Below is a complete, one-page listing of changes across all Postgres versions. All versions of PostgreSQL 12 and older are EOL (end of life) and unsupported.
This page was generated on February 20, 2025 by a script (version 1.39) by Greg Sabino Mullane, and contains information for 528 versions of Postgres.
Postgres 17 (end of life: Nov 8, 2029) 17.4 (2025-02-20) 17.3 (2025-02-13) 17.2 (2024-11-21) 17.1 (2024-11-14) 17.0 (2024-09-26) |
Postgres 16 (end of life: Nov 9, 2028) 16.8 (2025-02-20) 16.7 (2025-02-13) 16.6 (2024-11-21) 16.5 (2024-11-14) 16.4 (2024-08-08) 16.3 (2024-05-09) 16.2 (2024-02-08) 16.1 (2023-11-09) 16.0 (2023-09-14) |
Postgres 15 (end of life: Nov 11, 2027) 15.12 (2025-02-20) 15.11 (2025-02-13) 15.10 (2024-11-21) 15.9 (2024-11-14) 15.8 (2024-08-08) 15.7 (2024-05-09) 15.6 (2024-02-08) 15.5 (2023-11-09) 15.4 (2023-08-10) 15.3 (2023-05-11) 15.2 (2023-02-09) 15.1 (2022-11-10) 15.0 (2022-10-13) |
Postgres 14 (end of life: Nov 12, 2026) 14.17 (2025-02-20) 14.16 (2025-02-13) 14.15 (2024-11-21) 14.14 (2024-11-14) 14.13 (2024-08-08) 14.12 (2024-05-09) 14.11 (2024-02-08) 14.10 (2023-11-09) 14.9 (2023-08-10) 14.8 (2023-05-11) 14.7 (2023-02-09) 14.6 (2022-11-10) 14.5 (2022-08-11) 14.4 (2022-06-16) 14.3 (2022-05-12) 14.2 (2022-02-10) 14.1 (2021-11-11) 14.0 (2021-09-30) |
Postgres 13 (end of life: Nov 13, 2025) 13.20 (2025-02-20) 13.19 (2025-02-13) 13.18 (2024-11-21) 13.17 (2024-11-14) 13.16 (2024-08-08) 13.15 (2024-05-09) 13.14 (2024-02-08) 13.13 (2023-11-09) 13.12 (2023-08-10) 13.11 (2023-05-11) 13.10 (2023-02-09) 13.9 (2022-11-10) 13.8 (2022-08-11) 13.7 (2022-05-12) 13.6 (2022-02-10) 13.5 (2021-11-11) 13.4 (2021-08-12) 13.3 (2021-05-13) 13.2 (2021-02-11) 13.1 (2020-11-12) 13.0 (2020-09-24) |
Postgres 12 (end of life: Nov 14, 2024) 12.22 (2024-11-21) 12.21 (2024-11-14) 12.20 (2024-08-08) 12.19 (2024-05-09) 12.18 (2024-02-08) 12.17 (2023-11-09) 12.16 (2023-08-10) 12.15 (2023-05-11) 12.14 (2023-02-09) 12.13 (2022-11-10) 12.12 (2022-08-11) 12.11 (2022-05-12) 12.10 (2022-02-10) 12.9 (2021-11-11) 12.8 (2021-08-12) 12.7 (2021-05-13) 12.6 (2021-02-11) 12.5 (2020-11-12) 12.4 (2020-08-13) 12.3 (2020-05-14) 12.2 (2020-02-13) 12.1 (2019-11-14) 12.0 (2019-10-03) |
Postgres 11 (end of life: Nov 9, 2023) 11.22 (2023-11-09) 11.21 (2023-08-10) 11.20 (2023-05-11) 11.19 (2023-02-09) 11.18 (2022-11-10) 11.17 (2022-08-11) 11.16 (2022-05-12) 11.15 (2022-02-10) 11.14 (2021-11-11) 11.13 (2021-08-12) 11.12 (2021-05-13) 11.11 (2021-02-11) 11.10 (2020-11-12) 11.9 (2020-08-13) 11.8 (2020-05-14) 11.7 (2020-02-13) 11.6 (2019-11-14) 11.5 (2019-08-08) 11.4 (2019-06-20) 11.3 (2019-05-09) 11.2 (2019-02-14) 11.1 (2018-11-08) 11.0 (2018-10-18) |
Postgres 10 (end of life: Nov 10, 2022) 10.23 (2022-11-10) 10.22 (2022-08-11) 10.21 (2022-05-12) 10.20 (2022-02-10) 10.19 (2021-11-11) 10.18 (2021-08-12) 10.17 (2021-05-13) 10.16 (2021-02-11) 10.15 (2020-11-12) 10.14 (2020-08-13) 10.13 (2020-05-14) 10.12 (2020-02-13) 10.11 (2019-11-14) 10.10 (2019-08-08) 10.9 (2019-06-20) 10.8 (2019-05-09) 10.7 (2019-02-14) 10.6 (2018-11-08) 10.5 (2018-08-09) 10.4 (2018-05-10) 10.3 (2018-03-01) 10.2 (2018-02-08) 10.1 (2017-11-09) 10.0 (2017-10-05) |
Postgres 9.6 (end of life: Nov 11, 2021) 9.6.24 (2021-11-11) 9.6.23 (2021-08-12) 9.6.22 (2021-05-13) 9.6.21 (2021-02-11) 9.6.20 (2020-11-12) 9.6.19 (2020-08-13) 9.6.18 (2020-05-14) 9.6.17 (2020-02-13) 9.6.16 (2019-11-14) 9.6.15 (2019-08-08) 9.6.14 (2019-06-20) 9.6.13 (2019-05-09) 9.6.12 (2019-02-14) 9.6.11 (2018-11-08) 9.6.10 (2018-08-09) 9.6.9 (2018-05-10) 9.6.8 (2018-03-01) 9.6.7 (2018-02-08) 9.6.6 (2017-11-09) 9.6.5 (2017-08-31) 9.6.4 (2017-08-10) 9.6.3 (2017-05-11) 9.6.2 (2017-02-09) 9.6.1 (2016-10-27) 9.6.0 (2016-09-29) |
Postgres 9.5 (end of life: Feb 11, 2021) 9.5.25 (2021-02-11) 9.5.24 (2020-11-12) 9.5.23 (2020-08-13) 9.5.22 (2020-05-14) 9.5.21 (2020-02-13) 9.5.20 (2019-11-14) 9.5.19 (2019-08-08) 9.5.18 (2019-06-20) 9.5.17 (2019-05-09) 9.5.16 (2019-02-14) 9.5.15 (2018-11-08) 9.5.14 (2018-08-09) 9.5.13 (2018-05-10) 9.5.12 (2018-03-01) 9.5.11 (2018-02-08) 9.5.10 (2017-11-09) 9.5.9 (2017-08-31) 9.5.8 (2017-08-10) 9.5.7 (2017-05-11) 9.5.6 (2017-02-09) 9.5.5 (2016-10-27) 9.5.4 (2016-08-11) 9.5.3 (2016-05-12) 9.5.2 (2016-03-31) 9.5.1 (2016-02-11) 9.5.0 (2016-01-07) |
Postgres 9.4 (end of life: Feb 13, 2020) 9.4.26 (2020-02-13) 9.4.25 (2019-11-14) 9.4.24 (2019-08-08) 9.4.23 (2019-06-20) 9.4.22 (2019-05-09) 9.4.21 (2019-02-14) 9.4.20 (2018-11-08) 9.4.19 (2018-08-09) 9.4.18 (2018-05-10) 9.4.17 (2018-03-01) 9.4.16 (2018-02-08) 9.4.15 (2017-11-09) 9.4.14 (2017-08-31) 9.4.13 (2017-08-10) 9.4.12 (2017-05-11) 9.4.11 (2017-02-09) 9.4.10 (2016-10-27) 9.4.9 (2016-08-11) 9.4.8 (2016-05-12) 9.4.7 (2016-03-31) 9.4.6 (2016-02-11) 9.4.5 (2015-10-08) 9.4.4 (2015-06-12) 9.4.3 (2015-06-04) 9.4.2 (2015-05-22) 9.4.1 (2015-02-05) 9.4.0 (2014-12-18) |
Postgres 9.3 (end of life: Nov 8, 2018) 9.3.25 (2018-11-08) 9.3.24 (2018-08-09) 9.3.23 (2018-05-10) 9.3.22 (2018-03-01) 9.3.21 (2018-02-08) 9.3.20 (2017-11-09) 9.3.19 (2017-08-31) 9.3.18 (2017-08-10) 9.3.17 (2017-05-11) 9.3.16 (2017-02-09) 9.3.15 (2016-10-27) 9.3.14 (2016-08-11) 9.3.13 (2016-05-12) 9.3.12 (2016-03-31) 9.3.11 (2016-02-11) 9.3.10 (2015-10-08) 9.3.9 (2015-06-12) 9.3.8 (2015-06-04) 9.3.7 (2015-05-22) 9.3.6 (2015-02-05) 9.3.5 (2014-07-24) 9.3.4 (2014-03-20) 9.3.3 (2014-02-20) 9.3.2 (2013-12-05) 9.3.1 (2013-10-10) 9.3.0 (2013-09-09) |
Postgres 9.2 (end of life: Nov 9, 2017) 9.2.24 (2017-11-09) 9.2.23 (2017-08-31) 9.2.22 (2017-08-10) 9.2.21 (2017-05-11) 9.2.20 (2017-02-09) 9.2.19 (2016-10-27) 9.2.18 (2016-08-11) 9.2.17 (2016-05-12) 9.2.16 (2016-03-31) 9.2.15 (2016-02-11) 9.2.14 (2015-10-08) 9.2.13 (2015-06-12) 9.2.12 (2015-06-04) 9.2.11 (2015-05-22) 9.2.10 (2015-02-05) 9.2.9 (2014-07-24) 9.2.8 (2014-03-20) 9.2.7 (2014-02-20) 9.2.6 (2013-12-05) 9.2.5 (2013-10-10) 9.2.4 (2013-04-04) 9.2.3 (2013-02-07) 9.2.2 (2012-12-06) 9.2.1 (2012-09-24) 9.2.0 (2012-09-10) |
Postgres 9.1 (end of life: Oct 27, 2016) 9.1.24 (2016-10-27) 9.1.23 (2016-08-11) 9.1.22 (2016-05-12) 9.1.21 (2016-03-31) 9.1.20 (2016-02-11) 9.1.19 (2015-10-08) 9.1.18 (2015-06-12) 9.1.17 (2015-06-04) 9.1.16 (2015-05-22) 9.1.15 (2015-02-05) 9.1.14 (2014-07-24) 9.1.13 (2014-03-20) 9.1.12 (2014-02-20) 9.1.11 (2013-12-05) 9.1.10 (2013-10-10) 9.1.9 (2013-04-04) 9.1.8 (2013-02-07) 9.1.7 (2012-12-06) 9.1.6 (2012-09-24) 9.1.5 (2012-08-17) 9.1.4 (2012-06-04) 9.1.3 (2012-02-27) 9.1.2 (2011-12-05) 9.1.1 (2011-09-26) 9.1.0 (2011-09-12) |
Postgres 9.0 (end of life: Oct 8, 2015) 9.0.23 (2015-10-08) 9.0.22 (2015-06-12) 9.0.21 (2015-06-04) 9.0.20 (2015-05-22) 9.0.19 (2015-02-05) 9.0.18 (2014-07-24) 9.0.17 (2014-03-20) 9.0.16 (2014-02-20) 9.0.15 (2013-12-05) 9.0.14 (2013-10-10) 9.0.13 (2013-04-04) 9.0.12 (2013-02-07) 9.0.11 (2012-12-06) 9.0.10 (2012-09-24) 9.0.9 (2012-08-17) 9.0.8 (2012-06-04) 9.0.7 (2012-02-27) 9.0.6 (2011-12-05) 9.0.5 (2011-09-26) 9.0.4 (2011-04-18) 9.0.3 (2011-01-31) 9.0.2 (2010-12-16) 9.0.1 (2010-10-04) 9.0.0 (2010-09-20) |
Postgres 8.4 (end of life: Jul 24, 2014) 8.4.22 (2014-07-24) 8.4.21 (2014-03-20) 8.4.20 (2014-02-20) 8.4.19 (2013-12-05) 8.4.18 (2013-10-10) 8.4.17 (2013-04-04) 8.4.16 (2013-02-07) 8.4.15 (2012-12-06) 8.4.14 (2012-09-24) 8.4.13 (2012-08-17) 8.4.12 (2012-06-04) 8.4.11 (2012-02-27) 8.4.10 (2011-12-05) 8.4.9 (2011-09-26) 8.4.8 (2011-04-18) 8.4.7 (2011-01-31) 8.4.6 (2010-12-16) 8.4.5 (2010-10-04) 8.4.4 (2010-05-17) 8.4.3 (2010-03-15) 8.4.2 (2009-12-14) 8.4.1 (2009-09-09) 8.4.0 (2009-07-01) |
Postgres 8.3 (end of life: Feb 7, 2013) 8.3.23 (2013-02-07) 8.3.22 (2012-12-06) 8.3.21 (2012-09-24) 8.3.20 (2012-08-17) 8.3.19 (2012-06-04) 8.3.18 (2012-02-27) 8.3.17 (2011-12-05) 8.3.16 (2011-09-26) 8.3.15 (2011-04-18) 8.3.14 (2011-01-31) 8.3.13 (2010-12-16) 8.3.12 (2010-10-04) 8.3.11 (2010-05-17) 8.3.10 (2010-03-15) 8.3.9 (2009-12-14) 8.3.8 (2009-09-09) 8.3.7 (2009-03-16) 8.3.6 (2009-02-02) 8.3.5 (2008-11-03) 8.3.4 (2008-09-22) 8.3.3 (2008-06-12) 8.3.2 (never released!) 8.3.1 (2008-03-17) 8.3.0 (2008-02-04) |
Postgres 8.2 (end of life: Dec 5, 2011) 8.2.23 (2011-12-05) 8.2.22 (2011-09-26) 8.2.21 (2011-04-18) 8.2.20 (2011-01-31) 8.2.19 (2010-12-16) 8.2.18 (2010-10-04) 8.2.17 (2010-05-17) 8.2.16 (2010-03-15) 8.2.15 (2009-12-14) 8.2.14 (2009-09-09) 8.2.13 (2009-03-16) 8.2.12 (2009-02-02) 8.2.11 (2008-11-03) 8.2.10 (2008-09-22) 8.2.9 (2008-06-12) 8.2.8 (never released!) 8.2.7 (2008-03-17) 8.2.6 (2008-01-07) 8.2.5 (2007-09-17) 8.2.4 (2007-04-23) 8.2.3 (2007-02-07) 8.2.2 (2007-02-05) 8.2.1 (2007-01-08) 8.2.0 (2006-12-05) |
Postgres 8.1 (end of life: Nov 8, 2010) 8.1.23 (2010-12-16) 8.1.22 (2010-10-04) 8.1.21 (2010-05-17) 8.1.20 (2010-03-15) 8.1.19 (2009-12-14) 8.1.18 (2009-09-09) 8.1.17 (2009-03-16) 8.1.16 (2009-02-02) 8.1.15 (2008-11-03) 8.1.14 (2008-09-22) 8.1.13 (2008-06-12) 8.1.12 (never released!) 8.1.11 (2008-01-07) 8.1.10 (2007-09-17) 8.1.9 (2007-04-23) 8.1.8 (2007-02-07) 8.1.7 (2007-02-05) 8.1.6 (2007-01-08) 8.1.5 (2006-10-16) 8.1.4 (2006-05-23) 8.1.3 (2006-02-14) 8.1.2 (2006-01-09) 8.1.1 (2005-12-12) 8.1.0 (2005-11-08) |
Postgres 8.0 (end of life: Oct 1, 2010) 8.0.26 (2010-10-04) 8.0.25 (2010-05-17) 8.0.24 (2010-03-15) 8.0.23 (2009-12-14) 8.0.22 (2009-09-09) 8.0.21 (2009-03-16) 8.0.20 (2009-02-02) 8.0.19 (2008-11-03) 8.0.18 (2008-09-22) 8.0.17 (2008-06-12) 8.0.16 (never released!) 8.0.15 (2008-01-07) 8.0.14 (2007-09-17) 8.0.13 (2007-04-23) 8.0.12 (2007-02-07) 8.0.11 (2007-02-05) 8.0.10 (2007-01-08) 8.0.9 (2006-10-16) 8.0.8 (2006-05-23) 8.0.7 (2006-02-14) 8.0.6 (2006-01-09) 8.0.5 (2005-12-12) 8.0.4 (2005-10-04) 8.0.3 (2005-05-09) 8.0.2 (2005-04-07) 8.0.1 (2005-01-31) 8.0.0 (2005-01-19) |
Postgres 7.4 (end of life: Oct 1, 2010) 7.4.30 (2010-10-04) 7.4.29 (2010-05-17) 7.4.28 (2010-03-15) 7.4.27 (2009-12-14) 7.4.26 (2009-09-09) 7.4.25 (2009-03-16) 7.4.24 (2009-02-02) 7.4.23 (2008-11-03) 7.4.22 (2008-09-22) 7.4.21 (2008-06-12) 7.4.20 (never released!) 7.4.19 (2008-01-07) 7.4.18 (2007-09-17) 7.4.17 (2007-04-23) 7.4.16 (2007-02-05) 7.4.15 (2007-01-08) 7.4.14 (2006-10-16) 7.4.13 (2006-05-23) 7.4.12 (2006-02-14) 7.4.11 (2006-01-09) 7.4.10 (2005-12-12) 7.4.9 (2005-10-04) 7.4.8 (2005-05-09) 7.4.7 (2005-01-31) 7.4.6 (2004-10-22) 7.4.5 (2004-08-18) 7.4.4 (2004-08-16) 7.4.3 (2004-06-14) 7.4.2 (2004-03-08) 7.4.1 (2003-12-22) 7.4.0 (2003-11-17) |
Postgres 7.3 (end of life: Nov 27, 2007) 7.3.21 (2008-01-07) 7.3.20 (2007-09-17) 7.3.19 (2007-04-23) 7.3.18 (2007-02-05) 7.3.17 (2007-01-08) 7.3.16 (2006-10-16) 7.3.15 (2006-05-23) 7.3.14 (2006-02-14) 7.3.13 (2006-01-09) 7.3.12 (2005-12-12) 7.3.11 (2005-10-04) 7.3.10 (2005-05-09) 7.3.9 (2005-01-31) 7.3.8 (2004-10-22) 7.3.7 (2004-08-16) 7.3.6 (2004-03-02) 7.3.5 (2003-12-03) 7.3.4 (2003-07-24) 7.3.3 (2003-05-22) 7.3.2 (2003-02-04) 7.3.1 (2002-12-18) 7.3.0 (2002-11-27) |
Postgres 7.2 (end of life: Feb 4, 2007) 7.2.8 (2005-05-09) 7.2.7 (2005-01-31) 7.2.6 (2004-10-22) 7.2.5 (2004-08-16) 7.2.4 (2003-01-30) 7.2.3 (2002-10-01) 7.2.2 (2002-08-23) 7.2.1 (2002-03-21) 7.2.0 (2002-02-04) Postgres 7.1 (end of life: Apr 13, 2006) 7.1.3 (2001-08-15) 7.1.2 (2001-05-11) 7.1.1 (2001-05-05) 7.1.0 (2001-04-13) Postgres 7.0 (end of life: May 8, 2005) 7.0.3 (2000-11-11) 7.0.2 (2000-06-05) 7.0.1 (2000-06-01) 7.0.0 (2000-05-08) |
Postgres 6.5 (end of life: Jun 9, 2004) 6.5.3 (1999-10-13) 6.5.2 (1999-09-15) 6.5.1 (1999-07-15) 6.5.0 (1999-06-09) Postgres 6.4 (end of life: Oct 30, 2003) 6.4.2 (1998-12-20) 6.4.1 (1998-12-18) 6.4.0 (1998-10-30) Postgres 6.3 (end of life: Mar 1, 2003) 6.3.2 (1998-04-07) 6.3.1 (1998-03-23) 6.3.0 (1998-03-01) Postgres 6.2 (end of life) 6.2.1 (1997-10-17) 6.2.0 (1997-10-02) Postgres 6.1 (end of life) 6.1.1 (1997-07-22) 6.1.0 (1997-06-08) Postgres 6.0 and earlier... (end of life) 6.0.0 (1997-01-29) 1.09 (1996-11-04) 1.02 (1996-08-01) 1.01 (1996-02-23) 1.0 (1995-09-05) 0.03 (1995-07-21) 0.02 (1995-05-25) 0.01 (1995-05-01) |
Release date: 2025-02-20
This release contains a few fixes from 17.3. For information about new features in major release 17, see Version 17.0.
A dump/restore is not required for those running 17.X.
However, if you are upgrading from a version earlier than 17.1, see Version 17.1.
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜
The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral()
and PQescapeIdentifier()
failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.
In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Fix small memory leak in pg_createsubscriber (Ranier Vilela) 📜
Fix meson build system to correctly detect availability of the bsd_auth.h
system header (Nazir Bilal Yavuz) 📜
Release date: 2025-02-13
This release contains a variety of fixes from 17.2. For information about new features in major release 17, see Version 17.0.
A dump/restore is not required for those running 17.X.
However, if you are upgrading from a version earlier than 17.1, see Version 17.1.
Harden PQescapeString
and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)
Restore auto-truncation of database and user names appearing in connection requests (Nathan Bossart) 📜
This reverts a v17 change that proved to cause trouble for some users. Over-length names should be truncated in an encoding-aware fashion, but for now just return to the former behavior of blind truncation at NAMEDATALEN-1
bytes.
Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜
Do not check datallowconn
, rolcanlogin
, and ACL_CONNECT
privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections
, datconnlimit
, and rolconnlimit
limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.
Drop “Lock†suffix from LWLock wait event names (Bertrand Drouvot) 📜
Refactoring unintentionally caused the pg_stat_activity
view to show lock-related wait event names with a “Lock†suffix, which among other things broke joining it to pg_wait_events
.
Fix possible failure to return all matching tuples for a btree index scan with a ScalarArrayOp (= ANY
) condition (Peter Geoghegan) 📜
Fix possible re-use of stale results in window aggregates (David Rowley) 📜
A window aggregate with a “run condition†optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.
Keep TransactionXmin
in sync with MyProc->xmin
(Heikki Linnakangas) 📜
This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction†errors.
Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜
This could result, for example, in failure to use a newly-created function within an existing session.
Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜 📜
Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜
The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.
Prevent checkpoints from starting during relation truncation (Robert Haas) 📜
This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.
Avoid possibly losing an update of pg_database
.datfrozenxid
when VACUUM
runs concurrently with a REASSIGN OWNED
that changes that database's owner (Kirill Reshke) 📜
Fix incorrect tg_updatedcols
values passed to AFTER UPDATE
triggers (Tom Lane) 📜
In some cases the tg_updatedcols
bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.
Also, prevent memory bloat caused by making too many copies of the tg_updatedcols
bitmap.
Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) 📜
In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint
entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraintâ€.
Fix pg_get_constraintdef
's support for NOT NULL
constraints on domains (Ãlvaro Herrera) 📜
Fix mis-processing of to_timestamp
's FF
format codes (Tom Lane) 📜n
An integer format code immediately preceding FF
would consume all available digits, leaving none for n
FF
.n
When deparsing a PASSING
clause in a SQL/JSON query function, ensure that variable names are double-quoted when necessary (Dean Rasheed) 📜
When deparsing an XMLTABLE()
expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜
Include the ldapscheme
option in pg_hba_file_rules()
output (Laurenz Albe) 📜 📜
Fix planning of pre-sorted UNION
operations for cases where the input column datatypes don't all match (David Rowley) 📜
This error could lead to sorting data with the wrong sort operator, with consequences ranging from no visible problem to core dumps.
Don't merge UNION
operations if their column collations aren't consistent (Tom Lane) 📜
Previously we ignored collations when deciding if it's safe to merge UNION
steps into a single N-way UNION
operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.
Prevent “wrong varnullingrels†planner errors after pulling up a subquery that's underneath an outer join (Tom Lane) 📜 📜
Ignore nulling-relation marker bits when looking up statistics (Richard Guo) 📜
This oversight could lead to failure to use relevant statistics about expressions, or to “corrupt MVNDistinct entry†errors.
Fix missed expression processing for partition pruning steps (Tom Lane) 📜
This oversight could lead to “unrecognized node type†errors, and perhaps other problems, in queries accessing partitioned tables.
Give the slotsync worker process its own process slot (Tom Lane, Hou Zhijie) 📜
This was overlooked in the addition of the slotsync worker, with the result that its process slot effectively came out of the pool meant for regular backend processes. This could result in failure to launch the worker, or to subsequent failures of connection requests that should have succeeded according to the configured settings, if the number of regular backend processes approached max_connections
.
Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜
This avoids errors like “invalid DSA memory alloc request sizeâ€. The case can occur for example in transactions that process several million tables.
Avoid possible integer overflow in bringetbitmap()
(James Hunter, Evgeniy Gorbanyov) 📜
Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.
Correct miscalculation of SLRU bank numbers (Yura Sokolov) 📜
This error led to using a smaller number of banks than intended, causing more contention but no functional misbehavior.
Ensure that an already-set process latch doesn't prevent the postmaster from noticing socket events (Thomas Munro) 📜
An extremely heavy workload of backends launching workers and workers exiting could prevent the postmaster from responding to incoming client connections in a timely fashion.
Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜
This would happen when the record's continuation is on a page that needs to be read from a different WAL source.
Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜
This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child processâ€.
Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜
In some cases a data type could be dropped while references to its OID still remain in pg_amop
or pg_amproc
. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY
to prevent failure when dropping a family that has dangling members.
Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜 📜
Fix small memory leak when updating the application_name
or cluster_name
settings (Tofig Aliev) 📜
Avoid crash when a background process tries to check a new value of synchronized_standby_slots
(Ãlvaro Herrera) 📜
Avoid integer overflow while testing wal_skip_threshold
condition (Tom Lane) 📜
A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold
. (This only matters when wal_level
is set to minimal
, else a WAL copy is required anyway.)
Fix unsafe order of operations during cache lookups (Noah Misch) 📜
The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock†warning during GRANT TABLESPACE
.
Avoid potential use-after-free in parallel vacuum (Vallimaharajan G, John Naylor) 📜
This bug seems to have no consequences in standard builds, but it's theoretically a hazard.
Fix possible “failed to resolve name†failures when using JIT on older ARM platforms (Thomas Munro) 📜
This could occur as a consequence of inconsistency about the default setting of -moutline-atomics
between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.
Fix assertion failure in WITH RECURSIVE ... UNION
queries (David Rowley) 📜
Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜
Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜
Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) 📜
Avoid valgrind complaints about string hashing code (John Naylor) 📜
In NULLIF()
, avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜
The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF()
result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.
Ensure that expression preprocessing is applied to a default null value in INSERT
(Tom Lane) 📜
If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.
Avoid data loss when starting a bulk write on a relation fork that already contains data (Matthias van de Meent) 📜
Any pre-existing data was overwritten with zeroes. This is not an issue for core PostgreSQL, which never does that. Some extensions would like to, however.
Avoid crash if a server process tried to iterate over a shared radix tree that it didn't create (Masahiko Sawada) 📜
There is no code in core PostgreSQL that does this, but an extension might wish to.
Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜
Repeated use of PLyPlan.execute
or plpy.cursor
resulted in memory leakage for the duration of the calling PL/Python function.
Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜
In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜
In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN
(Ryo Kanbayashi) 📜
Previously, the intended warning was not issued due to a typo.
Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜
Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\
). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.
Add psql tab completion for COPY (MERGE INTO)
(Jian He) 📜
Fix use of wrong version of pqsignal()
in pgbench and psql (Fujii Masao, Tom Lane) 📜
This error could lead to misbehavior when using the -T
option in pgbench or the \watch
command in psql, due to interrupted system calls not being resumed as expected.
Fix misexecution of some nested \if
constructs in pgbench (Michail Nikolaev) 📜
An \if
command appearing within a false (not-being-executed) \if
branch was incorrectly treated the same as \elif
.
In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜
Make pg_controldata more robust against corrupted pg_control
files (Ilyasov Ian, Anton Voloshin) 📜
Since pg_controldata will attempt to print the contents of pg_control
even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.
Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜
Fix memory leak in pg_restore with zstd-compressed data (Tom Lane) 📜
The leak was per-decompression-operation, so would be most noticeable with a dump containing many tables or large objects.
Fix pg_basebackup to correctly handle pg_wal.tar
files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜
Use SQL-standard function bodies in the declarations of contrib/earthdistance
's SQL-language functions (Tom Lane, Ronan Dunklau) 📜
This change allows their references to contrib/cube
to be resolved during extension creation, reducing the risk of search-path-based failures and possible attacks.
In particular, this restores their usability in contexts like generated columns, for which PostgreSQL v17 restricts the search path on security grounds. We have received reports of databases failing to be upgraded to v17 because of that. This patch has been included in v16 to provide a workaround: updating the earthdistance
extension to this version beforehand should allow an upgrade to succeed.
Detect version mismatch between contrib/pageinspect
's SQL declarations and the underlying shared library (Tomas Vondra) 📜
Previously, such a mismatch could result in a crash while calling brin_page_items()
. Instead throw an error recommending updating the extension.
When trying to cancel a remote query in contrib/postgres_fdw
, re-issue the cancel request a few times if it didn't seem to do anything (Tom Lane) 📜
This fixes a race condition where we might try to cancel a just-sent query before the remote server has started to process it, so that the initial cancel request is ignored.
Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜
On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march
switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.
Fix meson build system to support old OpenSSL libraries on Windows (Darek Slusarczyk) 📜
Add support for the legacy library names ssleay32
and libeay32
.
In Windows builds using meson, ensure all libcommon and libpgport functions are exported (Vladlen Popolitov, Heikki Linnakangas) 📜 📜
This fixes “unresolved external symbol†build errors for extensions.
Fix meson configuration process to correctly detect OSSP's uuid.h
header file under MSVC (Andrew Dunstan) 📜
When building with meson, install pgevent
in pkglibdir
not bindir
(Peter Eisentraut) 📜
This matches the behavior of the make-based build system and the old MSVC build system.
When building with meson, install sepgsql.sql
under share/contrib/
not share/extension/
(Peter Eisentraut) 📜
This matches what the make-based build system does.
Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜
Release date: 2024-11-21
This release contains a few fixes from 17.1. For information about new features in major release 17, see Version 17.0.
A dump/restore is not required for those running 17.X.
However, if you are upgrading from a version earlier than 17.1, see Version 17.1.
Repair ABI break for extensions that work with struct ResultRelInfo
(Tom Lane) 📜
Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
Restore functionality of ALTER {ROLE|DATABASE} SET role
(Tom Lane, Noah Misch) 📜
The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role
to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE}
commands and the PGOPTIONS
environment variable.
Fix cases where a logical replication slot's restart_lsn
could go backwards (Masahiko Sawada) 📜
Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots
. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn
value, in which case replication would fail to restart.
Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) 📜
Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready
files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.
Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier) 📜
These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once†errors.
Count index scans in contrib/bloom
indexes in the statistics views, such as the pg_stat_user_indexes
.idx_scan
counter (Masahiro Ikeda) 📜
Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜
Some forms of ALTER TABLE
would fail if the table has an index with non-default operator class options.
Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) 📜
This bug does not appear to have any visible consequences in non-assert builds.
Release date: 2024-11-14
This release contains a variety of fixes from 17.0. For information about new features in major release 17, see Version 17.0.
A dump/restore is not required for those running 17.X.
However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.
Also, in the uncommon case that a database's LC_CTYPE
setting is C
while its LC_COLLATE
setting is some other locale, indexes on textual columns should be reindexed, as described in the sixth changelog entry below.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION
and SET ROLE
(Tom Lane) 📜 📜
The SQL standard mandates that SET SESSION AUTHORIZATION
have a side-effect of doing SET ROLE NONE
. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION
would revert ROLE
to NONE
even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization
in a function SET
clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role')
, it saw none
even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜
The ability to manipulate process environment variables such as PATH
gives an attacker opportunities to execute arbitrary code. Therefore, “trusted†PLs must not offer the ability to do that. To fix plperl
, replace %ENV
with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu
retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)
Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Ãlvaro Herrera) 📜 📜
If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION
commands failed to perform this conversion correctly. In particular, after DETACH
the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH
could fail with surprising errors, too.
The way to fix this is to do ALTER TABLE DROP CONSTRAINT
on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent));
Since it is possible that one or more of the ADD CONSTRAINT
steps will fail, you should save the query's output in a file and then attempt to perform each step.
Fix test for C
locale when LC_COLLATE
is different from LC_CTYPE
(Jeff Davis) 📜
When using libc
as the default collation provider, the test to see if C
locale is in use for collation accidentally checked LC_CTYPE
not LC_COLLATE
. This has no impact in the typical case where those settings are the same, nor if both are not C
(nor its alias POSIX
). However, if LC_CTYPE
is C
while LC_COLLATE
is some other locale, wrong query answers could ensue, and corruption of indexes on strings was possible. Users of databases with such settings should reindex affected indexes after installing this update. The converse case with LC_COLLATE
being C
while LC_CTYPE
is some other locale would cause performance degradation, but no actual errors.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜
Such plans could produce incorrect results.
Avoid planner failure after converting an IS NULL
test on a NOT NULL
column to constant FALSE
(Richard Guo) 📜
This bug typically led to errors such as “variable not found in subplan target listsâ€.
Avoid possible planner crash while inlining a SQL function whose arguments contain certain array-related constructs (Tom Lane, Nathan Bossart) 📜
Fix possible wrong answers or “wrong varnullingrels†planner errors for MERGE ... WHEN NOT MATCHED BY SOURCE
actions (Dean Rasheed) 📜 📜
Fix possible “could not find pathkey item to sort†error when the output of a UNION ALL
member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜
Fix edge case in B-tree ScalarArrayOp index scans (Peter Geoghegan) 📜
When a scrollable cursor with a plan of this kind was backed up to its starting point and then run forward again, wrong answers were possible.
Fix assertion failure or confusing error message for COPY (
, when the query
) TO ...query
is rewritten by a DO INSTEAD NOTIFY
rule (Tender Wang, Tom Lane) 📜
Fix validation of COPY
's FORCE_NOT_NULL
and FORCE_NULL
options (Joel Jacobson) 📜
Some incorrect usages are now rejected as they should be.
Fix server crash when a json_objectagg()
call contains a volatile function (Amit Langote) 📜
Fix detection of skewed data during parallel hash join (Thomas Munro) 📜
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Avoid crash when ALTER DATABASE SET
is used to set a server parameter that requires search-path-based lookup, such as default_text_search_config
(Jeff Davis) 📜
Avoid repeated lookups of opclasses and collations while creating a new index on a partitioned table (Tom Lane) 📜
This was problematic mainly because some of the lookups would be done with a restricted search_path
, leading to unexpected failures if the CREATE INDEX
command referenced objects outside pg_catalog
.
This fix also prevents comments on the parent partitioned index from being copied to child indexes.
Add missing dependency from a partitioned table to a non-built-in access method specified in CREATE TABLE ... USING
(Michael Paquier) 📜
Dropping the access method should be blocked when a table exists that depends on it, but it was not, allowing subsequent odd behavior. Note that this fix only prevents problems for partitioned tables created after this update.
Disallow locale names containing non-ASCII characters (Thomas Munro) 📜
This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that.
Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR
.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction†error.
Fix race condition in COMMIT PREPARED
that resulted in orphaned 2PC files (wuchengwen) 📜
A concurrent PREPARE TRANSACTION
could cause COMMIT PREPARED
to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transactionâ€, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL
(Tender Wang) 📜
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place†catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class
.relhasindex
to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch) 📜
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Ignore not-yet-defined Portals in the pg_cursors
view (Tom Lane) 📜
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Avoid “unexpected table_index_fetch_tuple call during logical decoding†error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) 📜 📜
Reduce memory consumption of logical decoding (Masahiko Sawada) 📜
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Fix behavior of stable functions called from a CALL
statement's argument list, when the CALL
is within a PL/pgSQL EXCEPTION
block (Tom Lane) 📜
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Parse libpq's keepalives
connection option in the same way as other integer-valued options (Yuto Sasaki) 📜
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Fix psql's describe commands to again work with pre-9.4 servers (Tom Lane) 📜
Commands involving display of an ACL (permissions) column failed with very old PostgreSQL servers, due to use of a function not present in those versions.
Avoid hanging if an interval less than 1ms is specified in psql's \watch
command (Andrey Borodin, Michael Paquier) 📜
Instead, treat this the same as an interval of zero (no wait between executions).
Fix failure to find replication password in ~/.pgpass
(Tom Lane) 📜
pg_basebackup and pg_receivewal failed to match an entry in ~/.pgpass
that had replication
in the database name field, if no -d
or --dbname
switch was supplied. This resulted in an unexpected prompt for password.
In pg_combinebackup, throw an error if an incremental backup file is present in a directory that is supposed to contain a full backup (Robert Haas) 📜
In pg_combinebackup, don't construct filenames containing double slashes (Robert Haas) 📜
This caused no functional problems, but the duplicate slashes were visible in error messages, which could create confusion.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t
) will fit into a long
value (Max Johnson, Nathan Bossart) 📜
On platforms where long
is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start
would hang.
Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT
is now an alias for America/Los_Angeles
. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT
, timestamptz
input such as 1801-01-01 00:00
would previously have been rendered as 1801-01-01 00:00:00-08
, but now it is rendered as 1801-01-01 00:00:00-07:52:58
.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan
is now an alias for Asia/Ulaanbaatar
rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Release date: 2024-09-26
PostgreSQL 17 contains many new features and enhancements, including:
New memory management system for VACUUM
, which reduces memory consumption and can improve overall vacuuming performance.
New SQL/JSON capabilities, including constructors, identity functions, and the JSON_TABLE()
function, which converts JSON data into a table representation.
Various query performance improvements, including for sequential reads using streaming I/O, write throughput under high concurrency, and searches over multiple values in a btree index.
Logical replication enhancements, including:
Failover control
pg_createsubscriber, a utility that creates logical replicas from physical standbys
pg_upgrade now preserves replication slots on both publishers and subscribers
New client-side connection option, sslnegotiation=direct
, that performs a direct TLS handshake to avoid a round-trip negotiation.
pg_basebackup now supports incremental backup.
COPY
adds a new option, ON_ERROR ignore
, that allows a copy operation to continue in the event of an error.
The above items and other new features of PostgreSQL 17 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.
Version 17 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Change functions to use a safe search_path during maintenance operations (Jeff Davis) 📜
This prevents maintenance operations (ANALYZE
, CLUSTER
, REFRESH MATERIALIZED VIEW
, REINDEX
, or VACUUM
) from performing unsafe access. Functions used by expression indexes and materialized views that need to reference non-default schemas must specify a search path during function creation.
Restrict ago
to only appear at the end in interval
values (Joseph Koshakow) 📜 📜
Also, prevent empty interval units from appearing multiple times.
Remove server variable old_snapshot_threshold (Thomas Munro) 📜
This variable allowed vacuum to remove rows that potentially could be still visible to running transactions, causing "snapshot too old" errors later if accessed. This feature might be re-added to PostgreSQL later if an improved implementation is found.
Change SET SESSION AUTHORIZATION
handling of the initial session user's superuser status (Joseph Koshakow) 📜
The new behavior is based on the session user's superuser status at the time the SET SESSION AUTHORIZATION
command is issued, rather than their superuser status at connection time.
Remove feature which simulated per-database users (Nathan Bossart) 📜
The feature, db_user_namespace
, was rarely used.
Remove wal_sync_method value fsync_writethrough
on Windows (Thomas Munro) 📜
This value was the same as fsync
on Windows.
Change file boundary handling of two WAL file name functions (Kyotaro Horiguchi, Andres Freund, Bruce Momjian) 📜
The functions pg_walfile_name()
and pg_walfile_name_offset()
used to report the previous LSN segment number when the LSN was on a file segment boundary; it now returns the current LSN segment.
Remove server variable trace_recovery_messages
since it is no longer needed (Bharath Rupireddy) 📜
Remove information schema column element_types
.domain_default
(Peter Eisentraut) 📜
Change pgrowlocks lock mode output labels (Bruce Momjian) 📜
Remove buffers_backend
and buffers_backend_fsync
from pg_stat_bgwriter
(Bharath Rupireddy) 📜
These fields are considered redundant to similar columns in pg_stat_io
.
Rename I/O block read/write timing statistics columns of pg_stat_statements (Nazir Bilal Yavuz) 📜
This renames blk_read_time
to shared_blk_read_time
, and blk_write_time
to shared_blk_write_time
.
Change pg_attribute
.attstattarget
and pg_statistic_ext
.stxstattarget
to represent the default statistics target as NULL
(Peter Eisentraut) 📜 📜
Rename pg_collation
.colliculocale
to colllocale
and pg_database
.daticulocale
to datlocale
(Jeff Davis) 📜
Rename pg_stat_progress_vacuum
column max_dead_tuples
to max_dead_tuple_bytes
, rename num_dead_tuples
to num_dead_item_ids
, and add dead_tuple_bytes
(Masahiko Sawada) 📜 📜
Rename SLRU columns in system view pg_stat_slru
(Álvaro Herrera) 📜
The column names accepted by pg_stat_reset_slru()
are also changed.
Below you will find a detailed account of the changes between PostgreSQL 17 and the previous major release.
Allow the optimizer to improve CTE plans by considering the statistics and sort order of columns referenced in earlier row output clauses (Jian Guo, Richard Guo, Tom Lane) 📜 📜
Improve optimization of IS NOT NULL
and IS NULL
query restrictions (David Rowley, Richard Guo, Andy Fan) 📜 📜
Remove IS NOT NULL
restrictions from queries on NOT NULL
columns and eliminate scans on NOT NULL
columns if IS NULL
is specified.
Allow partition pruning on boolean columns on IS [NOT] UNKNOWN
conditionals (David Rowley) 📜
Improve optimization of range values when using containment operators <@ and @> (Kim Johan Andersson, Jian He) 📜
Allow correlated IN
subqueries to be transformed into joins (Andy Fan, Tom Lane) 📜
Improve optimization of the LIMIT
clause on partitioned tables, inheritance parents, and UNION ALL
queries (Andy Fan, David Rowley) 📜
Allow query nodes to be run in parallel in more cases (Tom Lane) 📜
Allow GROUP BY
columns to be internally ordered to match ORDER BY
(Andrei Lepikhov, Teodor Sigaev) 📜
This can be disabled using server variable enable_group_by_reordering.
Allow UNION
(without ALL
) to use MergeAppend (David Rowley) 📜
Fix MergeAppend plans to more accurately compute the number of rows that need to be sorted (Alexander Kuzmenkov) 📜
Allow GiST and SP-GiST indexes to be part of incremental sorts (Miroslav Bendik) 📜
This is particularly useful for ORDER BY
clauses where the first column has a GiST and SP-GiST index, and other columns do not.
Add columns to pg_stats
to report range-type histogram information (Egor Rogov, Soumyadeep Chakraborty) 📜
Allow btree indexes to more efficiently find a set of values, such as those supplied by IN
clauses using constants (Peter Geoghegan, Matthias van de Meent) 📜
Allow BRIN indexes to be created using parallel workers (Tomas Vondra, Matthias van de Meent) 📜
Allow vacuum to more efficiently remove and freeze tuples (Melanie Plageman, Heikki Linnakangas) 📜
WAL traffic caused by vacuum is also more compact.
Allow vacuum to more efficiently store tuple references (Masahiko Sawada, John Naylor) 📜 📜 📜 📜
Additionally, vacuum is no longer silently limited to one gigabyte of memory when maintenance_work_mem or autovacuum_work_mem are higher.
Optimize vacuuming of relations with no indexes (Melanie Plageman) 📜
Increase default vacuum_buffer_usage_limit to 2MB (Thomas Munro) 📜
Improve performance when checking roles with many memberships (Nathan Bossart) 📜
Improve performance of heavily-contended WAL writes (Bharath Rupireddy) 📜
Improve performance when transferring large blocks of data to a client (Melih Mutlu) 📜
Allow the grouping of file system reads with the new system variable io_combine_limit (Thomas Munro, Andres Freund, Melanie Plageman, Nazir Bilal Yavuz) 📜 📜 📜
Create system view pg_stat_checkpointer
(Bharath Rupireddy, Anton A. Melnikov, Alexander Korotkov) 📜 📜 📜
Relevant columns have been removed from pg_stat_bgwriter
and added to this new system view.
Improve control over resetting statistics (Atsushi Torikoshi, Bharath Rupireddy) 📜 📜 📜
Allow pg_stat_reset_shared()
(with no arguments) and pg_stat_reset_shared(NULL
) to reset all shared statistics. Allow pg_stat_reset_shared('slru') and pg_stat_reset_slru()
(with no arguments) to reset SLRU statistics, which was already possible with pg_stat_reset_slru (NULL).
Add log messages related to WAL recovery from backups (Andres Freund) 📜
Add log_connections log line for trust
connections (Jacob Champion) 📜
Add log message to report walsender acquisition and release of replication slots (Bharath Rupireddy) 📜
This is enabled by the server variable log_replication_commands.
Add system view pg_wait_events
that reports wait event types (Bertrand Drouvot) 📜
This is useful for adding descriptions to wait events reported in pg_stat_activity
.
Add wait events for checkpoint delays (Thomas Munro) 📜
Allow vacuum to report the progress of index processing (Sami Imseih) 📜
This appears in system view pg_stat_progress_vacuum
columns indexes_total
and indexes_processed
.
Allow granting the right to perform maintenance operations (Nathan Bossart) 📜
The permission can be granted on a per-table basis using the MAINTAIN
privilege and on a per-role basis via the pg_maintain
predefined role. Permitted operations are VACUUM
, ANALYZE
, REINDEX
, REFRESH MATERIALIZED VIEW
, CLUSTER
, and LOCK TABLE
.
Allow roles with pg_monitor
membership to execute pg_current_logfile()
(Pavlo Golub, Nathan Bossart) 📜
Add system variable allow_alter_system to disallow ALTER SYSTEM
(Jelte Fennema-Nio, Gabriele Bartolini) 📜
Allow ALTER SYSTEM
to set unrecognized custom server variables (Tom Lane) 📜
This is also possible with GRANT ON PARAMETER
.
