option in analyze-only mode (Ryoga Yoshida, David Rowley)

• In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)

  This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.

• Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed)

  Such an indexscan failed to return all the entries it should.

• Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)

• Suppress assorted build-time warnings on recent macOS (Tom Lane)

  Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.

• When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li)

• Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)

  Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.

Postgres version 16.0

Release date: 2023-09-14

 Overview

PostgreSQL 16 contains many new features and enhancements, including:

• Allow parallelization of FULL and internal right OUTER hash joins

• Allow logical replication from standby servers

• Allow logical replication subscribers to apply large transactions in parallel

• Allow monitoring of I/O statistics using the new pg_stat_io view

• Add SQL/JSON constructors and identity functions

• Improve performance of vacuum freezing

• Add support for regular expression matching of user and database names in pg_hba.conf, and user names in pg_ident.conf

The above items and other new features of PostgreSQL 16 are explained in more detail in the sections below.

 Migration to Version 16

A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.

Version 16 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:

• Change assignment rules for PL/pgSQL bound cursor variables (Tom Lane)

  Previously, the string value of such variables was set to match the variable name during cursor assignment; now it will be assigned during OPEN, and will not match the variable name. To restore the previous behavior, assign the desired portal name to the cursor variable before OPEN.

• Disallow NULLS NOT DISTINCT indexes for primary keys (Daniel Gustafsson)

• Change REINDEX DATABASE and reindexdb to not process indexes on system catalogs (Simon Riggs)

  Processing such indexes is still possible using REINDEX SYSTEM and reindexdb --system.

• Tighten GENERATED expression restrictions on inherited and partitioned tables (Amit Langote, Tom Lane)

  Columns of parent/partitioned and child/partition tables must all have the same generation status, though now the actual generation expressions can be different.

• Remove pg_walinspect functions pg_get_wal_records_info_till_end_of_wal() and pg_get_wal_stats_till_end_of_wal() (Bharath Rupireddy)

• Rename server variable force_parallel_mode to debug_parallel_query (David Rowley)

• Remove the ability to create views manually with ON SELECT rules (Tom Lane)

• Remove the server variable vacuum_defer_cleanup_age (Andres Freund)

  This has been unnecessary since hot_standby_feedback and replication slots were added.

• Remove server variable promote_trigger_file (Simon Riggs)

  This was used to promote a standby to primary, but is now easier accomplished with pg_ctl promote or pg_promote().

• Remove read-only server variables lc_collate and lc_ctype (Peter Eisentraut)

  Collations and locales can vary between databases so having them as read-only server variables was unhelpful.

• Role inheritance now controls the default inheritance status of member roles added during GRANT (Robert Haas)

  The role's default inheritance behavior can be overridden with the new GRANT ... WITH INHERIT clause. This allows inheritance of some roles and not others because the members' inheritance status is set at GRANT time. Previously the inheritance status of member roles was controlled only by the role's inheritance status, and changes to a role's inheritance status affected all previous and future member roles.

• Restrict the privileges of CREATEROLE and its ability to modify other roles (Robert Haas)

  Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION permission. For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions.

• Remove symbolic links for the postmaster binary (Peter Eisentraut)

 Changes

Below you will find a detailed account of the changes between PostgreSQL 16 and the previous major release.

 Server (PG 16.0)

 Optimizer (PG 16.0)

• Allow incremental sorts in more cases, including DISTINCT (David Rowley)

• Add the ability for aggregates having ORDER BY or DISTINCT to use pre-sorted data (David Rowley)

  The new server variable enable_presorted_aggregate can be used to disable this.

• Allow memoize atop a UNION ALL (Richard Guo)

• Allow anti-joins to be performed with the non-nullable input as the inner relation (Richard Guo)

• Allow parallelization of FULL and internal right OUTER hash joins (Melanie Plageman, Thomas Munro)

• Improve the accuracy of GIN index access optimizer costs (Ronan Dunklau)

 General Performance (PG 16.0)

• Allow more efficient addition of heap and index pages (Andres Freund)

• During non-freeze operations, perform page freezing where appropriate (Peter Geoghegan)

  This makes full-table freeze vacuums less necessary.

• Allow window functions to use the faster ROWS mode internally when RANGE mode is active but unnecessary (David Rowley)

• Allow optimization of always-increasing window functions ntile(), cume_dist() and percent_rank() (David Rowley)

• Allow aggregate functions string_agg() and array_agg() to be parallelized (David Rowley)

• Improve performance by caching RANGE and LIST partition lookups (Amit Langote, Hou Zhijie, David Rowley)

• Allow control of the shared buffer usage by vacuum and analyze (Melanie Plageman)

  The VACUUM/ANALYZE option is BUFFER_USAGE_LIMIT, and the vacuumdb option is --buffer-usage-limit. The default value is set by server variable vacuum_buffer_usage_limit, which also controls autovacuum.

• Support wal_sync_method=fdatasync on Windows (Thomas Munro)

• Allow HOT updates if only BRIN-indexed columns are updated (Matthias van de Meent, Josef Simanek, Tomas Vondra)

• Improve the speed of updating the process title (David Rowley)

• Allow xid/subxid searches and ASCII string detection to use vector operations (Nathan Bossart, John Naylor)

  ASCII detection is particularly useful for COPY FROM. Vector operations are also used for some C array searches.

• Reduce overhead of memory allocations (Andres Freund, David Rowley)

 Monitoring (PG 16.0)

• Add system view pg_stat_io view to track I/O statistics (Melanie Plageman)

• Record statistics on the last sequential and index scans on tables (Dave Page)

  This information appears in pg_stat_*_tables and pg_stat_*_indexes.

• Record statistics on the occurrence of updated rows moving to new pages (Corey Huinker)

  The pg_stat_*_tables column is n_tup_newpage_upd.

• Add speculative lock information to the pg_locks system view (Masahiko Sawada, Noriyoshi Shinoda)

  The transaction id is displayed in the transactionid column and the speculative insertion token is displayed in the objid column.

• Add the display of prepared statement result types to the pg_prepared_statements view (Dagfinn Ilmari Mannsåker)

• Create subscription statistics entries at subscription creation time so stats_reset is accurate (Andres Freund)

  Previously entries were created only when the first statistics were reported.

• Correct the I/O accounting for temp relation writes shown in pg_stat_database (Melanie Plageman)

• Add function pg_stat_get_backend_subxact() to report on a session's subtransaction cache (Dilip Kumar)

• Have pg_stat_get_backend_idset(), pg_stat_get_backend_activity(), and related functions use the unchanging backend id (Nathan Bossart)

  Previously the index values might change during the lifetime of the session.

• Report stand-alone backends with a special backend type (Melanie Plageman)

• Add wait event SpinDelay to report spinlock sleep delays (Andres Freund)

• Create new wait event DSMAllocate to indicate waiting for dynamic shared memory allocation (Thomas Munro)

  Previously this type of wait was reported as DSMFillZeroWrite, which was also used by mmap() allocations.