Add server variable transaction_timeout to restrict the duration of transactions (Andrey Borodin, Japin Li, Junwang Zhao, Alexander Korotkov) 📜 📜 📜
Add a builtin platform-independent collation provider (Jeff Davis) 📜 📜 📜 📜
This supports C
and C.UTF-8
collations.
Add server variable huge_pages_status to report the use of huge pages by Postgres (Justin Pryzby) 📜
This is useful when huge_pages is set to try
.
Add server variable to disable event triggers (Daniel Gustafsson) 📜
The setting, event_triggers, allows for the temporary disabling of event triggers for debugging.
Allow the SLRU cache sizes to be configured (Andrey Borodin, Dilip Kumar, Álvaro Herrera) 📜
The new server variables are commit_timestamp_buffers, multixact_member_buffers, multixact_offset_buffers, notify_buffers, serializable_buffers, subtransaction_buffers, and transaction_buffers. commit_timestamp_buffers, transaction_buffers, and subtransaction_buffers scale up automatically with shared_buffers.
Add support for incremental file system backup (Robert Haas, Jakub Wartak, Tomas Vondra) 📜 📜
Incremental backups can be created using pg_basebackup's new --incremental
option. The new application pg_combinebackup allows manipulation of base and incremental file system backups.
Allow the creation of WAL summarization files (Robert Haas, Nathan Bossart, Hubert Depesz Lubaczewski) 📜 📜 📜 📜
These files record the block numbers that have changed within an LSN range and are useful for incremental file system backups. This is controlled by the server variables summarize_wal and wal_summary_keep_time, and introspected with pg_available_wal_summaries()
, pg_wal_summary_contents()
, and pg_get_wal_summarizer_state()
.
Add the system identifier to file system backup manifest files (Amul Sul) 📜
This helps detect invalid WAL usage.
Allow connection string value dbname
to be written when pg_basebackup writes connection information to postgresql.auto.conf
(Vignesh C, Hayato Kuroda) 📜
Add column pg_replication_slots
.invalidation_reason
to report the reason for invalid slots (Shveta Malik, Bharath Rupireddy) 📜 📜
Add column pg_replication_slots
.inactive_since
to report slot inactivity duration (Bharath Rupireddy) 📜 📜 📜
Add function pg_sync_replication_slots()
to synchronize logical replication slots (Hou Zhijie, Shveta Malik, Ajin Cherian, Peter Eisentraut) 📜 📜
Add the failover
property to the replication protocol (Hou Zhijie, Shveta Malik) 📜
Add application pg_createsubscriber to create a logical replica from a physical standby server (Euler Taveira) 📜
Have pg_upgrade migrate valid logical slots and subscriptions (Hayato Kuroda, Hou Zhijie, Vignesh C, Julien Rouhaud, Shlok Kyal) 📜 📜
This allows logical replication to continue quickly after the upgrade. This only works for old PostgreSQL clusters that are version 17 or later.
Enable the failover of logical slots (Hou Zhijie, Shveta Malik, Ajin Cherian) 📜
This is controlled by an optional fifth argument to pg_create_logical_replication_slot()
.
Add server variable sync_replication_slots to enable failover logical slot synchronization (Shveta Malik, Hou Zhijie, Peter Smith) 📜 📜
Add logical replication failover control to CREATE/ALTER SUBSCRIPTION
(Shveta Malik, Hou Zhijie, Ajin Cherian) 📜 📜
Allow the application of logical replication changes to use hash indexes on the subscriber (Hayato Kuroda) 📜
Previously only btree indexes could be used for this purpose.
Improve logical decoding performance in cases where there are many subtransactions (Masahiko Sawada) 📜
Restart apply workers if subscription owner's superuser privileges are revoked (Vignesh C) 📜
This forces reauthentication.
Add flush
option to pg_logical_emit_message()
(Michael Paquier) 📜
This makes the message durable.
Allow specification of physical standbys that must be synchronized before they are visible to subscribers (Hou Zhijie, Shveta Malik) 📜 📜
The new server variable is synchronized_standby_slots.
Add worker type column to pg_stat_subscription
(Peter Smith) 📜
Add new COPY
option ON_ERROR ignore
to discard error rows (Damir Belyalov, Atsushi Torikoshi, Alex Shulgin, Jian He, Yugo Nagata) 📜 📜 📜 📜
The default behavior is ON_ERROR stop
.
Add new COPY
option LOG_VERBOSITY
which reports COPY FROM
ignored error rows (Bharath Rupireddy) 📜
Allow COPY FROM
to report the number of skipped rows during processing (Atsushi Torikoshi) 📜
This appears in system view column pg_stat_progress_copy
.tuples_skipped
.
In COPY FROM
, allow easy specification that all columns should be forced null or not null (Zhang Mingli) 📜
Allow partitioned tables to have identity columns (Ashutosh Bapat) 📜
Allow exclusion constraints on partitioned tables (Paul A. Jungwirth) 📜
As long as exclusion constraints compare partition key columns for equality, other columns can use exclusion constraint-specific comparisons.
Add clearer ALTER TABLE
method to set a column to the default statistics target (Peter Eisentraut) 📜
The new syntax is ALTER TABLE ... SET STATISTICS DEFAULT
; using SET STATISTICS -1
is still supported.
Allow ALTER TABLE
to change a column's generation expression (Amul Sul) 📜
The syntax is ALTER TABLE ... ALTER COLUMN ... SET EXPRESSION
.
Allow specification of table access methods on partitioned tables (Justin Pryzby, Soumyadeep Chakraborty, Michael Paquier) 📜 📜
Add DEFAULT
setting for ALTER TABLE .. SET ACCESS METHOD
(Michael Paquier) 📜
Add support for event triggers that fire at connection time (Konstantin Knizhnik, Mikhail Gribkov) 📜
Add event trigger support for REINDEX
(Garrett Thornburg, Jian He) 📜
Allow parenthesized syntax for CLUSTER
options if a table name is not specified (Nathan Bossart) 📜
EXPLAIN
(PG 17.0)Allow EXPLAIN
to report optimizer memory usage (Ashutosh Bapat) 📜
The option is called MEMORY
.
Add EXPLAIN
option SERIALIZE
to report the cost of converting data for network transmission (Stepan Rutz, Matthias van de Meent) 📜
Add local I/O block read/write timing statistics to EXPLAIN
's BUFFERS
output (Nazir Bilal Yavuz) 📜
Improve EXPLAIN
's display of SubPlan nodes and output parameters (Tom Lane, Dean Rasheed) 📜
Add JIT deform_counter
details to EXPLAIN
(Dmitry Dolgov) 📜
Allow the interval
data type to support +/-infinity
values (Joseph Koshakow, Jian He, Ashutosh Bapat) 📜
Allow the use of an ENUM
added via ALTER TYPE
if the type was created in the same transaction (Tom Lane) 📜
This was previously disallowed.
Allow MERGE
to modify updatable views (Dean Rasheed) 📜
Add WHEN NOT MATCHED BY SOURCE
to MERGE
(Dean Rasheed) 📜
WHEN NOT MATCHED
on target rows was already supported.
Allow MERGE
to use the RETURNING
clause (Dean Rasheed) 📜
The new RETURNING
function merge_action()
reports on the DML that generated the row.
Add function JSON_TABLE()
to convert JSON
data to a table representation (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Andrew Dunstan, Amit Langote, Jian He) 📜 📜
This function can be used in the FROM
clause of SELECT
queries as a tuple source.
Add SQL/JSON constructor functions JSON()
, JSON_SCALAR()
, and JSON_SERIALIZE()
(Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Andrew Dunstan, Amit Langote) 📜
Add SQL/JSON query functions JSON_EXISTS()
, JSON_QUERY()
, and JSON_VALUE()
(Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Andrew Dunstan, Amit Langote, Peter Eisentraut, Jian He) 📜 📜 📜 📜 📜
Add jsonpath methods to convert JSON
values to other JSON
data types (Jeevan Chalke) 📜
The jsonpath methods are .bigint()
, .boolean()
, .date()
, .decimal([precision [, scale]])
, .integer()
, .number()
, .string()
, .time()
, .time_tz()
, .timestamp()
, and .timestamp_tz()
.
Add to_timestamp()
time zone format specifiers (Tom Lane) 📜
TZ
accepts time zone abbreviations or numeric offsets, while OF
accepts only numeric offsets.
Allow the session time zone to be specified by AS LOCAL
(Vik Fearing) 📜
This is useful when converting adding and removing time zones from time stamps values, rather than specifying the literal session time zone.
Add functions uuid_extract_timestamp()
and uuid_extract_version()
to return UUID information (Andrey Borodin) 📜
Add functions to generate random numbers in a specified range (Dean Rasheed) 📜
The functions are random(min, max)
and they take values of type integer
, bigint
, and numeric
.
Add functions to convert integers to binary and octal strings (Eric Radman, Nathan Bossart) 📜
The functions are to_bin()
and to_oct()
.
Add Unicode informational functions (Jeff Davis) 📜
Function unicode_version()
returns the Unicode version, icu_unicode_version()
returns the ICU version, and unicode_assigned()
returns if the characters are assigned Unicode codepoints.
Add function xmltext()
to convert text to a single XML
text node (Jim Jones) 📜
Add function to_regtypemod()
to return the type modifier of a type specification (David Wheeler, Erik Wienhold) 📜
Add pg_basetype()
function to return a domain's base type (Steve Chavez) 📜
Add function pg_column_toast_chunk_id()
to return a value's TOAST identifier (Yugo Nagata) 📜
This returns NULL
if the value is not stored in TOAST.
Allow plpgsql %TYPE
and %ROWTYPE
specifications to represent arrays of non-array types (Quan Zongliang, Pavel Stehule) 📜
Allow plpgsql %TYPE
specification to reference composite column (Tom Lane) 📜
Add libpq function to change role passwords (Joe Conway) 📜
The new function, PQchangePassword()
, hashes the new password before sending it to the server.
Add libpq functions to close portals and prepared statements (Jelte Fennema-Nio) 📜
The functions are PQclosePrepared()
, PQclosePortal()
, PQsendClosePrepared()
, and PQsendClosePortal()
.
Add libpq API which allows for blocking and non-blocking cancel requests, with encryption if already in use (Jelte Fennema-Nio) 📜
Previously only blocking, unencrypted cancel requests were supported.
Add libpq function PQsocketPoll()
to allow polling of network sockets (Tristan Partin, Tom Lane) 📜 📜
Add libpq function PQsendPipelineSync()
to send a pipeline synchronization point (Anton Kirilov) 📜
This is similar to PQpipelineSync()
but it does not flush to the server unless the size threshold of the output buffer is reached.
Add libpq function PQsetChunkedRowsMode()
to allow retrieval of results in chunks (Daniel Vérité) 📜
Allow TLS connections without requiring a network round-trip negotiation (Greg Stark, Heikki Linnakangas, Peter Eisentraut, Michael Paquier, Daniel Gustafsson) 📜 📜 📜 📜 📜 📜 📜 📜
This is enabled with the client-side option sslnegotiation=direct
, requires ALPN, and only works on PostgreSQL 17 and later servers.
Improve psql display of default and empty privileges (Erik Wienhold, Laurenz Albe) 📜
Command \dp
now displays (none)
for empty privileges; default still displays as empty.
Have backslash commands honor \pset null
(Erik Wienhold, Laurenz Albe) 📜
Previously \pset null
was ignored.
Allow psql's \watch
to stop after a minimum number of rows returned (Greg Sabino Mullane) 📜
The parameter is min_rows
.
Allow psql connection attempts to be canceled with control-C (Tristan Partin) 📜
Allow psql to honor FETCH_COUNT
for non-SELECT
queries (Daniel Vérité) 📜
Improve psql tab completion (Dagfinn Ilmari MannsÃ¥ker, Gilles Darold, Christoph Heiss, Steve Chavez, Vignesh C, Pavel Borisov, Jian He) 📜 📜 📜 📜 📜 📜 📜 📜
Add application pg_walsummary to dump WAL summary files (Robert Haas) 📜
Allow pg_dump's large objects to be restorable in batches (Tom Lane) 📜
This allows the restoration of many large objects to avoid transaction limits and to be restored in parallel.
Add pg_dump option --exclude-extension
(Ayush Vatsa) 📜
Allow pg_dump, pg_dumpall, and pg_restore to specify include/exclude objects in a file (Pavel Stehule, Daniel Gustafsson) 📜
The option is called --filter
.
Add the --sync-method
parameter to several client applications (Justin Pryzby, Nathan Bossart) 📜
The applications are initdb, pg_basebackup, pg_checksums, pg_dump, pg_rewind, and pg_upgrade.
Add pg_restore option --transaction-size
to allow object restores in transaction batches (Tom Lane) 📜
This allows the performance benefits of transaction batches without the problems of excessively large transaction blocks.
Change pgbench debug mode option from -d
to --debug
(Greg Sabino Mullane) 📜
Option -d
is now used for the database name, and the new --dbname
option can be used as well.
Add pgbench option --exit-on-abort
to exit after any client aborts (Yugo Nagata) 📜
Add pgbench command \syncpipeline
to allow sending of sync messages (Anthonin Bonnefoy) 📜
Allow pg_archivecleanup to remove backup history files (Atsushi Torikoshi) 📜
The option is --clean-backup-history
.
Add some long options to pg_archivecleanup (Atsushi Torikoshi) 📜
The long options are --debug
, --dry-run
, and --strip-extension
.
Allow pg_basebackup and pg_receivewal to use dbname in their connection specification (Jelte Fennema-Nio) 📜
This is useful for connection poolers that are sensitive to the database name.
Add pg_upgrade option --copy-file-range
(Thomas Munro) 📜
This is supported on Linux and FreeBSD.
Allow reindexdb --index
to process indexes from different tables in parallel (Maxim Orlov, Svetlana Derevyanko, Alexander Korotkov) 📜
Allow reindexdb, vacuumdb, and clusterdb to process objects in all databases matching a pattern (Nathan Bossart) 📜 📜 📜
The new option --all
controls this behavior.
Remove support for OpenSSL 1.0.1 (Michael Paquier) 📜
Allow tests to pass in OpenSSL FIPS mode (Peter Eisentraut) 📜 📜
Use CPU AVX-512 instructions for bit counting (Paul Amonson, Nathan Bossart, Ants Aasma) 📜 📜
Require LLVM version 10 or later (Thomas Munro) 📜
Use native CRC instructions on 64-bit LoongArch CPUs (Xudong Yang) 📜
Remove AIX support (Heikki Linnakangas) 📜
Remove the Microsoft Visual Studio-specific PostgreSQL build option (Michael Paquier) 📜
Meson is now the only available method for Visual Studio builds.
Remove configure option --disable-thread-safety
(Thomas Munro, Heikki Linnakangas) 📜 📜
We now assume all supported platforms have sufficient thread support.
Remove configure option --with-CC
(Heikki Linnakangas) 📜
Setting the CC
environment variable is now the only supported method for specifying the compiler.
User-defined data type receive functions will no longer receive their data null-terminated (David Rowley) 📜
Add incremental JSON
parser for use with huge JSON
documents (Andrew Dunstan) 📜
Convert top-level README
file to Markdown (Nathan Bossart) 📜
Remove no longer needed top-level INSTALL
file (Tom Lane) 📜
Remove make's distprep
option (Peter Eisentraut) 📜
Add make support for Android shared libraries (Peter Eisentraut) 📜
Add backend support for injection points (Michael Paquier) 📜 📜 📜 📜
This is used for server debugging and they must be enabled at server compile time.
Add dynamic shared memory registry (Nathan Bossart) 📜
This allows shared libraries which are not initialized at startup to coordinate dynamic shared memory access.
Fix emit_log_hook
to use the same time value as other log records for the same query (Kambam Vinay, Michael Paquier) 📜
Improve documentation for using jsonpath
for predicate checks (David Wheeler) 📜
Allow joins with non-join qualifications to be pushed down to foreign servers and custom scans (Richard Guo, Etsuro Fujita) 📜
Foreign data wrappers and custom scans will need to be modified to handle these cases.
Allow pushdown of EXISTS
and IN
subqueries to postgres_fdw foreign servers (Alexander Pyhalov) 📜
Increase the default foreign data wrapper tuple cost (David Rowley, Umair Shahid) 📜 📜
This value is used by the optimizer.
Allow dblink database operations to be interrupted (Noah Misch) 📜
Allow the creation of hash indexes on ltree columns (Tommy Pavlicek) 📜
This also enables hash join and hash aggregation on ltree columns.
Allow unaccent character translation rules to contain whitespace and quotes (Michael Paquier) 📜
The syntax for the unaccent.rules
file has changed.
Allow amcheck to check for unique constraint violations using new option --checkunique
(Anastasia Lubennikova, Pavel Borisov, Maxim Orlov) 📜
Allow citext tests to pass in OpenSSL FIPS mode (Peter Eisentraut) 📜
Allow pgcrypto tests to pass in OpenSSL FIPS mode (Peter Eisentraut) 📜
Remove adminpack contrib extension (Daniel Gustafsson) 📜
This was used by now end-of-life pgAdmin III.
Allow ALTER OPERATOR
to set more optimization attributes (Tommy Pavlicek) 📜
This is useful for extensions.
Allow extensions to define custom wait events (Masahiro Ikeda) 📜 📜 📜 📜
Custom wait events have been added to postgres_fdw and dblink.
Add pg_buffercache function pg_buffercache_evict()
to allow shared buffer eviction (Palak Chaturvedi, Thomas Munro) 📜
This is useful for testing.
Replace CALL
parameters in pg_stat_statements with placeholders (Sami Imseih) 📜
Replace savepoint names stored in pg_stat_statements
with placeholders (Greg Sabino Mullane) 📜
This greatly reduces the number of entries needed to record SAVEPOINT
, RELEASE SAVEPOINT
, and ROLLBACK TO SAVEPOINT
commands.
Replace the two-phase commit GIDs stored in pg_stat_statements
with placeholders (Michael Paquier) 📜
This greatly reduces the number of entries needed to record PREPARE TRANSACTION
, COMMIT PREPARED
, and ROLLBACK PREPARED
.
Track DEALLOCATE
in pg_stat_statements
(Dagfinn Ilmari MannsÃ¥ker, Michael Paquier) 📜
DEALLOCATE
names are stored in pg_stat_statements
as placeholders.
Add local I/O block read/write timing statistics columns of pg_stat_statements
(Nazir Bilal Yavuz) 📜 📜
The new columns are local_blk_read_time
and local_blk_write_time
.
Add JIT deform_counter details to pg_stat_statements
(Dmitry Dolgov) 📜
Add optional fourth argument (minmax_only
) to pg_stat_statements_reset()
to allow for the resetting of only min/max statistics (Andrei Zubkov) 📜
This argument defaults to false
.
Add pg_stat_statements
columns stats_since
and minmax_stats_since
to track entry creation time and last min/max reset time (Andrei Zubkov) 📜
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2025-02-20
This release contains a few fixes from 16.7. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, if you are upgrading from a version earlier than 16.5, see Version 16.5.
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜
The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral()
and PQescapeIdentifier()
failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.
In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Fix meson build system to correctly detect availability of the bsd_auth.h
system header (Nazir Bilal Yavuz) 📜
Release date: 2025-02-13
This release contains a variety of fixes from 16.6. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, if you are upgrading from a version earlier than 16.5, see Version 16.5.
Harden PQescapeString
and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)
Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜
Do not check datallowconn
, rolcanlogin
, and ACL_CONNECT
privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections
, datconnlimit
, and rolconnlimit
limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.
Fix possible re-use of stale results in window aggregates (David Rowley) 📜
A window aggregate with a “run condition†optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.
Keep TransactionXmin
in sync with MyProc->xmin
(Heikki Linnakangas) 📜
This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction†errors.
Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜
This could result, for example, in failure to use a newly-created function within an existing session.
Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜
Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜
The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.
Prevent checkpoints from starting during relation truncation (Robert Haas) 📜
This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.
Avoid possibly losing an update of pg_database
.datfrozenxid
when VACUUM
runs concurrently with a REASSIGN OWNED
that changes that database's owner (Kirill Reshke) 📜
Fix incorrect tg_updatedcols
values passed to AFTER UPDATE
triggers (Tom Lane) 📜
In some cases the tg_updatedcols
bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.
Also, prevent memory bloat caused by making too many copies of the tg_updatedcols
bitmap.
Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) 📜
In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint
entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraintâ€.
Fix mis-processing of to_timestamp
's FF
format codes (Tom Lane) 📜n
An integer format code immediately preceding FF
would consume all available digits, leaving none for n
FF
.n
When deparsing an XMLTABLE()
expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜
Include the ldapscheme
option in pg_hba_file_rules()
output (Laurenz Albe) 📜 📜
Don't merge UNION
operations if their column collations aren't consistent (Tom Lane) 📜
Previously we ignored collations when deciding if it's safe to merge UNION
steps into a single N-way UNION
operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.
Prevent “wrong varnullingrels†planner errors after pulling up a subquery that's underneath an outer join (Tom Lane) 📜 📜
Ignore nulling-relation marker bits when looking up statistics (Richard Guo) 📜
This oversight could lead to failure to use relevant statistics about expressions, or to “corrupt MVNDistinct entry†errors.
Fix missed expression processing for partition pruning steps (Tom Lane) 📜
This oversight could lead to “unrecognized node type†errors, and perhaps other problems, in queries accessing partitioned tables.
Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜
This avoids errors like “invalid DSA memory alloc request sizeâ€. The case can occur for example in transactions that process several million tables.
Avoid possible integer overflow in bringetbitmap()
(James Hunter, Evgeniy Gorbanyov) 📜
Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.
Ensure that an already-set process latch doesn't prevent the postmaster from noticing socket events (Thomas Munro) 📜
An extremely heavy workload of backends launching workers and workers exiting could prevent the postmaster from responding to incoming client connections in a timely fashion.
Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜
This would happen when the record's continuation is on a page that needs to be read from a different WAL source.
Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜
This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child processâ€.
Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜
In some cases a data type could be dropped while references to its OID still remain in pg_amop
or pg_amproc
. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY
to prevent failure when dropping a family that has dangling members.
Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜 📜
Fix small memory leak when updating the application_name
or cluster_name
settings (Tofig Aliev) 📜
Avoid integer overflow while testing wal_skip_threshold
condition (Tom Lane) 📜
A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold
. (This only matters when wal_level
is set to minimal
, else a WAL copy is required anyway.)
Fix unsafe order of operations during cache lookups (Noah Misch) 📜
The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock†warning during GRANT TABLESPACE
.
Fix possible “failed to resolve name†failures when using JIT on older ARM platforms (Thomas Munro) 📜
This could occur as a consequence of inconsistency about the default setting of -moutline-atomics
between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.
Fix assertion failure in WITH RECURSIVE ... UNION
queries (David Rowley) 📜
Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜
Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜
Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) 📜
In NULLIF()
, avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜
The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF()
result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.
Ensure that expression preprocessing is applied to a default null value in INSERT
(Tom Lane) 📜
If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.
Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜
Repeated use of PLyPlan.execute
or plpy.cursor
resulted in memory leakage for the duration of the calling PL/Python function.
Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜
In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜
In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN
(Ryo Kanbayashi) 📜
Previously, the intended warning was not issued due to a typo.
Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜
Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\
). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.
Fix use of wrong version of pqsignal()
in pgbench and psql (Fujii Masao, Tom Lane) 📜
This error could lead to misbehavior when using the -T
option in pgbench or the \watch
command in psql, due to interrupted system calls not being resumed as expected.
Fix misexecution of some nested \if
constructs in pgbench (Michail Nikolaev) 📜
An \if
command appearing within a false (not-being-executed) \if
branch was incorrectly treated the same as \elif
.
In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜
Make pg_controldata more robust against corrupted pg_control
files (Ilyasov Ian, Anton Voloshin) 📜
Since pg_controldata will attempt to print the contents of pg_control
even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.
Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜
Fix memory leak in pg_restore with zstd-compressed data (Tom Lane) 📜
The leak was per-decompression-operation, so would be most noticeable with a dump containing many tables or large objects.
Fix pg_basebackup to correctly handle pg_wal.tar
files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜
Use SQL-standard function bodies in the declarations of contrib/earthdistance
's SQL-language functions (Tom Lane, Ronan Dunklau) 📜
This change allows their references to contrib/cube
to be resolved during extension creation, reducing the risk of search-path-based failures and possible attacks.
In particular, this restores their usability in contexts like generated columns, for which PostgreSQL v17 restricts the search path on security grounds. We have received reports of databases failing to be upgraded to v17 because of that. This patch has been included in v16 to provide a workaround: updating the earthdistance
extension to this version beforehand should allow an upgrade to succeed.
Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜
On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march
switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.
Fix meson build system to support old OpenSSL libraries on Windows (Darek Slusarczyk) 📜
Add support for the legacy library names ssleay32
and libeay32
.
In Windows builds using meson, ensure all libcommon and libpgport functions are exported (Vladlen Popolitov, Heikki Linnakangas) 📜 📜
This fixes “unresolved external symbol†build errors for extensions.
Fix meson configuration process to correctly detect OSSP's uuid.h
header file under MSVC (Andrew Dunstan) 📜
When building with meson, install pgevent
in pkglibdir
not bindir
(Peter Eisentraut) 📜
This matches the behavior of the make-based build system and the old MSVC build system.
When building with meson, install sepgsql.sql
under share/contrib/
not share/extension/
(Peter Eisentraut) 📜
This matches what the make-based build system does.
Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜
Release date: 2024-11-21
This release contains a few fixes from 16.5. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, if you are upgrading from a version earlier than 16.5, see Version 16.5.
Repair ABI break for extensions that work with struct ResultRelInfo
(Tom Lane) 📜
Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
Restore functionality of ALTER {ROLE|DATABASE} SET role
(Tom Lane, Noah Misch) 📜
The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role
to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE}
commands and the PGOPTIONS
environment variable.
Fix cases where a logical replication slot's restart_lsn
could go backwards (Masahiko Sawada) 📜
Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots
. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn
value, in which case replication would fail to restart.
Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) 📜
Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready
files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.
Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier) 📜
These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once†errors.
Count index scans in contrib/bloom
indexes in the statistics views, such as the pg_stat_user_indexes
.idx_scan
counter (Masahiro Ikeda) 📜
Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜
Some forms of ALTER TABLE
would fail if the table has an index with non-default operator class options.
Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) 📜
This bug does not appear to have any visible consequences in non-assert builds.
Release date: 2024-11-14
This release contains a variety of fixes from 16.4. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.
Also, if you are upgrading from a version earlier than 16.3, see Version 16.3.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION
and SET ROLE
(Tom Lane) 📜 📜
The SQL standard mandates that SET SESSION AUTHORIZATION
have a side-effect of doing SET ROLE NONE
. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION
would revert ROLE
to NONE
even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization
in a function SET
clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role')
, it saw none
even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜 📜 📜
The ability to manipulate process environment variables such as PATH
gives an attacker opportunities to execute arbitrary code. Therefore, “trusted†PLs must not offer the ability to do that. To fix plperl
, replace %ENV
with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu
retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)
Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Ãlvaro Herrera) 📜 📜
If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION
commands failed to perform this conversion correctly. In particular, after DETACH
the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH
could fail with surprising errors, too.
The way to fix this is to do ALTER TABLE DROP CONSTRAINT
on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent));
Since it is possible that one or more of the ADD CONSTRAINT
steps will fail, you should save the query's output in a file and then attempt to perform each step.
Avoid possible crashes and “could not open relation†errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY
and immediate drop of a partition (Ãlvaro Herrera, Kuntal Gosh) 📜 📜
Disallow ALTER TABLE ATTACH PARTITION
if the table to be attached has a foreign key referencing the partitioned table (Ãlvaro Herrera) 📜 📜
This arrangement is not supported, and other ways of creating it already fail.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜
Such plans could produce incorrect results.
Fix possible “could not find pathkey item to sort†error when the output of a UNION ALL
member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜
Fix performance regressions involving flattening of subqueries underneath outer joins that are later reduced to plain joins (Tom Lane) 📜
v16 failed to optimize some queries as well as prior versions had, because of overoptimistic simplification of query-pullup logic.
Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) 📜
Fix assertion failure or confusing error message for COPY (
, when the query
) TO ...query
is rewritten by a DO INSTEAD NOTIFY
rule (Tender Wang, Tom Lane) 📜
Fix server crash when a json_objectagg()
call contains a volatile function (Amit Langote) 📜
Fix checking of key uniqueness in JSON object constructors (Junwang Zhao, Tomas Vondra) 📜
When building an object larger than a kilobyte, it was possible to accept invalid input that includes duplicate object keys, or to falsely report that duplicate keys are present.
Fix detection of skewed data during parallel hash join (Thomas Munro) 📜
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Disallow locale names containing non-ASCII characters (Thomas Munro) 📜
This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that.
Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR
.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction†error.
Fix race condition in COMMIT PREPARED
that resulted in orphaned 2PC files (wuchengwen) 📜
A concurrent PREPARE TRANSACTION
could cause COMMIT PREPARED
to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transactionâ€, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL
(Tender Wang) 📜
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place†catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class
.relhasindex
to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch) 📜
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih) 📜
This allows more of the work done in extended query protocol to be attributed to the correct query.
Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) 📜
Use xmlXPathCtxtCompile()
rather than xmlXPathCompile()
, because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
Fix some whitespace issues in the result of XMLSERIALIZE(... INDENT)
(Jim Jones) 📜
Fix failure to indent nodes separated by whitespace, and ensure that a trailing newline is not added.
Do not ignore a concurrent REINDEX CONCURRENTLY
that is working on an index with predicates or expressions (Michail Nikolaev) 📜
Normally, REINDEX CONCURRENTLY
does not need to wait for other REINDEX CONCURRENTLY
operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY
is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
Fix mis-deparsing of ORDER BY
lists when there is a name conflict (Tom Lane) 📜
If an ORDER BY
item in SELECT
is a bare identifier, the parser first seeks it as an output column name of the SELECT
, for SQL92 compatibility. However, ruleutils.c expects the SQL99 interpretation where such a name is an input column name. So it was possible to produce an incorrect display of a view in the (rather ill-advised) case where some other column is renamed in the SELECT
output list to match an input column used in ORDER BY
. Fix by table-qualifying such names in the dumped view text.
Fix “failed to find plan for subquery/CTE†errors in EXPLAIN
(Richard Guo, Tom Lane) 📜 📜
This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE
condition). Nothing remains in the plan to identify the original field names, so fall back to printing f
for the N
N
'th record column. (That's actually the right thing anyway, if the record output arose from a ROW()
constructor.)
Disallow a USING
clause when altering the type of a generated column (Peter Eisentraut) 📜
A generated column already has an expression specifying the column contents, so including USING
doesn't make sense.
Ignore not-yet-defined Portals in the pg_cursors
view (Tom Lane) 📜
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Fix incorrect output of the pg_stat_io
view on 32-bit machines (Bertrand Drouvot) 📜
The stats_reset
timestamp column contained garbage on such hardware.
Prevent mis-encoding of “trailing junk after numeric literal†error messages (Karina Litskevich) 📜
We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.
Avoid “unexpected table_index_fetch_tuple call during logical decoding†error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) 📜 📜
Reduce memory consumption of logical decoding (Masahiko Sawada) 📜
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
In a logical replication apply worker, ensure that origin progress is not advanced during an error or apply worker shutdown (Hayato Kuroda, Shveta Malik) 📜
This avoids possible loss of a transaction, since once the origin progress point is advanced the source server won't send that data again.
Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) 📜
A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
Avoid “wrong tuple length†failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) 📜 📜
Allow adjusting the session_authorization
and role
settings in parallel workers (Tom Lane) 📜
Our code intends to allow modifiable server settings to be set by function SET
clauses, but not otherwise within a parallel worker. SET
clauses failed for these two settings, though.
Fix behavior of stable functions called from a CALL
statement's argument list, when the CALL
is within a PL/pgSQL EXCEPTION
block (Tom Lane) 📜
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Fix “cache lookup failed for function†errors in edge cases in PL/pgSQL's CALL
(Tom Lane) 📜
Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas) 📜
Thread safety is not currently a concern in the server, but it is for libpq.
Parse libpq's keepalives
connection option in the same way as other integer-valued options (Yuto Sasaki) 📜
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
Avoid use of pnstrdup()
in ecpglib (Jacob Champion) 📜
That function will call exit()
on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Fix memory leak in psql during repeated use of \bind
(Michael Paquier) 📜
Avoid hanging if an interval less than 1ms is specified in psql's \watch
command (Andrey Borodin, Michael Paquier) 📜
Instead, treat this the same as an interval of zero (no wait between executions).
Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane) 📜
Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY
to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.
Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) 📜
This was the intention to begin with, but a coding error caused the source history to always print as empty.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Allow inspection of sequence relations in relevant functions of contrib/pageinspect
and contrib/pgstattuple
(Nathan Bossart, Ayush Vatsa) 📜 📜
This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t
) will fit into a long
value (Max Johnson, Nathan Bossart) 📜
On platforms where long
is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start
would hang.
Fix building with Strawberry Perl on Windows (Andrew Dunstan) 📜
Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT
is now an alias for America/Los_Angeles
. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT
, timestamptz
input such as 1801-01-01 00:00
would previously have been rendered as 1801-01-01 00:00:00-08
, but now it is rendered as 1801-01-01 00:00:00-07:52:58
.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan
is now an alias for Asia/Ulaanbaatar
rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Release date: 2024-08-08
This release contains a variety of fixes from 16.3. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, if you are upgrading from a version earlier than 16.3, see Version 16.3.
Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind
that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem. CVE-2024-7348 or CVE-2024-7348)
Avoid incorrect results from Merge Right Anti Join plans (Richard Guo)
If the inner relation is known to have unique join keys, the merge could misbehave when there are duplicated join keys in the outer relation.
Prevent infinite loop in VACUUM
(Melanie Plageman)
After a disconnected standby server with an old running transaction reconnected to the primary, it was possible for VACUUM
on the primary to get confused about which tuples are removable, resulting in an infinite loop.
Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Ãlvaro Herrera)
Fix ALTER TABLE DETACH PARTITION
for cases involving inconsistent index-based constraints (Ãlvaro Herrera, Tender Wang)
When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount
value. This would cause trouble during any further manipulations of that constraint.
Fix partition pruning setup during ALTER TABLE DETACH PARTITION CONCURRENTLY
(Ãlvaro Herrera)
The executor assumed that no partition could be detached between planning and execution of a query on a partitioned table. This is no longer true since the introduction of DETACH PARTITION
's CONCURRENTLY
option, making it possible for query execution to fail transiently when that is used.
Correctly update a partitioned table's pg_class
.reltuples
field to zero after its last child partition is dropped (Noah Misch)
The first ANALYZE
on such a partitioned table must update relhassubclass
as well, and that caused the reltuples
update to be lost.
Fix handling of polymorphic output arguments for procedures (Tom Lane)
The SQL CALL
statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelementâ€, or even outright crashes. (But CALL
in PL/pgSQL worked correctly.)
Fix behavior of stable functions called from a CALL
statement's argument list (Tom Lane)
If the CALL
is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Fix input of ISO-8601 “extended†time format for types time
and timetz
(Tom Lane)
Re-allow cases such as T12:34:56
.
Detect integer overflow in money
calculations (Joseph Koshakow)
None of the arithmetic functions for the money
type checked for overflow before, so they would silently give wrong answers for overflowing cases.
Fix over-aggressive clamping of the scale argument in round(numeric)
and trunc(numeric)
(Dean Rasheed)
These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric
.
Fix result for pg_size_pretty()
when applied to the smallest possible bigint
value (Joseph Koshakow)
Prevent pg_sequence_last_value()
from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)
Make it return NULL in these cases instead of throwing an error.
Fix parsing of ignored operators in websearch_to_tsquery()
(Tom Lane)
Per the manual, punctuation in the input of websearch_to_tsquery()
is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or
could cause or
to be treated as a data word, rather than as an OR
operator as expected.
Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)
Reject applying array dimensions [-2147483648:2147483647]
to an empty array. This is closely related toCVE-2023-5869 or CVE-2023-5869, but appears harmless since the array still ends up empty.
Fix unportable usage of strnxfrm()
(Jeff Davis)
Some code paths for non-deterministic collations could fail with errors like “pg_strnxfrm() returned unexpected resultâ€.
Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database
catalog, so the effects are narrow, but misbehavior is possible.
Correctly check updatability of view columns targeted by INSERT
... DEFAULT
(Tom Lane)
If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N
not found in view targetlistâ€.
Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)
Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE
query does not have a self-reference within the second arm of the UNION
, but does have one self-reference in some other place such as ORDER BY
.
Lock owned sequences during ALTER TABLE SET LOGGED|UNLOGGED
(Noah Misch)
These commands change the persistence of a table's owned sequences along with the table, but they failed to acquire lock on the sequences while doing so. This could result in losing the effects of concurrent nextval()
calls.
Don't throw an error if a queued AFTER
trigger no longer exists (Tom Lane)
It's possible for a transaction to execute an operation that queues a deferred AFTER
trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN
â€. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.
Fix failure to remove pg_init_privs
entries for column-level privileges when their table is dropped (Tom Lane)
If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.
Fix selection of an arbiter index for ON CONFLICT
when the desired index has expressions or predicates (Tom Lane)
If a query using ON CONFLICT
accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specificationâ€, even though a matching index does exist.
Refuse to modify a temporary table of another session with ALTER TABLE
(Tom Lane)
Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.
Fix handling of extended statistics on expressions in CREATE TABLE LIKE STATISTICS
(Tom Lane)
The CREATE
command failed to adjust column references in statistics expressions to the possibly-different column numbering of the new table. This resulted in invalid statistics objects that would cause problems later. A typical scenario where renumbering columns is needed is when the source table contains some dropped columns.
Fix failure to recalculate sub-queries generated from MIN()
or MAX()
aggregates (Tom Lane)
In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT
that is implemented with hash aggregation, but other cases may exist.
Re-forbid underscore in positional parameters (Erik Wienhold)
As of v16 we allow integer literals to contain underscores. This change caused input such as $1_234
to be taken as a single token, but it did not work correctly. It seems better to revert to the original definition in which a parameter symbol is only $
followed by digits.
Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.
Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)
Notably, we now suppress “chunk is not well balanced†errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.
Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.
Prevent incorrect initialization of logical replication slots (Masahiko Sawada)
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.
Avoid “can only drop stats once†error during replication slot creation and drop (Floris Van Nee)
Fix resource leakage in logical replication WAL sender (Hou Zhijie)
The walsender process leaked memory when publishing changes to a partitioned table whose partitions have row types physically different from the partitioned table's.
Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.
Prevent leakage of reference counts for the shared memory block used for statistics (Anthonin Bonnefoy)
A new backend process attaching to the statistics shared memory incremented its reference count, but failed to decrement the count when exiting. After 232 sessions had been created, the reference count would overflow to zero, causing failures in all subsequent backend process starts.
Prevent deadlocks and assertion failures during truncation of the multixact SLRU log (Heikki Linnakangas)
A process trying to delete SLRU segments could deadlock with the checkpointer process.
Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.
Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)
It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.
Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.
When replanning a PL/pgSQL “simple expressionâ€, check it's still simple (Tom Lane)
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node typeâ€.
Fix PL/pgSQL's handling of integer ranges containing underscores (Erik Wienhold)
As of v16 we allow integer literals to contain underscores, but PL/pgSQL failed to handle examples such as FOR i IN 1_001..1_003
.
Fix recursive RECORD
-returning PL/Python functions (Tom Lane)
If we recurse to a new call of the same function that passes a different column definition list (AS
clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.
Don't corrupt PL/Python's TD
dictionary during a recursive trigger call (Tom Lane)
If a PL/Python-language trigger caused another one to be invoked, the TD
dictionary created for the inner one would overwrite the outer one's TD
dictionary.
Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.
Avoid non-thread-safe usage of strerror()
in libpq (Peter Eisentraut)
Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.
Avoid memory leak within pg_dump during a binary upgrade (Daniel Gustafsson)
Ensure that pg_restore
-l
reports dependent TOC entries correctly (Tom Lane)
If -l
was specified together with selective-restore options such as -n
or -N
, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.
Allow contrib/pg_stat_statements
to distinguish among utility statements appearing within SQL-language functions (Anthonin Bonnefoy)
The SQL-language function executor failed to pass along the query ID that is computed for a utility (non SELECT
/INSERT
/UPDATE
/DELETE
/MERGE
) statement.
Avoid “cursor can only scan forward†error in contrib/postgres_fdw
(Etsuro Fujita)
This error could occur if the remote server is v15 or later and a foreign table is mapped to a non-trivial remote view.
In contrib/postgres_fdw
, do not send FETCH FIRST WITH TIES
clauses to the remote server (Japin Li)
The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.
Avoid clashing with system-provided <regex.h>
headers (Thomas Munro)
This fixes a compilation failure on macOS version 15 and up.
Fix otherwise-harmless assertion failure in Memoize cost estimation (David Rowley)
Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY
applied to an SP-GiST index (Tom Lane)
Release date: 2024-05-09
This release contains a variety of fixes from 16.2. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, a security vulnerability was found in the system views pg_stats_ext
and pg_stats_ext_exprs
, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, follow the steps in the first changelog entry below to rectify it.
Also, if you are upgrading from a version earlier than 16.2, see Version 16.2.
Restrict visibility of pg_stats_ext
and pg_stats_ext_exprs
entries to the table owner (Nathan Bossart)
These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals
might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.
The PostgreSQL Project thanks Lukas Fittl for reporting this problem. CVE-2024-4317 or CVE-2024-4317)
By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:
Find the SQL script fix-CVE-2024-4317.sql
in the share
directory of the PostgreSQL installation (typically located someplace like /usr/share/postgresql/
). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix.
In each database of the cluster, run the fix-CVE-2024-4317.sql
script as superuser. In psql this would look like
\i /usr/share/postgresql/fix-CVE-2024-4317.sql
(adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.
Do not forget to include the template0
and template1
databases, or the vulnerability will still exist in databases you create later. To fix template0
, you'll need to temporarily make it accept connections. Do that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0
, undo it with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
Fix INSERT
from multiple VALUES
rows into a target column that is a domain over an array or composite type (Tom Lane)
Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.
Require SELECT
privilege on the target table for MERGE
with a DO NOTHING
clause (Ãlvaro Herrera)
SELECT
privilege would be required in all practical cases anyway, but require it even if the query reads no columns of the target table. This avoids an edge case in which MERGE
would require no privileges whatever, which seems undesirable even when it's a do-nothing command.
Fix handling of self-modified tuples in MERGE
(Dean Rasheed)
Throw an error if a target row joins to more than one source row, as required by the SQL standard. (The previous coding could silently ignore this condition if a concurrent update was involved.) Also, throw a non-misleading error if a target row is already updated by a later command in the current transaction, thanks to a BEFORE
trigger or a volatile function used in the query.
Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT
clause (David Rowley)
A NULL value satisfies a clause such as
, so pruning away a partition containing NULLs yielded incorrect answers.boolcol
IS NOT FALSE
Make ALTER FOREIGN TABLE SET SCHEMA
move any owned sequences into the new schema (Tom Lane)
Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.
Make ALTER TABLE ... ADD COLUMN
create identity/serial sequences with the same persistence as their owning tables (Peter Eisentraut)
CREATE UNLOGGED TABLE
will make any owned sequences be unlogged too. ALTER TABLE
missed that consideration, so that an added identity column would have a logged sequence, which seems pointless.
Improve ALTER TABLE ... ALTER COLUMN TYPE
's error message when there is a dependent function or publication (Tom Lane)
In CREATE DATABASE
, recognize strategy keywords case-insensitively for consistency with other options (Tomas Vondra)
Fix EXPLAIN
's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)
Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.
Fix EXPLAIN
's output for subplans in MERGE
(Dean Rasheed)
EXPLAIN
would sometimes fail to properly display subplan Params referencing variables in other parts of the plan tree.
Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.
Fix updating of visibility map state in VACUUM
with the DISABLE_PAGE_SKIPPING
option (Heikki Linnakangas)
Due to an oversight, this mode caused all heap pages to be dirtied, resulting in excess I/O. Also, visibility map bits that were incorrectly set would not get cleared.
Avoid race condition while examining per-relation frozen-XID values (Noah Misch)
VACUUM
's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM
.
Fix buffer usage reporting for parallel vacuuming (Anthonin Bonnefoy)
Buffer accesses performed by parallel workers were not getting counted in the statistics reported in VERBOSE
mode.
Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL
trees that have constant outputs for the join column in some SELECT
arms.
Fix “could not find pathkey item to sort†errors occurring while planning aggregate functions with ORDER BY
or DISTINCT
options (David Rowley)
This is similar to a fix applied in 16.1, but it solves the problem for parallel plans.
Prevent potentially-incorrect optimization of some window functions (David Rowley)
Disable “run condition†optimization of ntile()
and count()
with non-constant arguments. This avoids possible misbehavior with sub-selects, typically leading to errors like “WindowFunc not found in subplan target listsâ€.
Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)
When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING
, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.
Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)
This would typically end in a crash or unexpected error message.
Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov)
In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.
Fix incorrectly-reported statistics kind codes in “requested statistics kind X
is not yet built†error messages (David Rowley)
Use a hash table instead of linear search for “catcache list†objects (Tom Lane)
This change solves performance problems that were reported for certain operations in installations with many thousands of roles.
Be more careful with RECORD
-returning functions in FROM
(Tom Lane)
The output columns of such a function call must be defined by an AS
clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.
Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.
Add protective stack depth checks to some recursive functions (Egor Chindyaskin)
Fix mis-rounding and overflow hazards in date_bin()
(Moaaz Assali)
In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.
Detect integer overflow when adding or subtracting an interval
to/from a timestamp
(Joseph Koshakow)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Avoid race condition in pg_get_expr()
(Tom Lane)
If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.
Fix detection of old transaction IDs in XID status functions (Karina Litskevich)
Transaction IDs more than 231 transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status()
or txid_status()
.
Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau)
Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a “could not read block†error.
Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait
(Etsuro Fujita)
Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov)
Throw an error if an index is accessed while it is being reindexed (Tom Lane)
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.
Ensure that index-only scans on name
columns return a fully-padded value (David Rowley)
The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.
Fix race condition that could lead to reporting an incorrect conflict cause when invalidating a replication slot (Bertrand Drouvot)
Fix race condition in deciding whether a table sync operation is needed in logical replication (Vignesh C)
An invalidation event arriving while a subscriber identifies which tables need to be synced would be forgotten about, so that any tables newly in need of syncing might not get processed in a timely fashion.
Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)
Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.
Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.
Fix thread-safety of error reporting for getaddrinfo()
on Windows (Thomas Munro)
A multi-threaded libpq client program could get an incorrect or corrupted error message after a network lookup failure.
Avoid concurrent calls to bindtextdomain()
in libpq and ecpglib (Tom Lane)
Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.
Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)
In ecpg, avoid issuing false “unsupported feature will be passed to server†warnings (Tom Lane)
Ensure that the string result of ecpg's intoasc()
function is correctly zero-terminated (Oleg Tselebrovskiy)
In initdb's -c
option, match parameter names case-insensitively (Tom Lane)
The server treats parameter names case-insensitively, so this code should too. This avoids putting redundant entries into the generated postgresql.conf
file.
In psql, avoid leaking a query result after the query is cancelled (Tom Lane)
This happened only when cancelling a non-last query in a query string made with \;
separators.
Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords
(Daniel Gustafsson, Ãlvaro Herrera)
Skip files named .DS_Store
in pg_basebackup, pg_checksums, and pg_rewind (Daniel Gustafsson)
This avoids problems on macOS, where the Finder may create such files.
Fix PL/pgSQL's parsing of single-line comments (--
-style comments) following expressions (Erik Wienhold, Tom Lane)
This mistake caused parse errors if such a comment followed a WHEN
expression in a PL/pgSQL CASE
statement.
In contrib/amcheck
, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)
A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.
Fix bugs in BRIN output functions (Tomas Vondra)
These output functions are only used for displaying index entries in contrib/pageinspect
, so the errors are of limited practical concern.
In contrib/postgres_fdw
, avoid emitting requests to sort by a constant (David Rowley)
This could occur in cases involving UNION ALL
with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N
is not in select list†errors.
Make contrib/postgres_fdw
set the remote session's time zone to GMT
not UTC
(Tom Lane)
This should have the same results for practical purposes. However, GMT
is recognized by hard-wired code in the server, while UTC
is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.
In contrib/xml2
, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)
Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)
Allow make check
to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)
Release date: 2024-02-08
This release contains a variety of fixes from 16.1. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, one bug was fixed that could have resulted in corruption of GIN indexes during concurrent updates. If you suspect such corruption, reindex affected indexes after installing this update.
Also, if you are upgrading from a version earlier than 16.1, see Version 16.1.
Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY
(Heikki Linnakangas)
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH
. Fix things so that all user-determined code is run as the view's owner, as expected.
The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2024-0985 or CVE-2024-0985)
Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)
There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.
Avoid generating incorrect partitioned-join plans (Richard Guo)
Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target listâ€, or executor crashes.
Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)
This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.
Fix misprocessing of window function run conditions (Richard Guo)
This oversight could lead to “WindowFunc not found in subplan target lists†errors.
Fix detection of inner-side uniqueness for Memoize plans (Richard Guo)
This mistake could lead to “cache entry already complete†errors.
Fix computation of nullingrels when constant-folding field selection (Richard Guo)
Failure to do this led to errors like “wrong varnullingrels (b) (expected (b 3)) for Var 2/2â€.
Skip inappropriate actions when MERGE
causes a cross-partition update (Dean Rasheed)
When executing a MERGE UPDATE
action on a partitioned table, if the UPDATE
is turned into a DELETE
and INSERT
due to changing a partition key column, skip firing AFTER UPDATE ROW
triggers, as well as other post-update actions such as RLS checks. These actions would typically fail, which is why a regular UPDATE
doesn't do them in such cases; MERGE
shouldn't either.
Cope with BEFORE ROW DELETE
triggers in cross-partition MERGE
updates (Dean Rasheed)
If such a trigger attempted to prevent the update by returning NULL, MERGE
would suffer an error or assertion failure.
Prevent access to a no-longer-pinned buffer in BEFORE ROW UPDATE
triggers (Alexander Lakhin, Tom Lane)
If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer. In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.
Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)
The limiting value was too large, allowing “invalid DSA memory alloc request size†errors to occur with sufficiently large expected hash table sizes.
Fix corruption of local buffer state when an error occurs while trying to extend a temporary table (Tender Wang)
Fix use of wrong tuple slot while evaluating DISTINCT
aggregates that have multiple arguments (David Rowley)
This mistake could lead to errors such as “attribute 1 of type record has wrong typeâ€.
Avoid assertion failures in heap_update()
and heap_delete()
when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)
This error had no impact in non-assert builds.
Fix possible failure during ALTER TABLE ADD COLUMN
on a complex inheritance tree (Tender Wang)
If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by selfâ€.
Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING
commands (Tender Wang, Michael Paquier)
Fix DROP ROLE
with duplicate role names (Michael Paquier)
Previously this led to a “tuple already updated by self†failure. Instead, ignore the duplicate.
Properly lock the associated table during DROP STATISTICS
(Tomas Vondra)
Failure to acquire the lock could result in “tuple concurrently deleted†errors if the DROP
executes concurrently with ANALYZE
.
Fix function volatility checking for GENERATED
and DEFAULT
expressions (Tom Lane)
These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED
clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN
.
Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)
We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.
Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)
Computing 0 - INT64_MIN
should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN
.
Detect Julian-date overflow when adding or subtracting an interval
to/from a timestamp
(Tom Lane)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Add more checks for overflow in interval_mul()
and interval_div()
(Dean Rasheed)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Allow scram_SaltedPassword()
to be interrupted (Bowen Shi)
With large scram_iterations
values, this function could take a long time to run. Allow it to be interrupted by query cancel requests.
Ensure cached statistics are discarded after a change to stats_fetch_consistency
(Shinya Kato)
In some code paths, it was possible for stale statistics to be returned.
Make the pg_file_settings
view check validity of unapplied values for settings with backend
or superuser-backend
context (Tom Lane)
Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.
Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)
Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.
Avoid failure if a child index is dropped concurrently with REINDEX INDEX
on a partitioned index (Fei Changhong)
Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)
The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.
Avoid premature release of buffer pin in GIN index insertion (Tom Lane)
If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource ownerâ€.
Avoid failure with partitioned SP-GiST indexes (Tom Lane)
Trying to use an index of this kind could lead to “No such file or directory†errors.
Fix ownership tests for large objects (Tom Lane)
Operations on large objects that require ownership privilege failed with “unrecognized class ID: 2613â€, unless run by a superuser.
Fix ownership change reporting for large objects (Tom Lane)
A no-op ALTER LARGE OBJECT OWNER
command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook
, probably confusing any extension using that hook.
Fix reporting of I/O timing data in EXPLAIN (BUFFERS)
(Michael Paquier)
The numbers labeled as “shared/local†actually refer only to shared buffers, so change that label to “sharedâ€.
Ensure durability of CREATE DATABASE
(Noah Misch)
If an operating system crash occurred during or shortly after CREATE DATABASE
, recovery could fail, or subsequent connections to the new database could fail. If a base backup was taken in that window, similar problems could be observed when trying to use the backup. The symptom would be that the database directory, PG_VERSION
file, or pg_filenode.map
file was missing or empty.
Add more LOG
messages when starting and ending recovery from a backup (Andres Freund)
This change provides additional information in the postmaster log that may be useful for diagnosing recovery problems.
Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)
The startedInRecovery
flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.
Fix signal handling in walreceiver processes (Heikki Linnakangas)
Revert a change that made walreceivers non-responsive to SIGTERM while waiting for the replication connection to be established.
Fix integer overflow hazard in checking whether a record will fit into the WAL decoding buffer (Thomas Munro)
This bug appears to be only latent except when running a 32-bit PostgreSQL build on a 64-bit platform.
Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)
One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.
Ensure that column default values are correctly transmitted by the pgoutput logical replication plugin (Nikhil Benesch)
ALTER TABLE ADD COLUMN
with a constant default value for the new column avoids rewriting existing tuples, instead expecting that reading code will insert the correct default into a tuple that lacks that column. If replication was subsequently initiated on the table, pgoutput would transmit NULL instead of the correct default for such a column, causing incorrect replication on the subscriber.
Fix failure of logical replication's initial sync for a table with no columns (Vignesh C)
This case generated an improperly-formatted COPY
command.
Re-validate a subscription's connection string before use (Vignesh C)
This is meant to detect cases where a subscription was created without a password (which is allowed to superusers) but then the subscription owner is changed to a non-superuser.
Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)
In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook
.
Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)
Use the BIO “app_data†field for our private storage, instead of assuming it's okay to use the “data†field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.
Be more wary about OpenSSL not setting errno
on error (Tom Lane)
If errno
isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Successâ€.
Fix file descriptor leakage when a foreign data wrapper's ForeignAsyncRequest
function fails (Heikki Linnakangas)
Fix minor memory leak in connection string validation for CREATE SUBSCRIPTION
(Jeff Davis)
Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY
, not ERRCODE_INTERNAL_ERROR
(Alexander Kuzmenkov)
In PL/pgSQL, support SQL commands that are CREATE FUNCTION
/CREATE PROCEDURE
with SQL-standard bodies (Tom Lane)
Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.
Fix libpq's handling of errors in pipelines (Ãlvaro Herrera)
The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.
Make libpq's PQsendFlushRequest()
function flush the client output buffer under the same rules as other PQsend
functions (Jelte Fennema-Nio)
In pipeline mode, it may still be necessary to call PQflush()
as well; but this change removes some inconsistency.
Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)
Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)
When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retriedâ€.
Change initdb to always un-comment the postgresql.conf
entries for the lc_
parameters (Kyotaro Horiguchi)xxx
initdb used to work this way before v16, and now it does again. The change caused initdb's --no-locale
option to not have the intended effect on lc_messages
.
In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)
Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).
In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)
This conforms to the behavior for other dependent objects such as indexes.
Properly detect out-of-memory in one code path in pg_dump (Daniel Gustafsson)
Make it an error for a pgbench script to end with an open pipeline (Anthonin Bonnefoy)
Previously, pgbench would behave oddly if a \startpipeline
command lacked a matching \endpipeline
. This seems like a scripting mistake rather than a case that pgbench needs to handle nicely, so throw an error.
In contrib/bloom
, fix overly tight assertion about false_positive_rate
(Alexander Lakhin)
Fix crash in contrib/intarray
if an array with an element equal to INT_MAX
is inserted into a gist__int_ops
index (Alexander Lakhin, Tom Lane)
Report a better error when contrib/pageinspect
's hash_bitmap_info()
function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)
Report a better error when contrib/pgstattuple
's pgstathashindex()
function is applied to a partitioned hash index (Alexander Lakhin)
On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)
When launching a child process via cmd.exe
, pass the /D
flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.
Move is_valid_ascii()
from mb/pg_wchar.h
to utils/ascii.h
(Jubilee Young)
This change avoids the need to include <simd.h>
in pg_wchar.h
, which was causing problems for some third-party code.
Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)
Fix compilation failure of WAL_DEBUG
code on Windows (Bharath Rupireddy)
Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.
Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)
Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.
Release date: 2023-11-09
This release contains a variety of fixes from 16.0. For information about new features in major release 16, see Version 16.0.
A dump/restore is not required for those running 16.X.
However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX
potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.
Fix handling of unknown-type arguments in DISTINCT
"any"
aggregate functions (Tom Lane)
This error led to a text
-type value being interpreted as an unknown
-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text
value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. CVE-2023-5868 or CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2023-5869 or CVE-2023-5869)
Prevent the pg_signal_backend
role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend
cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser
parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. CVE-2023-5870 or CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Prevent de-duplication of btree index entries for interval
columns (Noah Misch)
There are interval
values that are distinguishable but compare equal, for example 24:00:00
and 1 day
. This breaks assumptions made by btree de-duplication, so interval
columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval
columns.
Process date
values more sanely in BRIN datetime_minmax_multi_ops
indexes (Tomas Vondra)
The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi
indexes on date
columns is advisable.
Process large timestamp
and timestamptz
values more sanely in BRIN datetime_minmax_multi_ops
indexes (Tomas Vondra)
Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi
indexes on timestamp
and timestamptz
columns is advisable if the column contains, or has contained, infinities or large finite values.
Avoid calculation overflows in BRIN interval_minmax_multi_ops
indexes with extreme interval values (Tomas Vondra)
This bug might have caused unexpected failures while trying to insert large interval values into such an index.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL
condition on one of the partition keys could result in a crash.
Fix inconsistent rechecking of concurrently-updated rows during MERGE
(Dean Rasheed)
In READ COMMITTED
mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE
conditions on the updated row. MERGE
failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE
.
Correctly identify the target table in an inherited UPDATE
/DELETE
/MERGE
even when the parent table is excluded by constraints (Amit Langote, Tom Lane)
If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN†errors.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])
) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema()
is applied to a non-data-returning Portal (Boyu Yang)
Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes()
calls (Hou Zhijie)
The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.
Throw the intended error if pgrowlocks()
is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported†would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex()
, pgstatginindex()
, pgstathashindex()
, or pgstattuple()
is applied to an invalid index. If brin_desummarize_range()
, brin_summarize_new_values()
, brin_summarize_range()
, or gin_clean_pending_list()
is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX
had left behind.
Avoid premature memory allocation failure with long inputs to to_tsvector()
(Tom Lane)
Fix over-allocation of the constructed tsvector
in tsvectorrecv()
(Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector
. In extreme cases this could lead to “maximum total lexeme length exceeded†failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Improve checks for corrupt PGLZ compressed data (Flavien Guedez)
Fix ALTER SUBSCRIPTION
so that a commanded change in the run_as_owner
option is actually applied (Hou Zhijie)
Fix bulk table insertion into partitioned tables (Andres Freund)
Improper sharing of insertion state across partitions could result in failures during COPY FROM
, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes†errors.
In COPY FROM
, avoid evaluating column default values that will not be needed by the command (Laurenz Albe)
This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.
In COPY FROM
, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)
Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0†instead of a useful error message.
Avoid crash in EXPLAIN
if a parameter marked to be displayed by EXPLAIN
has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT DROP
temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK
condition).
Avoid improper response to shutdown signals in child processes just forked by system()
(Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system()
, but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control
in frontend programs (Thomas Munro)
On some file systems, reading pg_control
may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
Avoid torn reads of pg_control
in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control
, to ensure we get a consistent view of that file.
Fix “could not find pathkey item to sort†errors occurring while planning aggregate functions with ORDER BY
or DISTINCT
options (David Rowley)
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size
large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
Fix briefly showing inconsistent progress statistics for ANALYZE
on inherited tables (Heikki Linnakangas)
The block-level counters should be reset to zero at the same time we update the current-relation field.
Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)
Fix confusion about forced-flush behavior in pgstat_report_wal()
(Ryoga Yoshida, Michael Paquier)
This could result in some statistics about WAL I/O being forgotten in a shutdown.
Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund)
These were counted as normal-table writes when they should be counted as temp-table writes.
When track_io_timing
is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz)
Track the dependencies of cached CALL
statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL
argument, can create the need to re-plan a CALL
that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failedâ€.
Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)
Track nesting depth correctly when inspecting RECORD
-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno†errors.
Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)
In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.
Fix error-handling bug in RECORD
type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Fix “could not duplicate handle†error occurring on Windows when min_dynamic_shared_memory
is set above zero (Thomas Munro)
Fix order of operations in GenericXLogFinish
(Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom
does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_dump to dump the new run_as_owner
option of subscriptions (Philip Warner)
Due to this oversight, subscriptions would always be restored with run_as_owner
set to false
, which is not equivalent to their behavior in pre-v16 releases.
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use of abstime
, reltime
, and tinterval
data types (Ãlvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid false “too many client connections†errors in pgbench on Windows (Noah Misch)
Fix vacuumdb's handling of multiple -N
switches (Nathan Bossart, Kuwamura Masaki)
Multiple -N
switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.
Fix vacuumdb to honor its --buffer-usage-limit
option in analyze-only mode (Ryoga Yoshida, David Rowley)
In contrib/amcheck
, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its levelâ€, “block NNNN is not leftmost†or “left link/right link pair in index XXXX not in agreementâ€. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM
had cleaned things up.
Fix failure of contrib/btree_gin
indexes on interval
columns, when an indexscan using the <
or <=
operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress
linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
When building contrib/unaccent
's rules file, fall back to using python
if --with-python
was not given and make variable PYTHON
was not set (Japin Li)
Remove PHOT
(Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Release date: 2023-09-14
PostgreSQL 16 contains many new features and enhancements, including:
Allow parallelization of FULL
and internal right OUTER
hash joins
Allow logical replication from standby servers
Allow logical replication subscribers to apply large transactions in parallel
Allow monitoring of I/O statistics using the new pg_stat_io
view
Add SQL/JSON constructors and identity functions
Improve performance of vacuum freezing
Add support for regular expression matching of user and database names in pg_hba.conf
, and user names in pg_ident.conf
The above items and other new features of PostgreSQL 16 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.
Version 16 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Change assignment rules for PL/pgSQL bound cursor variables (Tom Lane)
Previously, the string value of such variables was set to match the variable name during cursor assignment; now it will be assigned during OPEN
, and will not match the variable name. To restore the previous behavior, assign the desired portal name to the cursor variable before OPEN
.
Disallow NULLS NOT DISTINCT
indexes for primary keys (Daniel Gustafsson)
Change REINDEX DATABASE
and reindexdb to not process indexes on system catalogs (Simon Riggs)
Processing such indexes is still possible using REINDEX SYSTEM
and reindexdb --system
.
Tighten GENERATED
expression restrictions on inherited and partitioned tables (Amit Langote, Tom Lane)
Columns of parent/partitioned and child/partition tables must all have the same generation status, though now the actual generation expressions can be different.
Remove pg_walinspect functions pg_get_wal_records_info_till_end_of_wal()
and pg_get_wal_stats_till_end_of_wal()
(Bharath Rupireddy)
Rename server variable force_parallel_mode
to debug_parallel_query
(David Rowley)
Remove the ability to create views manually with ON SELECT
rules (Tom Lane)
Remove the server variable vacuum_defer_cleanup_age
(Andres Freund)
This has been unnecessary since hot_standby_feedback
and replication slots were added.
Remove server variable promote_trigger_file
(Simon Riggs)
This was used to promote a standby to primary, but is now easier accomplished with pg_ctl promote
or pg_promote()
.
Remove read-only server variables lc_collate
and lc_ctype
(Peter Eisentraut)
Collations and locales can vary between databases so having them as read-only server variables was unhelpful.
Role inheritance now controls the default inheritance status of member roles added during GRANT
(Robert Haas)
The role's default inheritance behavior can be overridden with the new GRANT ... WITH INHERIT
clause. This allows inheritance of some roles and not others because the members' inheritance status is set at GRANT
time. Previously the inheritance status of member roles was controlled only by the role's inheritance status, and changes to a role's inheritance status affected all previous and future member roles.
Restrict the privileges of CREATEROLE
and its ability to modify other roles (Robert Haas)
Previously roles with CREATEROLE
privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION
permission. For example, they can now change the CREATEDB
, REPLICATION
, and BYPASSRLS
properties only if they also have those permissions.
Remove symbolic links for the postmaster binary (Peter Eisentraut)
Below you will find a detailed account of the changes between PostgreSQL 16 and the previous major release.
Allow incremental sorts in more cases, including DISTINCT
(David Rowley)
Add the ability for aggregates having ORDER BY
or DISTINCT
to use pre-sorted data (David Rowley)
The new server variable enable_presorted_aggregate
can be used to disable this.
Allow memoize atop a UNION ALL
(Richard Guo)
Allow anti-joins to be performed with the non-nullable input as the inner relation (Richard Guo)
Allow parallelization of FULL
and internal right OUTER
hash joins (Melanie Plageman, Thomas Munro)
Improve the accuracy of GIN
index access optimizer costs (Ronan Dunklau)
Allow more efficient addition of heap and index pages (Andres Freund)
During non-freeze operations, perform page freezing where appropriate (Peter Geoghegan)
This makes full-table freeze vacuums less necessary.
Allow window functions to use the faster ROWS
mode internally when RANGE
mode is active but unnecessary (David Rowley)
Allow optimization of always-increasing window functions ntile()
, cume_dist()
and percent_rank()
(David Rowley)
Allow aggregate functions string_agg()
and array_agg()
to be parallelized (David Rowley)
Improve performance by caching RANGE
and LIST
partition lookups (Amit Langote, Hou Zhijie, David Rowley)
Allow control of the shared buffer usage by vacuum and analyze (Melanie Plageman)
The VACUUM
/ANALYZE
option is BUFFER_USAGE_LIMIT
, and the vacuumdb option is --buffer-usage-limit
. The default value is set by server variable vacuum_buffer_usage_limit
, which also controls autovacuum.
Support wal_sync_method=fdatasync
on Windows (Thomas Munro)
Allow HOT updates if only BRIN
-indexed columns are updated (Matthias van de Meent, Josef Simanek, Tomas Vondra)
Improve the speed of updating the process title (David Rowley)
Allow xid
/subxid
searches and ASCII string detection to use vector operations (Nathan Bossart, John Naylor)
ASCII detection is particularly useful for COPY FROM
. Vector operations are also used for some C array searches.
Reduce overhead of memory allocations (Andres Freund, David Rowley)
Add system view pg_stat_io
view to track I/O statistics (Melanie Plageman)
Record statistics on the last sequential and index scans on tables (Dave Page)
This information appears in pg_stat_*_tables
and pg_stat_*_indexes
.
Record statistics on the occurrence of updated rows moving to new pages (Corey Huinker)
The pg_stat_*_tables
column is n_tup_newpage_upd
.
Add speculative lock information to the pg_locks
system view (Masahiko Sawada, Noriyoshi Shinoda)
The transaction id is displayed in the transactionid
column and the speculative insertion token is displayed in the objid
column.
Add the display of prepared statement result types to the pg_prepared_statements
view (Dagfinn Ilmari Mannsåker)
Create subscription statistics entries at subscription creation time so stats_reset
is accurate (Andres Freund)
Previously entries were created only when the first statistics were reported.
Correct the I/O accounting for temp relation writes shown in pg_stat_database
(Melanie Plageman)
Add function pg_stat_get_backend_subxact()
to report on a session's subtransaction cache (Dilip Kumar)
Have pg_stat_get_backend_idset()
, pg_stat_get_backend_activity()
, and related functions use the unchanging backend id (Nathan Bossart)
Previously the index values might change during the lifetime of the session.
Report stand-alone backends with a special backend type (Melanie Plageman)
Add wait event SpinDelay
to report spinlock sleep delays (Andres Freund)
Create new wait event DSMAllocate
to indicate waiting for dynamic shared memory allocation (Thomas Munro)
Previously this type of wait was reported as DSMFillZeroWrite
, which was also used by mmap()
allocations.
Add the database name to the process title of logical WAL senders (Tatsuhiro Nakamori)
Physical WAL senders do not display a database name.
Add checkpoint and REDO LSN
information to log_checkpoints
messages (Bharath Rupireddy, Kyotaro Horiguchi)
Provide additional details during client certificate failures (Jacob Champion)
Add predefined role pg_create_subscription
with permission to create subscriptions (Robert Haas)
Allow subscriptions to not require passwords (Robert Haas)
This is accomplished with the option password_required=false
.
Simplify permissions for LOCK TABLE
(Jeff Davis)
Previously a user's ability to perform LOCK TABLE
at various lock levels was limited to the lock levels required by the commands they had permission to execute on the table. For example, someone with UPDATE
permission could perform all lock levels except ACCESS SHARE
, even though it was a lesser lock level. Now users can issue lesser lock levels if they already have permission for greater lock levels.
Allow GRANT group_name TO user_name
to be performed with ADMIN OPTION
(Robert Haas)
Previously CREATEROLE
permission was required.
Allow GRANT
to use WITH ADMIN TRUE
/FALSE
syntax (Robert Haas)
Previously only the WITH ADMIN OPTION
syntax was supported.
Allow roles that create other roles to automatically inherit the new role's rights or the ability to SET ROLE
to the new role (Robert Haas, Shi Yu)
This is controlled by server variable createrole_self_grant
.
Prevent users from changing the default privileges of non-inherited roles (Robert Haas)
This is now only allowed for inherited roles.
When granting role membership, require the granted-by role to be a role that has appropriate permissions (Robert Haas)
This is a requirement even when a non-bootstrap superuser is granting role membership.
Allow non-superusers to grant permissions using a granted-by user that is not the current user (Robert Haas)
The current user still must have sufficient permissions given by the specified granted-by user.
Add GRANT
to control permission to use SET ROLE
(Robert Haas)
This is controlled by a new GRANT ... SET
option.
Add dependency tracking to roles which have granted privileges (Robert Haas)
For example, removing ADMIN OPTION
will fail if there are privileges using that option; CASCADE
must be used to revoke dependent permissions.
Add dependency tracking of grantors for GRANT
records (Robert Haas)
This guarantees that pg_auth_members
.grantor
values are always valid.
Allow multiple role membership records (Robert Haas)
Previously a new membership grant would remove a previous matching membership grant, even if other aspects of the grant did not match.
Prevent removal of superuser privileges for the bootstrap user (Robert Haas)
Restoring such users could lead to errors.
Allow makeaclitem()
to accept multiple privilege names (Robins Tharakan)
Previously only a single privilege name, like SELECT
, was accepted.
Add support for Kerberos credential delegation (Stephen Frost)
This is enabled with server variable gss_accept_delegation
and libpq connection parameter gssdelegation
.
Allow the SCRAM iteration count to be set with server variable scram_iterations
(Daniel Gustafsson)
Improve performance of server variable management (Tom Lane)
Tighten restrictions on which server variables can be reset (Masahiko Sawada)
Previously, while certain variables, like transaction_isolation
, were not affected by RESET ALL
, they could be individually reset in inappropriate situations.
Move various postgresql.conf
items into new categories (Shinya Kato)
This also affects the categories displayed in the pg_settings
view.
Prevent configuration file recursion beyond 10 levels (Julien Rouhaud)
Allow autovacuum to more frequently honor changes to delay settings (Melanie Plageman)
Rather than honor changes only at the start of each relation, honor them at the start of each block.
Remove restrictions that archive files be durably renamed (Nathan Bossart)
The archive_command
command is now more likely to be called with already-archived files after a crash.
Prevent archive_library
and archive_command
from being set at the same time (Nathan Bossart)
Previously archive_library
would override archive_command
.
Allow the postmaster to terminate children with an abort signal (Tom Lane)
This allows collection of a core dump for a stuck child process. This is controlled by send_abort_for_crash
and send_abort_for_kill
. The postmaster's -T
switch is now the same as setting send_abort_for_crash
.
Remove the non-functional postmaster -n
option (Tom Lane)
Allow the server to reserve backend slots for roles with pg_use_reserved_connections
membership (Nathan Bossart)
The number of reserved slots is set by server variable reserved_connections
.
Allow huge pages to work on newer versions of Windows 10 (Thomas Munro)
This adds the special handling required to enable huge pages on newer versions of Windows 10.
Add debug_io_direct
setting for developer usage (Thomas Munro, Andres Freund, Bharath Rupireddy)
While primarily for developers, wal_sync_method=open_sync
/open_datasync
has been modified to not use direct I/O with wal_level=minimal
; this is now enabled with debug_io_direct=wal
.
Add function pg_split_walfile_name()
to report the segment and timeline values of WAL file names (Bharath Rupireddy)
Add support for regular expression matching on database and role entries in pg_hba.conf
(Bertrand Drouvot)
Regular expression patterns are prefixed with a slash. Database and role names that begin with slashes need to be double-quoted if referenced in pg_hba.conf
.
Improve user-column handling of pg_ident.conf
to match pg_hba.conf
(Jelte Fennema)
Specifically, add support for all
, role membership with +
, and regular expressions with a leading slash. Any user name that matches these patterns must be double-quoted.
Allow include files in pg_hba.conf
and pg_ident.conf
(Julien Rouhaud)
These are controlled by include
, include_if_exists
, and include_dir
. System views pg_hba_file_rules
and pg_ident_file_mappings
now display the file name.
Allow pg_hba.conf
tokens to be of unlimited length (Tom Lane)
Add rule and map numbers to the system view pg_hba_file_rules
(Julien Rouhaud)
Determine the default encoding from the locale when using ICU (Jeff Davis)
Previously the default was always UTF-8
.
Have CREATE DATABASE
and CREATE COLLATION
's LOCALE
options, and initdb and createdb --locale
options, control non-libc collation providers (Jeff Davis)
Previously they only controlled libc providers.
Add predefined collations unicode
and ucs_basic
(Peter Eisentraut)
This only works if ICU support is enabled.
Allow custom ICU collation rules to be created (Peter Eisentraut)
This is done using CREATE COLLATION
's new RULES
clause, as well as new options for CREATE DATABASE
, createdb, and initdb.
Allow Windows to import system locales automatically (Juan José SantamarÃa Flecha)
Previously, only ICU locales could be imported on Windows.
Allow logical decoding on standbys (Bertrand Drouvot, Andres Freund, Amit Khandekar)
Snapshot WAL records are required for logical slot creation but cannot be created on standbys. To avoid delays, the new function pg_log_standby_snapshot()
allows creation of such records.
Add server variable to control how logical decoding publishers transfer changes and how subscribers apply them (Shi Yu)
The variable is debug_logical_replication_streaming
.
Allow logical replication initial table synchronization to copy rows in binary format (Melih Mutlu)
This is only possible for subscriptions marked as binary.
Allow parallel application of logical replication (Hou Zhijie, Wang Wei, Amit Kapila)
The CREATE SUBSCRIPTION
STREAMING
option now supports parallel
to enable application of large transactions by parallel workers. The number of parallel workers is controlled by the new server variable max_parallel_apply_workers_per_subscription
. Wait events LogicalParallelApplyMain
, LogicalParallelApplyStateChange
, and LogicalApplySendData
were also added. Column leader_pid
was added to system view pg_stat_subscription
to track parallel activity.
Improve performance for logical replication apply without a primary key (Onder Kalaci, Amit Kapila)
Specifically, REPLICA IDENTITY FULL
can now use btree indexes rather than sequentially scanning the table to find matches.
Allow logical replication subscribers to process only changes that have no origin (Vignesh C, Amit Kapila)
This can be used to avoid replication loops. This is controlled by the new CREATE SUBSCRIPTION ... ORIGIN
option.
Perform logical replication SELECT
and DML actions as the table owner (Robert Haas)
This improves security and now requires subscription owners to be either superusers or to have SET ROLE
permission on all roles owning tables in the replication set. The previous behavior of performing all operations as the subscription owner can be enabled with the subscription run_as_owner
option.
Have wal_retrieve_retry_interval
operate on a per-subscription basis (Nathan Bossart)
Previously the retry time was applied globally. This also adds wait events >LogicalRepLauncherDSA
and LogicalRepLauncherHash
.
Add EXPLAIN
option GENERIC_PLAN
to display the generic plan for a parameterized query (Laurenz Albe)
Allow a COPY FROM
value to map to a column's DEFAULT
(Israel Barth Rubio)
Allow COPY
into foreign tables to add rows in batches (Andrey Lepikhov, Etsuro Fujita)
This is controlled by the postgres_fdw option batch_size
.
Allow the STORAGE
type to be specified by CREATE TABLE
(Teodor Sigaev, Aleksander Alekseev)
Previously only ALTER TABLE
could control this.
Allow truncate triggers on foreign tables (Yugo Nagata)
Allow VACUUM
and vacuumdb to only process TOAST
tables (Nathan Bossart)
This is accomplished by having VACUUM
turn off PROCESS_MAIN
or by vacuumdb using the --no-process-main
option.
Add VACUUM
options to skip or update all frozen statistics (Tom Lane, Nathan Bossart)
The options are SKIP_DATABASE_STATS
and ONLY_DATABASE_STATS
.
Change REINDEX DATABASE
and REINDEX SYSTEM
to no longer require an argument (Simon Riggs)
Previously the database name had to be specified.
Allow CREATE STATISTICS
to generate a statistics name if none is specified (Simon Riggs)
Allow non-decimal integer literals (Peter Eisentraut)
For example, 0x42F
, 0o273
, and 0b100101
.
Allow NUMERIC
to process hexadecimal, octal, and binary integers of any size (Dean Rasheed)
Previously only unquoted eight-byte integers were supported with these non-decimal bases.
Allow underscores in integer and numeric constants (Peter Eisentraut, Dean Rasheed)
This can improve readability for long strings of digits.
Accept the spelling +infinity
in datetime input (Vik Fearing)
Prevent the specification of epoch
and infinity
together with other fields in datetime strings (Joseph Koshakow)
Remove undocumented support for date input in the form Y
(Joseph Koshakow)year
Mmonth
Dday
Add functions pg_input_is_valid()
and pg_input_error_info()
to check for type conversion errors (Tom Lane)
Allow subqueries in the FROM
clause to omit aliases (Dean Rasheed)
Add support for enhanced numeric literals in SQL/JSON paths (Peter Eisentraut)
For example, allow hexadecimal, octal, and binary integers and underscores between digits.
Add SQL/JSON constructors (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote)
The new functions JSON_ARRAY()
, JSON_ARRAYAGG()
, JSON_OBJECT()
, and JSON_OBJECTAGG()
are part of the SQL standard.
Add SQL/JSON object checks (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote, Andrew Dunstan)
The IS JSON
checks include checks for values, arrays, objects, scalars, and unique keys.
Allow JSON string parsing to use vector operations (John Naylor)
Improve the handling of full text highlighting function ts_headline()
for OR
and NOT
expressions (Tom Lane)
Add functions to add, subtract, and generate timestamptz
values in a specified time zone (Przemyslaw Sztoch, Gurjeet Singh)
The functions are date_add()
, date_subtract()
, and generate_series()
.
Change date_trunc(unit, timestamptz, time_zone)
to be an immutable function (Przemyslaw Sztoch)
This allows the creation of expression indexes using this function.
Add server variable SYSTEM_USER
(Bertrand Drouvot)
This reports the authentication method and its authenticated user.
Add functions array_sample()
and array_shuffle()
(Martin Kalcher)
Add aggregate function ANY_VALUE()
which returns any value from a set (Vik Fearing)
Add function random_normal()
to supply normally-distributed random numbers (Paul Ramsey)
Add error function erf()
and its complement erfc()
(Dean Rasheed)
Improve the accuracy of numeric power()
for integer exponents (Dean Rasheed)
Add XMLSERIALIZE()
option INDENT
to pretty-print its output (Jim Jones)
Change pg_collation_actual_version()
to return a reasonable value for the default collation (Jeff Davis)
Previously it returned NULL
.
Allow pg_read_file()
and pg_read_binary_file()
to ignore missing files (Kyotaro Horiguchi)
Add byte specification (B
) to pg_size_bytes()
(Peter Eisentraut)
Allow to_reg
* functions to accept numeric OIDs as input (Tom Lane)
Add the ability to get the current function's OID in PL/pgSQL (Pavel Stehule)
This is accomplished with GET DIAGNOSTICS variable = PG_ROUTINE_OID
.
Add libpq connection option require_auth
to specify a list of acceptable authentication methods (Jacob Champion)
This can also be used to disallow certain authentication methods.
Allow multiple libpq-specified hosts to be randomly selected (Jelte Fennema)
This is enabled with load_balance_hosts=random
and can be used for load balancing.
Add libpq option sslcertmode
to control transmission of the client certificate (Jacob Champion)
The option values are disable
, allow
, and require
.
Allow libpq to use the system certificate pool for certificate verification (Jacob Champion, Thomas Habets)
This is enabled with sslrootcert=system
, which also enables sslmode=verify-full
.
Allow ECPG
variable declarations to use typedef names that match unreserved SQL keywords (Tom Lane)
This change does prevent keywords which match C typedef names from being processed as keywords in later EXEC SQL
blocks.
Allow psql to control the maximum width of header lines in expanded format (Platon Pronko)
This is controlled by xheader_width
.
Add psql command \drg
to show role membership details (Pavel Luzanov)
The Member of
output column has been removed from \du
and \dg
because this new command displays this informaion in more detail.
Allow psql's access privilege commands to show system objects (Nathan Bossart)
Add FOREIGN
designation to psql \d+
for foreign table children and partitions (Ian Lawrence Barwick)
Prevent \df+
from showing function source code (Isaac Morland)
Function bodies are more easily viewed with \sf
.
Allow psql to submit queries using the extended query protocol (Peter Eisentraut)
Passing arguments to such queries is done using the new psql \bind
command.
Allow psql \watch
to limit the number of executions (Andrey Borodin)
The \watch
options can now be named when specified.
Detect invalid values for psql \watch
, and allow zero to specify no delay (Andrey Borodin)
Allow psql scripts to obtain the exit status of shell commands and queries (Corey Huinker, Tom Lane)
The new psql control variables are SHELL_ERROR
and SHELL_EXIT_CODE
.
Various psql tab completion improvements (Vignesh C, Aleksander Alekseev, Dagfinn Ilmari Mannsåker, Shi Yu, Michael Paquier, Ken Kato, Peter Smith)
Add pg_dump control of dumping child tables and partitions (Gilles Darold)
The new options are --table-and-children
, --exclude-table-and-children
, and --exclude-table-data-and-children
.
Add LZ4 and Zstandard compression to pg_dump (Georgios Kokolatos, Justin Pryzby)
Allow pg_dump and pg_basebackup to use long
mode for compression (Justin Pryzby)
Improve pg_dump to accept a more consistent compression syntax (Georgios Kokolatos)
Options like --compress=gzip:5
.
Add initdb option to set server variables for the duration of initdb and all future server starts (Tom Lane)
The option is -c name=value
.
Add options to createuser to control more user options (Shinya Kato)
Specifically, the new options control the valid-until date, bypassing of row-level security, and role membership.
Deprecate createuser option --role
(Nathan Bossart)
This option could be easily confused with new createuser role membership options, so option --member-of
has been added with the same functionality. The --role
option can still be used.
Allow control of vacuumdb schema processing (Gilles Darold)
These are controlled by options --schema
and --exclude-schema
.
Use new VACUUM
options to improve the performance of vacuumdb (Tom Lane, Nathan Bossart)
Have pg_upgrade set the new cluster's locale and encoding (Jeff Davis)
This removes the requirement that the new cluster be created with the same locale and encoding settings.
Add pg_upgrade option to specify the default transfer mode (Peter Eisentraut)
The option is --copy
.
Improve pg_basebackup to accept numeric compression options (Georgios Kokolatos, Michael Paquier)
Options like --compress=server-5
are now supported.
Fix pg_basebackup to handle tablespaces stored in the PGDATA
directory (Robert Haas)
Add pg_waldump option --save-fullpage
to dump full page images (David Christensen)
Allow pg_waldump options -t
/--timeline
to accept hexadecimal values (Peter Eisentraut)
Add support for progress reporting to pg_verifybackup (Masahiko Sawada)
Allow pg_rewind to properly track timeline changes (Heikki Linnakangas)
Previously if pg_rewind was run after a timeline switch but before a checkpoint was issued, it might incorrectly determine that a rewind was unnecessary.
Have pg_receivewal and pg_recvlogical cleanly exit on SIGTERM
(Christoph Berg)
This signal is often used by systemd.
Build ICU support by default (Jeff Davis)
This removes build flag --with-icu
and adds flag --without-icu
.
Add support for SSE2 (Streaming SIMD Extensions 2) vector operations on x86-64 architectures (John Naylor)
Add support for Advanced SIMD (Single Instruction Multiple Data) (NEON) instructions on ARM architectures (Nathan Bossart)
Have Windows binaries built with MSVC use RandomizedBaseAddress
(ASLR) (Michael Paquier)
This was already enabled on MinGW builds.
Prevent extension libraries from exporting their symbols by default (Andres Freund, Tom Lane)
Functions that need to be called from the core backend or other extensions must now be explicitly marked PGDLLEXPORT
.
Require Windows 10 or newer versions (Michael Paquier, Juan José SantamarÃa Flecha)
Previously Windows Vista and Windows XP were supported.
Require Perl version 5.14 or later (John Naylor)
Require Bison version 2.3 or later (John Naylor)
Require Flex version 2.5.35 or later (John Naylor)
Require MIT Kerberos for GSSAPI support (Stephen Frost)
Remove support for Visual Studio 2013 (Michael Paquier)
Remove support for HP-UX (Thomas Munro)
Remove support for HP/Intel Itanium (Thomas Munro)
Remove support for M68K, M88K, M32R, and SuperH CPU architectures (Thomas Munro)
Remove libpq support for SCM credential authentication (Michael Paquier)
Backend support for this authentication method was removed in PostgresSQL 9.1.
Add meson build system (Andres Freund, Nazir Bilal Yavuz, Peter Eisentraut)
This eventually will replace the Autoconf and Windows-based MSVC build systems.
Allow control of the location of the openssl binary used by the build system (Peter Eisentraut)
Make finding openssl program a configure or meson option
Add build option to allow testing of small WAL segment sizes (Andres Freund)
The build options are --with-segsize-blocks
and -Dsegsize_blocks
.
Add pgindent options (Andrew Dunstan)
The new options are --show-diff
, --silent-diff
, --commit
, and --help
, and allow multiple --exclude
options. Also require the typedef file to be explicitly specified. Options --code-base
and --build
were also removed.
Add pg_bsd_indent source code to the main tree (Tom Lane)
Improve make_ctags and make_etags (Yugo Nagata)
Adjust pg_attribute
columns for efficiency (Peter Eisentraut)
Improve use of extension-based indexes on boolean columns (Zongliang Quan, Tom Lane)
Add support for Daitch-Mokotoff Soundex to fuzzystrmatch (Dag Lem)
Allow auto_explain to log values passed to parameterized statements (Dagfinn Ilmari Mannsåker)
This affects queries using server-side PREPARE
/EXECUTE
and client-side parse/bind. Logging is controlled by auto_explain.log_parameter_max_length
; by default query parameters will be logged with no length restriction.
Have auto_explain's log_verbose
mode honor the value of compute_query_id
(Atsushi Torikoshi)
Previously even if compute_query_id
was enabled, log_verbose
was not showing the query identifier.
Change the maximum length of ltree labels from 256 to 1000 and allow hyphens (Garen Torikian)
Have pg_stat_statements
normalize constants used in utility commands (Michael Paquier)
Previously constants appeared instead of placeholders, e.g., $1
.
Add pg_walinspect function pg_get_wal_block_info()
to report WAL block information (Michael Paquier, Melanie Plageman, Bharath Rupireddy)
Change how pg_walinspect functions pg_get_wal_records_info()
and pg_get_wal_stats()
interpret ending LSNs (Bharath Rupireddy)
Previously ending LSNs which represent nonexistent WAL locations would generate an error, while they will now be interpreted as the end of the WAL.
Add detailed descriptions of WAL records in pg_walinspect and pg_waldump (Melanie Plageman, Peter Geoghegan)
Add pageinspect function bt_multi_page_stats()
to report statistics on multiple pages (Hamid Akhtar)
This is similar to bt_page_stats()
except it can report on a range of pages.
Add empty range output column to pageinspect function brin_page_items()
(Tomas Vondra)
Redesign archive modules to be more flexible (Nathan Bossart)
Initialization changes will require modules written for older versions of Postgres to be updated.
Correct inaccurate pg_stat_statements row tracking extended query protocol statements (Sami Imseih)
Add pg_buffercache function pg_buffercache_usage_counts()
to report usage totals (Nathan Bossart)
Add pg_buffercache function pg_buffercache_summary()
to report summarized buffer statistics (Melih Mutlu)
Allow the schemas of required extensions to be referenced in extension scripts using the new syntax @extschema:referenced_extension_name@
(Regina Obe)
Allow required extensions to be marked as non-relocatable using no_relocate
(Regina Obe)
This allows @extschema:referenced_extension_name@
to be treated as a constant for the lifetime of the extension.
Allow postgres_fdw to do aborts in parallel (Etsuro Fujita)
This is enabled with postgres_fdw option parallel_abort
.
Make ANALYZE
on foreign postgres_fdw tables more efficient (Tomas Vondra)
The postgres_fdw option analyze_sampling
controls the sampling method.
Restrict shipment of reg
* type constants in postgres_fdw to those referencing built-in objects or extensions marked as shippable (Tom Lane)
Have postgres_fdw and dblink handle interrupts during connection establishment (Andres Freund)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2025-02-20
This release contains a few fixes from 15.11. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.9, see Version 15.9.
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜
The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral()
and PQescapeIdentifier()
failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.
In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Release date: 2025-02-13
This release contains a variety of fixes from 15.10. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.9, see Version 15.9.
Harden PQescapeString
and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)
Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜
Do not check datallowconn
, rolcanlogin
, and ACL_CONNECT
privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections
, datconnlimit
, and rolconnlimit
limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.
Fix possible re-use of stale results in window aggregates (David Rowley) 📜
A window aggregate with a “run condition†optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.
Keep TransactionXmin
in sync with MyProc->xmin
(Heikki Linnakangas) 📜
This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction†errors.
Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜
This could result, for example, in failure to use a newly-created function within an existing session.
Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜
Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜
The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.
Prevent checkpoints from starting during relation truncation (Robert Haas) 📜
This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.
Use rename()
not link()
/unlink()
to rename files (Nathan Bossart) 📜
The previous coding was intended to assure that the operation could not accidentally overwrite an existing file. However a failure could leave two links to the same file in existence, confusing subsequent operations and creating a risk of data corruption. In practice we do not use this functionality in places where the target filename could already exist, so it seems better to give up the no-overwrite guarantee to remove the multiple-link hazard.
Avoid possibly losing an update of pg_database
.datfrozenxid
when VACUUM
runs concurrently with a REASSIGN OWNED
that changes that database's owner (Kirill Reshke) 📜
Fix incorrect tg_updatedcols
values passed to AFTER UPDATE
triggers (Tom Lane) 📜
In some cases the tg_updatedcols
bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.
Also, prevent memory bloat caused by making too many copies of the tg_updatedcols
bitmap.
Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) 📜
In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint
entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraintâ€.
Fix mis-processing of to_timestamp
's FF
format codes (Tom Lane) 📜n
An integer format code immediately preceding FF
would consume all available digits, leaving none for n
FF
.n
When deparsing an XMLTABLE()
expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜
Include the ldapscheme
option in pg_hba_file_rules()
output (Laurenz Albe) 📜 📜
Don't merge UNION
operations if their column collations aren't consistent (Tom Lane) 📜
Previously we ignored collations when deciding if it's safe to merge UNION
steps into a single N-way UNION
operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.
Fix missed expression processing for partition pruning steps (Tom Lane) 📜
This oversight could lead to “unrecognized node type†errors, and perhaps other problems, in queries accessing partitioned tables.
Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜
This avoids errors like “invalid DSA memory alloc request sizeâ€. The case can occur for example in transactions that process several million tables.
Avoid possible integer overflow in bringetbitmap()
(James Hunter, Evgeniy Gorbanyov) 📜
Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.
Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜
This would happen when the record's continuation is on a page that needs to be read from a different WAL source.
Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜
This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child processâ€.
Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜
In some cases a data type could be dropped while references to its OID still remain in pg_amop
or pg_amproc
. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY
to prevent failure when dropping a family that has dangling members.
Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜 📜
Avoid low-probability crash on out-of-memory, due to missing check for failure return from malloc()
(Karina Litskevich) 📜
Avoid integer overflow while testing wal_skip_threshold
condition (Tom Lane) 📜
A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold
. (This only matters when wal_level
is set to minimal
, else a WAL copy is required anyway.)
Fix unsafe order of operations during cache lookups (Noah Misch) 📜
The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock†warning during GRANT TABLESPACE
.
Fix possible “failed to resolve name†failures when using JIT on older ARM platforms (Thomas Munro) 📜
This could occur as a consequence of inconsistency about the default setting of -moutline-atomics
between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.
Fix handling of Windows junction points that are not of PostgreSQL origin (Thomas Munro) 📜 📜
Previously, initdb would fail if the path to the data directory included junction points whose expansion isn't in “drive absolute†format, or whose expansion points to another junction point.
Fix assertion failure in WITH RECURSIVE ... UNION
queries (David Rowley) 📜
Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜
Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜
Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) 📜
In NULLIF()
, avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜
The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF()
result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.
Ensure that expression preprocessing is applied to a default null value in INSERT
(Tom Lane) 📜
If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.
Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜
Repeated use of PLyPlan.execute
or plpy.cursor
resulted in memory leakage for the duration of the calling PL/Python function.
Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜
In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜
In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN
(Ryo Kanbayashi) 📜
Previously, the intended warning was not issued due to a typo.
Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜
Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\
). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.
Fix use of wrong version of pqsignal()
in pgbench and psql (Fujii Masao, Tom Lane) 📜
This error could lead to misbehavior when using the -T
option in pgbench or the \watch
command in psql, due to interrupted system calls not being resumed as expected.
Fix misexecution of some nested \if
constructs in pgbench (Michail Nikolaev) 📜
An \if
command appearing within a false (not-being-executed) \if
branch was incorrectly treated the same as \elif
.
In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜
Make pg_controldata more robust against corrupted pg_control
files (Ilyasov Ian, Anton Voloshin) 📜
Since pg_controldata will attempt to print the contents of pg_control
even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.
Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜
Fix pg_basebackup to correctly handle pg_wal.tar
files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜
Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜
On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march
switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.
During configure, if a C23 compiler is detected, try asking for C17 (Thomas Munro) 📜
PostgreSQL versions before v16 will not compile under C23 rules. If the chosen compiler defaults to C23 or later, try adding a -std=gnu17
switch to change that. (If this won't work for your compiler, manually specify CFLAGS
with a suitable switch.)
Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜
Release date: 2024-11-21
This release contains a few fixes from 15.9. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.9, see Version 15.9.
Repair ABI break for extensions that work with struct ResultRelInfo
(Tom Lane) 📜
Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
Restore functionality of ALTER {ROLE|DATABASE} SET role
(Tom Lane, Noah Misch) 📜
The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role
to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE}
commands and the PGOPTIONS
environment variable.
Fix cases where a logical replication slot's restart_lsn
could go backwards (Masahiko Sawada) 📜
Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots
. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn
value, in which case replication would fail to restart.
Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) 📜
Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready
files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.
Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier) 📜
These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once†errors.
Count index scans in contrib/bloom
indexes in the statistics views, such as the pg_stat_user_indexes
.idx_scan
counter (Masahiro Ikeda) 📜
Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜
Some forms of ALTER TABLE
would fail if the table has an index with non-default operator class options.
Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) 📜
This bug does not appear to have any visible consequences in non-assert builds.
Release date: 2024-11-14
This release contains a variety of fixes from 15.8. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.
Also, if you are upgrading from a version earlier than 15.7, see Version 15.7.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION
and SET ROLE
(Tom Lane) 📜 📜
The SQL standard mandates that SET SESSION AUTHORIZATION
have a side-effect of doing SET ROLE NONE
. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION
would revert ROLE
to NONE
even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization
in a function SET
clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role')
, it saw none
even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜
The ability to manipulate process environment variables such as PATH
gives an attacker opportunities to execute arbitrary code. Therefore, “trusted†PLs must not offer the ability to do that. To fix plperl
, replace %ENV
with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu
retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)
Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Ãlvaro Herrera) 📜 📜
If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION
commands failed to perform this conversion correctly. In particular, after DETACH
the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH
could fail with surprising errors, too.
The way to fix this is to do ALTER TABLE DROP CONSTRAINT
on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent));
Since it is possible that one or more of the ADD CONSTRAINT
steps will fail, you should save the query's output in a file and then attempt to perform each step.
Avoid possible crashes and “could not open relation†errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY
and immediate drop of a partition (Ãlvaro Herrera, Kuntal Gosh) 📜 📜
Disallow ALTER TABLE ATTACH PARTITION
if the table to be attached has a foreign key referencing the partitioned table (Ãlvaro Herrera) 📜 📜
This arrangement is not supported, and other ways of creating it already fail.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜
Such plans could produce incorrect results.
Fix possible “could not find pathkey item to sort†error when the output of a UNION ALL
member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜
Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) 📜
Fix assertion failure or confusing error message for COPY (
, when the query
) TO ...query
is rewritten by a DO INSTEAD NOTIFY
rule (Tender Wang, Tom Lane) 📜
Fix detection of skewed data during parallel hash join (Thomas Munro) 📜
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction†error.
Fix race condition in COMMIT PREPARED
that resulted in orphaned 2PC files (wuchengwen) 📜
A concurrent PREPARE TRANSACTION
could cause COMMIT PREPARED
to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transactionâ€, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL
(Tender Wang) 📜
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place†catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class
.relhasindex
to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch) 📜
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih) 📜
This allows more of the work done in extended query protocol to be attributed to the correct query.
Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) 📜
Use xmlXPathCtxtCompile()
rather than xmlXPathCompile()
, because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
Do not ignore a concurrent REINDEX CONCURRENTLY
that is working on an index with predicates or expressions (Michail Nikolaev) 📜
Normally, REINDEX CONCURRENTLY
does not need to wait for other REINDEX CONCURRENTLY
operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY
is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
Fix “failed to find plan for subquery/CTE†errors in EXPLAIN
(Richard Guo, Tom Lane) 📜 📜
This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE
condition). Nothing remains in the plan to identify the original field names, so fall back to printing f
for the N
N
'th record column. (That's actually the right thing anyway, if the record output arose from a ROW()
constructor.)
Disallow a USING
clause when altering the type of a generated column (Peter Eisentraut) 📜
A generated column already has an expression specifying the column contents, so including USING
doesn't make sense.
Ignore not-yet-defined Portals in the pg_cursors
view (Tom Lane) 📜
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Prevent mis-encoding of “trailing junk after numeric literal†error messages (Karina Litskevich) 📜
We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.
Avoid “unexpected table_index_fetch_tuple call during logical decoding†error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) 📜 📜
Reduce memory consumption of logical decoding (Masahiko Sawada) 📜
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) 📜
A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
Avoid “wrong tuple length†failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) 📜 📜
Allow adjusting the session_authorization
and role
settings in parallel workers (Tom Lane) 📜
Our code intends to allow modifiable server settings to be set by function SET
clauses, but not otherwise within a parallel worker. SET
clauses failed for these two settings, though.
Fix behavior of stable functions called from a CALL
statement's argument list, when the CALL
is within a PL/pgSQL EXCEPTION
block (Tom Lane) 📜
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Fix “cache lookup failed for function†errors in edge cases in PL/pgSQL's CALL
(Tom Lane) 📜
Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas) 📜
Thread safety is not currently a concern in the server, but it is for libpq.
Parse libpq's keepalives
connection option in the same way as other integer-valued options (Yuto Sasaki) 📜
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
Avoid use of pnstrdup()
in ecpglib (Jacob Champion) 📜
That function will call exit()
on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane) 📜
Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY
to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.
Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) 📜
This was the intention to begin with, but a coding error caused the source history to always print as empty.
Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang) 📜 📜 📜 📜
This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José SantamarÃa Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Allow inspection of sequence relations in relevant functions of contrib/pageinspect
and contrib/pgstattuple
(Nathan Bossart, Ayush Vatsa) 📜 📜
This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t
) will fit into a long
value (Max Johnson, Nathan Bossart) 📜
On platforms where long
is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start
would hang.
Fix building with Strawberry Perl on Windows (Andrew Dunstan) 📜
Prevent “missing declaration for inet_pton†compiler warning or error when building with MinGW (Thomas Munro, Andrew Dunstan) 📜
Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT
is now an alias for America/Los_Angeles
. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT
, timestamptz
input such as 1801-01-01 00:00
would previously have been rendered as 1801-01-01 00:00:00-08
, but now it is rendered as 1801-01-01 00:00:00-07:52:58
.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan
is now an alias for Asia/Ulaanbaatar
rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Release date: 2024-08-08
This release contains a variety of fixes from 15.7. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.7, see Version 15.7.
Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind
that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem. CVE-2024-7348 or CVE-2024-7348)
Prevent infinite loop in VACUUM
(Melanie Plageman)
After a disconnected standby server with an old running transaction reconnected to the primary, it was possible for VACUUM
on the primary to get confused about which tuples are removable, resulting in an infinite loop.
Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Ãlvaro Herrera)
Fix ALTER TABLE DETACH PARTITION
for cases involving inconsistent index-based constraints (Ãlvaro Herrera, Tender Wang)
When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount
value. This would cause trouble during any further manipulations of that constraint.
Fix partition pruning setup during ALTER TABLE DETACH PARTITION CONCURRENTLY
(Ãlvaro Herrera)
The executor assumed that no partition could be detached between planning and execution of a query on a partitioned table. This is no longer true since the introduction of DETACH PARTITION
's CONCURRENTLY
option, making it possible for query execution to fail transiently when that is used.
Correctly update a partitioned table's pg_class
.reltuples
field to zero after its last child partition is dropped (Noah Misch)
The first ANALYZE
on such a partitioned table must update relhassubclass
as well, and that caused the reltuples
update to be lost.
Fix handling of polymorphic output arguments for procedures (Tom Lane)
The SQL CALL
statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelementâ€, or even outright crashes. (But CALL
in PL/pgSQL worked correctly.)
Fix behavior of stable functions called from a CALL
statement's argument list (Tom Lane)
If the CALL
is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Detect integer overflow in money
calculations (Joseph Koshakow)
None of the arithmetic functions for the money
type checked for overflow before, so they would silently give wrong answers for overflowing cases.
Fix over-aggressive clamping of the scale argument in round(numeric)
and trunc(numeric)
(Dean Rasheed)
These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric
.
Fix result for pg_size_pretty()
when applied to the smallest possible bigint
value (Joseph Koshakow)
Prevent pg_sequence_last_value()
from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)
Make it return NULL in these cases instead of throwing an error.
Fix parsing of ignored operators in websearch_to_tsquery()
(Tom Lane)
Per the manual, punctuation in the input of websearch_to_tsquery()
is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or
could cause or
to be treated as a data word, rather than as an OR
operator as expected.
Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)
Reject applying array dimensions [-2147483648:2147483647]
to an empty array. This is closely related toCVE-2023-5869 or CVE-2023-5869, but appears harmless since the array still ends up empty.
Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database
catalog, so the effects are narrow, but misbehavior is possible.
Correctly check updatability of view columns targeted by INSERT
... DEFAULT
(Tom Lane)
If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N
not found in view targetlistâ€.
Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)
Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE
query does not have a self-reference within the second arm of the UNION
, but does have one self-reference in some other place such as ORDER BY
.
Lock owned sequences during ALTER TABLE SET LOGGED|UNLOGGED
(Noah Misch)
These commands change the persistence of a table's owned sequences along with the table, but they failed to acquire lock on the sequences while doing so. This could result in losing the effects of concurrent nextval()
calls.
Don't throw an error if a queued AFTER
trigger no longer exists (Tom Lane)
It's possible for a transaction to execute an operation that queues a deferred AFTER
trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN
â€. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.
Fix failure to remove pg_init_privs
entries for column-level privileges when their table is dropped (Tom Lane)
If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.
Fix selection of an arbiter index for ON CONFLICT
when the desired index has expressions or predicates (Tom Lane)
If a query using ON CONFLICT
accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specificationâ€, even though a matching index does exist.
Refuse to modify a temporary table of another session with ALTER TABLE
(Tom Lane)
Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.
Fix handling of extended statistics on expressions in CREATE TABLE LIKE STATISTICS
(Tom Lane)
The CREATE
command failed to adjust column references in statistics expressions to the possibly-different column numbering of the new table. This resulted in invalid statistics objects that would cause problems later. A typical scenario where renumbering columns is needed is when the source table contains some dropped columns.
Fix failure to recalculate sub-queries generated from MIN()
or MAX()
aggregates (Tom Lane)
In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT
that is implemented with hash aggregation, but other cases may exist.
Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.
Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)
Notably, we now suppress “chunk is not well balanced†errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.
Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.
Prevent incorrect initialization of logical replication slots (Masahiko Sawada)
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.
Avoid “can only drop stats once†error during replication slot creation and drop (Floris Van Nee)
Fix resource leakage in logical replication WAL sender (Hou Zhijie)
The walsender process leaked memory when publishing changes to a partitioned table whose partitions have row types physically different from the partitioned table's.
Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.
Prevent leakage of reference counts for the shared memory block used for statistics (Anthonin Bonnefoy)
A new backend process attaching to the statistics shared memory incremented its reference count, but failed to decrement the count when exiting. After 232 sessions had been created, the reference count would overflow to zero, causing failures in all subsequent backend process starts.
Prevent deadlocks and assertion failures during truncation of the multixact SLRU log (Heikki Linnakangas)
A process trying to delete SLRU segments could deadlock with the checkpointer process.
Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.
Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)
It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.
Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.
When replanning a PL/pgSQL “simple expressionâ€, check it's still simple (Tom Lane)
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node typeâ€.
Fix incompatibility between PL/Perl and Perl 5.40 (Andrew Dunstan)
Fix recursive RECORD
-returning PL/Python functions (Tom Lane)
If we recurse to a new call of the same function that passes a different column definition list (AS
clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.
Don't corrupt PL/Python's TD
dictionary during a recursive trigger call (Tom Lane)
If a PL/Python-language trigger caused another one to be invoked, the TD
dictionary created for the inner one would overwrite the outer one's TD
dictionary.
Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.
Avoid non-thread-safe usage of strerror()
in libpq (Peter Eisentraut)
Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.
Avoid memory leak within pg_dump during a binary upgrade (Daniel Gustafsson)
Ensure that pg_restore
-l
reports dependent TOC entries correctly (Tom Lane)
If -l
was specified together with selective-restore options such as -n
or -N
, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.
Avoid “cursor can only scan forward†error in contrib/postgres_fdw
(Etsuro Fujita)
This error could occur if the remote server is v15 or later and a foreign table is mapped to a non-trivial remote view.
In contrib/postgres_fdw
, do not send FETCH FIRST WITH TIES
clauses to the remote server (Japin Li)
The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.
Avoid clashing with system-provided <regex.h>
headers (Thomas Munro)
This fixes a compilation failure on macOS version 15 and up.
Fix otherwise-harmless assertion failure in Memoize cost estimation (David Rowley)
Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY
applied to an SP-GiST index (Tom Lane)
Release date: 2024-05-09
This release contains a variety of fixes from 15.6. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, a security vulnerability was found in the system views pg_stats_ext
and pg_stats_ext_exprs
, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, follow the steps in the first changelog entry below to rectify it.
Also, if you are upgrading from a version earlier than 15.6, see Version 15.6.
Restrict visibility of pg_stats_ext
and pg_stats_ext_exprs
entries to the table owner (Nathan Bossart)
These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals
might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.
The PostgreSQL Project thanks Lukas Fittl for reporting this problem. CVE-2024-4317 or CVE-2024-4317)
By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:
Find the SQL script fix-CVE-2024-4317.sql
in the share
directory of the PostgreSQL installation (typically located someplace like /usr/share/postgresql/
). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix.
In each database of the cluster, run the fix-CVE-2024-4317.sql
script as superuser. In psql this would look like
\i /usr/share/postgresql/fix-CVE-2024-4317.sql
(adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.
Do not forget to include the template0
and template1
databases, or the vulnerability will still exist in databases you create later. To fix template0
, you'll need to temporarily make it accept connections. Do that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0
, undo it with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
Fix INSERT
from multiple VALUES
rows into a target column that is a domain over an array or composite type (Tom Lane)
Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.
Require SELECT
privilege on the target table for MERGE
with a DO NOTHING
clause (Ãlvaro Herrera)
SELECT
privilege would be required in all practical cases anyway, but require it even if the query reads no columns of the target table. This avoids an edge case in which MERGE
would require no privileges whatever, which seems undesirable even when it's a do-nothing command.
Fix handling of self-modified tuples in MERGE
(Dean Rasheed)
Throw an error if a target row joins to more than one source row, as required by the SQL standard. (The previous coding could silently ignore this condition if a concurrent update was involved.) Also, throw a non-misleading error if a target row is already updated by a later command in the current transaction, thanks to a BEFORE
trigger or a volatile function used in the query.
Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT
clause (David Rowley)
A NULL value satisfies a clause such as
, so pruning away a partition containing NULLs yielded incorrect answers.boolcol
IS NOT FALSE
Make ALTER FOREIGN TABLE SET SCHEMA
move any owned sequences into the new schema (Tom Lane)
Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.
Make ALTER TABLE ... ADD COLUMN
create identity/serial sequences with the same persistence as their owning tables (Peter Eisentraut)
CREATE UNLOGGED TABLE
will make any owned sequences be unlogged too. ALTER TABLE
missed that consideration, so that an added identity column would have a logged sequence, which seems pointless.
Improve ALTER TABLE ... ALTER COLUMN TYPE
's error message when there is a dependent function or publication (Tom Lane)
In CREATE DATABASE
, recognize strategy keywords case-insensitively for consistency with other options (Tomas Vondra)
Fix EXPLAIN
's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)
Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.
Fix EXPLAIN
's output for subplans in MERGE
(Dean Rasheed)
EXPLAIN
would sometimes fail to properly display subplan Params referencing variables in other parts of the plan tree.
Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.
Avoid race condition while examining per-relation frozen-XID values (Noah Misch)
VACUUM
's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM
.
Fix buffer usage reporting for parallel vacuuming (Anthonin Bonnefoy)
Buffer accesses performed by parallel workers were not getting counted in the statistics reported in VERBOSE
mode.
Disallow converting a table to a view within an outer SQL command that is using that table (Tom Lane)
This avoids possible crashes.
Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL
trees that have constant outputs for the join column in some SELECT
arms.
Prevent potentially-incorrect optimization of some window functions (David Rowley)
Disable “run condition†optimization of ntile()
and count()
with non-constant arguments. This avoids possible misbehavior with sub-selects, typically leading to errors like “WindowFunc not found in subplan target listsâ€.
Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)
When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING
, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.
Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)
This would typically end in a crash or unexpected error message.
Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov)
In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.
Fix incorrectly-reported statistics kind codes in “requested statistics kind X
is not yet built†error messages (David Rowley)
Be more careful with RECORD
-returning functions in FROM
(Tom Lane)
The output columns of such a function call must be defined by an AS
clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.
Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.
Add protective stack depth checks to some recursive functions (Egor Chindyaskin)
Fix mis-rounding and overflow hazards in date_bin()
(Moaaz Assali)
In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.
Detect integer overflow when adding or subtracting an interval
to/from a timestamp
(Joseph Koshakow)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Avoid race condition in pg_get_expr()
(Tom Lane)
If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.
Fix detection of old transaction IDs in XID status functions (Karina Litskevich)
Transaction IDs more than 231 transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status()
or txid_status()
.
Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau)
Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a “could not read block†error.
Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait
(Etsuro Fujita)
Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov)
Throw an error if an index is accessed while it is being reindexed (Tom Lane)
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.
Ensure that index-only scans on name
columns return a fully-padded value (David Rowley)
The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.
Fix race condition in deciding whether a table sync operation is needed in logical replication (Vignesh C)
An invalidation event arriving while a subscriber identifies which tables need to be synced would be forgotten about, so that any tables newly in need of syncing might not get processed in a timely fashion.
Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)
Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.
Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.
Avoid concurrent calls to bindtextdomain()
in libpq and ecpglib (Tom Lane)
Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.
Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)
In ecpg, avoid issuing false “unsupported feature will be passed to server†warnings (Tom Lane)
Ensure that the string result of ecpg's intoasc()
function is correctly zero-terminated (Oleg Tselebrovskiy)
In psql, avoid leaking a query result after the query is cancelled (Tom Lane)
This happened only when cancelling a non-last query in a query string made with \;
separators.
Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords
(Daniel Gustafsson, Ãlvaro Herrera)
Skip files named .DS_Store
in pg_basebackup, pg_checksums, and pg_rewind (Daniel Gustafsson)
This avoids problems on macOS, where the Finder may create such files.
Fix PL/pgSQL's parsing of single-line comments (--
-style comments) following expressions (Erik Wienhold, Tom Lane)
This mistake caused parse errors if such a comment followed a WHEN
expression in a PL/pgSQL CASE
statement.
In contrib/amcheck
, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)
A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.
Fix bugs in BRIN output functions (Tomas Vondra)
These output functions are only used for displaying index entries in contrib/pageinspect
, so the errors are of limited practical concern.
In contrib/postgres_fdw
, avoid emitting requests to sort by a constant (David Rowley)
This could occur in cases involving UNION ALL
with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N
is not in select list†errors.
Make contrib/postgres_fdw
set the remote session's time zone to GMT
not UTC
(Tom Lane)
This should have the same results for practical purposes. However, GMT
is recognized by hard-wired code in the server, while UTC
is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.
In contrib/xml2
, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)
Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)
Allow make check
to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)
Release date: 2024-02-08
This release contains a variety of fixes from 15.5. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, one bug was fixed that could have resulted in corruption of GIN indexes during concurrent updates. If you suspect such corruption, reindex affected indexes after installing this update.
Also, if you are upgrading from a version earlier than 15.5, see Version 15.5.
Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY
(Heikki Linnakangas)
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH
. Fix things so that all user-determined code is run as the view's owner, as expected.
The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2024-0985 or CVE-2024-0985)
Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)
There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.
When dequeueing from an LWLock, avoid needing to search the list of waiting processes (Andres Freund)
This fixes O (N^2) behavior when the list of waiters is long. In some use-cases this results in substantial throughput improvements.
Avoid generating incorrect partitioned-join plans (Richard Guo)
Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target listâ€, or executor crashes.
Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)
This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.
Fix misprocessing of window function run conditions (Richard Guo)
This oversight could lead to “WindowFunc not found in subplan target lists†errors.
Skip inappropriate actions when MERGE
causes a cross-partition update (Dean Rasheed)
When executing a MERGE UPDATE
action on a partitioned table, if the UPDATE
is turned into a DELETE
and INSERT
due to changing a partition key column, skip firing AFTER UPDATE ROW
triggers, as well as other post-update actions such as RLS checks. These actions would typically fail, which is why a regular UPDATE
doesn't do them in such cases; MERGE
shouldn't either.
Cope with BEFORE ROW DELETE
triggers in cross-partition MERGE
updates (Dean Rasheed)
If such a trigger attempted to prevent the update by returning NULL, MERGE
would suffer an error or assertion failure.
Prevent access to a no-longer-pinned buffer in BEFORE ROW UPDATE
triggers (Alexander Lakhin, Tom Lane)
If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer. In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.
Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)
The limiting value was too large, allowing “invalid DSA memory alloc request size†errors to occur with sufficiently large expected hash table sizes.
Avoid assertion failures in heap_update()
and heap_delete()
when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)
This error had no impact in non-assert builds.
Fix possible failure during ALTER TABLE ADD COLUMN
on a complex inheritance tree (Tender Wang)
If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by selfâ€.
Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING
commands (Tender Wang, Michael Paquier)
Properly lock the associated table during DROP STATISTICS
(Tomas Vondra)
Failure to acquire the lock could result in “tuple concurrently deleted†errors if the DROP
executes concurrently with ANALYZE
.
Fix function volatility checking for GENERATED
and DEFAULT
expressions (Tom Lane)
These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED
clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN
.
Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)
We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.
Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)
Computing 0 - INT64_MIN
should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN
.
Detect Julian-date overflow when adding or subtracting an interval
to/from a timestamp
(Tom Lane)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Add more checks for overflow in interval_mul()
and interval_div()
(Dean Rasheed)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Ensure cached statistics are discarded after a change to stats_fetch_consistency
(Shinya Kato)
In some code paths, it was possible for stale statistics to be returned.
Make the pg_file_settings
view check validity of unapplied values for settings with backend
or superuser-backend
context (Tom Lane)
Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.
Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)
Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.
Avoid failure if a child index is dropped concurrently with REINDEX INDEX
on a partitioned index (Fei Changhong)
Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)
The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.
Avoid premature release of buffer pin in GIN index insertion (Tom Lane)
If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource ownerâ€.
Avoid failure with partitioned SP-GiST indexes (Tom Lane)
Trying to use an index of this kind could lead to “No such file or directory†errors.
Fix ownership change reporting for large objects (Tom Lane)
A no-op ALTER LARGE OBJECT OWNER
command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook
, probably confusing any extension using that hook.
Fix reporting of I/O timing data in EXPLAIN (BUFFERS)
(Michael Paquier)
The numbers labeled as “shared/local†actually refer only to shared buffers, so change that label to “sharedâ€.
Ensure durability of CREATE DATABASE
(Noah Misch)
If an operating system crash occurred during or shortly after CREATE DATABASE
, recovery could fail, or subsequent connections to the new database could fail. If a base backup was taken in that window, similar problems could be observed when trying to use the backup. The symptom would be that the database directory, PG_VERSION
file, or pg_filenode.map
file was missing or empty.
Add more LOG
messages when starting and ending recovery from a backup (Andres Freund)
This change provides additional information in the postmaster log that may be useful for diagnosing recovery problems.
Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)
The startedInRecovery
flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.
Fix integer overflow hazard in checking whether a record will fit into the WAL decoding buffer (Thomas Munro)
This bug appears to be only latent except when running a 32-bit PostgreSQL build on a 64-bit platform.
Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)
One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.
Ensure that column default values are correctly transmitted by the pgoutput logical replication plugin (Nikhil Benesch)
ALTER TABLE ADD COLUMN
with a constant default value for the new column avoids rewriting existing tuples, instead expecting that reading code will insert the correct default into a tuple that lacks that column. If replication was subsequently initiated on the table, pgoutput would transmit NULL instead of the correct default for such a column, causing incorrect replication on the subscriber.
Fix failure of logical replication's initial sync for a table with no columns (Vignesh C)
This case generated an improperly-formatted COPY
command.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Fei Changhong)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups. This fix deals with the case that a top-level transaction is already marked as containing catalog changes, but its subtransaction(s) are not.
Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)
In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook
.
Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)
Use the BIO “app_data†field for our private storage, instead of assuming it's okay to use the “data†field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.
Be more wary about OpenSSL not setting errno
on error (Tom Lane)
If errno
isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Successâ€.
Fix file descriptor leakage when a foreign data wrapper's ForeignAsyncRequest
function fails (Heikki Linnakangas)
Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY
, not ERRCODE_INTERNAL_ERROR
(Alexander Kuzmenkov)
In PL/pgSQL, support SQL commands that are CREATE FUNCTION
/CREATE PROCEDURE
with SQL-standard bodies (Tom Lane)
Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.
Fix libpq's handling of errors in pipelines (Ãlvaro Herrera)
The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.
Make libpq's PQsendFlushRequest()
function flush the client output buffer under the same rules as other PQsend
functions (Jelte Fennema-Nio)
In pipeline mode, it may still be necessary to call PQflush()
as well; but this change removes some inconsistency.
Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)
Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)
When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retriedâ€.
In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)
Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).
In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)
This conforms to the behavior for other dependent objects such as indexes.
Make it an error for a pgbench script to end with an open pipeline (Anthonin Bonnefoy)
Previously, pgbench would behave oddly if a \startpipeline
command lacked a matching \endpipeline
. This seems like a scripting mistake rather than a case that pgbench needs to handle nicely, so throw an error.
In contrib/bloom
, fix overly tight assertion about false_positive_rate
(Alexander Lakhin)
Fix crash in contrib/intarray
if an array with an element equal to INT_MAX
is inserted into a gist__int_ops
index (Alexander Lakhin, Tom Lane)
Report a better error when contrib/pageinspect
's hash_bitmap_info()
function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)
Report a better error when contrib/pgstattuple
's pgstathashindex()
function is applied to a partitioned hash index (Alexander Lakhin)
On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)
When launching a child process via cmd.exe
, pass the /D
flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.
Move is_valid_ascii()
from mb/pg_wchar.h
to utils/ascii.h
(Jubilee Young)
This change avoids the need to include <simd.h>
in pg_wchar.h
, which was causing problems for some third-party code.
Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)
Fix compilation failure of WAL_DEBUG
code on Windows (Bharath Rupireddy)
Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.
Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)
Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.
Release date: 2023-11-09
This release contains a variety of fixes from 15.4. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX
potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.
Also, if you are upgrading from a version earlier than 15.4, see Version 15.4.
Fix handling of unknown-type arguments in DISTINCT
"any"
aggregate functions (Tom Lane)
This error led to a text
-type value being interpreted as an unknown
-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text
value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. CVE-2023-5868 or CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2023-5869 or CVE-2023-5869)
Prevent the pg_signal_backend
role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend
cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser
parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. CVE-2023-5870 or CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Prevent de-duplication of btree index entries for interval
columns (Noah Misch)
There are interval
values that are distinguishable but compare equal, for example 24:00:00
and 1 day
. This breaks assumptions made by btree de-duplication, so interval
columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval
columns.
Process date
values more sanely in BRIN datetime_minmax_multi_ops
indexes (Tomas Vondra)
The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi
indexes on date
columns is advisable.
Process large timestamp
and timestamptz
values more sanely in BRIN datetime_minmax_multi_ops
indexes (Tomas Vondra)
Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi
indexes on timestamp
and timestamptz
columns is advisable if the column contains, or has contained, infinities or large finite values.
Avoid calculation overflows in BRIN interval_minmax_multi_ops
indexes with extreme interval values (Tomas Vondra)
This bug might have caused unexpected failures while trying to insert large interval values into such an index.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL
condition on one of the partition keys could result in a crash.
Fix inconsistent rechecking of concurrently-updated rows during MERGE
(Dean Rasheed)
In READ COMMITTED
mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE
conditions on the updated row. MERGE
failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE
.
Correctly identify the target table in an inherited UPDATE
/DELETE
/MERGE
even when the parent table is excluded by constraints (Amit Langote, Tom Lane)
If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN†errors.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])
) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema()
is applied to a non-data-returning Portal (Boyu Yang)
Throw the intended error if pgrowlocks()
is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported†would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex()
, pgstatginindex()
, pgstathashindex()
, or pgstattuple()
is applied to an invalid index. If brin_desummarize_range()
, brin_summarize_new_values()
, brin_summarize_range()
, or gin_clean_pending_list()
is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX
had left behind.
Fix pg_stat_reset_single_table_counters()
to do the right thing for a shared catalog (Masahiro Ikeda)
Previously the reset would be ineffective.
Avoid premature memory allocation failure with long inputs to to_tsvector()
(Tom Lane)
Fix over-allocation of the constructed tsvector
in tsvectorrecv()
(Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector
. In extreme cases this could lead to “maximum total lexeme length exceeded†failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Fix incorrect coding in gtsvector_picksplit()
(Alexander Lakhin)
This could lead to poor page-split decisions in GiST indexes on tsvector
columns.
Improve checks for corrupt PGLZ compressed data (Flavien Guedez)
In COPY FROM
, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)
Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0†instead of a useful error message.
Avoid crash in EXPLAIN
if a parameter marked to be displayed by EXPLAIN
has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT DROP
temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK
condition).
Avoid improper response to shutdown signals in child processes just forked by system()
(Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system()
, but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control
in frontend programs (Thomas Munro)
On some file systems, reading pg_control
may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
Avoid torn reads of pg_control
in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control
, to ensure we get a consistent view of that file.
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size
large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
Fix briefly showing inconsistent progress statistics for ANALYZE
on inherited tables (Heikki Linnakangas)
The block-level counters should be reset to zero at the same time we update the current-relation field.
Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)
Fix confusion about forced-flush behavior in pgstat_report_wal()
(Ryoga Yoshida, Michael Paquier)
This could result in some statistics about WAL I/O being forgotten in a shutdown.
Track the dependencies of cached CALL
statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL
argument, can create the need to re-plan a CALL
that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failedâ€.
Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)
Track nesting depth correctly when inspecting RECORD
-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno†errors.
Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)
In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.
Fix error-handling bug in RECORD
type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Fix race condition in database dropping that could lead to the autovacuum launcher getting stuck (Andres Freund, Will Mortensen, Jacob Speidel)
The race could lead to a statistics entry for the removed database remaining present, confusing the launcher's selection of which database to process.
Fix datatype size confusion in logical tape management (Ranier Vilela)
Integer overflow was possible on platforms where long is wider than int, although it would take a multiple-terabyte temporary file to cause a problem.
Avoid unintended close of syslogger process's stdin (Heikki Linnakangas)
Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)
Aside from saving a few cycles, this prevents failure after a cache invalidation for statements that must not set a snapshot, such as SET TRANSACTION ISOLATION LEVEL
.
Keep by-reference attmissingval
values in a long-lived context while they are being used (Andrew Dunstan)
This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.
Recalculate the effective value of search_path
after ALTER ROLE
(Jeff Davis)
This ensures that after renaming a role, the meaning of the special string $user
is re-determined.
Fix “could not duplicate handle†error occurring on Windows when min_dynamic_shared_memory
is set above zero (Thomas Munro)
Fix order of operations in GenericXLogFinish
(Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom
does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix assertion failure in pg_dump when it's asked to dump the pg_catalog
schema (Peter Eisentraut)
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use of abstime
, reltime
, and tinterval
data types (Ãlvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)
This has only been seen to occur when the server connection runs through pgbouncer.
Avoid false “too many client connections†errors in pgbench on Windows (Noah Misch)
In contrib/amcheck
, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its levelâ€, “block NNNN is not leftmost†or “left link/right link pair in index XXXX not in agreementâ€. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM
had cleaned things up.
Fix failure of contrib/btree_gin
indexes on interval
columns, when an indexscan using the <
or <=
operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress
linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
When building contrib/unaccent
's rules file, fall back to using python
if --with-python
was not given and make variable PYTHON
was not set (Japin Li)
Remove PHOT
(Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Release date: 2023-08-10
This release contains a variety of fixes from 15.3. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you use BRIN indexes, it may be advisable to reindex them; see the third changelog entry below.
Also, if you are upgrading from a version earlier than 15.1, see Version 15.1.
Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)
This restriction guards against SQL-injection hazards for trusted extensions.
The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. CVE-2023-39417 or CVE-2023-39417)
Fix MERGE
to enforce row security policies properly (Dean Rasheed)
When MERGE
performs an UPDATE
action, it should enforce any UPDATE
or SELECT
RLS policies defined on the target table, to be consistent with the way that a plain UPDATE
with a WHERE
clause works. Instead it was enforcing INSERT
RLS policies for both INSERT
and UPDATE
actions.
In addition, when MERGE
performs a DO NOTHING
action, it applied the target table's DELETE
RLS policies to existing rows, even though those rows are not being deleted. While it's not a security problem, this could result in unwanted errors.
The PostgreSQL Project thanks Dean Rasheed for reporting this problem. CVE-2023-39418 or CVE-2023-39418)
Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)
Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.
This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX
any BRIN indexes that may be used to search for nulls.
Avoid leaving a corrupted database behind when DROP DATABASE
is interrupted (Andres Freund)
If DROP DATABASE
was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database
row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE
.
Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)
If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.
Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION
(Michael Paquier)
Such an index will now be ignored, and a new child index created instead.
Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)
The update of the index's pg_index
entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple†error.
Fix ALTER EXTENSION SET SCHEMA
to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)
Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.
Fix tracking of tables' access method dependencies (Michael Paquier)
ALTER TABLE ... SET ACCESS METHOD
failed to update relevant pg_depend
entries when changing a table's access method. When using non-built-in access methods, this creates a risk that an access method could be dropped even though tables still depend on it. This fix corrects the logic in ALTER TABLE
, but it will not adjust any already-missing pg_depend
entries.
Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)
This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.
Don't Memoize lateral joins with volatile join conditions (Richard Guo)
Applying Memoize to a sub-plan that contains volatile filter conditions is likely to lead to wrong answers. The check to avoid doing this missed some cases that can arise when using LATERAL
.
Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)
The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)
Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)
Fix race conditions in conflict detection for SERIALIZABLE
isolation mode (Thomas Munro)
Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.
Fix misbehavior of EvalPlanQual checks with inherited or partitioned target tables (Tom Lane)
This oversight could lead to update or delete actions in READ COMMITTED
isolation mode getting performed when they should have been skipped because of a conflicting concurrent update.
Fix hash join with an inner-side hash key that contains Params coming from an outer nested loop (Tom Lane)
When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.
Fix intermittent failures when trying to update a field of a composite column (Tom Lane)
If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.
Prevent query-lifespan memory leaks in some UPDATE
queries with triggers (Tomas Vondra)
Prevent query-lifespan memory leaks when an Incremental Sort plan node is rescanned (James Coleman, Laurenz Albe, Tom Lane)
Accept fractional seconds in the input to jsonpath
's datetime()
method (Tom Lane)
Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)
Allow tokens up to 10240 bytes long in pg_hba.conf
and pg_ident.conf
(Tom Lane)
The previous limit of 256 bytes has been found insufficient for some use-cases.
Ensure that all existing placeholders are checked for matches when an extension declares its GUC prefix to be reserved (Karina Litskevich, Ekaterina Sokolova)
Faulty loop logic could cause some entries to be skipped.
Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)
If JIT is in use, running out of memory in a C++ new
call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.
Fix rare null-pointer crash in plancache.c
(Tom Lane)
Avoid leaking a stats entry for a subscription when it is dropped (Masahiko Sawada)
Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)
Ensure that the segment is moved into the appropriate “bin†for its new amount of free space, so that it will be found by subsequent searches.
Allow VACUUM
to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)
If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX
will fix the broken index, but preventing VACUUM
from completing until that is done risks making matters far worse.
Ensure that WrapLimitsVacuumLock
is released after VACUUM
detects invalid data in pg_database
.datfrozenxid
or pg_database
.datminmxid
(Andres Freund)
Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.
Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)
After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held†in the startup process.
Ensure that a newly created, but still empty table is fsync
'ed at the next checkpoint (Heikki Linnakangas)
Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file†errors.
Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)
While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.
Silence bogus “missing contrecord†errors (Thomas Munro)
Treat this case as plain end-of-WAL to avoid logging inaccurate complaints from pg_waldump and walsender.
Fix overly strict assertion in jsonpath
code (David Rowley)
This assertion failed if a query applied the .type()
operator to a like_regex
result. There was no bug in non-assert builds.
Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)
Avoid assertion failure when the stats_fetch_consistency
setting is changed intra-transaction (Kyotaro Horiguchi)
Fix contrib/fuzzystrmatch
's Soundex difference()
function to handle empty input sanely (Alexander Lakhin, Tom Lane)
An input string containing no alphabetic characters resulted in unpredictable output.
Tighten whitespace checks in contrib/hstore
input (Evan Jones)
In some cases, characters would be falsely recognized as whitespace and hence discarded.
Disallow oversize input arrays with contrib/intarray
's gist__int_ops
index opclass (Ankit Kumar Pandey, Alexander Lakhin)
Previously this code would report a NOTICE
but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.
Avoid useless double decompression of GiST index entries in contrib/intarray
(Konstantin Knizhnik, Matthias van de Meent, Tom Lane)
Fix contrib/pageinspect
's gist_page_items()
function to work when there are included index columns (Alexander Lakhin, Michael Paquier)
Previously, if the index has included columns, gist_page_items()
would fail to display those values on index leaf pages, or crash outright on non-leaf pages.
In psql, ignore the PSQL_WATCH_PAGER
environment variable when stdin/stdout are not a terminal (Tom Lane)
This corresponds to the treatment of PSQL_PAGER
in commands besides \watch
.
Fix pg_dump to correctly handle new-style SQL-language functions whose bodies require parse-time dependencies on unique indexes (Tom Lane)
Such cases can arise from GROUP BY
and ON CONFLICT
clauses, for example. The function must then be postponed until after the unique index in the dump output, but pg_dump did not do that and instead printed a warning about “could not resolve dependency loopâ€.
Improve pg_dump's display of details about dependency-loop problems (Tom Lane)
Avoid crash in pgbench with an empty pipeline and prepared mode (Ãlvaro Herrera)
Ensure that pg_index
.indisreplident
is kept up-to-date in relation cache entries (Shruthi Gowda)
This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.
Fix make_etags script to work with non-Exuberant ctags (Masahiko Sawada)
Release date: 2023-05-11
This release contains a variety of fixes from 15.2. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.1, see Version 15.1.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2023-2455 or CVE-2023-2455)
Fix potential corruption of the template (source) database after CREATE DATABASE
with the STRATEGY WAL_LOG
option (Nathan Bossart, Ryo Matsumura)
Improper buffer handling created a risk that any later modification of the template's pg_class
catalog would be lost.
Fix memory leakage and unnecessary disk reads during CREATE DATABASE
with the STRATEGY WAL_LOG
option (Andres Freund)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Fix various planner failures with MERGE
commands (Tom Lane)
Planning could fail with errors like “variable not found in subplan target list†or “PlaceHolderVar found where not expectedâ€.
Fix the row count reported by MERGE
for some corner cases (Dean Rasheed)
The row count reported in the command tag counted rows that actually hadn't been modified due to a BEFORE ROW
trigger returning NULL. This is inconsistent with what happens in plain UPDATE
or DELETE
, so change it to not count such rows. Also, avoid counting a row twice when MERGE
moves it into a different partition of a partitioned table.
Fix MERGE
problems with concurrent updates (Dean Rasheed, Ãlvaro Herrera)
Some cases misbehaved if a row to be updated or deleted by MERGE
had just been updated by a concurrent transaction. This could lead to a crash, or the wrong merge action being executed, or no action at all.
Add support for decompiling MERGE
commands (Ãlvaro Herrera)
This was overlooked when MERGE
was added, but it's essential support for MERGE
in new-style SQL functions.
Fix enabling/disabling of foreign-key triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER
failed if applied to a partitioned table's foreign-key enforcement triggers, because it tried to locate the clone triggers for the partitions by name, and they do not have the same name. Locate them by parent-trigger OID instead.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Adjust text-search-related character classification logic to correctly detect whether the prevailing locale is C
(Jeff Davis)
This code got confused if the database's default collation uses ICU.
Avoid possible crash on empty input for type interval
(Tom Lane)
Re-allow exponential notation in ISO-8601 interval fields (Tom Lane)
Interval input like P0.1e10D
isn't officially sanctioned by ISO-8601, but we accepted it for a long time before version 15, so re-allow it.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized†errors at runtime.
Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)
Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expectedâ€.
Fix incorrect tests for whether a qual clause applied to a subquery can be transformed into a window aggregate “run condition†within the subquery (David Rowley)
A SubPlan within such a clause would cause assertion failures or incorrect answers, as would some other unusual cases.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Fix memory leak in Memoize plan execution (David Rowley)
Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)
Restore support for sub-millisecond vacuum_cost_delay
settings (Thomas Munro)
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type†errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed†confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots†error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)
The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.
Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)
This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer
according to the documentation, but the code had it as CommitTSBuffer
. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Re-activate reporting of wait event SLRUFlushSync
(Thomas Munro)
Reporting of this type of wait was accidentally removed in code refactoring.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size
accurately.
Disable startup progress reporting overhead in standby mode (Bharath Rupireddy)
In standby mode, we don't actually report progress of recovery, but we were doing work to track it anyway.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Fix list_copy_head()
to work correctly on an empty List (David Rowley)
This case is not known to be reached by any core PostgreSQL code, but extensions might rely on it working.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Fix assertion failure for MERGE
into a partitioned table with row-level security enabled (Dean Rasheed)
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
Correctly detect non-seekable files on Windows (Juan José SantamarÃa Flecha, Michael Paquier, Daniel Watzinger)
This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.
In pgbench's “prepared†mode, prepare all the commands in a pipeline before starting the pipeline (Ãlvaro Herrera)
This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.
In contrib/amcheck
's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)
In contrib/amcheck
, deal sanely with xids that appear to be before epoch zero (Andres Freund)
In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.
In contrib/basebackup_to_shell
, properly detect failure to open a pipe (Robert Haas)
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen
option of a GiST index on an ltree
column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
In contrib/pageinspect
, add defenses against incorrect input for the gist_page_items()
function (Dmitry Koval)
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Fix handling of escape sequences in contrib/postgres_fdw
's application_name
parameter (Kyotaro Horiguchi, Michael Paquier)
The code to expand these could fail if executed in a background process, as for example during auto-analyze of a foreign table.
In contrib/pg_walinspect
, limit memory usage of pg_get_wal_records_info()
(Bharath Rupireddy)
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 15.1. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.1, see Version 15.1.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. CVE-2022-41862 or CVE-2022-41862)
Fix calculation of which GENERATED
columns need to be updated in child tables during an UPDATE
on a partitioned table or inheritance tree (Amit Langote, Tom Lane)
This fixes failure to update GENERATED
columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.
Fix possible failure of MERGE
to compute GENERATED
columns (Dean Rasheed)
When the first row-level action of the MERGE
was an UPDATE
, any subsequent INSERT
actions would fail to compute GENERATED
columns that were deemed unnecessary to compute for the UPDATE
action (due to not depending on any of the UPDATE
target columns).
Fix MERGE
's check for unreachable WHEN
clauses (Dean Rasheed)
A WHEN
clause following an unconditional WHEN
clause should be rejected as unreachable, but this case was not always detected.
Fix MERGE
's rule-detection test (Dean Rasheed)
MERGE
is not supported on tables with rules; but it also failed on tables that once had rules but no longer do.
In MERGE
, don't count a DO NOTHING
action as a processed tuple (Ãlvaro Herrera)
This makes the code's behavior match the documentation.
Allow a WITH RECURSIVE ... CYCLE
CTE to access its output column (Tom Lane)
A reference to the SET
column from within the CTE would fail with “cache lookup failed for type 0â€.