• Add the database name to the process title of logical WAL senders (Tatsuhiro Nakamori)

  Physical WAL senders do not display a database name.

• Add checkpoint and REDO LSN information to log_checkpoints messages (Bharath Rupireddy, Kyotaro Horiguchi)

• Provide additional details during client certificate failures (Jacob Champion)

 Privileges (PG 16.0)

• Add predefined role pg_create_subscription with permission to create subscriptions (Robert Haas)

• Allow subscriptions to not require passwords (Robert Haas)

  This is accomplished with the option password_required=false.

• Simplify permissions for LOCK TABLE (Jeff Davis)

  Previously a user's ability to perform LOCK TABLE at various lock levels was limited to the lock levels required by the commands they had permission to execute on the table. For example, someone with UPDATE permission could perform all lock levels except ACCESS SHARE, even though it was a lesser lock level. Now users can issue lesser lock levels if they already have permission for greater lock levels.

• Allow GRANT group_name TO user_name to be performed with ADMIN OPTION (Robert Haas)

  Previously CREATEROLE permission was required.

• Allow GRANT to use WITH ADMIN TRUE/FALSE syntax (Robert Haas)

  Previously only the WITH ADMIN OPTION syntax was supported.

• Allow roles that create other roles to automatically inherit the new role's rights or the ability to SET ROLE to the new role (Robert Haas, Shi Yu)

  This is controlled by server variable createrole_self_grant.

• Prevent users from changing the default privileges of non-inherited roles (Robert Haas)

  This is now only allowed for inherited roles.

• When granting role membership, require the granted-by role to be a role that has appropriate permissions (Robert Haas)

  This is a requirement even when a non-bootstrap superuser is granting role membership.

• Allow non-superusers to grant permissions using a granted-by user that is not the current user (Robert Haas)

  The current user still must have sufficient permissions given by the specified granted-by user.

• Add GRANT to control permission to use SET ROLE (Robert Haas)

  This is controlled by a new GRANT ... SET option.

• Add dependency tracking to roles which have granted privileges (Robert Haas)

  For example, removing ADMIN OPTION will fail if there are privileges using that option; CASCADE must be used to revoke dependent permissions.

• Add dependency tracking of grantors for GRANT records (Robert Haas)

  This guarantees that pg_auth_members.grantor values are always valid.

• Allow multiple role membership records (Robert Haas)

  Previously a new membership grant would remove a previous matching membership grant, even if other aspects of the grant did not match.

• Prevent removal of superuser privileges for the bootstrap user (Robert Haas)

  Restoring such users could lead to errors.

• Allow makeaclitem() to accept multiple privilege names (Robins Tharakan)

  Previously only a single privilege name, like SELECT, was accepted.

 Server Configuration (PG 16.0)

• Add support for Kerberos credential delegation (Stephen Frost)

  This is enabled with server variable gss_accept_delegation and libpq connection parameter gssdelegation.

• Allow the SCRAM iteration count to be set with server variable scram_iterations (Daniel Gustafsson)

• Improve performance of server variable management (Tom Lane)

• Tighten restrictions on which server variables can be reset (Masahiko Sawada)

  Previously, while certain variables, like transaction_isolation, were not affected by RESET ALL, they could be individually reset in inappropriate situations.

• Move various postgresql.conf items into new categories (Shinya Kato)

  This also affects the categories displayed in the pg_settings view.

• Prevent configuration file recursion beyond 10 levels (Julien Rouhaud)

• Allow autovacuum to more frequently honor changes to delay settings (Melanie Plageman)

  Rather than honor changes only at the start of each relation, honor them at the start of each block.

• Remove restrictions that archive files be durably renamed (Nathan Bossart)

  The archive_command command is now more likely to be called with already-archived files after a crash.

• Prevent archive_library and archive_command from being set at the same time (Nathan Bossart)

  Previously archive_library would override archive_command.

• Allow the postmaster to terminate children with an abort signal (Tom Lane)

  This allows collection of a core dump for a stuck child process. This is controlled by send_abort_for_crash and send_abort_for_kill. The postmaster's -T switch is now the same as setting send_abort_for_crash.

• Remove the non-functional postmaster -n option (Tom Lane)

• Allow the server to reserve backend slots for roles with pg_use_reserved_connections membership (Nathan Bossart)

  The number of reserved slots is set by server variable reserved_connections.

• Allow huge pages to work on newer versions of Windows 10 (Thomas Munro)

  This adds the special handling required to enable huge pages on newer versions of Windows 10.

• Add debug_io_direct setting for developer usage (Thomas Munro, Andres Freund, Bharath Rupireddy)

  While primarily for developers, wal_sync_method=open_sync/open_datasync has been modified to not use direct I/O with wal_level=minimal; this is now enabled with debug_io_direct=wal.

• Add function pg_split_walfile_name() to report the segment and timeline values of WAL file names (Bharath Rupireddy)

 pg_hba.conf (PG 16.0)

• Add support for regular expression matching on database and role entries in pg_hba.conf (Bertrand Drouvot)

  Regular expression patterns are prefixed with a slash. Database and role names that begin with slashes need to be double-quoted if referenced in pg_hba.conf.

• Improve user-column handling of pg_ident.conf to match pg_hba.conf (Jelte Fennema)

  Specifically, add support for all, role membership with +, and regular expressions with a leading slash. Any user name that matches these patterns must be double-quoted.

• Allow include files in pg_hba.conf and pg_ident.conf (Julien Rouhaud)

  These are controlled by include, include_if_exists, and include_dir. System views pg_hba_file_rules and pg_ident_file_mappings now display the file name.

• Allow pg_hba.conf tokens to be of unlimited length (Tom Lane)

• Add rule and map numbers to the system view pg_hba_file_rules (Julien Rouhaud)

 Localization (PG 16.0)

• Determine the default encoding from the locale when using ICU (Jeff Davis)

  Previously the default was always UTF-8.

• Have CREATE DATABASE and CREATE COLLATION's LOCALE options, and initdb and createdb --locale options, control non-libc collation providers (Jeff Davis)

  Previously they only controlled libc providers.

• Add predefined collations unicode and ucs_basic (Peter Eisentraut)

  This only works if ICU support is enabled.

• Allow custom ICU collation rules to be created (Peter Eisentraut)

  This is done using CREATE COLLATION's new RULES clause, as well as new options for CREATE DATABASE, createdb, and initdb.

• Allow Windows to import system locales automatically (Juan José Santamaría Flecha)

  Previously, only ICU locales could be imported on Windows.

 Logical Replication (PG 16.0)

• Allow logical decoding on standbys (Bertrand Drouvot, Andres Freund, Amit Khandekar)

  Snapshot WAL records are required for logical slot creation but cannot be created on standbys. To avoid delays, the new function pg_log_standby_snapshot() allows creation of such records.

• Add server variable to control how logical decoding publishers transfer changes and how subscribers apply them (Shi Yu)

  The variable is debug_logical_replication_streaming.

• Allow logical replication initial table synchronization to copy rows in binary format (Melih Mutlu)

  This is only possible for subscriptions marked as binary.

• Allow parallel application of logical replication (Hou Zhijie, Wang Wei, Amit Kapila)

  The CREATE SUBSCRIPTION STREAMING option now supports parallel to enable application of large transactions by parallel workers. The number of parallel workers is controlled by the new server variable max_parallel_apply_workers_per_subscription. Wait events LogicalParallelApplyMain, LogicalParallelApplyStateChange, and LogicalApplySendData were also added. Column leader_pid was added to system view pg_stat_subscription to track parallel activity.

• Improve performance for logical replication apply without a primary key (Onder Kalaci, Amit Kapila)

  Specifically, REPLICA IDENTITY FULL can now use btree indexes rather than sequentially scanning the table to find matches.

• Allow logical replication subscribers to process only changes that have no origin (Vignesh C, Amit Kapila)

  This can be used to avoid replication loops. This is controlled by the new CREATE SUBSCRIPTION ... ORIGIN option.

• Perform logical replication SELECT and DML actions as the table owner (Robert Haas)

  This improves security and now requires subscription owners to be either superusers or to have SET ROLE permission on all roles owning tables in the replication set. The previous behavior of performing all operations as the subscription owner can be enabled with the subscription run_as_owner option.

• Have wal_retrieve_retry_interval operate on a per-subscription basis (Nathan Bossart)

  Previously the retry time was applied globally. This also adds wait events >LogicalRepLauncherDSA and LogicalRepLauncherHash.

 Utility Commands (PG 16.0)

• Add EXPLAIN option GENERIC_PLAN to display the generic plan for a parameterized query (Laurenz Albe)

• Allow a COPY FROM value to map to a column's DEFAULT (Israel Barth Rubio)

• Allow COPY into foreign tables to add rows in batches (Andrey Lepikhov, Etsuro Fujita)

  This is controlled by the postgres_fdw option batch_size.

• Allow the STORAGE type to be specified by CREATE TABLE (Teodor Sigaev, Aleksander Alekseev)

  Previously only ALTER TABLE could control this.

• Allow truncate triggers on foreign tables (Yugo Nagata)

• Allow VACUUM and vacuumdb to only process TOAST tables (Nathan Bossart)

  This is accomplished by having VACUUM turn off PROCESS_MAIN or by vacuumdb using the --no-process-main option.

• Add VACUUM options to skip or update all frozen statistics (Tom Lane, Nathan Bossart)

  The options are SKIP_DATABASE_STATS and ONLY_DATABASE_STATS.

• Change REINDEX DATABASE and REINDEX SYSTEM to no longer require an argument (Simon Riggs)

  Previously the database name had to be specified.

• Allow CREATE STATISTICS to generate a statistics name if none is specified (Simon Riggs)

 Data Types (PG 16.0)

• Allow non-decimal integer literals (Peter Eisentraut)

  For example, 0x42F, 0o273, and 0b100101.

• Allow NUMERIC to process hexadecimal, octal, and binary integers of any size (Dean Rasheed)

  Previously only unquoted eight-byte integers were supported with these non-decimal bases.

• Allow underscores in integer and numeric constants (Peter Eisentraut, Dean Rasheed)

  This can improve readability for long strings of digits.

• Accept the spelling +infinity in datetime input (Vik Fearing)

• Prevent the specification of epoch and infinity together with other fields in datetime strings (Joseph Koshakow)

• Remove undocumented support for date input in the form YyearMmonthDday (Joseph Koshakow)

• Add functions pg_input_is_valid() and pg_input_error_info() to check for type conversion errors (Tom Lane)

 General Queries (PG 16.0)

• Allow subqueries in the FROM clause to omit aliases (Dean Rasheed)

• Add support for enhanced numeric literals in SQL/JSON paths (Peter Eisentraut)

  For example, allow hexadecimal, octal, and binary integers and underscores between digits.

 Functions (PG 16.0)

• Add SQL/JSON constructors (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote)

  The new functions JSON_ARRAY(), JSON_ARRAYAGG(), JSON_OBJECT(), and JSON_OBJECTAGG() are part of the SQL standard.

• Add SQL/JSON object checks (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote, Andrew Dunstan)

  The IS JSON checks include checks for values, arrays, objects, scalars, and unique keys.

• Allow JSON string parsing to use vector operations (John Naylor)

• Improve the handling of full text highlighting function ts_headline() for OR and NOT expressions (Tom Lane)

• Add functions to add, subtract, and generate timestamptz values in a specified time zone (Przemyslaw Sztoch, Gurjeet Singh)

  The functions are date_add(), date_subtract(), and generate_series().

• Change date_trunc(unit, timestamptz, time_zone) to be an immutable function (Przemyslaw Sztoch)

  This allows the creation of expression indexes using this function.

• Add server variable SYSTEM_USER (Bertrand Drouvot)

  This reports the authentication method and its authenticated user.

• Add functions array_sample() and array_shuffle() (Martin Kalcher)

• Add aggregate function ANY_VALUE() which returns any value from a set (Vik Fearing)

• Add function random_normal() to supply normally-distributed random numbers (Paul Ramsey)

• Add error function erf() and its complement erfc() (Dean Rasheed)

• Improve the accuracy of numeric power() for integer exponents (Dean Rasheed)

• Add XMLSERIALIZE() option INDENT to pretty-print its output (Jim Jones)

• Change pg_collation_actual_version() to return a reasonable value for the default collation (Jeff Davis)

  Previously it returned NULL.

• Allow pg_read_file() and pg_read_binary_file() to ignore missing files (Kyotaro Horiguchi)

• Add byte specification (B) to pg_size_bytes() (Peter Eisentraut)

• Allow to_reg* functions to accept numeric OIDs as input (Tom Lane)

 PL/pgSQL (PG 16.0)

• Add the ability to get the current function's OID in PL/pgSQL (Pavel Stehule)

  This is accomplished with GET DIAGNOSTICS variable = PG_ROUTINE_OID.

 libpq (PG 16.0)

• Add libpq connection option require_auth to specify a list of acceptable authentication methods (Jacob Champion)

  This can also be used to disallow certain authentication methods.

• Allow multiple libpq-specified hosts to be randomly selected (Jelte Fennema)

  This is enabled with load_balance_hosts=random and can be used for load balancing.

• Add libpq option sslcertmode to control transmission of the client certificate (Jacob Champion)

  The option values are disable, allow, and require.

• Allow libpq to use the system certificate pool for certificate verification (Jacob Champion, Thomas Habets)

  This is enabled with sslrootcert=system, which also enables sslmode=verify-full.

 Client Applications (PG 16.0)

• Allow ECPG variable declarations to use typedef names that match unreserved SQL keywords (Tom Lane)

  This change does prevent keywords which match C typedef names from being processed as keywords in later EXEC SQL blocks.

 psql (PG 16.0)

• Allow psql to control the maximum width of header lines in expanded format (Platon Pronko)

  This is controlled by xheader_width.