Fix handling of pending inserts when doing a bulk insertion to a foreign table (Etsuro Fujita)
In some cases pending insertions were not flushed to the FDW soon enough, leading to logical inconsistencies, for example BEFORE ROW
triggers not seeing rows they should be able to see.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type†error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix jsonb
subscripting to cope with toasted subscript values (Tom Lane, David G. Johnston)
Using a text value fetched directly from a table as a jsonb
subscript was likely to fail. Fetches would usually not find any matching element. Assignments could store the value with a garbage key, although keys long enough to cause that problem are probably rare in the field.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction†log message.
Improve error reporting for some buffered file read failures (Peter Eisentraut)
Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.
Remove arbitrary limit on number of elements in int2vector
and oidvector
(Tom Lane)
The input functions for these types previously rejected more than 100 elements. With the introduction of the logical replication column list feature, it's necessary to accept int2vector
s having up to 1600 columns, otherwise long column lists cause logical-replication failures.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Fix planner preprocessing oversights for window function run-condition expressions (Richard Guo, David Rowley)
This could lead to planner errors such as “WindowFunc not found in subplan target listsâ€.
Fix possible dangling-pointer access during execution of window function run-condition expressions (David Rowley)
In practice, because the run-condition optimization is only applied to certain window functions that happen to all return int8
, this only manifested as a problem on 32-bit builds.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix planner issues when combining Memoize nodes with partitionwise joins or parameterized nestloops (Richard Guo)
These errors could lead to not using Memoize in contexts where it would be useful, or possibly to wrong query plans.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query†errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed†bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Prevent the statistics machinery from getting confused when a relation's relkind changes (Andres Freund)
Converting a table to a view could lead to crashes or assertion failures.
Fix under-parenthesized display of AT TIME ZONE
constructs (Tom Lane)
This could result in dump/restore failures for rules or views in which an argument of AT TIME ZONE
is itself an expression.
Prevent clobbering of cached parsetrees for utility statements in SQL functions (Tom Lane, Daniel Gustafsson)
If a SQL-language function executes the same utility command more than once within a single calling query, it could crash or report strange errors such as “unrecognized node typeâ€.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Fix deadlock between DROP DATABASE
and logical replication worker process (Hou Zhijie)
This was caused by an ill-advised choice to block interrupts while creating a logical replication slot in the worker. In version 15 that could lead to an undetected deadlock. In version 14, no deadlock has been observed, but it's still a bad idea to block interrupts while waiting for network I/O.
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)
A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size
. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.
In logical decoding, notify the remote node when a transaction is detected to have crashed (Hou Zhijie)
After a server restart, we'll re-stream the changes for transactions occurring shortly before the restart. Some of these transactions probably never completed; when we realize that one didn't we throw away the relevant decoding state locally, but we neglected to tell the subscriber about it. That led to the subscriber keeping useless streaming files until it's next restarted.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Acquire spinlock while updating shared state during logical decoding context creation (Masahiko Sawada)
We neglected to acquire the appropriate lock while updating data about two-phase transactions, potentially allowing other processes to see inconsistent data.
Fix pgoutput replication plug-in to not send columns not listed in a table's replication column list (Hou Zhijie)
UPDATE
and DELETE
events did not pay attention to the configured column list, thus sending more data than expected. This did not cause a problem when the receiver is our built-in logical replication code, but it might confuse other receivers, and in any case it wasted network bandwidth.
Avoid rare “failed to acquire cleanup lock†panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Fix int64_div_fast_to_numeric()
to work for a wider range of inputs (Dean Rasheed)
This function misbehaved with some values of its second argument. No such usages exist in core PostgreSQL, but it's clearly a hazard for external modules, so repair.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Fix assertion failure in BRIN minmax-multi opclasses (Tomas Vondra)
The assertion was overly strict, so this mistake was harmless in non-assert builds.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
Fix possible corruption of very large tablespace map files in pg_basebackup (Antonin Houska)
Avoid harmless warning from pg_dump in --if-exists
mode (Tom Lane)
If the public
schema has a non-default owner then use of pg_dump's --if-exists
option resulted in a warning message “warning: could not find where to insert IF EXISTS in statement "-- *not* dropping schema, since initdb creates it"â€. The dump output was okay, though.
Fix psql's \sf
and \ef
commands to handle SQL-language functions that have SQL-standard function bodies (Tom Lane)
These commands misidentified the start of the function body when it used new-style syntax.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Update contrib/pageinspect
to mark its disk-accessing functions as PARALLEL RESTRICTED
(Tom Lane)
This avoids possible failure if one of these functions is used to examine a temporary table, since a session's temporary tables are not accessible from parallel workers.
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched†errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 15.0. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you regularly create and drop tables exceeding 1GB, see the first changelog entry below.
Fix failure to remove non-first segments of large tables (Tom Lane)
PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.
Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern
. If there is no matching file named just NNNN
.NN
(without the NNNN
.
suffix), these files should be removed manually.NN
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type†errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Avoid failure in EXPLAIN VERBOSE
for a query using SEARCH BREADTH FIRST
with constant initial values (Tom Lane)
Prevent use of MERGE
on a partitioned table with foreign-table partitions (Ãlvaro Herrera)
The case isn't supported, and previously threw an incomprehensible error.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Ãlvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix planner failure with extended statistics on partitioned or inherited tables (Richard Guo, Justin Pryzby)
Some cases failed with “cache lookup failed for statistics objectâ€.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Avoid double call of the shutdown callback of an archiver module (Nathan Bossart, Bharath Rupireddy)
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)
The single-row flag was not reset at the correct time if pipeline mode was also active.
Fix psql's exit status when a command-line query is canceled (Peter Eisentraut)
psql -c
would exit successfully if the query was canceled. Fix it to exit with nonzero status, as in other error cases.query
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
Fix pg_dump's failure to dump comments attached to some CHECK
constraints (Tom Lane)
Fix CREATE DATABASE
to allow its oid
parameter to exceed 231 (Tom Lane)
This oversight prevented pg_upgrade from succeeding when the source installation contained databases with OIDs larger than that.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-10-13
PostgreSQL 15 contains many new features and enhancements, including:
Support for the SQL MERGE
command.
Selective publication of tables' contents within logical replication publications, through the ability to specify column lists and row filter conditions.
More options for compression, including support for Zstandard (zstd) compression. This includes support for performing compression on the server side during pg_basebackup.
Support for structured server log output using the JSON format.
Performance improvements, particularly for in-memory and on-disk sorting.
The above items and other new features of PostgreSQL 15 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.
Version 15 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Remove PUBLIC
creation permission on the public
schema (Noah Misch)
The new default is one of the secure schema usage patterns that Section 5.9.6 has recommended since the security release forCVE-2018-1058 or CVE-2018-1058. The change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public
's existing permissions.
For existing databases, especially those having multiple users, consider revoking CREATE
permission on the public
schema to adopt this new default. For new databases having no need to defend against insider threats, granting CREATE
permission will yield the behavior of prior releases.
Change the owner of the public
schema to be the new pg_database_owner
role (Noah Misch)
This allows each database's owner to have ownership privileges on the public
schema within their database. Previously it was owned by the bootstrap superuser, so that non-superuser database owners could not do anything with it.
This change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public
's existing ownership specification.
Remove long-deprecated exclusive backup mode (David Steele, Nathan Bossart)
If the database server stops abruptly while in this mode, the server could fail to start. The non-exclusive backup mode is considered superior for all purposes. Functions pg_start_backup()
/pg_stop_backup()
have been renamed to pg_backup_start()
/pg_backup_stop()
, and the functions pg_backup_start_time()
and pg_is_in_backup()
have been removed.
Increase hash_mem_multiplier
default to 2.0 (Peter Geoghegan)
This allows query hash operations to use more work_mem
memory than other operations.
Remove server-side language plpython2u
and generic Python language plpythonu
(Andres Freund)
Python 2.x is no longer supported. While the original intent of plpythonu
was that it could eventually refer to plpython3u
, changing it now seems more likely to cause problems than solve them, so it's just been removed.
Generate an error if array_to_tsvector()
is passed an empty-string array element (Jean-Christophe Arnu)
This is prohibited because lexemes should never be empty. Users of previous Postgres releases should verify that no empty lexemes are stored because they can lead to dump/restore failures and inconsistent results.
Generate an error when chr()
is supplied with a negative argument (Peter Eisentraut)
Prevent CREATE OR REPLACE VIEW
from changing the collation of an output column (Tom Lane)
Disallow zero-length Unicode identifiers, e.g., U&""
(Peter Eisentraut)
Non-Unicode zero-length identifiers were already disallowed.
Prevent numeric literals from having non-numeric trailing characters (Peter Eisentraut)
Previously, query text like 123abc
would be interpreted as 123
followed by a separate token abc
.
Adjust JSON numeric literal processing to match the SQL/JSON-standard (Peter Eisentraut)
This accepts numeric formats like .1
and 1.
, and disallows trailing junk after numeric literals, like 1.type()
.
When interval
input provides a fractional value for a unit greater than months, round to the nearest month (Bruce Momjian)
For example, convert 1.99 years
to 2 years
, not 1 year 11 months
as before.
Improve consistency of interval
parsing with trailing periods (Tom Lane)
Numbers with trailing periods were rejected on some platforms.
Mark the interval
output function as stable, not immutable, since it depends on IntervalStyle
(Tom Lane)
This will, for example, cause creation of indexes relying on the text output of interval
values to fail.
Detect integer overflow in interval justification functions (Joe Koshakow)
The affected functions are justify_interval()
, justify_hours()
, and justify_days()
.
Change the I/O format of type "char"
for non-ASCII characters (Tom Lane)
Bytes with the high bit set are now output as a backslash and three octal digits, to avoid encoding issues.
Remove the default ADMIN OPTION
privilege a login role has on its own role membership (Robert Haas)
Previously, a login role could add/remove members of its own role, even without ADMIN OPTION
privilege.
Allow logical replication to run as the owner of the subscription (Mark Dilger)
Because row-level security policies are not checked, only superusers, roles with bypassrls
, and table owners can replicate into tables with row-level security policies.
Prevent UPDATE
and DELETE
logical replication operations on tables where the subscription owner does not have SELECT
permission on the table (Jeff Davis)
UPDATE
and DELETE
commands typically involve reading the table as well, so require the subscription owner to have table SELECT
permission.
When EXPLAIN
references the session's temporary object schema, refer to it as pg_temp
(Amul Sul)
Previously the actual schema name was reported, leading to inconsistencies across sessions.
Fix pg_statio_all_tables
to sum values for the rare case of TOAST tables with multiple indexes (Andrei Zubkov)
Previously such cases would show one row for each index.
Disallow setting custom options that match the name of an installed extension, but are not one of the extension's declared variables (Florin Irion, Tom Lane)
This change causes any such pre-existing variables to be deleted during extension load, and then prevents new ones from being created later in the session. The intent is to prevent confusion about whether a variable is associated with an extension or not.
Remove obsolete server variable stats_temp_directory
(Andres Freund, Kyotaro Horiguchi)
Improve the algorithm used to compute random()
(Fabien Coelho)
This will cause random()
's results to differ from what was emitted by prior versions, even for the same seed value.
libpq's PQsendQuery()
function is no longer supported in pipeline mode (Ãlvaro Herrera)
Applications that are using that combination will need to be modified to use PQsendQueryParams()
instead.
On non-Windows platforms, consult the HOME
environment variable to find the user's home directory (Anders Kaseorg)
If HOME
is empty or unset, fall back to the previous method of checking the <pwd.h>
database. This change affects libpq (for example, while looking up ~/.pgpass
) as well as various client application programs.
Remove pg_dump's --no-synchronized-snapshots
option (Tom Lane)
All still-supported server versions support synchronized snapshots, so there's no longer a need for this option.
After an error is detected in psql's --single-transaction
mode, change the final COMMIT
command to ROLLBACK
only if ON_ERROR_STOP
is set (Michael Paquier)
Avoid unnecessary casting of constants in queries sent by postgres_fdw (Dian Fay)
When column types are intentionally different between local and remote databases, such casts could cause errors.
Remove xml2's xml_is_well_formed()
function (Tom Lane)
This function has been implemented in the core backend since Postgres 9.1.
Allow custom scan providers to indicate if they support projections (Sven Klemm)
The default is now that custom scan providers are assumed to not support projections; those that do will need to be updated for this release.
Below you will find a detailed account of the changes between PostgreSQL 15 and the previous major release.
Record and check the collation version of each database (Peter Eisentraut)
This feature is designed to detect collation version changes to avoid index corruption. Function pg_database_collation_actual_version()
reports the underlying operating system collation version, and ALTER DATABASE ... REFRESH
sets the recorded database collation version to match the operating system collation version.
Allow ICU collations to be set as the default for clusters and databases (Peter Eisentraut)
Previously, only libc-based collations could be selected at the cluster and database levels. ICU collations could only be used via explicit COLLATE
clauses.
Add system view pg_ident_file_mappings
to report pg_ident.conf
information (Julien Rouhaud)
Improve planning time for queries referencing partitioned tables (David Rowley)
This change helps when only a few of many partitions are relevant.
Allow ordered scans of partitions to avoid sorting in more cases (David Rowley)
Previously, a partitioned table with a DEFAULT
partition or a LIST
partition containing multiple values could not be used for ordered partition scans. Now they can be used if such partitions are pruned during planning.
Improve foreign key behavior of updates on partitioned tables that move rows between partitions (Amit Langote)
Previously, such updates ran a delete action on the source partition and an insert action on the target partition. PostgreSQL will now run an update action on the partition root, providing cleaner semantics.
Allow CLUSTER
on partitioned tables (Justin Pryzby)
Fix ALTER TRIGGER RENAME
on partitioned tables to properly rename triggers on all partitions (Arne Roland, Ãlvaro Herrera)
Also prohibit cloned triggers from being renamed.
Allow btree indexes on system and TOAST tables to efficiently store duplicates (Peter Geoghegan)
Previously de-duplication was disabled for these types of indexes.
Improve lookup performance of GiST indexes that were built using sorting (Aliaksandr Kalenik, Sergei Shoulbakov, Andrey Borodin)
Allow unique constraints and indexes to treat NULL
values as not distinct (Peter Eisentraut)
Previously NULL
entries were always treated as distinct values, but this can now be changed by creating constraints and indexes using UNIQUE NULLS NOT DISTINCT
.
Allow the ^@
starts-with operator and the starts_with()
function to use btree indexes if using the C collation (Tom Lane)
Previously these could only use SP-GiST indexes.
Allow extended statistics to record statistics for a parent with all its children (Tomas Vondra, Justin Pryzby)
Regular statistics already tracked parent and parent-plus-all-children statistics separately.
Add server variable recursive_worktable_factor
to allow the user to specify the expected size of the working table of a recursive query (Simon Riggs)
Allow hash lookup for NOT IN
clauses with many constants (David Rowley, James Coleman)
Previously the code always sequentially scanned the list of values.
Allow SELECT DISTINCT
to be parallelized (David Rowley)
Speed up encoding validation of UTF-8 text by processing 16 bytes at a time (John Naylor, Heikki Linnakangas)
This will improve text-heavy operations like COPY FROM
.
Improve performance for sorts that exceed work_mem
(Heikki Linnakangas)
When the sort data no longer fits in work_mem
, switch to a batch sorting algorithm that uses more output streams than before.
Improve performance and reduce memory consumption of in-memory sorts (Ronan Dunklau, David Rowley, Thomas Munro, John Naylor)
Allow WAL full page writes to use LZ4 and Zstandard compression (Andrey Borodin, Justin Pryzby)
This is controlled by the wal_compression
server setting.
Add support for writing WAL using direct I/O on macOS (Thomas Munro)
This only works if max_wal_senders = 0
and wal_level = minimal
.
Allow vacuum to be more aggressive in setting the oldest frozen and multi transaction id (Peter Geoghegan)
Allow a query referencing multiple foreign tables to perform parallel foreign table scans in more cases (Andrey Lepikhov, Etsuro Fujita)
Improve the performance of window functions that use row_number()
, rank()
, dense_rank()
and count()
(David Rowley)
Improve the performance of spinlocks on high-core-count ARM64 systems (Geoffrey Blake)
Enable default logging of checkpoints and slow autovacuum operations (Bharath Rupireddy)
This changes the default of log_checkpoints
to on
and that of log_autovacuum_min_duration
to 10 minutes. This will cause even an idle server to generate some log output, which might cause problems on resource-constrained servers without log file rotation. These defaults should be changed in such cases.
Generate progress messages in the server log during slow server starts (Nitin Jadhav, Robert Haas)
The messages report the cause of the delay. The time interval for notification is controlled by the new server variable log_startup_progress_interval
.
Store cumulative statistics system data in shared memory (Kyotaro Horiguchi, Andres Freund, Melanie Plageman)
Previously this data was sent to a statistics collector process via UDP packets, and could only be read by sessions after transferring it via the file system. There is no longer a separate statistics collector process.
Add additional information to VACUUM VERBOSE
and autovacuum logging messages (Peter Geoghegan)
Add EXPLAIN (BUFFERS)
output for temporary file block I/O (Masahiko Sawada)
Allow log output in JSON format (Sehrope Sarkuni, Michael Paquier)
The new setting is log_destination = jsonlog
.
Allow pg_stat_reset_single_table_counters()
to reset the counters of relations shared across all databases (Sadhuprasad Patro)
Add wait events for local shell commands (Fujii Masao)
The new wait events are used when calling archive_command
, archive_cleanup_command
, restore_command
and recovery_end_command
.
Allow table accesses done by a view to optionally be controlled by privileges of the view's caller (Christoph Heiss)
Previously, view accesses were always treated as being done by the view's owner. That's still the default.
Allow members of the pg_write_server_files
predefined role to perform server-side base backups (Dagfinn Ilmari Mannsåker)
Previously only superusers could perform such backups.
Allow GRANT
to grant permissions to change individual server variables via SET
and ALTER SYSTEM
(Mark Dilger)
The new function has_parameter_privilege()
reports on this privilege.
Add predefined role pg_checkpoint
that allows members to run CHECKPOINT
(Jeff Davis)
Previously checkpoints could only be run by superusers.
Allow members of the pg_read_all_stats
predefined role to access the views pg_backend_memory_contexts
and pg_shmem_allocations
(Bharath Rupireddy)
Previously these views could only be accessed by superusers.
Allow GRANT
to grant permissions on pg_log_backend_memory_contexts()
(Jeff Davis)
Previously this function could only be run by superusers.
Add server variable shared_memory_size
to report the size of allocated shared memory (Nathan Bossart)
Add server variable shared_memory_size_in_huge_pages
to report the number of huge memory pages required (Nathan Bossart)
This is only supported on Linux.
Honor server variable shared_preload_libraries
in single-user mode (Jeff Davis)
This change supports use of shared_preload_libraries
to load custom access methods and WAL resource managers, which would be essential for database access even in single-user mode.
On Solaris, make the default setting of dynamic_shared_memory_type
be sysv
(Thomas Munro)
The previous default choice, posix
, can result in spurious failures on this platform.
Allow postgres -C
to properly report runtime-computed values (Nathan Bossart)
Previously runtime-computed values data_checksums
, wal_segment_size
, and data_directory_mode
would report values that would not be accurate on the running server. However, this does not work on a running server.
Add support for LZ4 and Zstandard compression of server-side base backups (Jeevan Ladhe, Robert Haas)
Run the checkpointer and bgwriter processes during crash recovery (Thomas Munro)
This helps to speed up long crash recoveries.
Allow WAL processing to pre-fetch needed file contents (Thomas Munro)
This is controlled by the server variable recovery_prefetch
.
Allow archiving via loadable modules (Nathan Bossart)
Previously, archiving was only done by calling shell commands. The new server variable archive_library
can be set to specify a library to be called for archiving.
No longer require IDENTIFY_SYSTEM
to be run before START_REPLICATION
(Jeff Davis)
Allow publication of all tables in a schema (Vignesh C, Hou Zhijie, Amit Kapila)
For example, this syntax is now supported: CREATE PUBLICATION pub1 FOR TABLES IN SCHEMA s1,s2
. ALTER PUBLICATION
supports a similar syntax. Tables added later to the listed schemas will also be replicated.
Allow publication content to be filtered using a WHERE
clause (Hou Zhijie, Euler Taveira, Peter Smith, Ajin Cherian, Tomas Vondra, Amit Kapila)
Rows not satisfying the WHERE
clause are not published.
Allow publication content to be restricted to specific columns (Tomas Vondra, Ãlvaro Herrera, Rahila Syed)
Allow skipping of transactions on a subscriber using ALTER SUBSCRIPTION ... SKIP
(Masahiko Sawada)
Add support for prepared (two-phase) transactions to logical replication (Peter Smith, Ajin Cherian, Amit Kapila, Nikhil Sontakke, Stas Kelvich)
The new CREATE_REPLICATION_SLOT
option is called TWO_PHASE
. pg_recvlogical now supports a new --two-phase
option during slot creation.
Prevent logical replication of empty transactions (Ajin Cherian, Hou Zhijie, Euler Taveira)
Previously, publishers would send empty transactions to subscribers if subscribed tables were not modified.
Add SQL functions to monitor the directory contents of logical replication slots (Bharath Rupireddy)
The new functions are pg_ls_logicalsnapdir()
, pg_ls_logicalmapdir()
, and pg_ls_replslotdir()
. They can be run by members of the predefined pg_monitor
role.
Allow subscribers to stop the application of logical replication changes on error (Osumi Takamichi, Mark Dilger)
This is enabled with the subscriber option disable_on_error
and avoids possible infinite error loops during stream application.
Adjust subscriber server variables to match the publisher so datetime and float8 values are interpreted consistently (Japin Li)
Some publishers might be relying on inconsistent behavior.
Add system view pg_stat_subscription_stats
to report on subscriber activity (Masahiko Sawada)
The new function pg_stat_reset_subscription_stats()
allows resetting these statistics counters.
Suppress duplicate entries in the pg_publication_tables
system view (Hou Zhijie)
In some cases a partition could appear more than once.
Add SQL MERGE
command to adjust one table to match another (Simon Riggs, Pavan Deolasee, Ãlvaro Herrera, Amit Langote)
This is similar to INSERT ... ON CONFLICT
but more batch-oriented.
Add support for HEADER
option in COPY
text format (Rémi Lapeyre)
The new option causes the column names to be output, and optionally verified on input.
Add new WAL-logged method for database creation (Dilip Kumar)
This is the new default method for copying the template database, as it avoids the need for checkpoints during database creation. However, it might be slow if the template database is large, so the old method is still available.
Allow CREATE DATABASE
to set the database OID (Shruthi Gowda, Antonin Houska)
Prevent DROP DATABASE
, DROP TABLESPACE
, and ALTER DATABASE SET TABLESPACE
from occasionally failing during concurrent use on Windows (Thomas Munro)
Allow foreign key ON DELETE SET
actions to affect only specified columns (Paul Martinez)
Previously, all of the columns in the foreign key were always affected.
Allow ALTER TABLE
to modify a table's ACCESS METHOD
(Justin Pryzby, Jeff Davis)
Properly call object access hooks when ALTER TABLE
causes table rewrites (Michael Paquier)
Allow creation of unlogged sequences (Peter Eisentraut)
Track dependencies on individual columns in the results of functions returning composite types (Tom Lane)
Previously, if a view or rule contained a reference to a specific column within the result of a composite-returning function, that was not noted as a dependency; the view or rule was only considered to depend on the composite type as a whole. This meant that dropping the individual column would be allowed, causing problems in later use of the view or rule. The column-level dependency is now also noted, so that dropping such a column will be rejected unless the view is changed or dropped.
Allow the scale of a numeric
value to be negative, or greater than its precision (Dean Rasheed, Tom Lane)
This allows rounding of values to the left of the decimal point, e.g., '1234'::numeric(4, -2)
returns 1200.
Improve overflow detection when casting values to interval (Joe Koshakow)
Change the I/O format of type "char"
for non-ASCII characters (Tom Lane)
Update the display width information of modern Unicode characters, like emojis (Jacob Champion)
Also update from Unicode 5.0 to 14.0.0. There is now an automated way to keep Postgres updated with Unicode releases.
Add multirange input to range_agg()
(Paul Jungwirth)
Add MIN()
and MAX()
aggregates for the xid8
data type (Ken Kato)
Add regular expression functions for compatibility with other relational systems (Gilles Darold, Tom Lane)
The new functions are regexp_count()
, regexp_instr()
, regexp_like()
, and regexp_substr()
. Some new optional arguments were also added to regexp_replace()
.
Add the ability to compute the distance between polygons
(Tom Lane)
Add to_char()
format codes of
, tzh
, and tzm
(Nitin Jadhav)
The upper-case equivalents of these were already supported.
When applying AT TIME ZONE
to a time with time zone
value, use the transaction start time rather than wall clock time to determine whether DST applies (Aleksander Alekseev, Tom Lane)
This allows the conversion to be considered stable rather than volatile, and it saves a kernel call per invocation.
Ignore NULL array elements in ts_delete()
and setweight()
functions with array arguments (Jean-Christophe Arnu)
These functions effectively ignore empty-string array elements (since those could never match a valid lexeme). It seems consistent to let them ignore NULL elements too, instead of failing.
Add support for petabyte units to pg_size_pretty()
and pg_size_bytes()
(David Christensen)
Change pg_event_trigger_ddl_commands()
to output references to other sessions' temporary schemas using the actual schema name (Tom Lane)
Previously this function reported all temporary schemas as pg_temp
, but it's misleading to use that for any but the current session's temporary schema.
Fix enforcement of PL/pgSQL variable CONSTANT
markings (Tom Lane)
Previously, a variable could be used as a CALL
output parameter or refcursor OPEN
variable despite being marked CONSTANT
.
Allow IP address matching against a server certificate's Subject Alternative Name (Jacob Champion)
Allow PQsslAttribute()
to report the SSL library type without requiring a libpq connection (Jacob Champion)
Change query cancellations sent by the client to use the same TCP settings as normal client connections (Jelte Fennema)
This allows configured TCP timeouts to apply to query cancel connections.
Prevent libpq event callback failures from forcing an error result (Tom Lane)
Allow pgbench to retry after serialization and deadlock failures (Yugo Nagata, Marina Polyakova)
Improve performance of psql's \copy
command, by sending data in larger chunks (Heikki Linnakangas)
Add \dconfig
command to report server variables (Mark Dilger, Tom Lane)
This is similar to the server-side SHOW
command, but it can process patterns to show multiple variables conveniently.
Add \getenv
command to assign the value of an environment variable to a psql variable (Tom Lane)
Add +
option to the \lo_list
and \dl
commands to show large-object privileges (Pavel Luzanov)
Add a pager option for the \watch
command (Pavel Stehule, Thomas Munro)
This is only supported on Unix and is controlled by the PSQL_WATCH_PAGER
environment variable.
Make psql include intra-query double-hyphen comments in queries sent to the server (Tom Lane, Greg Nancarrow)
Previously such comments were removed from the query before being sent. Double-hyphen comments that are before any query text are not sent, and are not recorded as separate psql history entries.
Adjust psql so that Readline's meta-#
command will insert a double-hyphen comment marker (Tom Lane)
Previously a pound marker was inserted, unless the user had taken the trouble to configure a non-default comment marker.
Make psql output all results when multiple queries are passed to the server at once (Fabien Coelho)
Previously, only the last query result was displayed. The old behavior can be restored by setting the SHOW_ALL_RESULTS
psql variable to off
.
After an error is detected in --single-transaction
mode, change the final COMMIT
command to ROLLBACK
only if ON_ERROR_STOP
is set (Michael Paquier)
Previously, detection of an error in a -c
command or -f
script file would lead to issuing ROLLBACK
at the end, regardless of the value of ON_ERROR_STOP
.
Improve psql's tab completion (Shinya Kato, Dagfinn Ilmari MannsÃ¥ker, Peter Smith, Koyu Tanigawa, Ken Kato, David Fetter, Haiying Tang, Peter Eisentraut, Ãlvaro Herrera, Tom Lane, Masahiko Sawada)
Limit support of psql's backslash commands to servers running PostgreSQL 9.2 or later (Tom Lane)
Remove code that was only used when running with an older server. Commands that do not require any version-specific adjustments compared to 9.2 will still work.
Make pg_dump dump public
schema ownership changes and security labels (Noah Misch)
Improve performance of dumping databases with many objects (Tom Lane)
This will also improve the performance of pg_upgrade.
Improve parallel pg_dump's performance for tables with large TOAST tables (Tom Lane)
Add dump/restore option --no-table-access-method
to force restore to only use the default table access method (Justin Pryzby)
Limit support of pg_dump and pg_dumpall to servers running PostgreSQL 9.2 or later (Tom Lane)
Add new pg_basebackup option --target
to control the base backup location (Robert Haas)
The new options are server
to write the backup locally and blackhole
to discard the backup (for testing).
Allow pg_basebackup to do server-side gzip, LZ4, and Zstandard compression and client-side LZ4 and Zstandard compression of base backup files (Dipesh Pandit, Jeevan Ladhe)
Client-side gzip
compression was already supported.
Allow pg_basebackup to compress on the server side and decompress on the client side before storage (Dipesh Pandit)
This is accomplished by specifying compression on the server side and plain output format.
Allow pg_basebackup's --compress
option to control the compression location (server or client), compression method, and compression options (Michael Paquier, Robert Haas)
Add the LZ4 compression method to pg_receivewal (Georgios Kokolatos)
This is enabled via --compress=lz4
and requires binaries to be built using --with-lz4
.
Add additional capabilities to pg_receivewal's --compress
option (Georgios Kokolatos)
Improve pg_receivewal's ability to restart at the proper WAL location (Ronan Dunklau)
Previously, pg_receivewal would start based on the WAL file stored in the local archive directory, or at the sending server's current WAL flush location. With this change, if the sending server is running Postgres 15 or later, the local archive directory is empty, and a replication slot is specified, the replication slot's restart point will be used.
Add pg_rewind option --config-file
to simplify use when server configuration files are stored outside the data directory (Gunnar Bluth)
Store pg_upgrade's log and temporary files in a subdirectory of the new cluster called pg_upgrade_output.d
(Justin Pryzby)
Previously such files were left in the current directory, requiring manual cleanup. Now they are automatically removed on successful completion of pg_upgrade.
Disable default status reporting during pg_upgrade operation if the output is not a terminal (Andres Freund)
The status reporting output can be enabled for non-tty usage by using --verbose
.
Make pg_upgrade report all databases with invalid connection settings (Jeevan Ladhe)
Previously only the first database with an invalid connection setting was reported.
Make pg_upgrade preserve tablespace and database OIDs, as well as relation relfilenode numbers (Shruthi Gowda, Antonin Houska)
Add a --no-sync
option to pg_upgrade (Michael Paquier)
This is recommended only for testing.
Limit support of pg_upgrade to old servers running PostgreSQL 9.2 or later (Tom Lane)
Allow pg_waldump output to be filtered by relation file node, block number, fork number, and full page images (David Christensen, Thomas Munro)
Make pg_waldump report statistics before an interrupted exit (Bharath Rupireddy)
For example, issuing a control-C in a terminal running pg_waldump --stats --follow
will report the current statistics before exiting. This does not work on Windows.
Improve descriptions of some transaction WAL records reported by pg_waldump (Masahiko Sawada, Michael Paquier)
Allow pg_waldump to dump information about multiple resource managers (Heikki Linnakangas)
This is enabled by specifying the --rmgr
option multiple times.
Add documentation for pg_encoding_to_char()
and pg_char_to_encoding()
(Ian Lawrence Barwick)
Document the ^@
starts-with operator (Tom Lane)
Add support for continuous integration testing using cirrus-ci (Andres Freund, Thomas Munro, Melanie Plageman)
Add configure option --with-zstd
to enable Zstandard builds (Jeevan Ladhe, Robert Haas, Michael Paquier)
Add an ABI identifier field to the magic block in loadable libraries, allowing non-community PostgreSQL distributions to identify libraries that are not compatible with other builds (Peter Eisentraut)
An ABI field mismatch will generate an error at load time.
Create a new pg_type.typcategory
value for "char"
(Tom Lane)
Some other internal-use-only types have also been assigned to this category.
Add new protocol message TARGET
to specify a new COPY
method to be used for base backups (Robert Haas)
pg_basebackup now uses this method.
Add new protocol message COMPRESSION
and COMPRESSION_DETAIL
to specify the compression method and options (Robert Haas)
Remove server support for old BASE_BACKUP
command syntax and base backup protocol (Robert Haas)
Add support for extensions to set custom backup targets (Robert Haas)
Allow extensions to define custom WAL resource managers (Jeff Davis)
Add function pg_settings_get_flags()
to get the flags of server variables (Justin Pryzby)
On Windows, export all the server's global variables using PGDLLIMPORT
markers (Robert Haas)
Previously, only specific variables were accessible to extensions on Windows.
Require GNU make version 3.81 or later to build PostgreSQL (Tom Lane)
Require OpenSSL to build the pgcrypto extension (Peter Eisentraut)
Require Perl version 5.8.3 or later (Dagfinn Ilmari Mannsåker)
Require Python version 3.2 or later (Andres Freund)
Allow amcheck to check sequences (Mark Dilger)
Improve amcheck sanity checks for TOAST tables (Mark Dilger)
Add new module basebackup_to_shell as an example of a custom backup target (Robert Haas)
Add new module basic_archive as an example of performing archiving via a library (Nathan Bossart)
Allow btree_gist indexes on boolean columns (Emre Hasegeli)
These can be used for exclusion constraints.
Fix pageinspect's page_header()
to handle 32-kilobyte page sizes (Quan Zongliang)
Previously, improper negative values could be returned in certain cases.
Add counters for temporary file block I/O to pg_stat_statements (Masahiko Sawada)
Add JIT counters to pg_stat_statements (Magnus Hagander)
Add new module pg_walinspect (Bharath Rupireddy)
This gives SQL-level output similar to pg_waldump.
Indicate the permissive/enforcing state in sepgsql log messages (Dave Page)
Allow postgres_fdw to push down CASE
expressions (Alexander Pyhalov)
Add server variable postgres_fdw.application_name
to control the application name of postgres_fdw connections (Hayato Kuroda)
Previously the remote session's application_name
could only be set on the remote server or via a postgres_fdw connection specification. postgres_fdw.application_name
supports some escape sequences for customization, making it easier to tell such connections apart on the remote server.
Allow parallel commit on postgres_fdw servers (Etsuro Fujita)
This is enabled with the CREATE SERVER
option parallel_commit
.
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2025-02-20
This release contains a few fixes from 14.16. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.14, see Version 14.14.
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜
The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral()
and PQescapeIdentifier()
failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.
In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Fix crash involving triggers on partitioned tables that make use of transition tables (Kyotaro Horiguchi) 📜
If there are both AFTER UPDATE
and AFTER DELETE
triggers, the need for transition tables was determined incorrectly, leading to a crash during cross-partition updates.
Release date: 2025-02-13
This release contains a variety of fixes from 14.15. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.14, see Version 14.14.
Harden PQescapeString
and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)
Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜
Do not check datallowconn
, rolcanlogin
, and ACL_CONNECT
privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections
, datconnlimit
, and rolconnlimit
limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.
Keep TransactionXmin
in sync with MyProc->xmin
(Heikki Linnakangas) 📜
This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction†errors.
Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜
This could result, for example, in failure to use a newly-created function within an existing session.
Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜
Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜
The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.
Prevent checkpoints from starting during relation truncation (Robert Haas) 📜
This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.
Use rename()
not link()
/unlink()
to rename files (Nathan Bossart) 📜
The previous coding was intended to assure that the operation could not accidentally overwrite an existing file. However a failure could leave two links to the same file in existence, confusing subsequent operations and creating a risk of data corruption. In practice we do not use this functionality in places where the target filename could already exist, so it seems better to give up the no-overwrite guarantee to remove the multiple-link hazard.
Avoid possibly losing an update of pg_database
.datfrozenxid
when VACUUM
runs concurrently with a REASSIGN OWNED
that changes that database's owner (Kirill Reshke) 📜
Fix incorrect tg_updatedcols
values passed to AFTER UPDATE
triggers (Tom Lane) 📜
In some cases the tg_updatedcols
bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.
Also, prevent memory bloat caused by making too many copies of the tg_updatedcols
bitmap.
Fix mis-processing of to_timestamp
's FF
format codes (Tom Lane) 📜n
An integer format code immediately preceding FF
would consume all available digits, leaving none for n
FF
.n
When deparsing an XMLTABLE()
expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜
Include the ldapscheme
option in pg_hba_file_rules()
output (Laurenz Albe) 📜 📜
Don't merge UNION
operations if their column collations aren't consistent (Tom Lane) 📜
Previously we ignored collations when deciding if it's safe to merge UNION
steps into a single N-way UNION
operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.
Fix missed expression processing for partition pruning steps (Tom Lane) 📜
This oversight could lead to “unrecognized node type†errors, and perhaps other problems, in queries accessing partitioned tables.
Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜
This avoids errors like “invalid DSA memory alloc request sizeâ€. The case can occur for example in transactions that process several million tables.
Avoid possible integer overflow in bringetbitmap()
(James Hunter, Evgeniy Gorbanyov) 📜
Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.
Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜
This would happen when the record's continuation is on a page that needs to be read from a different WAL source.
Improve performance of archiver process with many status files (Nathan Bossart) 📜
This change back-patches a fix originally made in v15, in response to reports of extremely poor archiving performance leading to downtime or loss of replicas.
Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜
This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child processâ€.
Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜
In some cases a data type could be dropped while references to its OID still remain in pg_amop
or pg_amproc
. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY
to prevent failure when dropping a family that has dangling members.
Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜
Avoid low-probability crash on out-of-memory, due to missing check for failure return from malloc()
(Karina Litskevich) 📜
Avoid integer overflow while testing wal_skip_threshold
condition (Tom Lane) 📜
A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold
. (This only matters when wal_level
is set to minimal
, else a WAL copy is required anyway.)
Fix unsafe order of operations during cache lookups (Noah Misch) 📜
The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock†warning during GRANT TABLESPACE
.
Fix possible “failed to resolve name†failures when using JIT on older ARM platforms (Thomas Munro) 📜
This could occur as a consequence of inconsistency about the default setting of -moutline-atomics
between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.
Fix handling of Windows junction points that are not of PostgreSQL origin (Thomas Munro) 📜 📜
Previously, initdb would fail if the path to the data directory included junction points whose expansion isn't in “drive absolute†format, or whose expansion points to another junction point.
Fix assertion failure in WITH RECURSIVE ... UNION
queries (David Rowley) 📜
Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜
Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜
In NULLIF()
, avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜
The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF()
result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.
Ensure that expression preprocessing is applied to a default null value in INSERT
(Tom Lane) 📜
If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.
Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜
Repeated use of PLyPlan.execute
or plpy.cursor
resulted in memory leakage for the duration of the calling PL/Python function.
Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜
In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜
In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN
(Ryo Kanbayashi) 📜
Previously, the intended warning was not issued due to a typo.
Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜
Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\
). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.
Fix use of wrong version of pqsignal()
in pgbench and psql (Fujii Masao, Tom Lane) 📜
This error could lead to misbehavior when using the -T
option in pgbench or the \watch
command in psql, due to interrupted system calls not being resumed as expected.
Fix misexecution of some nested \if
constructs in pgbench (Michail Nikolaev) 📜
An \if
command appearing within a false (not-being-executed) \if
branch was incorrectly treated the same as \elif
.
In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜
Make pg_controldata more robust against corrupted pg_control
files (Ilyasov Ian, Anton Voloshin) 📜
Since pg_controldata will attempt to print the contents of pg_control
even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.
Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜
Fix pg_basebackup to correctly handle pg_wal.tar
files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜
Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜
On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march
switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.
During configure, if a C23 compiler is detected, try asking for C17 (Thomas Munro) 📜
PostgreSQL versions before v16 will not compile under C23 rules. If the chosen compiler defaults to C23 or later, try adding a -std=gnu17
switch to change that. (If this won't work for your compiler, manually specify CFLAGS
with a suitable switch.)
Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜
Release date: 2024-11-21
This release contains a few fixes from 14.14. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.14, see Version 14.14.
Repair ABI break for extensions that work with struct ResultRelInfo
(Tom Lane) 📜
Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
Restore functionality of ALTER {ROLE|DATABASE} SET role
(Tom Lane, Noah Misch) 📜
The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role
to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE}
commands and the PGOPTIONS
environment variable.
Fix cases where a logical replication slot's restart_lsn
could go backwards (Masahiko Sawada) 📜
Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots
. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn
value, in which case replication would fail to restart.
Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) 📜
Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready
files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.
Count index scans in contrib/bloom
indexes in the statistics views, such as the pg_stat_user_indexes
.idx_scan
counter (Masahiro Ikeda) 📜
Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜
Some forms of ALTER TABLE
would fail if the table has an index with non-default operator class options.
Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) 📜
This bug does not appear to have any visible consequences in non-assert builds.
Release date: 2024-11-14
This release contains a variety of fixes from 14.13. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.
Also, if you are upgrading from a version earlier than 14.12, see Version 14.12.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION
and SET ROLE
(Tom Lane) 📜 📜
The SQL standard mandates that SET SESSION AUTHORIZATION
have a side-effect of doing SET ROLE NONE
. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION
would revert ROLE
to NONE
even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization
in a function SET
clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role')
, it saw none
even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜 📜
The ability to manipulate process environment variables such as PATH
gives an attacker opportunities to execute arbitrary code. Therefore, “trusted†PLs must not offer the ability to do that. To fix plperl
, replace %ENV
with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu
retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)
Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Ãlvaro Herrera) 📜
If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION
commands failed to perform this conversion correctly. In particular, after DETACH
the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH
could fail with surprising errors, too.
The way to fix this is to do ALTER TABLE DROP CONSTRAINT
on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent));
Since it is possible that one or more of the ADD CONSTRAINT
steps will fail, you should save the query's output in a file and then attempt to perform each step.
Avoid possible crashes and “could not open relation†errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY
and immediate drop of a partition (Ãlvaro Herrera, Kuntal Gosh) 📜 📜
Disallow ALTER TABLE ATTACH PARTITION
if the table to be attached has a foreign key referencing the partitioned table (Ãlvaro Herrera) 📜 📜
This arrangement is not supported, and other ways of creating it already fail.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜
Such plans could produce incorrect results.
Fix possible “could not find pathkey item to sort†error when the output of a UNION ALL
member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜
Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) 📜
Fix assertion failure or confusing error message for COPY (
, when the query
) TO ...query
is rewritten by a DO INSTEAD NOTIFY
rule (Tender Wang, Tom Lane) 📜
Fix detection of skewed data during parallel hash join (Thomas Munro) 📜
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction†error.
Fix race condition in COMMIT PREPARED
that resulted in orphaned 2PC files (wuchengwen) 📜
A concurrent PREPARE TRANSACTION
could cause COMMIT PREPARED
to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transactionâ€, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL
(Tender Wang) 📜
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place†catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class
.relhasindex
to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch) 📜
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih) 📜
This allows more of the work done in extended query protocol to be attributed to the correct query.
Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) 📜
Use xmlXPathCtxtCompile()
rather than xmlXPathCompile()
, because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
Do not ignore a concurrent REINDEX CONCURRENTLY
that is working on an index with predicates or expressions (Michail Nikolaev) 📜
Normally, REINDEX CONCURRENTLY
does not need to wait for other REINDEX CONCURRENTLY
operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY
is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
Fix “failed to find plan for subquery/CTE†errors in EXPLAIN
(Richard Guo, Tom Lane) 📜 📜
This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE
condition). Nothing remains in the plan to identify the original field names, so fall back to printing f
for the N
N
'th record column. (That's actually the right thing anyway, if the record output arose from a ROW()
constructor.)
Disallow a USING
clause when altering the type of a generated column (Peter Eisentraut) 📜
A generated column already has an expression specifying the column contents, so including USING
doesn't make sense.
Ignore not-yet-defined Portals in the pg_cursors
view (Tom Lane) 📜
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Avoid “unexpected table_index_fetch_tuple call during logical decoding†error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) 📜 📜
Reduce memory consumption of logical decoding (Masahiko Sawada) 📜
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) 📜
A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
Avoid “wrong tuple length†failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) 📜 📜
Allow adjusting the session_authorization
and role
settings in parallel workers (Tom Lane) 📜
Our code intends to allow modifiable server settings to be set by function SET
clauses, but not otherwise within a parallel worker. SET
clauses failed for these two settings, though.
Fix behavior of stable functions called from a CALL
statement's argument list, when the CALL
is within a PL/pgSQL EXCEPTION
block (Tom Lane) 📜
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Fix “cache lookup failed for function†errors in edge cases in PL/pgSQL's CALL
(Tom Lane) 📜
Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas) 📜
Thread safety is not currently a concern in the server, but it is for libpq.
Parse libpq's keepalives
connection option in the same way as other integer-valued options (Yuto Sasaki) 📜
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
Avoid use of pnstrdup()
in ecpglib (Jacob Champion) 📜
That function will call exit()
on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) 📜
This was the intention to begin with, but a coding error caused the source history to always print as empty.
Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang) 📜 📜 📜 📜 📜 📜
This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José SantamarÃa Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Allow inspection of sequence relations in relevant functions of contrib/pageinspect
and contrib/pgstattuple
(Nathan Bossart, Ayush Vatsa) 📜 📜
This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t
) will fit into a long
value (Max Johnson, Nathan Bossart) 📜
On platforms where long
is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start
would hang.
Prevent “nothing provides perl (PostgreSQL::Test::Utils)†failures while building RPM packages of PostgreSQL (Noah Misch) 📜
Fix building with Strawberry Perl on Windows (Andrew Dunstan) 📜
Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT
is now an alias for America/Los_Angeles
. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT
, timestamptz
input such as 1801-01-01 00:00
would previously have been rendered as 1801-01-01 00:00:00-08
, but now it is rendered as 1801-01-01 00:00:00-07:52:58
.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan
is now an alias for Asia/Ulaanbaatar
rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Release date: 2024-08-08
This release contains a variety of fixes from 14.12. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.12, see Version 14.12.
Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind
that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem. CVE-2024-7348 or CVE-2024-7348)
Prevent infinite loop in VACUUM
(Melanie Plageman)
After a disconnected standby server with an old running transaction reconnected to the primary, it was possible for VACUUM
on the primary to get confused about which tuples are removable, resulting in an infinite loop.
Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Ãlvaro Herrera)
Fix ALTER TABLE DETACH PARTITION
for cases involving inconsistent index-based constraints (Ãlvaro Herrera, Tender Wang)
When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount
value. This would cause trouble during any further manipulations of that constraint.