• Add psql command \drg to show role membership details (Pavel Luzanov)

  The Member of output column has been removed from \du and \dg because this new command displays this informaion in more detail.

• Allow psql's access privilege commands to show system objects (Nathan Bossart)

  The options are \dpS and \zS.

• Add FOREIGN designation to psql \d+ for foreign table children and partitions (Ian Lawrence Barwick)

• Prevent \df+ from showing function source code (Isaac Morland)

  Function bodies are more easily viewed with \sf.

• Allow psql to submit queries using the extended query protocol (Peter Eisentraut)

  Passing arguments to such queries is done using the new psql \bind command.

• Allow psql \watch to limit the number of executions (Andrey Borodin)

  The \watch options can now be named when specified.

• Detect invalid values for psql \watch, and allow zero to specify no delay (Andrey Borodin)

• Allow psql scripts to obtain the exit status of shell commands and queries (Corey Huinker, Tom Lane)

  The new psql control variables are SHELL_ERROR and SHELL_EXIT_CODE.

• Various psql tab completion improvements (Vignesh C, Aleksander Alekseev, Dagfinn Ilmari Mannsåker, Shi Yu, Michael Paquier, Ken Kato, Peter Smith)

 pg_dump (PG 16.0)

• Add pg_dump control of dumping child tables and partitions (Gilles Darold)

  The new options are --table-and-children, --exclude-table-and-children, and --exclude-table-data-and-children.

• Add LZ4 and Zstandard compression to pg_dump (Georgios Kokolatos, Justin Pryzby)

• Allow pg_dump and pg_basebackup to use long mode for compression (Justin Pryzby)

• Improve pg_dump to accept a more consistent compression syntax (Georgios Kokolatos)

  Options like --compress=gzip:5.

 Server Applications (PG 16.0)

• Add initdb option to set server variables for the duration of initdb and all future server starts (Tom Lane)

  The option is -c name=value.

• Add options to createuser to control more user options (Shinya Kato)

  Specifically, the new options control the valid-until date, bypassing of row-level security, and role membership.

• Deprecate createuser option --role (Nathan Bossart)

  This option could be easily confused with new createuser role membership options, so option --member-of has been added with the same functionality. The --role option can still be used.

• Allow control of vacuumdb schema processing (Gilles Darold)

  These are controlled by options --schema and --exclude-schema.

• Use new VACUUM options to improve the performance of vacuumdb (Tom Lane, Nathan Bossart)

• Have pg_upgrade set the new cluster's locale and encoding (Jeff Davis)

  This removes the requirement that the new cluster be created with the same locale and encoding settings.

• Add pg_upgrade option to specify the default transfer mode (Peter Eisentraut)

  The option is --copy.

• Improve pg_basebackup to accept numeric compression options (Georgios Kokolatos, Michael Paquier)

  Options like --compress=server-5 are now supported.

• Fix pg_basebackup to handle tablespaces stored in the PGDATA directory (Robert Haas)

• Add pg_waldump option --save-fullpage to dump full page images (David Christensen)

• Allow pg_waldump options -t/--timeline to accept hexadecimal values (Peter Eisentraut)

• Add support for progress reporting to pg_verifybackup (Masahiko Sawada)

• Allow pg_rewind to properly track timeline changes (Heikki Linnakangas)

  Previously if pg_rewind was run after a timeline switch but before a checkpoint was issued, it might incorrectly determine that a rewind was unnecessary.

• Have pg_receivewal and pg_recvlogical cleanly exit on SIGTERM (Christoph Berg)

  This signal is often used by systemd.

 Source Code (PG 16.0)

• Build ICU support by default (Jeff Davis)

  This removes build flag --with-icu and adds flag --without-icu.

• Add support for SSE2 (Streaming SIMD Extensions 2) vector operations on x86-64 architectures (John Naylor)

• Add support for Advanced SIMD (Single Instruction Multiple Data) (NEON) instructions on ARM architectures (Nathan Bossart)

• Have Windows binaries built with MSVC use RandomizedBaseAddress (ASLR) (Michael Paquier)

  This was already enabled on MinGW builds.

• Prevent extension libraries from exporting their symbols by default (Andres Freund, Tom Lane)

  Functions that need to be called from the core backend or other extensions must now be explicitly marked PGDLLEXPORT.

• Require Windows 10 or newer versions (Michael Paquier, Juan José Santamaría Flecha)

  Previously Windows Vista and Windows XP were supported.

• Require Perl version 5.14 or later (John Naylor)

• Require Bison version 2.3 or later (John Naylor)

• Require Flex version 2.5.35 or later (John Naylor)

• Require MIT Kerberos for GSSAPI support (Stephen Frost)

• Remove support for Visual Studio 2013 (Michael Paquier)

• Remove support for HP-UX (Thomas Munro)

• Remove support for HP/Intel Itanium (Thomas Munro)

• Remove support for M68K, M88K, M32R, and SuperH CPU architectures (Thomas Munro)

• Remove libpq support for SCM credential authentication (Michael Paquier)

  Backend support for this authentication method was removed in PostgresSQL 9.1.

• Add meson build system (Andres Freund, Nazir Bilal Yavuz, Peter Eisentraut)

  This eventually will replace the Autoconf and Windows-based MSVC build systems.

• Allow control of the location of the openssl binary used by the build system (Peter Eisentraut)

  Make finding openssl program a configure or meson option

• Add build option to allow testing of small WAL segment sizes (Andres Freund)

  The build options are --with-segsize-blocks and -Dsegsize_blocks.

• Add pgindent options (Andrew Dunstan)

  The new options are --show-diff, --silent-diff, --commit, and --help, and allow multiple --exclude options. Also require the typedef file to be explicitly specified. Options --code-base and --build were also removed.

• Add pg_bsd_indent source code to the main tree (Tom Lane)

• Improve make_ctags and make_etags (Yugo Nagata)

• Adjust pg_attribute columns for efficiency (Peter Eisentraut)

 Additional Modules (PG 16.0)

• Improve use of extension-based indexes on boolean columns (Zongliang Quan, Tom Lane)

• Add support for Daitch-Mokotoff Soundex to fuzzystrmatch (Dag Lem)

• Allow auto_explain to log values passed to parameterized statements (Dagfinn Ilmari Mannsåker)

  This affects queries using server-side PREPARE/EXECUTE and client-side parse/bind. Logging is controlled by auto_explain.log_parameter_max_length; by default query parameters will be logged with no length restriction.

• Have auto_explain's log_verbose mode honor the value of compute_query_id (Atsushi Torikoshi)

  Previously even if compute_query_id was enabled, log_verbose was not showing the query identifier.

• Change the maximum length of ltree labels from 256 to 1000 and allow hyphens (Garen Torikian)

• Have pg_stat_statements normalize constants used in utility commands (Michael Paquier)

  Previously constants appeared instead of placeholders, e.g., $1.

• Add pg_walinspect function pg_get_wal_block_info() to report WAL block information (Michael Paquier, Melanie Plageman, Bharath Rupireddy)

• Change how pg_walinspect functions pg_get_wal_records_info() and pg_get_wal_stats() interpret ending LSNs (Bharath Rupireddy)

  Previously ending LSNs which represent nonexistent WAL locations would generate an error, while they will now be interpreted as the end of the WAL.

• Add detailed descriptions of WAL records in pg_walinspect and pg_waldump (Melanie Plageman, Peter Geoghegan)

• Add pageinspect function bt_multi_page_stats() to report statistics on multiple pages (Hamid Akhtar)

  This is similar to bt_page_stats() except it can report on a range of pages.

• Add empty range output column to pageinspect function brin_page_items() (Tomas Vondra)

• Redesign archive modules to be more flexible (Nathan Bossart)

  Initialization changes will require modules written for older versions of Postgres to be updated.

• Correct inaccurate pg_stat_statements row tracking extended query protocol statements (Sami Imseih)

• Add pg_buffercache function pg_buffercache_usage_counts() to report usage totals (Nathan Bossart)

• Add pg_buffercache function pg_buffercache_summary() to report summarized buffer statistics (Melih Mutlu)

• Allow the schemas of required extensions to be referenced in extension scripts using the new syntax @extschema:referenced_extension_name@ (Regina Obe)

• Allow required extensions to be marked as non-relocatable using no_relocate (Regina Obe)

  This allows @extschema:referenced_extension_name@ to be treated as a constant for the lifetime of the extension.

 postgres_fdw (PG 16.0)

• Allow postgres_fdw to do aborts in parallel (Etsuro Fujita)

  This is enabled with postgres_fdw option parallel_abort.

• Make ANALYZE on foreign postgres_fdw tables more efficient (Tomas Vondra)

  The postgres_fdw option analyze_sampling controls the sampling method.

• Restrict shipment of reg* type constants in postgres_fdw to those referencing built-in objects or extensions marked as shippable (Tom Lane)

• Have postgres_fdw and dblink handle interrupts during connection establishment (Andres Freund)

 Acknowledgments

The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.

• Abhijit Menon-Sen
• Adam Mackler
• Adrian Klaver
• Ahsan Hadi
• Ajin Cherian
• Ajit Awekar
• Alan Hodgson
• Aleksander Alekseev
• Alex Denman
• Alex Kozhemyakin
• Alexander Korolev
• Alexander Korotkov
• Alexander Lakhin
• Alexander Pyhalov
• Alexey Borzov
• Alexey Ermakov
• Alexey Makhmutov
• Álvaro Herrera
• Amit Kapila
• Amit Khandekar
• Amit Langote
• Amul Sul
• Anastasia Lubennikova
• Anban Company
• Andreas Dijkman
• Andreas Karlsson
• Andreas Scherbaum
• Andrei Zubkov
• Andres Freund
• Andrew Alsup
• Andrew Bille
• Andrew Dunstan
• Andrew Gierth
• Andrew Kesper
• Andrey Borodin
• Andrey Lepikhov
• Andrey Sokolov
• Ankit Kumar Pandey
• Ante Kresic
• Anton Melnikov
• Anton Sidyakin
• Anton Voloshin
• Antonin Houska
• Arne Roland
• Artem Anisimov
• Arthur Zakirov
• Ashutosh Bapat
• Ashutosh Sharma
• Asim Praveen
• Atsushi Torikoshi
• Ayaki Tachikake
• Balazs Szilfai
• Benoit Lobréau
• Bernd Helmle
• Bertrand Drouvot
• Bharath Rupireddy
• Bilva Sanaba
• Bob Krier
• Boris Zentner
• Brad Nicholson
• Brar Piening
• Bruce Momjian
• Bruno da Silva
• Carl Sopchak
• Cary Huang
• Changhong Fei
• Chris Travers
• Christoph Berg
• Christophe Pettus
• Corey Huinker
• Craig Ringer
• Curt Kolovson
• Dag Lem
• Dagfinn Ilmari Mannsåker
• Daniel Gustafsson
• Daniel Vérité
• Daniel Watzinger
• Daniel Westermann
• Daniele Varrazzo
• Daniil Anisimov
• Danny Shemesh
• Dave Page
• David Christensen
• David G. Johnston
• David Geier
• David Gilman
• David Kimura
• David Rowley
• David Steele
• David Turon
• David Zhang
• Davinder Singh
• Dean Rasheed
• Denis Laxalde
• Dilip Kumar
• Dimos Stamatakis
• Dmitriy Kuzmin
• Dmitry Astapov
• Dmitry Dolgov
• Dmitry Koval
• Dong Wook Lee
• Dongming Liu
• Drew DeVault
• Duncan Sands
• Ed Maste
• Egor Chindyaskin
• Ekaterina Kiryanova
• Elena Indrupskaya
• Emmanuel Quincerot
• Eric Mutta
• Erik Rijkers
• Erki Eessaar
• Erwin Brandstetter
• Etsuro Fujita
• Eugeny Zhuzhnev
• Euler Taveira
• Evan Jones
• Evgeny Morozov
• Fabrízio de Royes Mello
• Farias de Oliveira
• Florin Irion
• Franz-Josef Färber
• Garen Torikian
• Georgios Kokolatos
• Gilles Darold
• Greg Stark
• Guillaume Lelarge
• Gunnar Bluth
• Gunnar Morling
• Gurjeet Singh
• Haiyang Wang
• Haiying Tang
• Hamid Akhtar
• Hans Buschmann
• Hao Wu
• Hayato Kuroda
• Heath Lord
• Heikki Linnakangas
• Himanshu Upadhyaya
• Hisahiro Kauchi
• Hongyu Song
• Hubert Lubaczewski
• Hung Nguyen
• Ian Barwick
• Ibrar Ahmed
• Ilya Gladyshev
• Ilya Nenashev
• Isaac Morland
• Israel Barth Rubio
• Jacob Champion
• Jacob Speidel
• Jaime Casanova
• Jakub Wartak
• James Coleman
• James Inform
• James Vanns
• Jan Wieck
• Japin Li
• Jeevan Ladhe
• Jeff Davis
• Jeff Janes
• Jehan-Guillaume de Rorthais
• Jelte Fennema
• Jian He
• Jim Jones
• Jinbao Chen
• Joe Conway
• Joel Jacobson
• John Naylor
• Jonathan Katz
• Josef Simanek
• Joseph Koshakow
• Juan José Santamaría Flecha
• Julien Rouhaud
• Julien Roze
• Junwang Zhao
• Justin Pryzby
• Justin Zhang
• Karina Litskevich
• Karl O. Pinc
• Keisuke Kuroda
• Ken Kato
• Kevin McKibbin
• Kieran McCusker
• Kirk Wolak
• Konstantin Knizhnik
• Koshi Shibagaki
• Kotaro Kawamoto
• Kui Liu
• Kyotaro Horiguchi
• Lakshmi Narayanan Sreethar
• Laurence Parry
• Laurenz Albe
• Luca Ferrari
• Lukas Fittl
• Maciek Sakrejda
• Magnus Hagander
• Maja Zaloznik
• Marcel Hofstetter
• Marina Polyakova
• Mark Dilger
• Marko Tiikkaja
• Markus Winand
• Martijn van Oosterhout
• Martin Jurca
• Martin Kalcher
• Mary Xu
• Masahiko Sawada
• Masahiro Ikeda
• Masao Fujii
• Mason Sharp
• Matheus Alcantara
• Mats Kindahl
• Matthias van de Meent
• Matthijs van der Vleuten
• Maxim Orlov
• Maxim Yablokov
• Mehmet Emin Karakas
• Melanie Plageman
• Melih Mutlu
• Micah Gate
• Michael Banck
• Michael Paquier
• Michail Nikolaev
• Michel Pelletier
• Mike Oh
• Mikhail Gribkov
• Mingli Zhang
• Miroslav Bendik
• Mitsuru Hinata
• Myo Wai Thant
• Naeem Akhter
• Naoki Okano
• Nathan Bossart
• Nazir Bilal Yavuz
• Neha Sharma
• Nick Babadzhanian
• Nicola Contu
• Nikhil Shetty
• Nikita Glukhov
• Nikolay Samokhvalov
• Nikolay Shaplov
• Nishant Sharma
• Nitin Jadhav
• Noah Misch
• Noboru Saito
• Noriyoshi Shinoda
• Nuko Yokohama
• Oleg Bartunov
• Oleg Tselebrovskiy
• Olly Betts
• Onder Kalaci
• Onur Tirtir
• Pablo Federico
• Palle Girgensohn
• Paul Guo
• Paul Jungwirth
• Paul Ramsey
• Pavel Borisov
• Pavel Kulakov
• Pavel Luzanov
• Pavel Stehule
• Peifeng Qiu
• Peter Eisentraut
• Peter Geoghegan
• Peter Smith
• Phil Florent
• Philippe Godfrin
• Platon Pronko
• Przemyslaw Sztoch
• Rachel Heaton
• Ranier Vilela
• Regina Obe
• Reid Thompson
• Reiner Peterke
• Richard Guo
• Riivo Kolka
• Rishu Bagga
• Robert Haas
• Robert Sjöblom
• Robert Treat
• Roberto Mello
• Robins Tharakan
• Roman Zharkov
• Ronan Dunklau
• Rushabh Lathia
• Ryo Matsumura
• Samay Sharma
• Sami Imseih
• Sandeep Thakkar
• Sandro Santilli
• Sebastien Flaesch
• Sébastien Lardière
• Sehrope Sarkuni
• Sergey Belyashov
• Sergey Pankov
• Sergey Shinderuk
• Shi Yu
• Shinya Kato
• Sho Kato
• Shruthi Gowda
• Shveta Mallik
• Simon Riggs
• Sindy Senorita
• Sirisha Chamarthi
• Sravan Kumar
• Stéphane Tachoires
• Stephen Frost
• Steve Chavez
• Stone Tickle
• Sven Klemm
• Takamichi Osumi
• Takeshi Ideriha
• Tatsuhiro Nakamori
• Tatsuo Ishii
• Ted Yu
• Teja Mupparti
• Tender Wang
• Teodor Sigaev
• Thiago Nunes
• Thom Brown
• Thomas Habets
• Thomas Mc Kay
• Thomas Munro
• Tim Carey-Smith
• Tim Field
• Timo Stolz
• Tom Lane
• Tomas Vondra
• Tor Erik Linnerud
• Torsten Förtsch
• Tristan Partin
• Troy Frericks
• Tushar Ahuja
• Valerie Woolard
• Vibhor Kumar
• Victor Spirin
• Victoria Shepard
• Vignesh C
• Vik Fearing
• Vitaly Burovoy
• Vitaly Davydov
• Wang Wei
• Wenjing Zeng
• Whale Song
• Will Mortensen
• Wolfgang Walther
• Xin Wen
• Xing Guo
• Xingwang Xu
• XueJing Zhao
• Yanliang Lei
• Youmiu Mo
• Yugo Nagata
• Yura Sokolov
• Yuta Katsuragi
• Zhen Mingyang
• Zheng Li
• Zhihong Yu
• Zhijie Hou
• Zongliang Quan
• Zuming Jiang