Fix partition pruning setup during ALTER TABLE DETACH PARTITION CONCURRENTLY
(Ãlvaro Herrera)
The executor assumed that no partition could be detached between planning and execution of a query on a partitioned table. This is no longer true since the introduction of DETACH PARTITION
's CONCURRENTLY
option, making it possible for query execution to fail transiently when that is used.
Correctly update a partitioned table's pg_class
.reltuples
field to zero after its last child partition is dropped (Noah Misch)
The first ANALYZE
on such a partitioned table must update relhassubclass
as well, and that caused the reltuples
update to be lost.
Fix handling of polymorphic output arguments for procedures (Tom Lane)
The SQL CALL
statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelementâ€, or even outright crashes. (But CALL
in PL/pgSQL worked correctly.)
Fix behavior of stable functions called from a CALL
statement's argument list (Tom Lane)
If the CALL
is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Detect integer overflow in money
calculations (Joseph Koshakow)
None of the arithmetic functions for the money
type checked for overflow before, so they would silently give wrong answers for overflowing cases.
Fix over-aggressive clamping of the scale argument in round(numeric)
and trunc(numeric)
(Dean Rasheed)
These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric
.
Prevent pg_sequence_last_value()
from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)
Make it return NULL in these cases instead of throwing an error.
Fix parsing of ignored operators in websearch_to_tsquery()
(Tom Lane)
Per the manual, punctuation in the input of websearch_to_tsquery()
is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or
could cause or
to be treated as a data word, rather than as an OR
operator as expected.
Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)
Reject applying array dimensions [-2147483648:2147483647]
to an empty array. This is closely related toCVE-2023-5869 or CVE-2023-5869, but appears harmless since the array still ends up empty.
Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database
catalog, so the effects are narrow, but misbehavior is possible.
Correctly check updatability of view columns targeted by INSERT
... DEFAULT
(Tom Lane)
If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N
not found in view targetlistâ€.
Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)
Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE
query does not have a self-reference within the second arm of the UNION
, but does have one self-reference in some other place such as ORDER BY
.
Don't throw an error if a queued AFTER
trigger no longer exists (Tom Lane)
It's possible for a transaction to execute an operation that queues a deferred AFTER
trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN
â€. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.
Fix failure to remove pg_init_privs
entries for column-level privileges when their table is dropped (Tom Lane)
If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.
Fix selection of an arbiter index for ON CONFLICT
when the desired index has expressions or predicates (Tom Lane)
If a query using ON CONFLICT
accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specificationâ€, even though a matching index does exist.
Refuse to modify a temporary table of another session with ALTER TABLE
(Tom Lane)
Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.
Fix handling of extended statistics on expressions in CREATE TABLE LIKE STATISTICS
(Tom Lane)
The CREATE
command failed to adjust column references in statistics expressions to the possibly-different column numbering of the new table. This resulted in invalid statistics objects that would cause problems later. A typical scenario where renumbering columns is needed is when the source table contains some dropped columns.
Fix failure to recalculate sub-queries generated from MIN()
or MAX()
aggregates (Tom Lane)
In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT
that is implemented with hash aggregation, but other cases may exist.
Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.
Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)
Notably, we now suppress “chunk is not well balanced†errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.
Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.
Prevent incorrect initialization of logical replication slots (Masahiko Sawada)
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.
Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.
Prevent deadlocks and assertion failures during truncation of the multixact SLRU log (Heikki Linnakangas)
A process trying to delete SLRU segments could deadlock with the checkpointer process.
Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.
Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)
It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.
Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.
When replanning a PL/pgSQL “simple expressionâ€, check it's still simple (Tom Lane)
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node typeâ€.
Fix incompatibility between PL/Perl and Perl 5.40 (Andrew Dunstan)
Fix recursive RECORD
-returning PL/Python functions (Tom Lane)
If we recurse to a new call of the same function that passes a different column definition list (AS
clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.
Don't corrupt PL/Python's TD
dictionary during a recursive trigger call (Tom Lane)
If a PL/Python-language trigger caused another one to be invoked, the TD
dictionary created for the inner one would overwrite the outer one's TD
dictionary.
Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.
Avoid non-thread-safe usage of strerror()
in libpq (Peter Eisentraut)
Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.
Ensure that pg_restore
-l
reports dependent TOC entries correctly (Tom Lane)
If -l
was specified together with selective-restore options such as -n
or -N
, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.
In contrib/postgres_fdw
, do not send FETCH FIRST WITH TIES
clauses to the remote server (Japin Li)
The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.
Avoid clashing with system-provided <regex.h>
headers (Thomas Munro)
This fixes a compilation failure on macOS version 15 and up.
Fix otherwise-harmless assertion failure in Memoize cost estimation (David Rowley)
Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY
applied to an SP-GiST index (Tom Lane)
Release date: 2024-05-09
This release contains a variety of fixes from 14.11. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, a security vulnerability was found in the system views pg_stats_ext
and pg_stats_ext_exprs
, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, follow the steps in the first changelog entry below to rectify it.
Also, if you are upgrading from a version earlier than 14.11, see Version 14.11.
Restrict visibility of pg_stats_ext
and pg_stats_ext_exprs
entries to the table owner (Nathan Bossart)
These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals
might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.
The PostgreSQL Project thanks Lukas Fittl for reporting this problem. CVE-2024-4317 or CVE-2024-4317)
By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:
Find the SQL script fix-CVE-2024-4317.sql
in the share
directory of the PostgreSQL installation (typically located someplace like /usr/share/postgresql/
). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix.
In each database of the cluster, run the fix-CVE-2024-4317.sql
script as superuser. In psql this would look like
\i /usr/share/postgresql/fix-CVE-2024-4317.sql
(adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.
Do not forget to include the template0
and template1
databases, or the vulnerability will still exist in databases you create later. To fix template0
, you'll need to temporarily make it accept connections. Do that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0
, undo it with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
Fix INSERT
from multiple VALUES
rows into a target column that is a domain over an array or composite type (Tom Lane)
Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.
Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT
clause (David Rowley)
A NULL value satisfies a clause such as
, so pruning away a partition containing NULLs yielded incorrect answers.boolcol
IS NOT FALSE
Make ALTER FOREIGN TABLE SET SCHEMA
move any owned sequences into the new schema (Tom Lane)
Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.
Improve ALTER TABLE ... ALTER COLUMN TYPE
's error message when there is a dependent function or publication (Tom Lane)
Fix EXPLAIN
's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)
Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.
Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.
Avoid race condition while examining per-relation frozen-XID values (Noah Misch)
VACUUM
's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM
.
Disallow converting a table to a view within an outer SQL command that is using that table (Tom Lane)
This avoids possible crashes.
Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL
trees that have constant outputs for the join column in some SELECT
arms.
Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)
When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING
, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.
Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)
This would typically end in a crash or unexpected error message.
Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov)
In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.
Fix incorrectly-reported statistics kind codes in “requested statistics kind X
is not yet built†error messages (David Rowley)
Be more careful with RECORD
-returning functions in FROM
(Tom Lane)
The output columns of such a function call must be defined by an AS
clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.
Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.
Add protective stack depth checks to some recursive functions (Egor Chindyaskin)
Fix mis-rounding and overflow hazards in date_bin()
(Moaaz Assali)
In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.
Detect integer overflow when adding or subtracting an interval
to/from a timestamp
(Joseph Koshakow)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Avoid race condition in pg_get_expr()
(Tom Lane)
If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.
Fix detection of old transaction IDs in XID status functions (Karina Litskevich)
Transaction IDs more than 231 transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status()
or txid_status()
.
Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau)
Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a “could not read block†error.
Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait
(Etsuro Fujita)
Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov)
Throw an error if an index is accessed while it is being reindexed (Tom Lane)
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.
Ensure that index-only scans on name
columns return a fully-padded value (David Rowley)
The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.
Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)
Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.
Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.
Avoid concurrent calls to bindtextdomain()
in libpq and ecpglib (Tom Lane)
Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.
Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)
In ecpg, avoid issuing false “unsupported feature will be passed to server†warnings (Tom Lane)
Ensure that the string result of ecpg's intoasc()
function is correctly zero-terminated (Oleg Tselebrovskiy)
Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords
(Daniel Gustafsson, Ãlvaro Herrera)
Fix PL/pgSQL's parsing of single-line comments (--
-style comments) following expressions (Erik Wienhold, Tom Lane)
This mistake caused parse errors if such a comment followed a WHEN
expression in a PL/pgSQL CASE
statement.
In contrib/amcheck
, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)
A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.
Fix bugs in BRIN output functions (Tomas Vondra)
These output functions are only used for displaying index entries in contrib/pageinspect
, so the errors are of limited practical concern.
In contrib/postgres_fdw
, avoid emitting requests to sort by a constant (David Rowley)
This could occur in cases involving UNION ALL
with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N
is not in select list†errors.
Make contrib/postgres_fdw
set the remote session's time zone to GMT
not UTC
(Tom Lane)
This should have the same results for practical purposes. However, GMT
is recognized by hard-wired code in the server, while UTC
is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.
In contrib/xml2
, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)
Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)
Allow make check
to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)
Release date: 2024-02-08
This release contains a variety of fixes from 14.10. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, one bug was fixed that could have resulted in corruption of GIN indexes during concurrent updates. If you suspect such corruption, reindex affected indexes after installing this update.
Also, if you are upgrading from a version earlier than 14.10, see Version 14.10.
Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY
(Heikki Linnakangas)
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH
. Fix things so that all user-determined code is run as the view's owner, as expected.
The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2024-0985 or CVE-2024-0985)
Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)
There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.
When dequeueing from an LWLock, avoid needing to search the list of waiting processes (Andres Freund)
This fixes O (N^2) behavior when the list of waiters is long. In some use-cases this results in substantial throughput improvements.
Avoid generating incorrect partitioned-join plans (Richard Guo)
Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target listâ€, or executor crashes.
Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)
This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.
Prevent access to a no-longer-pinned buffer in BEFORE ROW UPDATE
triggers (Alexander Lakhin, Tom Lane)
If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer. In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.
Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)
The limiting value was too large, allowing “invalid DSA memory alloc request size†errors to occur with sufficiently large expected hash table sizes.
Avoid assertion failures in heap_update()
and heap_delete()
when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)
This error had no impact in non-assert builds.
Fix possible failure during ALTER TABLE ADD COLUMN
on a complex inheritance tree (Tender Wang)
If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by selfâ€.
Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING
commands (Tender Wang, Michael Paquier)
Properly lock the associated table during DROP STATISTICS
(Tomas Vondra)
Failure to acquire the lock could result in “tuple concurrently deleted†errors if the DROP
executes concurrently with ANALYZE
.
Fix function volatility checking for GENERATED
and DEFAULT
expressions (Tom Lane)
These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED
clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN
.
Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)
We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.
Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)
Computing 0 - INT64_MIN
should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN
.
Detect Julian-date overflow when adding or subtracting an interval
to/from a timestamp
(Tom Lane)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Add more checks for overflow in interval_mul()
and interval_div()
(Dean Rasheed)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Make the pg_file_settings
view check validity of unapplied values for settings with backend
or superuser-backend
context (Tom Lane)
Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.
Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)
Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.
Avoid failure if a child index is dropped concurrently with REINDEX INDEX
on a partitioned index (Fei Changhong)
Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)
The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.
Avoid premature release of buffer pin in GIN index insertion (Tom Lane)
If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource ownerâ€.
Avoid failure with partitioned SP-GiST indexes (Tom Lane)
Trying to use an index of this kind could lead to “No such file or directory†errors.
Fix ownership change reporting for large objects (Tom Lane)
A no-op ALTER LARGE OBJECT OWNER
command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook
, probably confusing any extension using that hook.
Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)
The startedInRecovery
flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.
Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)
One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Fei Changhong)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups. This fix deals with the case that a top-level transaction is already marked as containing catalog changes, but its subtransaction(s) are not.
Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)
In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook
.
Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)
Use the BIO “app_data†field for our private storage, instead of assuming it's okay to use the “data†field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.
Be more wary about OpenSSL not setting errno
on error (Tom Lane)
If errno
isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Successâ€.
Fix file descriptor leakage when a foreign data wrapper's ForeignAsyncRequest
function fails (Heikki Linnakangas)
Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY
, not ERRCODE_INTERNAL_ERROR
(Alexander Kuzmenkov)
In PL/pgSQL, support SQL commands that are CREATE FUNCTION
/CREATE PROCEDURE
with SQL-standard bodies (Tom Lane)
Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.
Fix libpq's handling of errors in pipelines (Ãlvaro Herrera)
The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.
Make libpq's PQsendFlushRequest()
function flush the client output buffer under the same rules as other PQsend
functions (Jelte Fennema-Nio)
In pipeline mode, it may still be necessary to call PQflush()
as well; but this change removes some inconsistency.
Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)
Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)
When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retriedâ€.
In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)
Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).
In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)
This conforms to the behavior for other dependent objects such as indexes.
Make it an error for a pgbench script to end with an open pipeline (Anthonin Bonnefoy)
Previously, pgbench would behave oddly if a \startpipeline
command lacked a matching \endpipeline
. This seems like a scripting mistake rather than a case that pgbench needs to handle nicely, so throw an error.
In contrib/bloom
, fix overly tight assertion about false_positive_rate
(Alexander Lakhin)
Fix crash in contrib/intarray
if an array with an element equal to INT_MAX
is inserted into a gist__int_ops
index (Alexander Lakhin, Tom Lane)
Report a better error when contrib/pageinspect
's hash_bitmap_info()
function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)
Report a better error when contrib/pgstattuple
's pgstathashindex()
function is applied to a partitioned hash index (Alexander Lakhin)
On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)
When launching a child process via cmd.exe
, pass the /D
flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.
Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)
Fix compilation failure of WAL_DEBUG
code on Windows (Bharath Rupireddy)
Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.
Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)
Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.
Release date: 2023-11-09
This release contains a variety of fixes from 14.9. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX
potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.
Also, if you are upgrading from a version earlier than 14.9, see Version 14.9.
Fix handling of unknown-type arguments in DISTINCT
"any"
aggregate functions (Tom Lane)
This error led to a text
-type value being interpreted as an unknown
-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text
value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. CVE-2023-5868 or CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2023-5869 or CVE-2023-5869)
Prevent the pg_signal_backend
role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend
cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser
parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. CVE-2023-5870 or CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Prevent de-duplication of btree index entries for interval
columns (Noah Misch)
There are interval
values that are distinguishable but compare equal, for example 24:00:00
and 1 day
. This breaks assumptions made by btree de-duplication, so interval
columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval
columns.
Process date
values more sanely in BRIN datetime_minmax_multi_ops
indexes (Tomas Vondra)
The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi
indexes on date
columns is advisable.
Process large timestamp
and timestamptz
values more sanely in BRIN datetime_minmax_multi_ops
indexes (Tomas Vondra)
Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi
indexes on timestamp
and timestamptz
columns is advisable if the column contains, or has contained, infinities or large finite values.
Avoid calculation overflows in BRIN interval_minmax_multi_ops
indexes with extreme interval values (Tomas Vondra)
This bug might have caused unexpected failures while trying to insert large interval values into such an index.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL
condition on one of the partition keys could result in a crash.
Correctly identify the target table in an inherited UPDATE
/DELETE
/MERGE
even when the parent table is excluded by constraints (Amit Langote, Tom Lane)
If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN†errors.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])
) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema()
is applied to a non-data-returning Portal (Boyu Yang)
Throw the intended error if pgrowlocks()
is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported†would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex()
, pgstatginindex()
, pgstathashindex()
, or pgstattuple()
is applied to an invalid index. If brin_desummarize_range()
, brin_summarize_new_values()
, brin_summarize_range()
, or gin_clean_pending_list()
is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX
had left behind.
Avoid premature memory allocation failure with long inputs to to_tsvector()
(Tom Lane)
Fix over-allocation of the constructed tsvector
in tsvectorrecv()
(Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector
. In extreme cases this could lead to “maximum total lexeme length exceeded†failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Fix incorrect coding in gtsvector_picksplit()
(Alexander Lakhin)
This could lead to poor page-split decisions in GiST indexes on tsvector
columns.
Improve checks for corrupt PGLZ compressed data (Flavien Guedez)
Fix COMMIT AND CHAIN
/ROLLBACK AND CHAIN
to work properly when there is an unreleased savepoint (Liu Xiang, Tom Lane)
Instead of propagating the current transaction's properties to the new transaction, they propagated some previous transaction's properties.
In COPY FROM
, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)
Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0†instead of a useful error message.
Avoid crash in EXPLAIN
if a parameter marked to be displayed by EXPLAIN
has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT DROP
temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK
condition).
Avoid improper response to shutdown signals in child processes just forked by system()
(Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system()
, but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control
in frontend programs (Thomas Munro)
On some file systems, reading pg_control
may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
Avoid torn reads of pg_control
in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control
, to ensure we get a consistent view of that file.
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size
large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
Fix briefly showing inconsistent progress statistics for ANALYZE
on inherited tables (Heikki Linnakangas)
The block-level counters should be reset to zero at the same time we update the current-relation field.
Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)
Track the dependencies of cached CALL
statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL
argument, can create the need to re-plan a CALL
that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failedâ€.
Track nesting depth correctly when inspecting RECORD
-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno†errors.
Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)
In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.
Fix error-handling bug in RECORD
type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Ensure that standby-mode WAL recovery reports an error when an invalid page header is found (Yugo Nagata, Kyotaro Horiguchi)
Fix datatype size confusion in logical tape management (Ranier Vilela)
Integer overflow was possible on platforms where long is wider than int, although it would take a multiple-terabyte temporary file to cause a problem.
Avoid unintended close of syslogger process's stdin (Heikki Linnakangas)
Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)
Aside from saving a few cycles, this prevents failure after a cache invalidation for statements that must not set a snapshot, such as SET TRANSACTION ISOLATION LEVEL
.
Keep by-reference attmissingval
values in a long-lived context while they are being used (Andrew Dunstan)
This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.
Recalculate the effective value of search_path
after ALTER ROLE
(Jeff Davis)
This ensures that after renaming a role, the meaning of the special string $user
is re-determined.
Fix “could not duplicate handle†error occurring on Windows when min_dynamic_shared_memory
is set above zero (Thomas Munro)
Fix order of operations in GenericXLogFinish
(Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom
does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use of abstime
, reltime
, and tinterval
data types (Ãlvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)
This has only been seen to occur when the server connection runs through pgbouncer.
Avoid false “too many client connections†errors in pgbench on Windows (Noah Misch)
In contrib/amcheck
, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its levelâ€, “block NNNN is not leftmost†or “left link/right link pair in index XXXX not in agreementâ€. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM
had cleaned things up.
Fix failure of contrib/btree_gin
indexes on interval
columns, when an indexscan using the <
or <=
operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress
linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
When building contrib/unaccent
's rules file, fall back to using python
if --with-python
was not given and make variable PYTHON
was not set (Japin Li)
Remove PHOT
(Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Release date: 2023-08-10
This release contains a variety of fixes from 14.8. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you use BRIN indexes, it may be advisable to reindex them; see the second changelog entry below.
Also, if you are upgrading from a version earlier than 14.4, see Version 14.4.
Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)
This restriction guards against SQL-injection hazards for trusted extensions.
The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. CVE-2023-39417 or CVE-2023-39417)
Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)
Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.
This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX
any BRIN indexes that may be used to search for nulls.
Avoid leaving a corrupted database behind when DROP DATABASE
is interrupted (Andres Freund)
If DROP DATABASE
was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database
row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE
.
Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)
If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.
Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION
(Michael Paquier)
Such an index will now be ignored, and a new child index created instead.
Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)
The update of the index's pg_index
entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple†error.
Fix ALTER EXTENSION SET SCHEMA
to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)
Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.
Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)
This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.
Don't Memoize lateral joins with volatile join conditions (Richard Guo)
Applying Memoize to a sub-plan that contains volatile filter conditions is likely to lead to wrong answers. The check to avoid doing this missed some cases that can arise when using LATERAL
.
Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)
The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)
Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)
Fix race conditions in conflict detection for SERIALIZABLE
isolation mode (Thomas Munro)
Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.
Fix misbehavior of EvalPlanQual checks with inherited or partitioned target tables (Tom Lane)
This oversight could lead to update or delete actions in READ COMMITTED
isolation mode getting performed when they should have been skipped because of a conflicting concurrent update.
Fix hash join with an inner-side hash key that contains Params coming from an outer nested loop (Tom Lane)
When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.
Fix intermittent failures when trying to update a field of a composite column (Tom Lane)
If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.
Prevent query-lifespan memory leaks in some UPDATE
queries with triggers (Tomas Vondra)
Prevent query-lifespan memory leaks when an Incremental Sort plan node is rescanned (James Coleman, Laurenz Albe, Tom Lane)
Accept fractional seconds in the input to jsonpath
's datetime()
method (Tom Lane)
Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)
Allow tokens up to 10240 bytes long in pg_hba.conf
and pg_ident.conf
(Tom Lane)
The previous limit of 256 bytes has been found insufficient for some use-cases.
Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)
If JIT is in use, running out of memory in a C++ new
call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.
Fix rare null-pointer crash in plancache.c
(Tom Lane)
Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)
Ensure that the segment is moved into the appropriate “bin†for its new amount of free space, so that it will be found by subsequent searches.
Allow VACUUM
to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)
If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX
will fix the broken index, but preventing VACUUM
from completing until that is done risks making matters far worse.
Ensure that WrapLimitsVacuumLock
is released after VACUUM
detects invalid data in pg_database
.datfrozenxid
or pg_database
.datminmxid
(Andres Freund)
Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.
Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)
After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held†in the startup process.
Fix possible failure while promoting a standby server, if archiving is enabled and two-phase transactions need to be recovered (Julian Markwort)
If any required two-phase transactions were logged in the most recent (partial) log segment, promotion would fail with an incorrect complaint about “requested WAL segment has already been removedâ€.
Ensure that a newly created, but still empty table is fsync
'ed at the next checkpoint (Heikki Linnakangas)
Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file†errors.
Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)
While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.
Fix missing reinitializations of delay-checkpoint-end flags (suyu.cmj)
This could result in unnecessary delays of checkpoints, or in assertion failures in assert-enabled builds.
Fix overly strict assertion in jsonpath
code (David Rowley)
This assertion failed if a query applied the .type()
operator to a like_regex
result. There was no bug in non-assert builds.
Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)
Fix contrib/fuzzystrmatch
's Soundex difference()
function to handle empty input sanely (Alexander Lakhin, Tom Lane)
An input string containing no alphabetic characters resulted in unpredictable output.
Tighten whitespace checks in contrib/hstore
input (Evan Jones)
In some cases, characters would be falsely recognized as whitespace and hence discarded.
Disallow oversize input arrays with contrib/intarray
's gist__int_ops
index opclass (Ankit Kumar Pandey, Alexander Lakhin)
Previously this code would report a NOTICE
but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.
Avoid useless double decompression of GiST index entries in contrib/intarray
(Konstantin Knizhnik, Matthias van de Meent, Tom Lane)
Fix contrib/pageinspect
's gist_page_items()
function to work when there are included index columns (Alexander Lakhin, Michael Paquier)
Previously, if the index has included columns, gist_page_items()
would fail to display those values on index leaf pages, or crash outright on non-leaf pages.
Fix pg_dump to correctly handle new-style SQL-language functions whose bodies require parse-time dependencies on unique indexes (Tom Lane)
Such cases can arise from GROUP BY
and ON CONFLICT
clauses, for example. The function must then be postponed until after the unique index in the dump output, but pg_dump did not do that and instead printed a warning about “could not resolve dependency loopâ€.
Ensure that pg_index
.indisreplident
is kept up-to-date in relation cache entries (Shruthi Gowda)
This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.
Release date: 2023-05-11
This release contains a variety of fixes from 14.7. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Fix enabling/disabling of cloned triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER USER
skipped cloned triggers, mistaking them for system triggers. Other variants of ENABLE/DISABLE TRIGGER
would process them, but only after improperly enforcing a superuserness check.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized†errors at runtime.
Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)
Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expectedâ€.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Fix memory leak in Memoize plan execution (David Rowley)
Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)
Restore support for sub-millisecond vacuum_cost_delay
settings (Thomas Munro)
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type†errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed†confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots†error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)
The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.
Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)
This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer
according to the documentation, but the code had it as CommitTSBuffer
. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Re-activate reporting of wait event SLRUFlushSync
(Thomas Munro)
Reporting of this type of wait was accidentally removed in code refactoring.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size
accurately.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
Correctly detect non-seekable files on Windows (Juan José SantamarÃa Flecha, Michael Paquier, Daniel Watzinger)
This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.
In pgbench's “prepared†mode, prepare all the commands in a pipeline before starting the pipeline (Ãlvaro Herrera)
This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.
In contrib/amcheck
's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)
In contrib/amcheck
, deal sanely with xids that appear to be before epoch zero (Andres Freund)
In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen
option of a GiST index on an ltree
column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
In contrib/pageinspect
, add defenses against incorrect input for the gist_page_items()
function (Dmitry Koval)
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 14.6. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. CVE-2022-41862 or CVE-2022-41862)
Fix calculation of which GENERATED
columns need to be updated in child tables during an UPDATE
on a partitioned table or inheritance tree (Amit Langote, Tom Lane)
This fixes failure to update GENERATED
columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.
Allow a WITH RECURSIVE ... CYCLE
CTE to access its output column (Tom Lane)
A reference to the SET
column from within the CTE would fail with “cache lookup failed for type 0â€.
Fix handling of pending inserts when doing a bulk insertion to a foreign table (Etsuro Fujita)
In some cases pending insertions were not flushed to the FDW soon enough, leading to logical inconsistencies, for example BEFORE ROW
triggers not seeing rows they should be able to see.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type†error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix jsonb
subscripting to cope with toasted subscript values (Tom Lane, David G. Johnston)
Using a text value fetched directly from a table as a jsonb
subscript was likely to fail. Fetches would usually not find any matching element. Assignments could store the value with a garbage key, although keys long enough to cause that problem are probably rare in the field.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction†log message.
Improve error reporting for some buffered file read failures (Peter Eisentraut)
Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix planner issues when combining Memoize nodes with partitionwise joins or parameterized nestloops (Richard Guo)
These errors could lead to not using Memoize in contexts where it would be useful, or possibly to wrong query plans.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query†errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed†bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Fix under-parenthesized display of AT TIME ZONE
constructs (Tom Lane)
This could result in dump/restore failures for rules or views in which an argument of AT TIME ZONE
is itself an expression.
Prevent clobbering of cached parsetrees for utility statements in SQL functions (Tom Lane, Daniel Gustafsson)
If a SQL-language function executes the same utility command more than once within a single calling query, it could crash or report strange errors such as “unrecognized node typeâ€.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Fix deadlock between DROP DATABASE
and logical replication worker process (Hou Zhijie)
This was caused by an ill-advised choice to block interrupts while creating a logical replication slot in the worker. In version 15 that could lead to an undetected deadlock. In version 14, no deadlock has been observed, but it's still a bad idea to block interrupts while waiting for network I/O.
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)
A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size
. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.
In logical decoding, notify the remote node when a transaction is detected to have crashed (Hou Zhijie)
After a server restart, we'll re-stream the changes for transactions occurring shortly before the restart. Some of these transactions probably never completed; when we realize that one didn't we throw away the relevant decoding state locally, but we neglected to tell the subscriber about it. That led to the subscriber keeping useless streaming files until it's next restarted.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock†panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix int64_div_fast_to_numeric()
to work for a wider range of inputs (Dean Rasheed)
This function misbehaved with some values of its second argument. No such usages exist in core PostgreSQL, but it's clearly a hazard for external modules, so repair.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Fix assertion failure in BRIN minmax-multi opclasses (Tomas Vondra)
The assertion was overly strict, so this mistake was harmless in non-assert builds.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix psql's \sf
and \ef
commands to handle SQL-language functions that have SQL-standard function bodies (Tom Lane)
These commands misidentified the start of the function body when it used new-style syntax.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched†errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 14.5. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
Avoid rare PANIC during updates occurring concurrently with VACUUM
(Tom Lane, Jeff Davis)
If a concurrent VACUUM
sets the all-visible flag bit in a page that UPDATE
or DELETE
is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type†errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Fix resource management bug in saving tuples for AFTER
triggers (Tom Lane)
Given the right circumstances, this manifested as a “tupdesc reference NNNN
is not owned by resource owner†error followed by a PANIC exit.
Avoid failure in EXPLAIN VERBOSE
for a query using SEARCH BREADTH FIRST
with constant initial values (Tom Lane)
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Ãlvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)
If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Remove pointless check on replica identity setting of partitioned tables (Hou Zhijie)
What matters is the replica identity setting of the leaf partitions, so there's no need to throw error if it's not set on the parent.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
Fix type circle
's equality comparator to handle NaNs properly (Ranier Vilela)
If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid misbehavior when choosing hash table size with very small work_mem
and large tuples (Zhang Mingli)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the planâ€.
In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)
The single-row flag was not reset at the correct time if pipeline mode was also active.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list†errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Ãlvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 14.4. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place†tablespaces (Thomas Munro, Michael Paquier, Ãlvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place†tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix forCVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)
Fix incorrect permissions-checking code for extended statistics (Richard Guo)
If there are extended statistics on a table that the user has only partial SELECT
permissions on, some queries would fail with “unrecognized node type†errors.
Fix extended statistics machinery to handle MCV-type statistics on boolean-valued expressions (Tom Lane)
Statistics collection worked fine, but a query containing such an expression in WHERE
would fail with “unknown clause typeâ€.
Avoid planner core dump with
clauses when there are MCV-type extended statistics on the constant
= ANY(array
)array
variable (Tom Lane)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to handle recursion correctly for triggers on partitioned tables (Ãlvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist†failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Allow cancellation of ANALYZE
while it is computing extended statistics (Tom Lane, Justin Pryzby)
In some scenarios with high statistics targets, it was possible to spend many seconds in an un-cancellable sort operation.
Improve syntax error messages for type jsonpath
(Andrew Dunstan)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix trim_array()
to handle a zero-dimensional array argument sanely (Martin Kalcher)
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)
The replica identity columns have to be re-identified for the child partition.
Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Avoid assertion failure when min_dynamic_shared_memory
is set to a non-default value (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit()
, rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT
but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit()
as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain()
except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction()
as a no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so they will not notice any change. Similar remarks apply to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Improve libpq's handling of idle states in pipeline mode (Ãlvaro Herrera, Kyotaro Horiguchi)
This fixes “message type 0x33 arrived from server while idle†warnings, as well as possible loss of end-of-query NULL results from PQgetResult()
.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix pg_upgrade to detect non-upgradable usages of functions taking anyarray
(Justin Pryzby)
Version 14 changed some built-in functions to take type anycompatiblearray
instead of anyarray
. While this is mostly transparent, user-defined aggregates and operators built atop these functions have to be declared with exactly matching types. The presence of an object referencing the old signature will cause pg_upgrade to fail, so change it to detect and report such cases before beginning the upgrade.
Fix possible report of wrong error condition after clone()
failure in pg_upgrade with --clone
option (Justin Pryzby)
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
In contrib/postgres_fdw
, prevent batch insertion when there are WITH CHECK OPTION
constraints (Etsuro Fujita)
Such constraints cannot be checked properly if more than one row is inserted at a time.
Fix contrib/postgres_fdw
to detect failure to send an asynchronous data fetch query (Fujii Masao)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Avoid using signalfd()
on illumos systems (Thomas Munro)
This appears to trigger hangs and kernel panics, so avoid the function until a fix is available.
Release date: 2022-06-16
This release contains a variety of fixes from 14.3. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you have any indexes that were created using the CONCURRENTLY
option under 14.X, you should re-index them after updating. See the first changelog entry below.
Also, if you are upgrading from a version earlier than 14.3, see Version 14.3.
Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY
option (Ãlvaro Herrera)
An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY
and REINDEX ... CONCURRENTLY
to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY
option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY
.)
Harden Memoize plan node against non-deterministic equality functions (David Rowley)
Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.
Fix incorrect cost estimates for Memoize plans (David Rowley)
This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.
Fix queries in which a “whole-row variable†references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list†planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Fix COPY FROM
's error checking in the case where the database encoding is SQL_ASCII
while the client's encoding is a multi-byte encoding (Heikki Linnakangas)
This mistake could lead to false complaints of invalidly-encoded input data.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Ãlvaro Herrera)
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)†instead of a useful error message; or in older releases it would lead to a crash.
Prevent crash after server connection loss in pg_amcheck (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to a crash.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 14.2. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you have any GiST indexes on columns of type ltree
(supplied by the contrib/ltree
extension), you should re-index them after updating. See the second changelog entry below.
Also, if you are upgrading from a version earlier than 14.2, see Version 14.2.
Confine additional operations within “security restricted operation†sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation†protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2022-1552 or CVE-2022-1552)
Fix default signature length for gist_ltree_ops
indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree
columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree
extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree
columns after installing this update. (Note that GiST indexes on ltree[]
columns, that is arrays of ltree
, are not affected.)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect roundoff when extracting epoch values from intervals (Peter Eisentraut)
The new numeric
-based code for EXTRACT()
failed to yield results equivalent to the old float
-based code, as a result of accidentally truncating the DAYS_PER_YEAR
value to an integer.
Defend against pg_stat_get_replication_slot (NULL)
(Andres Freund)
This function should be marked strict in the catalog data, but it was not in v14, so add a run-time check instead.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner failure when a Result plan node appears immediately underneath an Append node (Etsuro Fujita)
Recently-added code to support asynchronous remote queries failed to handle this case, leading to crashes or errors about unrecognized node types.
Fix planner failure if a query using SEARCH
or CYCLE
features contains a duplicate CTE name (Tom Lane, Kyotaro Horiguchi)
When the name of the recursive WITH
query is re-used within itself, the planner could crash or report odd errors such as “could not find attribute 2 in subquery targetlistâ€.
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Tighten lookup of the index “owned by†a constraint (Tom Lane, Japin Li)
Some code paths mistook the index depended on by a foreign key constraint for one owned by a unique or primary key constraint, resulting in odd errors during certain ALTER TABLE
operations on tables having foreign key constraints.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found†instead.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Prevent data loss if a system crash occurs shortly after a sorted GiST index build (Heikki Linnakangas)
The code path for building GiST indexes using sorting neglected to fsync
the file upon completion. This could result in a corrupted index if the operating system crashed shortly later.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty†error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshotâ€. This was usually harmless since the next use of that temporary schema would clean up successfully.
Re-allow underscore as the first character in a custom parameter name (Japin Li)
Such names were unintentionally disallowed in v14.
Add regress
option for the compute_query_id
parameter (Michael Paquier)
This is intended to facilitate testing, by allowing query IDs to be computed but not shown in EXPLAIN
output.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Wake up for latch events when the checkpointer is waiting between writes (Thomas Munro)
This improves responsiveness to backends sending sync requests. The change also creates a proper wait event class for these waits.
Fix “PANIC: xlog flush request is not satisfied†failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)
If publish_via_partition_root
is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)
Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.
Make the server more robust against missed timer interrupts (Michael Harris, Tom Lane)
An optimization added in v14 meant that if a server process somehow missed a timer interrupt, it would never again ask the kernel for another one, thus breaking timeout detection for the remainder of the session. This seems unduly fragile, so add a recovery path.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy()
function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy()
would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput()
returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult
object, which is a much cleaner behavior for most applications.
Re-allow database
.schema
.table
patterns in psql, pg_dump, and pg_amcheck (Mark Dilger)
Versions before v14 silently ignored all but the schema
and table
fragments of a pattern containing more than one dot. Refactoring in v14 accidentally broke that use-case. Reinstate it, but now complain if the first fragment is not the name of the current database.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space†contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, disable batch insertion when BEFORE INSERT ... FOR EACH ROW
triggers exist on the foreign table (Etsuro Fujita)
Such a trigger might query the table it's on and expect to see previously-inserted rows. With batch insertion, those rows might not be visible yet, so disable the feature to avoid unexpected behavior.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Fix configure to handle platforms that have sys/epoll.h
but not sys/signalfd.h
(Tom Lane)
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Do not add OpenSSL dependencies to libpq's pkg-config
file when building without OpenSSL (Fabrice Fontaine)
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 14.1. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, some bugs have been found that may have resulted in corrupted indexes, as explained in the first two changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 14.1, see Version 14.1.
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY
(Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY
tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE
locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Fix corruption of HOT chains when a RECENTLY_DEAD tuple changes state to fully DEAD during page pruning (Andres Freund)
It was possible for VACUUM
to remove a recently-dead tuple while leaving behind a redirect item that pointed to it. When the tuple's item slot is later re-used by some new tuple, that tuple would be seen as part of the pre-existing HOT chain, creating a form of index corruption. If this has happened, reindexing the table should repair the damage. However, this is an extremely low-probability scenario, so we do not recommend reindexing just on the chance that it might have happened.
Fix crash in EvalPlanQual rechecks for tables with a mix of local and foreign partitions (Etsuro Fujita)
Fix dangling pointer in COPY TO
(Bharath Rupireddy)
This oversight could cause an incorrect error message or a crash after an error in COPY
.
Avoid null-pointer crash in ALTER STATISTICS
when the statistics object is dropped concurrently (Tomas Vondra)
Correctly handle alignment padding when extracting a range from a multirange (Alexander Korotkov)
This error could cause crashes when handling multiranges over variable-length data types.
Fix over-optimistic use of hashing for anonymous RECORD
data types (Tom Lane)
This prevents some cases of “could not identify a hash function for type record†errors.
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Fix Memoize plan nodes to handle subplans that use parameters coming from above the Memoize (David Rowley)
Fix Memoize plan nodes to work correctly with non-hashable join operators (David Rowley)
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix checking of anycompatible
-family data type matches (Tom Lane)
In some cases the parser would think that a function or operator with anycompatible
-family polymorphic parameters matches a set of arguments that it really shouldn't match. In reported cases, that led to matching more than one operator to a call, leading to ambiguous-operator errors; but a failure later on is also possible.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Ãlvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXidsâ€. The replica would retry, but could never get past that error.
In logical replication, avoid double transmission of a child table's data (Hou Zhijie)
If a publication includes both child and parent tables, and has the publish_via_partition_root
option set, subscribers uselessly initiated synchronization on both child and parent tables. Ensure that only the parent table is synchronized in such cases.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Ensure that replication origin timestamp is set while replicating a ROLLBACK PREPARED
operation (Masahiko Sawada)
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX
(Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Fix failure of SP-GiST indexes when the indexed column's data type is binary-compatible with the declared input type of the operator class (Tom Lane)
Such cases should work, but failed with “compress method must be defined when leaf type is different from input typeâ€.
Allow parallel vacuuming and concurrent index building to be ignored while computing oldest xmin (Masahiko Sawada)
Non-parallelized instances of these operations were already ignored, but the logic did not work for parallelized cases. Holding back the xmin horizon has undesirable effects such as delaying vacuum cleanup.
Fix memory leak when updating expression indexes (Peter Geoghegan)
An UPDATE
affecting many rows could consume significant amounts of memory.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Improve performance of walsenders sending logical changes by avoiding unnecessary cache accesses (Hou Zhijie)
Fix display of cert
authentication method's options in pg_hba_file_rules
view (Magnus Hagander)
The cert
authentication method implies clientcert=verify-full
, but the pg_hba_file_rules
view incorrectly reported clientcert=verify-ca
.
Ensure that the session targeted by pg_log_backend_memory_contexts()
sends its results only to the server's log (Fujii Masao)
Previously, a sufficiently high setting of client_min_messages
could result in the log message also being sent to the connected client. Since that client hadn't requested it, that would be surprising (and possibly a wire protocol violation).
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*â€, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
When reverse-listing a SQL-standard function body, display function parameters appropriately within INSERT ... SELECT
(Tom Lane)
Previously, they'd come out as $
even when the parameter had a name.N
Fix one-byte buffer overrun when applying Unicode string normalization to an empty string (Michael Paquier)
The practical impact of this is limited thanks to alignment considerations; but in debug builds, a warning was raised.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
Fix psql \d
command's query for identifying parent triggers (Justin Pryzby)
The previous coding failed with “more than one row returned by a subquery used as an expression†if a partition had triggers and there were unrelated statement-level triggers of the same name on some parent partitioned table.
Make psql's \d
command sort a table's extended statistics objects by name not OID (Justin Pryzby)
Fix psql's tab-completion of label values for enum types (Tom Lane)
Fix failures on Windows when using the terminal as data source or destination (Dmitry Koval, Juan José SantamarÃa Flecha, Michael Paquier)
This affects psql's \copy
command, as well as pg_recvlogical with -f -
.
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix pg_dump's --inserts
and --column-inserts
modes to handle tables containing both generated columns and dropped columns (Tom Lane)
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Fix edge cases in postgres_fdw
's handling of asynchronous queries (Etsuro Fujita)
These errors could lead to crashes or incorrect results when attempting to parallelize scans of foreign tables.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Re-allow cross-compilation without OpenSSL (Tom Lane)
configure should assume that /dev/urandom
will be available on the target system, but it failed instead.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 14.0. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable toCVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Ãlvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Ensure that parallel VACUUM
doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)
A parallel VACUUM
would fail to process indexes that are below the min_parallel_index_scan_size
cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM
; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix REINDEX CONCURRENTLY
to preserve operator class parameters that were attached to the target index (Michael Paquier)
Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)
The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1
.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Ãlvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)
CREATE TYPE
incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE
command was stored in the plan cache and used again later.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val
failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES
and FOR UPDATE SKIP LOCKED
(David Christensen)
FETCH FIRST WITH TIES
necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE
is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED
option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow ALTER INDEX index ALTER COLUMN col SET (options)
(Nathan Bossart, Michael Paquier)
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)
This error could result in crashes or incorrect query results.
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)
If a function in FROM
laterally references the output of some sub-SELECT
earlier in the FROM
clause, and we are able to flatten that sub-SELECT
into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT
immediately followed by a BEGIN ... EXCEPTION
block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix “could not find RecursiveUnion†error when EXPLAIN
tries to print a filter condition attached to a WorkTableScan node (Tom Lane)
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Ãlvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME
can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX
.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Ãlvaro Herrera)
Prevent “snapshot reference leak†warning when lo_export()
or a related function fails (Heikki Linnakangas)
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Avoid O (N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm
extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Add more defensive checks around B-tree posting list splits (Peter Geoghegan)
This change should help detect index corruption involving duplicate table TIDs.
Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra)
In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.
Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts()
requests more quickly (Koyu Tanigawa)
Fix memory leak in HMAC hash calculations (Sergey Shinderuk)
Disallow setting huge_pages
to on
when shared_memory_type
is sysv
(Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix checking of query type in PL/pgSQL's RETURN QUERY
statement (Tom Lane)
RETURN QUERY
should accept any query that can return tuples, e.g. UPDATE RETURNING
. v14 accidentally disallowed anything but SELECT
; moreover, the RETURN QUERY EXECUTE
variant failed to apply any query-type check at all.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)
This avoids unhelpful checks of relations that will almost certainly appear inconsistent.
Make contrib/amcheck
skip unlogged tables when running on a standby server (Mark Dilger)
It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.
Change contrib/pg_stat_statements
to read its “query texts†file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
When running a TAP test, include the module's own directory in PATH
(Andrew Dunstan)
This allows tests to find built programs that are not installed, such as custom test drivers.
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-09-30
PostgreSQL 14 contains many new features and enhancements, including:
Stored procedures can now return data via OUT
parameters.
The SQL-standard SEARCH
and CYCLE
options for common table expressions have been implemented.
Subscripting can now be applied to any data type for which it is a useful notation, not only arrays. In this release, the jsonb
and hstore
types have gained subscripting operators.
Range types have been extended by adding multiranges, allowing representation of noncontiguous data ranges.
Numerous performance improvements have been made for parallel queries, heavily-concurrent workloads, partitioned tables, logical replication, and vacuuming.
B-tree index updates are managed more efficiently, reducing index bloat.
VACUUM
automatically becomes more aggressive, and skips inessential cleanup, if the database starts to approach a transaction ID wraparound condition.
Extended statistics can now be collected on expressions, allowing better planning results for complex queries.
libpq now has the ability to pipeline multiple queries, which can boost throughput over high-latency connections.
The above items and other new features of PostgreSQL 14 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.
Version 14 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
User-defined objects that reference certain built-in array functions along with their argument types must be recreated (Tom Lane)
Specifically, array_append()
, array_prepend()
, array_cat()
, array_position()
, array_positions()
, array_remove()
, array_replace()
, and width_bucket()
used to take anyarray
arguments but now take anycompatiblearray
. Therefore, user-defined objects like aggregates and operators that reference those array function signatures must be dropped before upgrading, and recreated once the upgrade completes.
Remove deprecated containment operators @
and ~
for built-in geometric data types and contrib modules cube, hstore, intarray, and seg (Justin Pryzby)
The more consistently named <@
and @>
have been recommended for many years.
Fix to_tsquery()
and websearch_to_tsquery()
to properly parse query text containing discarded tokens (Alexander Korotkov)
Certain discarded tokens, like underscore, caused the output of these functions to produce incorrect tsquery output, e.g., both websearch_to_tsquery('"pg_class pg"')
and to_tsquery('pg_class <-> pg')
used to output ( 'pg' & 'class' ) <-> 'pg'
, but now both output 'pg' <-> 'class' <-> 'pg'
.
Fix websearch_to_tsquery()
to properly parse multiple adjacent discarded tokens in quotes (Alexander Korotkov)
Previously, quoted text that contained multiple adjacent discarded tokens was treated as multiple tokens, causing incorrect tsquery output, e.g., websearch_to_tsquery('"aaa: bbb"')
used to output 'aaa' <2> 'bbb'
, but now outputs 'aaa' <-> 'bbb'
.
Change EXTRACT()
to return type numeric
instead of float8
(Peter Eisentraut)
This avoids loss-of-precision issues in some usages. The old behavior can still be obtained by using the old underlying function date_part()
.
Also, EXTRACT(date)
now throws an error for units that are not part of the date
data type.
Change var_samp()
and stddev_samp()
with numeric parameters to return NULL when the input is a single NaN value (Tom Lane)
Previously NaN
was returned.
Return false for has_column_privilege()
checks on non-existent or dropped columns when using attribute numbers (Joe Conway)
Previously such attribute numbers returned an invalid-column error.
Fix handling of infinite window function ranges (Tom Lane)
Previously window frame clauses like 'inf' PRECEDING AND 'inf' FOLLOWING
returned incorrect results.
Remove factorial operators !
and !!