Postgres version 15.12

Release date: 2025-02-20

This release contains a few fixes from 15.11. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.12

A dump/restore is not required for those running 15.X.

However, if you are upgrading from a version earlier than 15.9, see Version 15.9.

 Changes

• Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜

  The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.

  In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.

Postgres version 15.11

Release date: 2025-02-13

This release contains a variety of fixes from 15.10. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.11

A dump/restore is not required for those running 15.X.

However, if you are upgrading from a version earlier than 15.9, see Version 15.9.

 Changes

• Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜

  Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.

  The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.

  This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.

  Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.

  The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)

• Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜

  Do not check datallowconn, rolcanlogin, and ACL_CONNECT privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections, datconnlimit, and rolconnlimit limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.

• Fix possible re-use of stale results in window aggregates (David Rowley) 📜

  A window aggregate with a “run condition” optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.

• Keep TransactionXmin in sync with MyProc->xmin (Heikki Linnakangas) 📜

  This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction” errors.

• Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜

  This could result, for example, in failure to use a newly-created function within an existing session.

• Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜

• Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜

  The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.

• Prevent checkpoints from starting during relation truncation (Robert Haas) 📜

  This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.

• Use rename() not link()/unlink() to rename files (Nathan Bossart) 📜

  The previous coding was intended to assure that the operation could not accidentally overwrite an existing file. However a failure could leave two links to the same file in existence, confusing subsequent operations and creating a risk of data corruption. In practice we do not use this functionality in places where the target filename could already exist, so it seems better to give up the no-overwrite guarantee to remove the multiple-link hazard.

• Avoid possibly losing an update of pg_database.datfrozenxid when VACUUM runs concurrently with a REASSIGN OWNED that changes that database's owner (Kirill Reshke) 📜

• Fix incorrect tg_updatedcols values passed to AFTER UPDATE triggers (Tom Lane) 📜

  In some cases the tg_updatedcols bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.

  Also, prevent memory bloat caused by making too many copies of the tg_updatedcols bitmap.

• Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) 📜

  In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraint”.

• Fix mis-processing of to_timestamp's FFn format codes (Tom Lane) 📜

  An integer format code immediately preceding FFn would consume all available digits, leaving none for FFn.

• When deparsing an XMLTABLE() expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜

• Include the ldapscheme option in pg_hba_file_rules() output (Laurenz Albe) 📜 📜

• Don't merge UNION operations if their column collations aren't consistent (Tom Lane) 📜

  Previously we ignored collations when deciding if it's safe to merge UNION steps into a single N-way UNION operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.

• Fix missed expression processing for partition pruning steps (Tom Lane) 📜

  This oversight could lead to “unrecognized node type” errors, and perhaps other problems, in queries accessing partitioned tables.

• Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜

  This avoids errors like “invalid DSA memory alloc request size”. The case can occur for example in transactions that process several million tables.

• Avoid possible integer overflow in bringetbitmap() (James Hunter, Evgeniy Gorbanyov) 📜

  Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.

• Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜

  This would happen when the record's continuation is on a page that needs to be read from a different WAL source.

• Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜

  This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child process”.

• Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜

  In some cases a data type could be dropped while references to its OID still remain in pg_amop or pg_amproc. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY to prevent failure when dropping a family that has dangling members.

• Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜 📜

• Avoid low-probability crash on out-of-memory, due to missing check for failure return from malloc() (Karina Litskevich) 📜

• Avoid integer overflow while testing wal_skip_threshold condition (Tom Lane) 📜

  A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold. (This only matters when wal_level is set to minimal, else a WAL copy is required anyway.)

• Fix unsafe order of operations during cache lookups (Noah Misch) 📜

  The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock” warning during GRANT TABLESPACE.

• Fix possible “failed to resolve name” failures when using JIT on older ARM platforms (Thomas Munro) 📜

  This could occur as a consequence of inconsistency about the default setting of -moutline-atomics between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.

• Fix handling of Windows junction points that are not of PostgreSQL origin (Thomas Munro) 📜 📜

  Previously, initdb would fail if the path to the data directory included junction points whose expansion isn't in “drive absolute” format, or whose expansion points to another junction point.

• Fix assertion failure in WITH RECURSIVE ... UNION queries (David Rowley) 📜

• Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜

• Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜

• Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) 📜

• In NULLIF(), avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜

  The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF() result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.

• Ensure that expression preprocessing is applied to a default null value in INSERT (Tom Lane) 📜

  If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.

• Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜

  Repeated use of PLyPlan.execute or plpy.cursor resulted in memory leakage for the duration of the calling PL/Python function.

• Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜

• In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜

• In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN (Ryo Kanbayashi) 📜

  Previously, the intended warning was not issued due to a typo.

• Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜

  Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.

• Fix use of wrong version of pqsignal() in pgbench and psql (Fujii Masao, Tom Lane) 📜

  This error could lead to misbehavior when using the -T option in pgbench or the \watch command in psql, due to interrupted system calls not being resumed as expected.

• Fix misexecution of some nested \if constructs in pgbench (Michail Nikolaev) 📜

  An \if command appearing within a false (not-being-executed) \if branch was incorrectly treated the same as \elif.

• In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜

• Make pg_controldata more robust against corrupted pg_control files (Ilyasov Ian, Anton Voloshin) 📜

  Since pg_controldata will attempt to print the contents of pg_control even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.

• Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜

• Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜

• Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜

  On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.

• During configure, if a C23 compiler is detected, try asking for C17 (Thomas Munro) 📜

  PostgreSQL versions before v16 will not compile under C23 rules. If the chosen compiler defaults to C23 or later, try adding a -std=gnu17 switch to change that. (If this won't work for your compiler, manually specify CFLAGS with a suitable switch.)

• Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜

Postgres version 15.10

Release date: 2024-11-21

This release contains a few fixes from 15.9. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.10

A dump/restore is not required for those running 15.X.

However, if you are upgrading from a version earlier than 15.9, see Version 15.9.

 Changes

• Repair ABI break for extensions that work with struct ResultRelInfo (Tom Lane) 📜

  Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.

• Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch) 📜

  The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.

• Fix cases where a logical replication slot's restart_lsn could go backwards (Masahiko Sawada) 📜

  Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn value, in which case replication would fail to restart.

• Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) 📜

  Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.

• Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier) 📜

  These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once” errors.

• Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter (Masahiro Ikeda) 📜

• Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜

  Some forms of ALTER TABLE would fail if the table has an index with non-default operator class options.

• Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) 📜

  This bug does not appear to have any visible consequences in non-assert builds.

Postgres version 15.9

Release date: 2024-11-14

This release contains a variety of fixes from 15.8. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.9

A dump/restore is not required for those running 15.X.

However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.

Also, if you are upgrading from a version earlier than 15.7, see Version 15.7.

 Changes

• Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜

  If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.

  The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)

• Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜

  An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.

  The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)

• Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane) 📜 📜

  The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else.

  The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)

• Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜

  The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment.

  The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)

• Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera) 📜 📜

  If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too.

  The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.

  This query can be used to identify broken constraints and construct the commands needed to recreate them:

  SELECT conrelid::pg_catalog.regclass AS "constrained table",
         conname AS constraint,
         confrelid::pg_catalog.regclass AS "references",
         pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                           conrelid::pg_catalog.regclass, conname) AS "drop",
         pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                           conrelid::pg_catalog.regclass, conname,
                           pg_catalog.pg_get_constraintdef(oid)) AS "add"
  FROM pg_catalog.pg_constraint c
  WHERE contype = 'f' AND conparentid = 0 AND
     (SELECT count(*) FROM pg_catalog.pg_constraint c2
      WHERE c2.conparentid = c.oid) <>
     (SELECT count(*) FROM pg_catalog.pg_inherits i
      WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
        EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                WHERE partrelid = i.inhparent));
  

  Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.

• Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh) 📜 📜

• Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera) 📜 📜

  This arrangement is not supported, and other ways of creating it already fail.

• Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜

  Such plans could produce incorrect results.

• Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜

• Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) 📜

• Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane) 📜

• Fix detection of skewed data during parallel hash join (Thomas Munro) 📜

  After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.

• Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜

  Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.

• Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen) 📜

  A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.

• Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang) 📜

  A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.

• Fix ways in which an “in place” catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜

  Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.

• Reset catalog caches at end of recovery (Noah Misch) 📜

  This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.

• Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜

  This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.

• Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih) 📜

  This allows more of the work done in extended query protocol to be attributed to the correct query.

• Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) 📜

  Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.

• Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev) 📜

  Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.

• Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane) 📜 📜

  This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)

• Disallow a USING clause when altering the type of a generated column (Peter Eisentraut) 📜

  A generated column already has an expression specifying the column contents, so including USING doesn't make sense.

• Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane) 📜

  It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.

• Prevent mis-encoding of “trailing junk after numeric literal” error messages (Karina Litskevich) 📜

  We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.

• Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) 📜 📜

• Reduce memory consumption of logical decoding (Masahiko Sawada) 📜

  Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.

• Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) 📜

  A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.

• Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) 📜 📜

• Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane) 📜

  Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.

• Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane) 📜

  As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.

• Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane) 📜

• Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas) 📜

  Thread safety is not currently a concern in the server, but it is for libpq.

• Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki) 📜

  The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.

• Avoid use of pnstrdup() in ecpglib (Jacob Champion) 📜

  That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.

• In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜

  It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.

• Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane) 📜

  Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.

• Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) 📜

  This was the intention to begin with, but a coding error caused the source history to always print as empty.

• Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang) 📜 📜 📜 📜

  This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.

• Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜

  Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.

• Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa) 📜 📜

  This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.

• Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜

  When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.

• Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart) 📜

  On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.

• Fix building with Strawberry Perl on Windows (Andrew Dunstan) 📜

• Prevent “missing declaration for inet_pton” compiler warning or error when building with MinGW (Thomas Munro, Andrew Dunstan) 📜

• Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜

  This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58.

  Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.

Postgres version 15.8

Release date: 2024-08-08

This release contains a variety of fixes from 15.7. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.8

A dump/restore is not required for those running 15.X.

However, if you are upgrading from a version earlier than 15.7, see Version 15.7.

 Changes

• Prevent unauthorized code execution during pg_dump (Masahiko Sawada)

  An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.

  The PostgreSQL Project thanks Noah Misch for reporting this problem. CVE-2024-7348 or CVE-2024-7348)

• Prevent infinite loop in VACUUM (Melanie Plageman)

  After a disconnected standby server with an old running transaction reconnected to the primary, it was possible for VACUUM on the primary to get confused about which tuples are removable, resulting in an infinite loop.

• Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Álvaro Herrera)

• Fix ALTER TABLE DETACH PARTITION for cases involving inconsistent index-based constraints (Álvaro Herrera, Tender Wang)

  When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount value. This would cause trouble during any further manipulations of that constraint.

• Fix partition pruning setup during ALTER TABLE DETACH PARTITION CONCURRENTLY (Álvaro Herrera)

  The executor assumed that no partition could be detached between planning and execution of a query on a partitioned table. This is no longer true since the introduction of DETACH PARTITION's CONCURRENTLY option, making it possible for query execution to fail transiently when that is used.

• Correctly update a partitioned table's pg_class.reltuples field to zero after its last child partition is dropped (Noah Misch)

  The first ANALYZE on such a partitioned table must update relhassubclass as well, and that caused the reltuples update to be lost.

• Fix handling of polymorphic output arguments for procedures (Tom Lane)

  The SQL CALL statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelement”, or even outright crashes. (But CALL in PL/pgSQL worked correctly.)

• Fix behavior of stable functions called from a CALL statement's argument list (Tom Lane)

  If the CALL is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.

• Detect integer overflow in money calculations (Joseph Koshakow)

  None of the arithmetic functions for the money type checked for overflow before, so they would silently give wrong answers for overflowing cases.

• Fix over-aggressive clamping of the scale argument in round(numeric) and trunc(numeric) (Dean Rasheed)

  These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric.

• Fix result for pg_size_pretty() when applied to the smallest possible bigint value (Joseph Koshakow)

• Prevent pg_sequence_last_value() from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)

  Make it return NULL in these cases instead of throwing an error.

• Fix parsing of ignored operators in websearch_to_tsquery() (Tom Lane)

  Per the manual, punctuation in the input of websearch_to_tsquery() is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or could cause or to be treated as a data word, rather than as an OR operator as expected.

• Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)

  Reject applying array dimensions [-2147483648:2147483647] to an empty array. This is closely related toCVE-2023-5869 or CVE-2023-5869, but appears harmless since the array still ends up empty.

• Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)

  An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database catalog, so the effects are narrow, but misbehavior is possible.

• Correctly check updatability of view columns targeted by INSERT ... DEFAULT (Tom Lane)

  If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N not found in view targetlist”.

• Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)

  Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE query does not have a self-reference within the second arm of the UNION, but does have one self-reference in some other place such as ORDER BY.

• Lock owned sequences during ALTER TABLE SET LOGGED|UNLOGGED (Noah Misch)

  These commands change the persistence of a table's owned sequences along with the table, but they failed to acquire lock on the sequences while doing so. This could result in losing the effects of concurrent nextval() calls.

• Don't throw an error if a queued AFTER trigger no longer exists (Tom Lane)

  It's possible for a transaction to execute an operation that queues a deferred AFTER trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN”. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.

• Fix failure to remove pg_init_privs entries for column-level privileges when their table is dropped (Tom Lane)

  If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.

• Fix selection of an arbiter index for ON CONFLICT when the desired index has expressions or predicates (Tom Lane)

  If a query using ON CONFLICT accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specification”, even though a matching index does exist.

• Refuse to modify a temporary table of another session with ALTER TABLE (Tom Lane)

  Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.

• Fix handling of extended statistics on expressions in CREATE TABLE LIKE STATISTICS (Tom Lane)

  The CREATE command failed to adjust column references in statistics expressions to the possibly-different column numbering of the new table. This resulted in invalid statistics objects that would cause problems later. A typical scenario where renumbering columns is needed is when the source table contains some dropped columns.

• Fix failure to recalculate sub-queries generated from MIN() or MAX() aggregates (Tom Lane)

  In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT that is implemented with hash aggregation, but other cases may exist.

• Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)

  The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.

• Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)

  Notably, we now suppress “chunk is not well balanced” errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.

• Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)

  When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.

• Prevent incorrect initialization of logical replication slots (Masahiko Sawada)

  In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.

• Avoid “can only drop stats once” error during replication slot creation and drop (Floris Van Nee)

• Fix resource leakage in logical replication WAL sender (Hou Zhijie)

  The walsender process leaked memory when publishing changes to a partitioned table whose partitions have row types physically different from the partitioned table's.

• Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)

  The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.

• Prevent leakage of reference counts for the shared memory block used for statistics (Anthonin Bonnefoy)

  A new backend process attaching to the statistics shared memory incremented its reference count, but failed to decrement the count when exiting. After 2³² sessions had been created, the reference count would overflow to zero, causing failures in all subsequent backend process starts.

• Prevent deadlocks and assertion failures during truncation of the multixact SLRU log (Heikki Linnakangas)

  A process trying to delete SLRU segments could deadlock with the checkpointer process.

• Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)

  Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.

• Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)

  It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.

• Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)

  This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.

• When replanning a PL/pgSQL “simple expression”, check it's still simple (Tom Lane)

  Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node type”.

• Fix incompatibility between PL/Perl and Perl 5.40 (Andrew Dunstan)

• Fix recursive RECORD-returning PL/Python functions (Tom Lane)

  If we recurse to a new call of the same function that passes a different column definition list (AS clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.

• Don't corrupt PL/Python's TD dictionary during a recursive trigger call (Tom Lane)

  If a PL/Python-language trigger caused another one to be invoked, the TD dictionary created for the inner one would overwrite the outer one's TD dictionary.

• Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)

  Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.

• Avoid non-thread-safe usage of strerror() in libpq (Peter Eisentraut)

  Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.

• Avoid memory leak within pg_dump during a binary upgrade (Daniel Gustafsson)

• Ensure that pg_restore -l reports dependent TOC entries correctly (Tom Lane)

  If -l was specified together with selective-restore options such as -n or -N, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.

• Avoid “cursor can only scan forward” error in contrib/postgres_fdw (Etsuro Fujita)

  This error could occur if the remote server is v15 or later and a foreign table is mapped to a non-trivial remote view.

• In contrib/postgres_fdw, do not send FETCH FIRST WITH TIES clauses to the remote server (Japin Li)

  The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.

• Avoid clashing with system-provided <regex.h> headers (Thomas Munro)

  This fixes a compilation failure on macOS version 15 and up.

• Fix otherwise-harmless assertion failure in Memoize cost estimation (David Rowley)

• Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY applied to an SP-GiST index (Tom Lane)