, as well as function numeric_fac()
(Mark Dilger)
The factorial()
function is still supported.
Disallow factorial()
of negative numbers (Peter Eisentraut)
Previously such cases returned 1.
Remove support for postfix (right-unary) operators (Mark Dilger)
pg_dump and pg_upgrade will warn if postfix operators are being dumped.
Allow \D
and \W
shorthands to match newlines in regular expression newline-sensitive mode (Tom Lane)
Previously they did not match newlines in this mode, but that disagrees with the behavior of other common regular expression engines. [^[:digit:]]
or [^[:word:]]
can be used to get the old behavior.
Disregard constraints when matching regular expression back-references (Tom Lane)
For example, in (^\d+).*\1
, the ^
constraint should be applied at the start of the string, but not when matching \1
.
Disallow \w
as a range start or end in regular expression character classes (Tom Lane)
This previously was allowed but produced unexpected results.
Require custom server parameter names to use only characters that are valid in unquoted SQL identifiers (Tom Lane)
Change the default of the password_encryption server parameter to scram-sha-256
(Peter Eisentraut)
Previously it was md5
. All new passwords will be stored as SHA256 unless this server setting is changed or the password is specified in MD5 format. Also, the legacy (and undocumented) Boolean-like values which were previously synonyms for md5
are no longer accepted.
Remove server parameter vacuum_cleanup_index_scale_factor
(Peter Geoghegan)
This setting was ignored starting in PostgreSQL version 13.3.
Remove server parameter operator_precedence_warning
(Tom Lane)
This setting was used for warning applications about PostgreSQL 9.5 changes.
Overhaul the specification of clientcert
in pg_hba.conf
(Kyotaro Horiguchi)
Values 1
/0
/no-verify
are no longer supported; only the strings verify-ca
and verify-full
can be used. Also, disallow verify-ca
if cert authentication is enabled since cert requires verify-full
checking.
Remove support for SSL compression (Daniel Gustafsson, Michael Paquier)
This was already disabled by default in previous PostgreSQL releases, and most modern OpenSSL and TLS versions no longer support it.
Remove server and libpq support for the version 2 wire protocol (Heikki Linnakangas)
This was last used as the default in PostgreSQL 7.3 (released in 2002).
Disallow single-quoting of the language name in the CREATE/DROP LANGUAGE
command (Peter Eisentraut)
Remove the composite types that were formerly created for sequences and toast tables (Tom Lane)
Process doubled quote marks in ecpg SQL command strings correctly (Tom Lane)
Previously 'abc''def'
was passed to the server as 'abc'def'
, and "abc""def"
was passed as "abc"def"
, causing syntax errors.
Prevent the containment operators (<@
and @>
) for intarray from using GiST indexes (Tom Lane)
Previously a full GiST index scan was required, so just avoid that and scan the heap, which is faster. Indexes created for this purpose should be removed.
Remove contrib program pg_standby (Justin Pryzby)
Prevent tablefunc's function normal_rand()
from accepting negative values (Ashutosh Bapat)
Negative values produced undesirable results.
Below you will find a detailed account of the changes between PostgreSQL 14 and the previous major release.
Add predefined roles pg_read_all_data
and pg_write_all_data
(Stephen Frost)
These non-login roles can be used to give read or write permission to all tables, views, and sequences.
Add predefined role pg_database_owner
that contains only the current database's owner (Noah Misch)
This is especially useful in template databases.
Remove temporary files after backend crashes (Euler Taveira)
Previously, such files were retained for debugging purposes. If necessary, deletion can be disabled with the new server parameter remove_temp_files_after_crash.
Allow long-running queries to be canceled if the client disconnects (Sergey Cherkashin, Thomas Munro)
The server parameter client_connection_check_interval allows control over whether loss of connection is checked for intra-query. (This is supported on Linux and a few other operating systems.)
Add an optional timeout parameter to pg_terminate_backend()
(Magnus Hagander)
Allow wide tuples to be always added to almost-empty heap pages (John Naylor, Floris van Nee)
Previously tuples whose insertion would have exceeded the page's fill factor were instead added to new pages.
Add Server Name Indication (SNI) in SSL connection packets (Peter Eisentraut)
This can be disabled by turning off client connection option sslsni
.
Allow vacuum to skip index vacuuming when the number of removable index entries is insignificant (Masahiko Sawada, Peter Geoghegan)
The vacuum parameter INDEX_CLEANUP
has a new default of auto
that enables this optimization.
Allow vacuum to more eagerly add deleted btree pages to the free space map (Peter Geoghegan)
Previously vacuum could only add pages to the free space map that were marked as deleted by previous vacuums.
Allow vacuum to reclaim space used by unused trailing heap line pointers (Matthias van de Meent, Peter Geoghegan)
Allow vacuum to be more aggressive in removing dead rows during minimal-locking index operations (Ãlvaro Herrera)
Specifically, CREATE INDEX CONCURRENTLY
and REINDEX CONCURRENTLY
no longer limit the dead row removal of other relations.
Speed up vacuuming of databases with many relations (Tatsuhito Kasahara)
Reduce the default value of vacuum_cost_page_miss to better reflect current hardware capabilities (Peter Geoghegan)
Add ability to skip vacuuming of TOAST tables (Nathan Bossart)
VACUUM
now has a PROCESS_TOAST
option which can be set to false to disable TOAST processing, and vacuumdb has a --no-process-toast
option.
Have COPY FREEZE
appropriately update page visibility bits (Anastasia Lubennikova, Pavan Deolasee, Jeff Janes)
Cause vacuum operations to be more aggressive if the table is near xid or multixact wraparound (Masahiko Sawada, Peter Geoghegan)
This is controlled by vacuum_failsafe_age and vacuum_multixact_failsafe_age.
Increase warning time and hard limit before transaction id and multi-transaction wraparound (Noah Misch)
This should reduce the possibility of failures that occur without having issued warnings about wraparound.
Add per-index information to autovacuum logging output (Masahiko Sawada)
Improve the performance of updates and deletes on partitioned tables with many partitions (Amit Langote, Tom Lane)
This change greatly reduces the planner's overhead for such cases, and also allows updates/deletes on partitioned tables to use execution-time partition pruning.
Allow partitions to be detached in a non-blocking manner (Ãlvaro Herrera)
The syntax is ALTER TABLE ... DETACH PARTITION ... CONCURRENTLY
, and FINALIZE
.
Ignore COLLATE
clauses in partition boundary values (Tom Lane)
Previously any such clause had to match the collation of the partition key; but it's more consistent to consider that it's automatically coerced to the collation of the partition key.
Allow btree index additions to remove expired index entries to prevent page splits (Peter Geoghegan)
This is particularly helpful for reducing index bloat on tables whose indexed columns are frequently updated.
Allow BRIN indexes to record multiple min/max values per range (Tomas Vondra)
This is useful if there are groups of values in each page range.
Allow BRIN indexes to use bloom filters (Tomas Vondra)
This allows BRIN indexes to be used effectively with data that is not well-localized in the heap.
Allow some GiST indexes to be built by presorting the data (Andrey Borodin)
Presorting happens automatically and allows for faster index creation and smaller indexes.
Allow SP-GiST indexes to contain INCLUDE
'd columns (Pavel Borisov)
Allow hash lookup for IN
clauses with many constants (James Coleman, David Rowley)
Previously the code always sequentially scanned the list of values.
Increase the number of places extended statistics can be used for OR
clause estimation (Tomas Vondra, Dean Rasheed)
Allow extended statistics on expressions (Tomas Vondra)
This allows statistics on a group of expressions and columns, rather than only columns like previously. System view pg_stats_ext_exprs
reports such statistics.
Allow efficient heap scanning of a range of TIDs
(Edmund Horner, David Rowley)
Previously a sequential scan was required for non-equality TID
specifications.
Fix EXPLAIN CREATE TABLE AS
and EXPLAIN CREATE MATERIALIZED VIEW
to honor IF NOT EXISTS
(Bharath Rupireddy)
Previously, if the object already existed, EXPLAIN
would fail.
Improve the speed of computing MVCC visibility snapshots on systems with many CPUs and high session counts (Andres Freund)
This also improves performance when there are many idle sessions.
Add executor method to memoize results from the inner side of a nested-loop join (David Rowley)
This is useful if only a small percentage of rows is checked on the inner side. It can be disabled via server parameter enable_memoize.
Allow window functions to perform incremental sorts (David Rowley)
Improve the I/O performance of parallel sequential scans (Thomas Munro, David Rowley)
This was done by allocating blocks in groups to parallel workers.
Allow a query referencing multiple foreign tables to perform foreign table scans in parallel (Robert Haas, Kyotaro Horiguchi, Thomas Munro, Etsuro Fujita)
postgres_fdw supports this type of scan if async_capable
is set.
Allow analyze to do page prefetching (Stephen Frost)
This is controlled by maintenance_io_concurrency.
Improve performance of regular expression searches (Tom Lane)
Dramatically improve Unicode normalization performance (John Naylor)
This speeds normalize()
and IS NORMALIZED
.
Add ability to use LZ4 compression on TOAST data (Dilip Kumar)
This can be set at the column level, or set as a default via server parameter default_toast_compression. The server must be compiled with --with-lz4
to support this feature. The default setting is still pglz.
If server parameter compute_query_id is enabled, display the query id in pg_stat_activity
, EXPLAIN VERBOSE
, csvlog, and optionally in log_line_prefix (Julien Rouhaud)
A query id computed by an extension will also be displayed.
Improve logging of auto-vacuum and auto-analyze (Stephen Frost, Jakub Wartak)
This reports I/O timings for auto-vacuum and auto-analyze if track_io_timing is enabled. Also, report buffer read and dirty rates for auto-analyze.
Add information about the original user name supplied by the client to the output of log_connections (Jacob Champion)
Add system view pg_stat_progress_copy
to report COPY
progress (Josef Šimánek, Matthias van de Meent)
Add system view pg_stat_wal
to report WAL activity (Masahiro Ikeda)
Add system view pg_stat_replication_slots
to report replication slot activity (Masahiko Sawada, Amit Kapila, Vignesh C)
The function pg_stat_reset_replication_slot()
resets slot statistics.
Add system view pg_backend_memory_contexts
to report session memory usage (Atsushi Torikoshi, Fujii Masao)
Add function pg_log_backend_memory_contexts()
to output the memory contexts of arbitrary backends (Atsushi Torikoshi)
Add session statistics to the pg_stat_database
system view (Laurenz Albe)
Add columns to pg_prepared_statements
to report generic and custom plan counts (Atsushi Torikoshi, Kyotaro Horiguchi)
Add lock wait start time to pg_locks
(Atsushi Torikoshi)
Make the archiver process visible in pg_stat_activity
(Kyotaro Horiguchi)
Add wait event WalReceiverExit
to report WAL receiver exit wait time (Fujii Masao)
Implement information schema view routine_column_usage
to track columns referenced by function and procedure default expressions (Peter Eisentraut)
Allow an SSL certificate's distinguished name (DN) to be matched for client certificate authentication (Andrew Dunstan)
The new pg_hba.conf
option clientname=DN
allows comparison with certificate attributes beyond the CN
and can be combined with ident maps.
Allow pg_hba.conf
and pg_ident.conf
records to span multiple lines (Fabien Coelho)
A backslash at the end of a line allows record contents to be continued on the next line.
Allow the specification of a certificate revocation list (CRL) directory (Kyotaro Horiguchi)
This is controlled by server parameter ssl_crl_dir and libpq connection option sslcrldir. Previously only single CRL files could be specified.
Allow passwords of an arbitrary length (Tom Lane, Nathan Bossart)
Add server parameter idle_session_timeout to close idle sessions (Li Japin)
This is similar to idle_in_transaction_session_timeout.
Change checkpoint_completion_target default to 0.9 (Stephen Frost)
The previous default was 0.5.
Allow %P
in log_line_prefix to report the parallel group leader's PID for a parallel worker (Justin Pryzby)
Allow unix_socket_directories to specify paths as individual, comma-separated quoted strings (Ian Lawrence Barwick)
Previously all the paths had to be in a single quoted string.
Allow startup allocation of dynamic shared memory (Thomas Munro)
This is controlled by min_dynamic_shared_memory. This allows more use of huge pages.
Add server parameter huge_page_size to control the size of huge pages used on Linux (Odin Ugedal)
Allow standby servers to be rewound via pg_rewind (Heikki Linnakangas)
Allow the restore_command setting to be changed during a server reload (Sergei Kornilov)
You can also set restore_command
to an empty string and reload to force recovery to only read from the pg_wal
directory.
Add server parameter log_recovery_conflict_waits to report long recovery conflict wait times (Bertrand Drouvot, Masahiko Sawada)
Pause recovery on a hot standby server if the primary changes its parameters in a way that prevents replay on the standby (Peter Eisentraut)
Previously the standby would shut down immediately.
Add function pg_get_wal_replay_pause_state()
to report the recovery state (Dilip Kumar)
It gives more detailed information than pg_is_wal_replay_paused()
, which still exists.
Add new read-only server parameter in_hot_standby (Haribabu Kommi, Greg Nancarrow, Tom Lane)
This allows clients to easily detect whether they are connected to a hot standby server.
Speed truncation of small tables during recovery on clusters with a large number of shared buffers (Kirk Jamison)
Allow file system sync at the start of crash recovery on Linux (Thomas Munro)
By default, PostgreSQL opens and fsyncs each data file in the database cluster at the start of crash recovery. A new setting, recovery_init_sync_method=syncfs
, instead syncs each filesystem used by the cluster. This allows for faster recovery on systems with many database files.
Add function pg_xact_commit_timestamp_origin()
to return the commit timestamp and replication origin of the specified transaction (Movead Li)
Add the replication origin to the record returned by pg_last_committed_xact()
(Movead Li)
Allow replication origin functions to be controlled using standard function permission controls (MartÃn Marqués)
Previously these functions could only be executed by superusers, and this is still the default.
Allow logical replication to stream long in-progress transactions to subscribers (Dilip Kumar, Amit Kapila, Ajin Cherian, Tomas Vondra, Nikhil Sontakke, Stas Kelvich)
Previously transactions that exceeded logical_decoding_work_mem were written to disk until the transaction completed.
Enhance the logical replication API to allow streaming large in-progress transactions (Tomas Vondra, Dilip Kumar, Amit Kapila)
The output functions begin with stream
. test_decoding also supports these.
Allow multiple transactions during table sync in logical replication (Peter Smith, Amit Kapila, Takamichi Osumi)
Immediately WAL-log subtransaction and top-level XID
association (Tomas Vondra, Dilip Kumar, Amit Kapila)
This is useful for logical decoding.
Enhance logical decoding APIs to handle two-phase commits (Ajin Cherian, Amit Kapila, Nikhil Sontakke, Stas Kelvich)
This is controlled via pg_create_logical_replication_slot()
.
Add cache invalidation messages to the WAL during command completion when using logical replication (Dilip Kumar, Tomas Vondra, Amit Kapila)
This allows logical streaming of in-progress transactions. When logical replication is disabled, invalidation messages are generated only at transaction completion.
Allow logical decoding to more efficiently process cache invalidation messages (Dilip Kumar)
This allows logical decoding to work efficiently in presence of a large amount of DDL.
Allow control over whether logical decoding messages are sent to the replication stream (David Pirotte, Euler Taveira)
Allow logical replication subscriptions to use binary transfer mode (Dave Cramer)
This is faster than text mode, but slightly less robust.
Allow logical decoding to be filtered by xid (Markus Wanner)
SELECT
, INSERT
(PG 14.0)Reduce the number of keywords that can't be used as column labels without AS
(Mark Dilger)
There are now 90% fewer restricted keywords.
Allow an alias to be specified for JOIN
's USING
clause (Peter Eisentraut)
The alias is created by writing AS
after the USING
clause. It can be used as a table qualification for the merged USING
columns.
Allow DISTINCT
to be added to GROUP BY
to remove duplicate GROUPING SET
combinations (Vik Fearing)
For example, GROUP BY CUBE (a,b), CUBE (b,c)
will generate duplicate grouping combinations without DISTINCT
.
Properly handle DEFAULT
entries in multi-row VALUES
lists in INSERT
(Dean Rasheed)
Such cases used to throw an error.
Add SQL-standard SEARCH
and CYCLE
clauses for common table expressions (Peter Eisentraut)
The same results could be accomplished using existing syntax, but much less conveniently.
Allow column names in the WHERE
clause of ON CONFLICT
to be table-qualified (Tom Lane)
Only the target table can be referenced, however.
Allow REFRESH MATERIALIZED VIEW
to use parallelism (Bharath Rupireddy)
Allow REINDEX
to change the tablespace of the new index (Alexey Kondratov, Michael Paquier, Justin Pryzby)
This is done by specifying a TABLESPACE
clause. A --tablespace
option was also added to reindexdb to control this.
Allow REINDEX
to process all child tables or indexes of a partitioned relation (Justin Pryzby, Michael Paquier)
Allow index commands using CONCURRENTLY
to avoid waiting for the completion of other operations using CONCURRENTLY
(Ãlvaro Herrera)
Improve the performance of COPY FROM
in binary mode (Bharath Rupireddy, Amit Langote)
Preserve SQL standard syntax for SQL-defined functions in view definitions (Tom Lane)
Previously, calls to SQL-standard functions such as EXTRACT()
were shown in plain function-call syntax. The original syntax is now preserved when displaying a view or rule.
Add the SQL-standard clause GRANTED BY
to GRANT
and REVOKE
(Peter Eisentraut)
Add OR REPLACE
option for CREATE TRIGGER
(Takamichi Osumi)
This allows pre-existing triggers to be conditionally replaced.
Allow TRUNCATE
to operate on foreign tables (Kazutaka Onishi, Kohei KaiGai)
The postgres_fdw module also now supports this.
Allow publications to be more easily added to and removed from a subscription (Japin Li)
The new syntax is ALTER SUBSCRIPTION ... ADD/DROP PUBLICATION
. This avoids having to specify all publications to add/remove entries.
Add primary keys, unique constraints, and foreign keys to system catalogs (Peter Eisentraut)
These changes help GUI tools analyze the system catalogs. The existing unique indexes of catalogs now have associated UNIQUE
or PRIMARY KEY
constraints. Foreign key relationships are not actually stored or implemented as constraints, but can be obtained for display from the function pg_get_catalog_foreign_keys().
Allow CURRENT_ROLE
every place CURRENT_USER
is accepted (Peter Eisentraut)
Allow extensions and built-in data types to implement subscripting (Dmitry Dolgov)
Previously subscript handling was hard-coded into the server, so that subscripting could only be applied to array types. This change allows subscript notation to be used to extract or assign portions of a value of any type for which the concept makes sense.
Allow subscripting of JSONB
(Dmitry Dolgov)
JSONB
subscripting can be used to extract and assign to portions of JSONB
documents.
Add support for multirange data types (Paul Jungwirth, Alexander Korotkov)
These are like range data types, but they allow the specification of multiple, ordered, non-overlapping ranges. An associated multirange type is automatically created for every range type.
Add support for the stemming of languages Armenian, Basque, Catalan, Hindi, Serbian, and Yiddish (Peter Eisentraut)
Allow tsearch data files to have unlimited line lengths (Tom Lane)
The previous limit was 4K bytes. Also remove function t_readline()
.
Add support for Infinity
and -Infinity
values in the numeric data type (Tom Lane)
Floating-point data types already supported these.
Add point operators <<|
and |>>
representing strictly above/below tests (Emre Hasegeli)
Previously these were called >^
and <^
, but that naming is inconsistent with other geometric data types. The old names remain available, but may someday be removed.
Add operators to add and subtract LSN
and numeric (byte) values (Fujii Masao)
Allow binary data transfer to be more forgiving of array and record OID
mismatches (Tom Lane)
Create composite array types for system catalogs (Wenjing Zeng)
User-defined relations have long had composite types associated with them, and also array types over those composite types. System catalogs now do as well. This change also fixes an inconsistency that creating a user-defined table in single-user mode would fail to create a composite array type.
Allow SQL-language functions and procedures to use SQL-standard function bodies (Peter Eisentraut)
Previously only string-literal function bodies were supported. When writing a function or procedure in SQL-standard syntax, the body is parsed immediately and stored as a parse tree. This allows better tracking of function dependencies, and can have security benefits.
Allow procedures to have OUT
parameters (Peter Eisentraut)
Allow some array functions to operate on a mix of compatible data types (Tom Lane)
The functions array_append()
, array_prepend()
, array_cat()
, array_position()
, array_positions()
, array_remove()
, array_replace()
, and width_bucket()
now take anycompatiblearray
instead of anyarray
arguments. This makes them less fussy about exact matches of argument types.
Add SQL-standard trim_array()
function (Vik Fearing)
This could already be done with array slices, but less easily.
Add bytea
equivalents of ltrim()
and rtrim()
(Joel Jacobson)
Support negative indexes in split_part()
(Nikhil Benesch)
Negative values start from the last field and count backward.
Add string_to_table()
function to split a string on delimiters (Pavel Stehule)
This is similar to the regexp_split_to_table()
function.
Add unistr()
function to allow Unicode characters to be specified as backslash-hex escapes in strings (Pavel Stehule)
This is similar to how Unicode can be specified in literal strings.
Add bit_xor()
XOR aggregate function (Alexey Bashtanov)
Add function bit_count()
to return the number of bits set in a bit or byte string (David Fetter)
Add date_bin()
function (John Naylor)
This function “bins†input timestamps, grouping them into intervals of a uniform length aligned with a specified origin.
Allow make_timestamp()
/make_timestamptz()
to accept negative years (Peter Eisentraut)
Negative values are interpreted as BC
years.
Add newer regular expression substring()
syntax (Peter Eisentraut)
The new SQL-standard syntax is SUBSTRING(text SIMILAR pattern ESCAPE escapechar)
. The previous standard syntax was SUBSTRING(text FROM pattern FOR escapechar)
, which is still accepted by PostgreSQL.
Allow complemented character class escapes \D, \S
, and \W
within regular expression brackets (Tom Lane)
Add [[:word:]]
as a regular expression character class, equivalent to \w
(Tom Lane)
Allow more flexible data types for default values of lead()
and lag()
window functions (Vik Fearing)
Make non-zero floating-point values divided by infinity return zero (Kyotaro Horiguchi)
Previously such operations produced underflow errors.
Make floating-point division of NaN by zero return NaN (Tom Lane)
Previously this returned an error.
Cause exp()
and power()
for negative-infinity exponents to return zero (Tom Lane)
Previously they often returned underflow errors.
Improve the accuracy of geometric computations involving infinity (Tom Lane)
Mark built-in type coercion functions as leakproof where possible (Tom Lane)
This allows more use of functions that require type conversion in security-sensitive situations.
Change pg_describe_object()
, pg_identify_object()
, and pg_identify_object_as_address()
to always report helpful error messages for non-existent objects (Michael Paquier)
Improve PL/pgSQL's expression and assignment parsing (Tom Lane)
This change allows assignment to array slices and nested record fields.
Allow plpgsql's RETURN QUERY
to execute its query using parallelism (Tom Lane)
Improve performance of repeated CALLs within plpgsql procedures (Pavel Stehule, Tom Lane)
Add pipeline mode to libpq (Craig Ringer, Matthieu Garrigues, Ãlvaro Herrera)
This allows multiple queries to be sent, only waiting for completion when a specific synchronization message is sent.
Enhance libpq's target_session_attrs
parameter options (Haribabu Kommi, Greg Nancarrow, Vignesh C, Tom Lane)
The new options are read-only
, primary
, standby
, and prefer-standby
.
Improve the output format of libpq's PQtrace()
(Aya Iwata, Ãlvaro Herrera)
Allow an ECPG SQL identifier to be linked to a specific connection (Hayato Kuroda)
This is done via DECLARE ... STATEMENT
.
Allow vacuumdb to skip index cleanup and truncation (Nathan Bossart)
The options are --no-index-cleanup
and --no-truncate
.
Allow pg_dump to dump only certain extensions (Guillaume Lelarge)
This is controlled by option --extension
.
Add pgbench permute()
function to randomly shuffle values (Fabien Coelho, Hironobu Suzuki, Dean Rasheed)
Include disconnection times in the reconnection overhead measured by pgbench with -C
(Yugo Nagata)
Allow multiple verbose option specifications (-v
) to increase the logging verbosity (Tom Lane)
This behavior is supported by pg_dump, pg_dumpall, and pg_restore.
Allow psql's \df
and \do
commands to specify function and operator argument types (Greg Sabino Mullane, Tom Lane)
This helps reduce the number of matches printed for overloaded names.
Add an access method column to psql's \d[i|m|t]+
output (Georgios Kokolatos)
Allow psql's \dt
and \di
to show TOAST tables and their indexes (Justin Pryzby)
Add psql command \dX
to list extended statistics objects (Tatsuro Yamada)
Fix psql's \dT
to understand array syntax and backend grammar aliases, like int
for integer
(Greg Sabino Mullane, Tom Lane)
When editing the previous query or a file with psql's \e
, or using \ef
and \ev
, ignore the results if the editor exits without saving (Laurenz Albe)
Previously, such edits would load the previous query into the query buffer, and typically execute it immediately. This was deemed to be probably not what the user wants.
Improve tab completion (Vignesh C, Michael Paquier, Justin Pryzby, Georgios Kokolatos, Julien Rouhaud)
Add command-line utility pg_amcheck to simplify running contrib/amcheck
tests on many relations (Mark Dilger)
Add --no-instructions
option to initdb (Magnus Hagander)
This suppresses the server startup instructions that are normally printed.
Stop pg_upgrade from creating analyze_new_cluster
script (Magnus Hagander)
Instead, give comparable vacuumdb instructions.
Remove support for the postmaster -o
option (Magnus Hagander)
This option was unnecessary since all passed options could already be specified directly.
Rename "Default Roles" to "Predefined Roles" (Bruce Momjian, Stephen Frost)
Add documentation for the factorial()
function (Peter Eisentraut)
With the removal of the ! operator in this release, factorial()
is the only built-in way to compute a factorial.
Add configure option --with-ssl={openssl}
to allow future choice of the SSL library to use (Daniel Gustafsson, Michael Paquier)
The spelling --with-openssl
is kept for compatibility.
Add support for abstract Unix-domain sockets (Peter Eisentraut)
This is currently supported on Linux and Windows.
Allow Windows to properly handle files larger than four gigabytes (Juan José SantamarÃa Flecha)
For example this allows COPY,
WAL files, and relation segment files to be larger than four gigabytes.
Add server parameter debug_discard_caches to control cache flushing for test purposes (Craig Ringer)
Previously this behavior could only be set at compile time. To invoke it during initdb, use the new option --discard-caches
.
Various improvements in valgrind error detection ability (Ãlvaro Herrera, Peter Geoghegan)
Add a test module for the regular expression package (Tom Lane)
Add support for LLVM version 12 (Andres Freund)
Change SHA1, SHA2, and MD5 hash computations to use the OpenSSL EVP API (Michael Paquier)
This is more modern and supports FIPS mode.
Remove separate build-time control over the choice of random number generator (Daniel Gustafsson)
This is now always determined by the choice of SSL library.
Add direct conversion routines between EUC_TW and Big5 encodings (Heikki Linnakangas)
Add collation version support for FreeBSD (Thomas Munro)
Add amadjustmembers
to the index access method API (Tom Lane)
This allows an index access method to provide validity checking during creation of a new operator class or family.
Provide feature-test macros in libpq-fe.h
for recently-added libpq features (Tom Lane, Ãlvaro Herrera)
Historically, applications have usually used compile-time checks of PG_VERSION_NUM
to test whether a feature is available. But that's normally the server version, which might not be a good guide to libpq's version. libpq-fe.h
now offers #define
symbols denoting application-visible features added in v14; the intent is to keep adding symbols for such features in future versions.
Allow subscripting of hstore values (Tom Lane, Dmitry Dolgov)
Allow GiST/GIN pg_trgm indexes to do equality lookups (Julien Rouhaud)
This is similar to LIKE
except no wildcards are honored.
Allow the cube data type to be transferred in binary mode (KaiGai Kohei)
Allow pgstattuple_approx()
to report on TOAST tables (Peter Eisentraut)
Add contrib module pg_surgery which allows changes to row visibility (Ashutosh Sharma)
This is useful for correcting database corruption.
Add contrib module old_snapshot to report the XID
/time mapping used by an active old_snapshot_threshold (Robert Haas)
Allow amcheck to also check heap pages (Mark Dilger)
Previously it only checked B-Tree index pages.
Allow pageinspect to inspect GiST indexes (Andrey Borodin, Heikki Linnakangas)
Change pageinspect block numbers to be bigints
(Peter Eisentraut)
Mark btree_gist functions as parallel safe (Steven Winfield)
Move query hash computation from pg_stat_statements to the core server (Julien Rouhaud)
The new server parameter compute_query_id's default of auto
will automatically enable query id computation when this extension is loaded.
Cause pg_stat_statements to track top and nested statements separately (Julien Rohaud)
Previously, when tracking all statements, identical top and nested statements were tracked as a single entry; but it seems more useful to separate such usages.
Add row counts for utility commands to pg_stat_statements (Fujii Masao, Katsuragi Yuta, Seino Yuki)
Add pg_stat_statements_info
system view to show pg_stat_statements activity (Katsuragi Yuta, Yuki Seino, Naoki Nakamichi)
Allow postgres_fdw to INSERT
rows in bulk (Takayuki Tsunakawa, Tomas Vondra, Amit Langote)
Allow postgres_fdw to import table partitions if specified by IMPORT FOREIGN SCHEMA ... LIMIT TO
(Matthias van de Meent)
By default, only the root of a partitioned table is imported.
Add postgres_fdw function postgres_fdw_get_connections()
to report open foreign server connections (Bharath Rupireddy)
Allow control over whether foreign servers keep connections open after transaction completion (Bharath Rupireddy)
This is controlled by keep_connections
and defaults to on.
Allow postgres_fdw to reestablish foreign server connections if necessary (Bharath Rupireddy)
Previously foreign server restarts could cause foreign table access errors.
Add postgres_fdw functions to discard cached connections (Bharath Rupireddy)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2025-02-20
This release contains a few fixes from 13.19. For information about new features in major release 13, see Version 13.0.
The PostgreSQL community will stop releasing updates for the 13.X release series in November 2025. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.17, see Version 13.17.
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) 📜 📜 📜
The changes made forCVE-2025-1094 or CVE-2025-1094 had one serious oversight: PQescapeLiteral()
and PQescapeIdentifier()
failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.
In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Fix crash involving triggers on partitioned tables that make use of transition tables (Kyotaro Horiguchi) 📜
If there are both AFTER UPDATE
and AFTER DELETE
triggers, the need for transition tables was determined incorrectly, leading to a crash during cross-partition updates.
Release date: 2025-02-13
This release contains a variety of fixes from 13.18. For information about new features in major release 13, see Version 13.0.
The PostgreSQL community will stop releasing updates for the 13.X release series in November 2025. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.17, see Version 13.17.
Harden PQescapeString
and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) 📜 📜 📜 📜 📜 📜 📜
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. CVE-2025-1094 or CVE-2025-1094)
Exclude parallel workers from connection privilege checks and limits (Tom Lane) 📜
Do not check datallowconn
, rolcanlogin
, and ACL_CONNECT
privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections
, datconnlimit
, and rolconnlimit
limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.
Keep TransactionXmin
in sync with MyProc->xmin
(Heikki Linnakangas) 📜
This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction†errors.
Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) 📜
This could result, for example, in failure to use a newly-created function within an existing session.
Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) 📜
Fix data corruption when relation truncation fails (Thomas Munro) 📜 📜 📜
The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.
Prevent checkpoints from starting during relation truncation (Robert Haas) 📜
This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.
Use rename()
not link()
/unlink()
to rename files (Nathan Bossart) 📜
The previous coding was intended to assure that the operation could not accidentally overwrite an existing file. However a failure could leave two links to the same file in existence, confusing subsequent operations and creating a risk of data corruption. In practice we do not use this functionality in places where the target filename could already exist, so it seems better to give up the no-overwrite guarantee to remove the multiple-link hazard.
Avoid possibly losing an update of pg_database
.datfrozenxid
when VACUUM
runs concurrently with a REASSIGN OWNED
that changes that database's owner (Kirill Reshke) 📜
Fix incorrect tg_updatedcols
values passed to AFTER UPDATE
triggers (Tom Lane) 📜
In some cases the tg_updatedcols
bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.
Also, prevent memory bloat caused by making too many copies of the tg_updatedcols
bitmap.
Fix mis-processing of to_timestamp
's FF
format codes (Tom Lane) 📜n
An integer format code immediately preceding FF
would consume all available digits, leaving none for n
FF
.n
When deparsing an XMLTABLE()
expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) 📜
Include the ldapscheme
option in pg_hba_file_rules()
output (Laurenz Albe) 📜 📜
Don't merge UNION
operations if their column collations aren't consistent (Tom Lane) 📜
Previously we ignored collations when deciding if it's safe to merge UNION
steps into a single N-way UNION
operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.
Fix missed expression processing for partition pruning steps (Tom Lane) 📜
This oversight could lead to “unrecognized node type†errors, and perhaps other problems, in queries accessing partitioned tables.
Allow dshash tables to grow past 1GB (Matthias van de Meent) 📜
This avoids errors like “invalid DSA memory alloc request sizeâ€. The case can occur for example in transactions that process several million tables.
Avoid possible integer overflow in bringetbitmap()
(James Hunter, Evgeniy Gorbanyov) 📜
Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.
Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) 📜
This would happen when the record's continuation is on a page that needs to be read from a different WAL source.
Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) 📜
This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child processâ€.
Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) 📜 📜
In some cases a data type could be dropped while references to its OID still remain in pg_amop
or pg_amproc
. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY
to prevent failure when dropping a family that has dangling members.
Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) 📜 📜
Avoid low-probability crash on out-of-memory, due to missing check for failure return from malloc()
(Karina Litskevich) 📜
Avoid integer overflow while testing wal_skip_threshold
condition (Tom Lane) 📜
A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold
. (This only matters when wal_level
is set to minimal
, else a WAL copy is required anyway.)
Fix unsafe order of operations during cache lookups (Noah Misch) 📜
The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock†warning during GRANT TABLESPACE
.
Fix possible “failed to resolve name†failures when using JIT on older ARM platforms (Thomas Munro) 📜
This could occur as a consequence of inconsistency about the default setting of -moutline-atomics
between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.
Fix handling of Windows junction points that are not of PostgreSQL origin (Thomas Munro) 📜 📜
Previously, initdb would fail if the path to the data directory included junction points whose expansion isn't in “drive absolute†format, or whose expansion points to another junction point.
Fix assertion failure in WITH RECURSIVE ... UNION
queries (David Rowley) 📜
Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) 📜
Avoid edge-case assertion failure in parallel query startup (Tom Lane) 📜
Avoid rare assertion failure during relation truncation (Heikki Linnakangas) 📜
In NULLIF()
, avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) 📜
The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF()
result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.
Repair memory leaks in PL/Python (Mat Arye, Tom Lane) 📜
Repeated use of PLyPlan.execute
or plpy.cursor
resulted in memory leakage for the duration of the calling PL/Python function.
Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) 📜
In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) 📜
In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN
(Ryo Kanbayashi) 📜
Previously, the intended warning was not issued due to a typo.
Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) 📜
Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\
). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.
Fix use of wrong version of pqsignal()
in pgbench and psql (Fujii Masao, Tom Lane) 📜
This error could lead to misbehavior when using the -T
option in pgbench or the \watch
command in psql, due to interrupted system calls not being resumed as expected.
Fix misexecution of some nested \if
constructs in pgbench (Michail Nikolaev) 📜
An \if
command appearing within a false (not-being-executed) \if
branch was incorrectly treated the same as \elif
.
In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) 📜 📜
Make pg_controldata more robust against corrupted pg_control
files (Ilyasov Ian, Anton Voloshin) 📜
Since pg_controldata will attempt to print the contents of pg_control
even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.
Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) 📜
Fix pg_basebackup to correctly handle pg_wal.tar
files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) 📜 📜
Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) 📜
On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march
switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.
During configure, if a C23 compiler is detected, try asking for C17 (Thomas Munro) 📜
PostgreSQL versions before v16 will not compile under C23 rules. If the chosen compiler defaults to C23 or later, try adding a -std=gnu17
switch to change that. (If this won't work for your compiler, manually specify CFLAGS
with a suitable switch.)
Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) 📜
Release date: 2024-11-21
This release contains a few fixes from 13.17. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.17, see Version 13.17.
Restore functionality of ALTER {ROLE|DATABASE} SET role
(Tom Lane, Noah Misch) 📜
The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role
to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE}
commands and the PGOPTIONS
environment variable.
Fix cases where a logical replication slot's restart_lsn
could go backwards (Masahiko Sawada) 📜
Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots
. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn
value, in which case replication would fail to restart.
Count index scans in contrib/bloom
indexes in the statistics views, such as the pg_stat_user_indexes
.idx_scan
counter (Masahiro Ikeda) 📜
Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) 📜
Some forms of ALTER TABLE
would fail if the table has an index with non-default operator class options.
Release date: 2024-11-14
This release contains a variety of fixes from 13.16. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below.
Also, if you are upgrading from a version earlier than 13.14, see Version 13.14.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION
and SET ROLE
(Tom Lane) 📜 📜
The SQL standard mandates that SET SESSION AUTHORIZATION
have a side-effect of doing SET ROLE NONE
. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION
would revert ROLE
to NONE
even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization
in a function SET
clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role')
, it saw none
even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜 📜
The ability to manipulate process environment variables such as PATH
gives an attacker opportunities to execute arbitrary code. Therefore, “trusted†PLs must not offer the ability to do that. To fix plperl
, replace %ENV
with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu
retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)
Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Ãlvaro Herrera) 📜
If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION
commands failed to perform this conversion correctly. In particular, after DETACH
the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH
could fail with surprising errors, too.
The way to fix this is to do ALTER TABLE DROP CONSTRAINT
on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent));
Since it is possible that one or more of the ADD CONSTRAINT
steps will fail, you should save the query's output in a file and then attempt to perform each step.
Disallow ALTER TABLE ATTACH PARTITION
if the table to be attached has a foreign key referencing the partitioned table (Ãlvaro Herrera) 📜 📜
This arrangement is not supported, and other ways of creating it already fail.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜
Such plans could produce incorrect results.
Fix possible “could not find pathkey item to sort†error when the output of a UNION ALL
member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) 📜
Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) 📜
Fix assertion failure or confusing error message for COPY (
, when the query
) TO ...query
is rewritten by a DO INSTEAD NOTIFY
rule (Tender Wang, Tom Lane) 📜
Fix detection of skewed data during parallel hash join (Thomas Munro) 📜
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction†error.
Fix race condition in COMMIT PREPARED
that resulted in orphaned 2PC files (wuchengwen) 📜
A concurrent PREPARE TRANSACTION
could cause COMMIT PREPARED
to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transactionâ€, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL
(Tender Wang) 📜
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place†catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class
.relhasindex
to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch) 📜
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) 📜
Use xmlXPathCtxtCompile()
rather than xmlXPathCompile()
, because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
Fix “failed to find plan for subquery/CTE†errors in EXPLAIN
(Richard Guo, Tom Lane) 📜 📜
This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE
condition). Nothing remains in the plan to identify the original field names, so fall back to printing f
for the N
N
'th record column. (That's actually the right thing anyway, if the record output arose from a ROW()
constructor.)
Disallow a USING
clause when altering the type of a generated column (Peter Eisentraut) 📜
A generated column already has an expression specifying the column contents, so including USING
doesn't make sense.
Ignore not-yet-defined Portals in the pg_cursors
view (Tom Lane) 📜
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Reduce memory consumption of logical decoding (Masahiko Sawada) 📜
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) 📜
A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
Avoid “wrong tuple length†failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) 📜 📜
Allow adjusting the session_authorization
and role
settings in parallel workers (Tom Lane) 📜
Our code intends to allow modifiable server settings to be set by function SET
clauses, but not otherwise within a parallel worker. SET
clauses failed for these two settings, though.
Fix behavior of stable functions called from a CALL
statement's argument list, when the CALL
is within a PL/pgSQL EXCEPTION
block (Tom Lane) 📜
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Parse libpq's keepalives
connection option in the same way as other integer-valued options (Yuto Sasaki) 📜
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
Avoid use of pnstrdup()
in ecpglib (Jacob Champion) 📜
That function will call exit()
on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) 📜
This was the intention to begin with, but a coding error caused the source history to always print as empty.
Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang) 📜 📜 📜 📜 📜 📜 📜 📜 📜
This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José SantamarÃa Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜 📜
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Allow inspection of sequence relations in relevant functions of contrib/pageinspect
and contrib/pgstattuple
(Nathan Bossart, Ayush Vatsa) 📜 📜
This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t
) will fit into a long
value (Max Johnson, Nathan Bossart) 📜
On platforms where long
is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start
would hang.
Prevent “nothing provides perl (PostgreSQL::Test::Utils)†failures while building RPM packages of PostgreSQL (Noah Misch) 📜
Fix building with Strawberry Perl on Windows (Andrew Dunstan) 📜
Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT
is now an alias for America/Los_Angeles
. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT
, timestamptz
input such as 1801-01-01 00:00
would previously have been rendered as 1801-01-01 00:00:00-08
, but now it is rendered as 1801-01-01 00:00:00-07:52:58
.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan
is now an alias for Asia/Ulaanbaatar
rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Release date: 2024-08-08
This release contains a variety of fixes from 13.15. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.14, see Version 13.14.
Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind
that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem. CVE-2024-7348 or CVE-2024-7348)
Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Ãlvaro Herrera)
Fix ALTER TABLE DETACH PARTITION
for cases involving inconsistent index-based constraints (Ãlvaro Herrera, Tender Wang)
When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount
value. This would cause trouble during any further manipulations of that constraint.
Fix handling of polymorphic output arguments for procedures (Tom Lane)
The SQL CALL
statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelementâ€, or even outright crashes. (But CALL
in PL/pgSQL worked correctly.)
Fix behavior of stable functions called from a CALL
statement's argument list (Tom Lane)
If the CALL
is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Detect integer overflow in money
calculations (Joseph Koshakow)
None of the arithmetic functions for the money
type checked for overflow before, so they would silently give wrong answers for overflowing cases.
Fix over-aggressive clamping of the scale argument in round(numeric)
and trunc(numeric)
(Dean Rasheed)
These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric
.
Prevent pg_sequence_last_value()
from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)
Make it return NULL in these cases instead of throwing an error.
Fix parsing of ignored operators in websearch_to_tsquery()
(Tom Lane)
Per the manual, punctuation in the input of websearch_to_tsquery()
is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or
could cause or
to be treated as a data word, rather than as an OR
operator as expected.
Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)
Reject applying array dimensions [-2147483648:2147483647]
to an empty array. This is closely related toCVE-2023-5869 or CVE-2023-5869, but appears harmless since the array still ends up empty.
Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database
catalog, so the effects are narrow, but misbehavior is possible.
Correctly check updatability of view columns targeted by INSERT
... DEFAULT
(Tom Lane)
If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N
not found in view targetlistâ€.
Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)
Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE
query does not have a self-reference within the second arm of the UNION
, but does have one self-reference in some other place such as ORDER BY
.
Don't throw an error if a queued AFTER
trigger no longer exists (Tom Lane)
It's possible for a transaction to execute an operation that queues a deferred AFTER
trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN
â€. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.
Fix failure to remove pg_init_privs
entries for column-level privileges when their table is dropped (Tom Lane)
If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.
Fix selection of an arbiter index for ON CONFLICT
when the desired index has expressions or predicates (Tom Lane)
If a query using ON CONFLICT
accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specificationâ€, even though a matching index does exist.
Refuse to modify a temporary table of another session with ALTER TABLE
(Tom Lane)
Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.
Fix failure to recalculate sub-queries generated from MIN()
or MAX()
aggregates (Tom Lane)
In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT
that is implemented with hash aggregation, but other cases may exist.
Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.
Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)
Notably, we now suppress “chunk is not well balanced†errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.
Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.
Prevent incorrect initialization of logical replication slots (Masahiko Sawada)
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.
Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.
Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.
Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)
It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.
Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.
When replanning a PL/pgSQL “simple expressionâ€, check it's still simple (Tom Lane)
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node typeâ€.
Fix incompatibility between PL/Perl and Perl 5.40 (Andrew Dunstan)
Fix recursive RECORD
-returning PL/Python functions (Tom Lane)
If we recurse to a new call of the same function that passes a different column definition list (AS
clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.
Don't corrupt PL/Python's TD
dictionary during a recursive trigger call (Tom Lane)
If a PL/Python-language trigger caused another one to be invoked, the TD
dictionary created for the inner one would overwrite the outer one's TD
dictionary.
Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.
Avoid non-thread-safe usage of strerror()
in libpq (Peter Eisentraut)
Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.
Ensure that pg_restore
-l
reports dependent TOC entries correctly (Tom Lane)
If -l
was specified together with selective-restore options such as -n
or -N
, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.
In contrib/postgres_fdw
, do not send FETCH FIRST WITH TIES
clauses to the remote server (Japin Li)
The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.
Avoid clashing with system-provided <regex.h>
headers (Thomas Munro)
This fixes a compilation failure on macOS version 15 and up.
Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY
applied to an SP-GiST index (Tom Lane)
Release date: 2024-05-09
This release contains a variety of fixes from 13.14. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.14, see Version 13.14.
Fix INSERT
from multiple VALUES
rows into a target column that is a domain over an array or composite type (Tom Lane)
Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.
Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT
clause (David Rowley)
A NULL value satisfies a clause such as
, so pruning away a partition containing NULLs yielded incorrect answers.boolcol
IS NOT FALSE
Make ALTER FOREIGN TABLE SET SCHEMA
move any owned sequences into the new schema (Tom Lane)
Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.
Fix EXPLAIN
's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)
Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.
Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.
Avoid race condition while examining per-relation frozen-XID values (Noah Misch)
VACUUM
's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM
.
Disallow converting a table to a view within an outer SQL command that is using that table (Tom Lane)
This avoids possible crashes.
Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL
trees that have constant outputs for the join column in some SELECT
arms.
Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)
When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING
, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.
Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)
This would typically end in a crash or unexpected error message.
Fix incorrectly-reported statistics kind codes in “requested statistics kind X
is not yet built†error messages (David Rowley)
Be more careful with RECORD
-returning functions in FROM
(Tom Lane)
The output columns of such a function call must be defined by an AS
clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.
Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.
Add protective stack depth checks to some recursive functions (Egor Chindyaskin)
Detect integer overflow when adding or subtracting an interval
to/from a timestamp
(Joseph Koshakow)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Avoid race condition in pg_get_expr()
(Tom Lane)
If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.
Fix detection of old transaction IDs in XID status functions (Karina Litskevich)
Transaction IDs more than 231 transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status()
or txid_status()
.
Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait
(Etsuro Fujita)
Throw an error if an index is accessed while it is being reindexed (Tom Lane)
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.
Ensure that index-only scans on name
columns return a fully-padded value (David Rowley)
The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.
Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)
Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.
Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.
Avoid concurrent calls to bindtextdomain()
in libpq and ecpglib (Tom Lane)
Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.
Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)
In ecpg, avoid issuing false “unsupported feature will be passed to server†warnings (Tom Lane)
Ensure that the string result of ecpg's intoasc()
function is correctly zero-terminated (Oleg Tselebrovskiy)
Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords
(Daniel Gustafsson, Ãlvaro Herrera)
Fix PL/pgSQL's parsing of single-line comments (--
-style comments) following expressions (Erik Wienhold, Tom Lane)
This mistake caused parse errors if such a comment followed a WHEN
expression in a PL/pgSQL CASE
statement.
In contrib/amcheck
, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)
A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.
In contrib/postgres_fdw
, avoid emitting requests to sort by a constant (David Rowley)
This could occur in cases involving UNION ALL
with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N
is not in select list†errors.
Make contrib/postgres_fdw
set the remote session's time zone to GMT
not UTC
(Tom Lane)
This should have the same results for practical purposes. However, GMT
is recognized by hard-wired code in the server, while UTC
is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.
In contrib/xml2
, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)
Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)
Allow make check
to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)
Release date: 2024-02-08
This release contains a variety of fixes from 13.13. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, one bug was fixed that could have resulted in corruption of GIN indexes during concurrent updates. If you suspect such corruption, reindex affected indexes after installing this update.
Also, if you are upgrading from a version earlier than 13.13, see Version 13.13.
Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY
(Heikki Linnakangas)
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH
. Fix things so that all user-determined code is run as the view's owner, as expected.
The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2024-0985 or CVE-2024-0985)
Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)
There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.
When dequeueing from an LWLock, avoid needing to search the list of waiting processes (Andres Freund)
This fixes O (N^2) behavior when the list of waiters is long. In some use-cases this results in substantial throughput improvements.
Avoid generating incorrect partitioned-join plans (Richard Guo)
Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target listâ€, or executor crashes.
Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)
This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.
Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)
The limiting value was too large, allowing “invalid DSA memory alloc request size†errors to occur with sufficiently large expected hash table sizes.
Avoid assertion failures in heap_update()
and heap_delete()
when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)
This error had no impact in non-assert builds.
Fix possible failure during ALTER TABLE ADD COLUMN
on a complex inheritance tree (Tender Wang)
If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by selfâ€.
Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING
commands (Tender Wang, Michael Paquier)
Properly lock the associated table during DROP STATISTICS
(Tomas Vondra)
Failure to acquire the lock could result in “tuple concurrently deleted†errors if the DROP
executes concurrently with ANALYZE
.
Fix function volatility checking for GENERATED
and DEFAULT
expressions (Tom Lane)
These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED
clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN
.
Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)
We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.
Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)
Computing 0 - INT64_MIN
should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN
.
Detect Julian-date overflow when adding or subtracting an interval
to/from a timestamp
(Tom Lane)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Add more checks for overflow in interval_mul()
and interval_div()
(Dean Rasheed)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Make the pg_file_settings
view check validity of unapplied values for settings with backend
or superuser-backend
context (Tom Lane)
Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.
Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)
Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.
Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)
The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.
Avoid premature release of buffer pin in GIN index insertion (Tom Lane)
If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource ownerâ€.
Avoid failure with partitioned SP-GiST indexes (Tom Lane)
Trying to use an index of this kind could lead to “No such file or directory†errors.
Fix ownership change reporting for large objects (Tom Lane)
A no-op ALTER LARGE OBJECT OWNER
command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook
, probably confusing any extension using that hook.
Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)
The startedInRecovery
flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.
Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)
One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.
Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)
In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook
.
Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)
Use the BIO “app_data†field for our private storage, instead of assuming it's okay to use the “data†field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.
Be more wary about OpenSSL not setting errno
on error (Tom Lane)
If errno
isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Successâ€.
Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY
, not ERRCODE_INTERNAL_ERROR
(Alexander Kuzmenkov)
Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)
Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)
When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retriedâ€.
In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)
Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).
In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)
This conforms to the behavior for other dependent objects such as indexes.
Fix crash in contrib/intarray
if an array with an element equal to INT_MAX
is inserted into a gist__int_ops
index (Alexander Lakhin, Tom Lane)
Report a better error when contrib/pageinspect
's hash_bitmap_info()
function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)
Report a better error when contrib/pgstattuple
's pgstathashindex()
function is applied to a partitioned hash index (Alexander Lakhin)
On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)
When launching a child process via cmd.exe
, pass the /D
flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.
Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)
Fix compilation failure of WAL_DEBUG
code on Windows (Bharath Rupireddy)
Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.
Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)
Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.
Release date: 2023-11-09
This release contains a variety of fixes from 13.12. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results. It is advisable to REINDEX
potentially-affected indexes after installing this update. See the fourth and fifth changelog entries below.
Also, if you are upgrading from a version earlier than 13.12, see Version 13.12.
Fix handling of unknown-type arguments in DISTINCT
"any"
aggregate functions (Tom Lane)
This error led to a text
-type value being interpreted as an unknown
-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text
value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. CVE-2023-5868 or CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2023-5869 or CVE-2023-5869)
Prevent the pg_signal_backend
role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend
cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser
parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. CVE-2023-5870 or CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Prevent de-duplication of btree index entries for interval
columns (Noah Misch)
There are interval
values that are distinguishable but compare equal, for example 24:00:00
and 1 day
. This breaks assumptions made by btree de-duplication, so interval
columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval
columns.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL
condition on one of the partition keys could result in a crash.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])
) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema()
is applied to a non-data-returning Portal (Boyu Yang)
Throw the intended error if pgrowlocks()
is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported†would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex()
, pgstatginindex()
, pgstathashindex()
, or pgstattuple()
is applied to an invalid index. If brin_desummarize_range()
, brin_summarize_new_values()
, brin_summarize_range()
, or gin_clean_pending_list()
is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX
had left behind.
Avoid premature memory allocation failure with long inputs to to_tsvector()
(Tom Lane)
Fix over-allocation of the constructed tsvector
in tsvectorrecv()
(Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector
. In extreme cases this could lead to “maximum total lexeme length exceeded†failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Fix incorrect coding in gtsvector_picksplit()
(Alexander Lakhin)
This could lead to poor page-split decisions in GiST indexes on tsvector
columns.
Improve checks for corrupt PGLZ compressed data (Flavien Guedez)
Fix COMMIT AND CHAIN
/ROLLBACK AND CHAIN
to work properly when there is an unreleased savepoint (Liu Xiang, Tom Lane)
Instead of propagating the current transaction's properties to the new transaction, they propagated some previous transaction's properties.
Avoid crash in EXPLAIN
if a parameter marked to be displayed by EXPLAIN
has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT DROP
temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK
condition).
Avoid improper response to shutdown signals in child processes just forked by system()
(Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system()
, but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control
in frontend programs (Thomas Munro)
On some file systems, reading pg_control
may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
Avoid torn reads of pg_control
in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control
, to ensure we get a consistent view of that file.
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size
large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
Fix briefly showing inconsistent progress statistics for ANALYZE
on inherited tables (Heikki Linnakangas)
The block-level counters should be reset to zero at the same time we update the current-relation field.
Track the dependencies of cached CALL
statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL
argument, can create the need to re-plan a CALL
that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failedâ€.
Track nesting depth correctly when inspecting RECORD
-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno†errors.
Avoid “record type has not been registered†failure when deparsing a view that contains references to fields of composite constants (Tom Lane)
Fix error-handling bug in RECORD
type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Ensure that standby-mode WAL recovery reports an error when an invalid page header is found (Yugo Nagata, Kyotaro Horiguchi)
Fix datatype size confusion in logical tape management (Ranier Vilela)
Integer overflow was possible on platforms where long is wider than int, although it would take a multiple-terabyte temporary file to cause a problem.
Avoid unintended close of syslogger process's stdin (Heikki Linnakangas)
Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)
Aside from saving a few cycles, this prevents failure after a cache invalidation for statements that must not set a snapshot, such as SET TRANSACTION ISOLATION LEVEL
.
Keep by-reference attmissingval
values in a long-lived context while they are being used (Andrew Dunstan)
This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.
Recalculate the effective value of search_path
after ALTER ROLE
(Jeff Davis)
This ensures that after renaming a role, the meaning of the special string $user
is re-determined.
Fix order of operations in GenericXLogFinish
(Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom
does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use of abstime
, reltime
, and tinterval
data types (Ãlvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)
This has only been seen to occur when the server connection runs through pgbouncer.
Avoid false “too many client connections†errors in pgbench on Windows (Noah Misch)
In contrib/amcheck
, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its levelâ€, “block NNNN is not leftmost†or “left link/right link pair in index XXXX not in agreementâ€. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM
had cleaned things up.
Fix failure of contrib/btree_gin
indexes on interval
columns, when an indexscan using the <
or <=
operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress
linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
When building contrib/unaccent
's rules file, fall back to using python
if --with-python
was not given and make variable PYTHON
was not set (Japin Li)
Remove PHOT
(Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Release date: 2023-08-10
This release contains a variety of fixes from 13.11. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you use BRIN indexes, it may be advisable to reindex them; see the second changelog entry below.
Also, if you are upgrading from a version earlier than 13.7, see Version 13.7.
Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)
This restriction guards against SQL-injection hazards for trusted extensions.
The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. CVE-2023-39417 or CVE-2023-39417)
Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)
Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.
This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX
any BRIN indexes that may be used to search for nulls.
Avoid leaving a corrupted database behind when DROP DATABASE
is interrupted (Andres Freund)
If DROP DATABASE
was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database
row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE
.
Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)
If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.
Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION
(Michael Paquier)
Such an index will now be ignored, and a new child index created instead.
Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)
The update of the index's pg_index
entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple†error.
Fix ALTER EXTENSION SET SCHEMA
to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)
Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.
Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)
This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.
Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)
The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)
Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)
Fix race conditions in conflict detection for SERIALIZABLE
isolation mode (Thomas Munro)
Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.
Fix hash join with an inner-side hash key that contains Params coming from an outer nested loop (Tom Lane)
When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.
Fix intermittent failures when trying to update a field of a composite column (Tom Lane)
If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.
Prevent query-lifespan memory leaks in some UPDATE
queries with triggers (Tomas Vondra)
Prevent query-lifespan memory leaks when an Incremental Sort plan node is rescanned (James Coleman, Laurenz Albe, Tom Lane)
Accept fractional seconds in the input to jsonpath
's datetime()
method (Tom Lane)
Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)
Allow tokens up to 10240 bytes long in pg_hba.conf
and pg_ident.conf
(Tom Lane)
The previous limit of 256 bytes has been found insufficient for some use-cases.
Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)
If JIT is in use, running out of memory in a C++ new
call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.
Fix rare null-pointer crash in plancache.c
(Tom Lane)
Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)
Ensure that the segment is moved into the appropriate “bin†for its new amount of free space, so that it will be found by subsequent searches.
Allow VACUUM
to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)
If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX
will fix the broken index, but preventing VACUUM
from completing until that is done risks making matters far worse.
Ensure that WrapLimitsVacuumLock
is released after VACUUM
detects invalid data in pg_database
.datfrozenxid
or pg_database
.datminmxid
(Andres Freund)
Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.
Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)
After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held†in the startup process.
Fix possible failure while promoting a standby server, if archiving is enabled and two-phase transactions need to be recovered (Julian Markwort)
If any required two-phase transactions were logged in the most recent (partial) log segment, promotion would fail with an incorrect complaint about “requested WAL segment has already been removedâ€.
Ensure that a newly created, but still empty table is fsync
'ed at the next checkpoint (Heikki Linnakangas)
Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file†errors.
Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)
While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.
Fix missing reinitializations of delay-checkpoint-end flags (suyu.cmj)
This could result in unnecessary delays of checkpoints, or in assertion failures in assert-enabled builds.
Fix overly strict assertion in jsonpath
code (David Rowley)
This assertion failed if a query applied the .type()
operator to a like_regex
result. There was no bug in non-assert builds.
Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)
Fix contrib/fuzzystrmatch
's Soundex difference()
function to handle empty input sanely (Alexander Lakhin, Tom Lane)
An input string containing no alphabetic characters resulted in unpredictable output.
Tighten whitespace checks in contrib/hstore
input (Evan Jones)
In some cases, characters would be falsely recognized as whitespace and hence discarded.
Disallow oversize input arrays with contrib/intarray
's gist__int_ops
index opclass (Ankit Kumar Pandey, Alexander Lakhin)
Previously this code would report a NOTICE
but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.
Avoid useless double decompression of GiST index entries in contrib/intarray
(Konstantin Knizhnik, Matthias van de Meent, Tom Lane)
Ensure that pg_index
.indisreplident
is kept up-to-date in relation cache entries (Shruthi Gowda)
This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.
Silence deprecation warnings when compiling with OpenSSL 3.0.0 or later (Peter Eisentraut)
Release date: 2023-05-11
This release contains a variety of fixes from 13.10. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Fix enabling/disabling of cloned triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER USER
skipped cloned triggers, mistaking them for system triggers. Other variants of ENABLE/DISABLE TRIGGER
would process them, but only after improperly enforcing a superuserness check.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized†errors at runtime.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type†errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed†confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots†error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer
according to the documentation, but the code had it as CommitTSBuffer
. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size
accurately.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen
option of a GiST index on an ltree
column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 13.9. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. CVE-2022-41862 or CVE-2022-41862)
Fix calculation of which GENERATED
columns need to be updated in child tables during an UPDATE
on a partitioned table or inheritance tree (Amit Langote, Tom Lane)
This fixes failure to update GENERATED
columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type†error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction†log message.
Improve error reporting for some buffered file read failures (Peter Eisentraut)
Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.
Prevent “wrong tuple length†failure at the end of VACUUM
(Ashwin Agrawal, Junfeng Yang)
This occurred if VACUUM
needed to update the current database's datfrozenxid
value and the database has so many granted privileges that its datacl
value has been pushed out-of-line.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query†errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed†bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)
A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size
. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock†panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
In contrib/sepgsql
, avoid deprecation warnings with recent libselinux (Michael Paquier)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched†errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 13.8. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
Avoid rare PANIC during updates occurring concurrently with VACUUM
(Tom Lane, Jeff Davis)
If a concurrent VACUUM
sets the all-visible flag bit in a page that UPDATE
or DELETE
is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix VACUUM
to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type†errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Fix resource management bug in saving tuples for AFTER
triggers (Tom Lane)
Given the right circumstances, this manifested as a “tupdesc reference NNNN
is not owned by resource owner†error followed by a PANIC exit.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...)
with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Ãlvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)
If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Remove pointless check on replica identity setting of partitioned tables (Hou Zhijie)
What matters is the replica identity setting of the leaf partitions, so there's no need to throw error if it's not set on the parent.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
Fix type circle
's equality comparator to handle NaNs properly (Ranier Vilela)
If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid misbehavior when choosing hash table size with very small work_mem
and large tuples (Zhang Mingli)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the planâ€.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list†errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Ãlvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 13.7. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place†tablespaces (Thomas Munro, Michael Paquier, Ãlvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place†tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix forCVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix queries in which a “whole-row variable†references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list†planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)
Avoid planner core dump with
clauses when there are MCV-type extended statistics on the constant
= ANY(array
)array
variable (Tom Lane)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to handle recursion correctly for triggers on partitioned tables (Ãlvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist†failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Improve syntax error messages for type jsonpath
(Andrew Dunstan)
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Ãlvaro Herrera)
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)
The replica identity columns have to be re-identified for the child partition.
Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit()
, rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT
but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit()
as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain()
except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction()
as a no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so they will not notice any change. Similar remarks apply to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)†instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix possible report of wrong error condition after clone()
failure in pg_upgrade with --clone
option (Justin Pryzby)
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 13.6. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you have any GiST indexes on columns of type ltree
(supplied by the contrib/ltree
extension), you should re-index them after updating. See the second changelog entry below.
Also, if you are upgrading from a version earlier than 13.6, see Version 13.6.
Confine additional operations within “security restricted operation†sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation†protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2022-1552 or CVE-2022-1552)
Fix default signature length for gist_ltree_ops
indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree
columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree
extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree
columns after installing this update. (Note that GiST indexes on ltree[]
columns, that is arrays of ltree
, are not affected.)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found†instead.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty†error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshotâ€. This was usually harmless since the next use of that temporary schema would clean up successfully.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Fix “PANIC: xlog flush request is not satisfied†failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)
If publish_via_partition_root
is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)
Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy()
function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy()
would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput()
returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult
object, which is a much cleaner behavior for most applications.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space†contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 13.5. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you have applied REINDEX CONCURRENTLY
to a TOAST table's index, or observe failures to access TOAST datums, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 13.5, see Version 13.5.
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY
(Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY
tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE
locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Avoid null-pointer crash in ALTER STATISTICS
when the statistics object is dropped concurrently (Tomas Vondra)
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix checking of anycompatible
-family data type matches (Tom Lane)
In some cases the parser would think that a function or operator with anycompatible
-family polymorphic parameters matches a set of arguments that it really shouldn't match. In reported cases, that led to matching more than one operator to a call, leading to ambiguous-operator errors; but a failure later on is also possible.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Ãlvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXidsâ€. The replica would retry, but could never get past that error.
In logical replication, avoid double transmission of a child table's data (Hou Zhijie)
If a publication includes both child and parent tables, and has the publish_via_partition_root
option set, subscribers uselessly initiated synchronization on both child and parent tables. Ensure that only the parent table is synchronized in such cases.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX
(Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Allow parallel vacuuming and concurrent index building to be ignored while computing oldest xmin (Masahiko Sawada)
Non-parallelized instances of these operations were already ignored, but the logic did not work for parallelized cases. Holding back the xmin horizon has undesirable effects such as delaying vacuum cleanup.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Improve performance of walsenders sending logical changes by avoiding unnecessary cache accesses (Hou Zhijie)
Fix display of cert
authentication method's options in pg_hba_file_rules
view (Magnus Hagander)
The cert
authentication method implies clientcert=verify-full
, but the pg_hba_file_rules
view incorrectly reported clientcert=verify-ca
.
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*â€, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
Fix one-byte buffer overrun when applying Unicode string normalization to an empty string (Michael Paquier)
The practical impact of this is limited thanks to alignment considerations; but in debug builds, a warning was raised.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
Fix psql \d
command's query for identifying parent triggers (Justin Pryzby)
The previous coding failed with “more than one row returned by a subquery used as an expression†if a partition had triggers and there were unrelated statement-level triggers of the same name on some parent partitioned table.
Fix psql's tab-completion of label values for enum types (Tom Lane)
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix pg_dump's --inserts
and --column-inserts
modes to handle tables containing both generated columns and dropped columns (Tom Lane)
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 13.4. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 13.2, see Version 13.2.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable toCVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Ãlvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4
and float8
hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8
is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Fix REINDEX CONCURRENTLY
to preserve operator class parameters that were attached to the target index (Michael Paquier)
Prevent data loss during crash recovery of CREATE TABLESPACE
, when wal_level
= minimal
(Noah Misch)
If the server crashed between CREATE TABLESPACE
and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY
into a just-created table). Such optimizations are applied only when wal_level
is minimal
, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Ãlvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated for all partitions of a partitioned table that is being added to or removed from a publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES
publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1
is of type numeric(18,3)
, the parser used to simply discard a cast like f1::numeric
, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric
, not numeric(18,3)
. This is important for correctly resolving the type of larger constructs, such as recursive UNION
s.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val
failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES
and FOR UPDATE SKIP LOCKED
(David Christensen)
FETCH FIRST WITH TIES
necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE
is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED
option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane)
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Disallow ALTER INDEX index ALTER COLUMN col SET (options)
(Nathan Bossart, Michael Paquier)
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0}
(Tom Lane)
Regular expressions like (.){0}...\1
drew “invalid backreference numberâ€. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE
applied to a time with time zone
value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)
If a function in FROM
laterally references the output of some sub-SELECT
earlier in the FROM
clause, and we are able to flatten that sub-SELECT
into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Fix mistranslation of PlaceHolderVars to inheritance child relations (Tom Lane)
This error could result in assertion failures, or in mis-planning of queries having partitioned or inherited tables on the nullable side of an outer join.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT
immediately followed by a BEGIN ... EXCEPTION
block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Disallow LISTEN
in background workers (Tom Lane)
There's no infrastructure to support this, so if someone did it, it would only result in preventing cleanup of the NOTIFY
queue.
Send NOTIFY
signals to other backends during transaction commit, not in the server's idle loop (Artur Zakirov, Tom Lane)
This change allows notifications to be delivered immediately after an intra-procedure COMMIT
. It also allows logical replication workers to send notifications.
Refuse to rewind a cursor marked NO SCROLL
if it has been held over from a previous transaction due to the WITH HOLD
option (Tom Lane)
We have long forbidden fetching backwards from a NO SCROLL
cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD
cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD
rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra)
The code typically produced “cache lookup error†rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow)
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ
.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot)
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE
heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Fix logical decoding's memory usage accounting to handle TOAST data correctly (Bertrand Drouvot)
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Fix computation of the WAL range to include in a backup manifest when a timeline change is involved (Kyotaro Horiguchi)
Avoid trying to lock the OLD
and NEW
pseudo-relations in a rule that uses SELECT FOR UPDATE
(Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER
clauses (Tom Lane)
If the FILTER
expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER
expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Ãlvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME
can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX
.
Prevent ALTER TYPE/DOMAIN/OPERATOR ... SET
from changing extension membership (Tom Lane)
ALTER ... SET
executed by an extension script would cause the target object to become a member of the extension if it was not already. In itself this isn't too troubling, since there's little reason for an extension script to touch an object not belonging to the extension. But ALTER TYPE SET
will recurse to dependent domains, thus causing them to also become extension members. This causes unwanted side-effects from extension upgrade scripts that use that command to adjust the properties of a base type belonging to the extension. Fix by redefining these ALTER
cases to never change extension membership.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby)
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Ãlvaro Herrera)
Prevent “snapshot reference leak†warning when lo_export()
or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Recalculate relevant wait intervals if recovery_min_apply_delay
is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h
hash table reaches 2^32 elements (Yura Sokolov)
It seems unlikely that this bug has been hit in practice, as it would require work_mem
settings of hundreds of gigabytes for existing uses of simplehash.h
.
Avoid O (N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm
extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Add more defensive checks around B-tree posting list splits (Peter Geoghegan)
This change should help detect index corruption involving duplicate table TIDs.
Disallow setting huge_pages
to on
when shared_memory_type
is sysv
(Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix missing libpq functions on AIX (Tony Reix)
Code reorganization led to the following documented functions not being exported from libpq on AIX: pg_encoding_to_char()
, pg_utf_mblen()
, pg_char_to_encoding()
, pg_valid_server_encoding()
, and pg_valid_server_encoding_id()
. Restore them to visibility.
Fix ecpg to recover correctly after malloc()
failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL
statement (Tom Lane)
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT
out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN
, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH
bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type()
(Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Fix failure of contrib/btree_gin
indexes on "char"
(not char(
) columns, when an indexscan using the n
)<
or <=
operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements
to read its “query texts†file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Fix our pkg-config
files to again support static linking of libpq (Peter Eisentraut)
Make pg_regexec()
robust against an out-of-range search_start
parameter (Tom Lane)
Return REG_NOMATCH
, instead of possibly crashing, when search_start
is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-08-12
This release contains a variety of fixes from 13.3. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.2, see Version 13.2.
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. CVE-2021-3677 or CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issueCVE-2021-3449 or CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT
or ROLLBACK
within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT
/ROLLBACK
would fail with errors like “no known snapshots†or “missing chunk number 0 for toast valueâ€.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portalâ€.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE
(Tom Lane)
This should be disallowed, just as FOR UPDATE
with a plain GROUP BY
is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH
rewrites to just NOTIFY
(Tom Lane)
Such cases previously crashed.
In numeric
multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric
values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char()
with EEEE
format and a numeric
input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint)
to round negative values consistently with the way it rounds positive ones (and consistently with the numeric
version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0)
return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION
lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP
to occur concurrently with DROP EXTENSION
, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION
to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Ãlvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY
(Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv
and newdata
.
Fix PREPARE TRANSACTION
to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION
.
Fix misbehavior of DROP OWNED BY
when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY
(Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY
.
Re-allow old-style Windows locale names in CREATE COLLATION
commands (Thomas Munro)
Previously we were failing because the operating system can't provide version information for such locales. At some point we may decide to require version information, but no such policy exists yet, so re-allow the case for now.
Disallow whole-row variables in GENERATED
expressions (Tom Lane)
Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.
Fix usage of tableoid
in GENERATED
expressions (Tom Lane)
Some code paths failed to provide a valid value for this system column while evaluating a GENERATED
expression.
Don't store a “fast default†when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE
commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN
or ALTER DOMAIN
appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity
(Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings
.pending_restart
show as true when the pertinent entry in postgresql.conf
has been removed (Ãlvaro Herrera)
pending_restart
correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
On 64-bit Windows, allow the effective value of work_mem
times hash_mem_multiplier
to exceed 2GB (Tom Lane)
This allows hash_mem_multiplier
to be used for its intended purpose of preventing large hash aggregations from spilling to disk, even when “large†means multiple gigabytes.
Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)
SELECT FOR UPDATE
and related commands would fail with assertion failures or “could not find junk column†errors in such cases.
Fix pullup of constant function-in-FROM results when the FROM item is marked LATERAL
(Tom Lane)
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
Advance oldest-required-WAL-segment horizon properly after a replication slot is invalidated (Kyotaro Horiguchi)
If all slots were invalidated, the horizon would not move again, eventually allowing the server's WAL storage to run out of space.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix assorted crash cases in logical replication of partitioned-table updates (Amit Langote, Tom Lane)
Fix potential crash when firing AFTER triggers of partitioned tables in logical replication workers (Tom Lane)
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Fix memory leak in logical replication output (Amit Langote)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE
(Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix race condition when invalidating an obsolete replication slot concurrently with an attempt to drop or update it (Andres Freund, Ãlvaro Herrera)
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Harden B-tree posting list split code against corrupt data (Peter Geoghegan)
Throw an error, rather than crashing, for an attempt to insert an item with a TID identical to an existing entry. While that shouldn't ever happen, it has been reported to happen when the index is inconsistent with its table.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Ãlvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO
clause specified STRICT
, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric
value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent ofCVE-2006-2313 or CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Ãlvaro Herrera)
Avoid “invalid creation date in header†warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID
value (Bertrand Drouvot)
Previously, the new installation's oldestXID
was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age
could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE
commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
Fix contrib/postgres_fdw
to work usefully with generated columns (Etsuro Fujita)
postgres_fdw
will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA
will now import generated columns that way by default.
In contrib/postgres_fdw
, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run†mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED
record (Simon Riggs)
Improve ALTER TABLE
's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative†values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r
library (Adrian Ho, Tom Lane)
If there is no libldap_r
library, we now silently assume that libldap
is thread-safe.
Add new make targets world-bin
and install-world-bin
(Andrew Dunstan)
These are the same as world
and install-world
respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck
) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport
in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
Release date: 2021-05-13
This release contains a variety of fixes from 13.2. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.2, see Version 13.2.
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. CVE-2021-32027 or CVE-2021-32027)
Fix mishandling of “junk†columns in INSERT ... ON CONFLICT ... UPDATE
target lists (Tom Lane)
If the UPDATE
list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE
path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. CVE-2021-32028 or CVE-2021-32028)
Fix possibly-incorrect computation of UPDATE ... RETURNING
outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)
If an UPDATE
for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING
results for that row could produce errors or wrong answers. No error is observed unless the UPDATE
involves other tables being joined to the target table. CVE-2021-32029 or CVE-2021-32029)
Fix adjustment of constraint deferrability properties in partitioned tables (Ãlvaro Herrera)
When applied to a foreign-key constraint of a partitioned table, ALTER TABLE ... ALTER CONSTRAINT
failed to adjust the DEFERRABLE
and/or INITIALLY DEFERRED
markings of the constraints and triggers of leaf partitions. This led to unexpected behavior of such constraints. After updating to this version, any misbehaving partitioned tables can be fixed by executing a new ALTER
command to set the desired properties.
This change also disallows applying such an ALTER
directly to the constraints of leaf partitions. The only supported case is for the whole partitioning hierarchy to have identical constraint properties, so such ALTER
s must be applied at the partition root.
When attaching a child table with ALTER TABLE ... INHERIT
, insist that any generated columns in the parent be generated the same way in the child (Peter Eisentraut)
Forbid marking an identity column as nullable (Vik Fearing)
GENERATED ... AS IDENTITY
implies NOT NULL
, so don't allow it to be combined with an explicit NULL
specification.
Allow ALTER ROLE/DATABASE ... SET
to set the role
, session_authorization
, and temp_buffers
parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
Ensure that REINDEX CONCURRENTLY
preserves any statistics target that's been set for the index (Michael Paquier)
Fix COMMIT AND CHAIN
to work correctly when the current transaction has live savepoints (Fujii Masao)
Fix list-manipulation bug in WITH RECURSIVE
processing (Michael Paquier, Tom Lane)
Sufficiently deep nesting of WITH
constructs (at least seven levels) triggered core dumps or incorrect complaints of faulty WITH
nesting.
Fix bug with coercing the result of a COLLATE
expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE
appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE
has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
Fix use-after-free bug in saving tuples for AFTER
triggers (Amit Langote)
This could cause crashes in some situations.
Disallow calling window functions and procedures via the “fast path†wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
Extend pg_identify_object_as_address()
to support event triggers (Joel Jacobson)
Fix to_char()
's handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
Check that the argument of pg_import_system_collations()
is a valid schema OID (Tom Lane)
Fix use of uninitialized value while parsing an \{
quantifier in a BRE-mode regular expression (Tom Lane)m
,n
\}
This error could cause the quantifier to act non-greedy, that is behave like an {
quantifier would do in full regular expressions.m
,n
}?
Fix “could not find pathkey item to sort†planner errors in some situations where the sort key involves an aggregate or window function (James Coleman, Tom Lane)
Don't ignore system columns when estimating the number of groups using extended statistics (Tomas Vondra)
This led to strange estimates for queries such as SELECT ... GROUP BY a, b, ctid
.
Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN
selectivity value, causing assertion failures or strange planner behavior.
Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to “could not open file†errors.
Fix potentially wrong answers from GIN tsvector
index searches, when there are many matching tuples (Tom Lane)
If the number of index matches became large enough to make the bitmap holding them become lossy (a threshold that depends on work_mem
), the code could get confused about whether rechecks are required, allowing rows to be returned that don't actually match the query.
Fix concurrency issues with WAL segment recycling on Windows (Michael Paquier)
This reverts a change that caused intermittent “could not rename file ...: Permission denied†log messages. While there were not serious consequences, the log spam was annoying.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL (Soumyadeep Chakraborty, Jimmy Yih, Kevin Yeap)
This error could lead to subsequent WAL records being written under the wrong timeline ID, leading to consistency problems, or even complete failure to be able to restart the server, later on.
Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
Fix crash when a logical replication worker does ALTER SUBSCRIPTION REFRESH
(Peter Smith)
The core code won't do this, but a replica trigger could.
Ensure we default to wal_sync_method
= fdatasync
on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync
, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
Disable the vacuum_cleanup_index_scale_factor
parameter and storage option (Peter Geoghegan)
The notion of tracking “stale†index statistics proved to interact badly with the autovacuum_vacuum_insert_threshold
parameter, resulting in unnecessary full-index scans and consequent degradation of autovacuum performance. The latter mechanism seems superior, so remove the stale-statistics logic. The control parameter for that, vacuum_cleanup_index_scale_factor
, will be removed entirely in v14. In v13, it remains present to avoid breaking existing configuration files, but it no longer does anything.
Pass the correct trigger OID to object post-alter hooks during ALTER CONSTRAINT
(Ãlvaro Herrera)
When updating trigger properties during ALTER CONSTRAINT
, the post-alter hook was told that we are updating a trigger, but the constraint's OID was passed instead of the trigger's.
Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
Fix uninitialized variable in walreceiver's statistics in shared memory (Fujii Masao)
This error was harmless on most platforms, but could cause issues on platforms lacking atomic variables and/or spinlock support.
Reduce the overhead of dtrace probes for LWLock operations, when dtrace support is compiled in but not active (Peter Eisentraut)
Fix failure when a PL/pgSQL DO
block makes use of both composite-type variables and transaction control (Tom Lane)
Previously, such cases led to errors about leaked tuple descriptors.
Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
When initdb prints instructions about how to start the server, make the path shown for pg_ctl use backslash separators on Windows (Nitin Jadhav)
Fix psql to restore the previous behavior of \connect service=
(Tom Lane)something
A previous bug fix caused environment variables (such as PGPORT
) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
Fix psql's ON_ERROR_ROLLBACK
feature to handle COMMIT AND CHAIN
commands correctly (Arthur Nascimento)
Previously, this case failed with “savepoint "pg_psql_temporary_savepoint" does not existâ€.
In psql, avoid repeated “could not print result table†failures after the first such error (Ãlvaro Herrera)
Fix race condition in detection of file modification by psql's \e
and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
Fix pg_dump's dumping of generated columns in partitioned tables (Peter Eisentraut)
A fix introduced in the previous minor release should not be applied to partitioned tables, only traditionally-inherited tables.
Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
Fix incorrect progress-reporting calculation in pg_checksums (Shinya Kato)
Fix pg_waldump to count XACT
records correctly when generating per-record statistics (Kyotaro Horiguchi)
Fix contrib/amcheck
to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY
and HEAP_KEYS_UPDATED
both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE
.
Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
Release date: 2021-02-11
This release contains a variety of fixes from 13.1. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, see the first changelog item below concerning a possible need to update stored views. Also see the third and fourth changelog items, which describe cases in which reindexing indexes after the upgrade may be advisable.
Fix failure to check per-column SELECT
privileges in some join queries (Tom Lane)
In some cases involving joins, the parser failed to record all the columns read by a query in the column-usage bitmaps that are used for permissions checking. Although the executor would still insist on some sort of SELECT
privilege to run the query, this meant that a user having SELECT
privilege on only one column of a table could nonetheless read all its columns through a suitably crafted query.
A stored view that is subject to this problem will have incomplete column-usage bitmaps, and thus permissions will still not be enforced properly on the view after updating. In installations that depend on column-level permissions for security, it is recommended to CREATE OR REPLACE
all user-defined views to cause them to be re-parsed.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. CVE-2021-20229 or CVE-2021-20229)
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE
command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT
privilege on. CVE-2021-3393 or CVE-2021-3393)
Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)
Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.
Fix CREATE INDEX CONCURRENTLY
to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY
waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid crash when trying to rescan an aggregation plan node that has both hashed and sorted grouping sets (Jeff Davis)
Fix possible incorrect query results when a hash aggregation node spills some tuples to disk (Tom Lane)
It was possible for aggregation grouping values to be replaced by nulls when the tuples are read back in, leading to wrong answers.
Fix edge case in incremental sort (Neil Chen)
If the last tuple of a sort batch chanced to be the first tuple of the next group of already-sorted tuples, the code did the wrong thing. This could lead to “retrieved too many tuples in a bounded sort†error messages, or to silently-wrong sorting results.
Avoid crash when a CALL
or DO
statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)
In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.
Avoid unnecessary errors with BEFORE UPDATE
triggers on partitioned tables (Ãlvaro Herrera)
A BEFORE UPDATE FOR EACH ROW
trigger that modified the row in any way prevented UPDATE
from moving the row to another partition when needed; but there is no longer any reason for this restriction.
Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)
If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.
Avoid incorrect results when WHERE CURRENT OF
is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY
is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF
is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's mishandling of placeholders whose evaluation should be delayed by an outer join (Tom Lane)
This occurs in particular with trivial subqueries containing lateral references to outer-join outputs. The mistake could result in a malformed plan. The known cases trigger a “failed to assign all NestLoopParams to plan nodes†error, but other symptoms may be possible.
Fix planner's handling of placeholders during removal of useless RESULT RTEs (Tom Lane)
This oversight could lead to “no relation entry for relid N
†planner errors.
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N
-way joins†planner errors.
Consider unsorted subpaths when planning a Gather Merge operation (James Coleman)
It's possible to use such a path by adding an explicit Sort node, and in some cases that gives rise to a superior plan.
Do not consider ORDER BY
expressions involving parallel-restricted functions or set-returning functions when trying to parallelize sorts (James Coleman)
Such cases cannot safely be pushed into worker processes, but the incremental sort feature accidentally made us consider them.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)
Fix ALTER DEFAULT PRIVILEGES
to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self†errors or unique-constraint violations.
Flush ACL-related caches when pg_authid
changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT
.
Fix failure to detect “snapshot too old†conditions in tables rewritten in the current transaction (Kyotaro Horiguchi, Noah Misch)
This is only a hazard when wal_level
is set to minimal
and the rewrite is performed by ALTER TABLE SET TABLESPACE
.
Fix spurious failure of CREATE PUBLICATION
when applied to a table created or rewritten in the current transaction (Kyotaro Horiguchi)
This is only a hazard when wal_level
is set to minimal
.
Prevent misprocessing of ambiguous CREATE TABLE LIKE
clauses (Tom Lane)
A LIKE
clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE
target.
Rearrange order of operations in CREATE TABLE LIKE
so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE
depends on an index that's coming from the LIKE
clause.
Disallow CREATE STATISTICS
on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Ãlvaro Herrera)
Previously this was allowed, but subsequent operations on the partitioned relation would fail.
Fix progress reporting for CLUSTER
(Matthias van de Meent)
Fix handling of backslash-escaped multibyte characters in COPY FROM
(Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN
without ANALYZE
(Alexey Bashtanov)
Fix recently-introduced race condition in LISTEN
/NOTIFY
queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
Allow the jsonb
concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a *
quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *?
quantifier would do in full regular expressions.
Fix numeric power()
for the case where the exponent is exactly INT_MIN
(-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Fix integer-overflow cases in substring()
functions (Tom Lane, Pavel Stehule)
If the specified starting index and length overflow an integer when added together, substring()
misbehaved, either throwing a bogus “negative substring length†error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound†or “could not access status of transaction†errors.
Fix WAL-reading logic to handle timeline switches correctly (Kyotaro Horiguchi, Fujii Masao)
Previously, if WAL archiving is enabled, a standby could fail to follow a primary running on a newer timeline, with errors like “requested WAL segment has already been removedâ€.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix relation cache leak in walsender processes while sending row changes via the root of a partitioned relation during logical replication (Amit Langote, Mark Zhao)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Fix possible failure to detect recovery conflicts while deleting an index entry that references a HOT chain (Peter Geoghegan)
The code failed to traverse the HOT chain and might thus compute a too-old XID horizon, which could lead to incorrect conflict processing in hot standby. The practical impact of this bug is limited; in most cases the correct XID horizon would be found anyway from nearby operations.
Ensure that a nonempty value of krb_server_keyfile
always overrides any setting of KRB5_KTNAME
in the server's environment (Tom Lane)
Previously, which setting took precedence depended on whether the client requests GSS encryption.
In server log messages about failing to match connections to pg_hba.conf
entries, include details about whether GSS encryption has been activated (Kyotaro Horiguchi, Tom Lane)
This is relevant data if hostgssenc
or hostnogssenc
entries exist.
Fix assorted issues in server's support for GSS encryption (Tom Lane)
Remove pointless restriction that only GSS authentication can be used on a GSS-encrypted connection. Add GSS encryption information to connection-authorized log messages. Include GSS-related space when computing the required size of shared memory (this omission could have caused problems with very high max_connections
settings). Avoid possible infinite recursion when reporting an unrecoverable GSS encryption error.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart†or “fast†shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid
values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul()
, causing misbehavior on platforms where long
is 32 bits (such as Windows).
Avoid trying to use parallel index build in a standalone backend (Yulin Pei)
Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)
While taking a base backup, avoid executing any SHA256 code if a backup manifest is not needed (Michael Paquier)
When using OpenSSL operating in FIPS mode, SHA256 hashing is rejected, leading to an error. This change makes it possible to take a base backup on such a platform, so long as --no-manifest
is specified.
Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)
No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.
Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM
option (Tom Lane)
Fix data structure misallocation in PL/pgSQL's CALL
statement (Tom Lane)
A CALL
in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT
or ROLLBACK
.
In libpq, do not skip trying SSL after GSS encryption (Tom Lane)
If we successfully made a GSS-encrypted connection, but then failed during authentication, we would fall back to an unencrypted connection rather than next trying an SSL-encrypted connection. This could lead to unexpected connection failure, or to silently getting an unencrypted connection where an encrypted one is expected. Fortunately, GSS encryption could only succeed if both client and server hold valid tickets in the same Kerberos infrastructure. It seems unlikely for that to be true in an environment that requires SSL encryption instead.
Make libpq's PQconndefaults()
function report the correct default value for channel_binding
(Daniele Varrazzo)
In psql, re-allow including a password in a connection_string
argument of a \connect
command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
In psql's \d
commands, don't truncate the display of column default values (Tom Lane)
Formerly, they were arbitrarily truncated at 128 characters.
Fix assorted bugs in psql's \help
command (Kyotaro Horiguchi, Tom Lane)
\help
with two argument words failed to find a command description using only the first word, for example \help reset all
should show the help for RESET
but did not. Also, \help
often failed to invoke the pager when it should. It also leaked memory.
Fix pg_dump's dumping of inherited generated columns (Peter Eisentraut)
The previous behavior resulted in (harmless) errors during restore.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE
commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION
commands as the owner of the partitioned index (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION
in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)
This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34
.
Report the correct database name in connection failure error messages from some client programs (Ãlvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain
(Japin Li)
Memory consumed while producing the EXPLAIN
output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements
enabled.
In contrib/postgres_fdw
, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
Fix faulty assertion in contrib/postgres_fdw
(Etsuro Fujita)
In contrib/pgcrypto
, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
Make contrib/pg_prewarm
more robust when the cluster is shut down before prewarming is complete (Tom Lane)
Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.
In contrib/pg_trgm
's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm
and contrib/postgres_fdw
(Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm
's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw
overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT
on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot
in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)
Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)
No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.
Fix compile failure with ICU 68 and later (Tom Lane)
Avoid memcpy()
with a NULL source pointer and zero count during partitioned index creation (Ãlvaro Herrera)
While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy()
are never NULL, which could result in incorrect optimization of nearby code.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 13.0. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation†sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. CVE-2020-25695 or CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d
parameter of pg_dump and pg_restore, or the --maintenance-db
parameter of the other programs mentioned, can be a “connection string†containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. CVE-2020-25694 or CVE-2020-25694)
When psql's \connect
command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. CVE-2020-25694 or CVE-2020-25694)
Prevent psql's \gset
command from modifying specially-treated variables (Noah Misch)
\gset
without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1
, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. CVE-2020-25696 or CVE-2020-25696)
Fix unintended breakage of the replication protocol (Ãlvaro Herrera)
A walsender reports two command-completion events for START_REPLICATION
. This was undocumented and apparently unintentional; so we failed to notice that a late 13.0 change removed the duplicate event. However it turns out that walreceivers require the extra event in some code paths. The most practical fix is to decree that the extra event is part of the protocol and resume generating it.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE
for users with the BYPASSRLS
attribute (Tom Lane, Stephen Frost)
The BYPASSRLS
attribute is only allowed to be changed by superusers, but other ALTER ROLE
operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Disallow ALTER TABLE ONLY ... DROP EXPRESSION
when there are child tables (Peter Eisentraut)
The current implementation cannot handle this case correctly, so just forbid it for now.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER
does not recurse to child tables (Ãlvaro Herrera)
Previously the ONLY
flag was ignored.
Allow LOCK TABLE
to succeed on a self-referential view (Tom Lane)
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
Retain statistics about an index across REINDEX CONCURRENTLY
(Michael Paquier, FabrÃzio de Royes Mello)
Non-concurrent reindexing has always preserved such statistics.
Fix incorrect progress reporting from REINDEX CONCURRENTLY
(Matthias van de Meent, Michael Paquier)
Ensure that GENERATED
columns are updated when the column(s) they depend on are updated via a rule or an updatable view (Tom Lane)
This fix also takes care of possible failure to fire a column-specific trigger in such cases.
Fix failures with collation-dependent partition bound expressions (Tom Lane)
Support hashing of text arrays (Peter Eisentraut)
Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.
Prevent internal overflows in cross-type datetime comparisons (Nikita Glukhov, Alexander Korotkov, Tom Lane)
Previously, comparing a date to a timestamp would fail if the date is past the valid range for timestamps. There were also corner cases involving overflow of close-to-the-limit timestamp values during timezone rotation.
Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC†marker to cancel out and produce AD.
Allow the jsonpath
.datetime()
method to accept ISO 8601-format timestamps (Nikita Glukhov)
This is not required by SQL, but it seems appropriate since our to_json()
functions generate that timestamp format for Javascript compatibility.
Ensure that standby servers will archive WAL timeline history files when archive_mode
is set to always
(Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix edge cases in detecting premature death of the postmaster on platforms that use kqueue()
(Thomas Munro)
Avoid generating an incorrect incremental-sort plan when the sort key is a volatile expression (James Coleman)
Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane)
Fix possible infinite loop or corrupted output data in TOAST decompression (Tom Lane)
Fix counting of the number of entries in B-tree indexes during cleanup-only VACUUM
s (Peter Geoghegan)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNNâ€. (If you are faced with such an error from an existing index, REINDEX
should be enough to fix it.)
Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov)
Fix unportable use of getnameinfo()
in pg_hba_file_rules
view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address
and netmask
columns were always null due to this error.
Avoid crash if debug_query_string
is NULL when starting a parallel worker (Noah Misch)
Avoid failures when a BEFORE ROW UPDATE
trigger returns the “old†row of a table having dropped or “missing†columns (Amit Langote, Tom Lane)
This method of suppressing an update could result in crashes, unexpected CHECK
constraint failures, or incorrect RETURNING
output, because “missing†columns would read as NULLs for those purposes. (A column is “missing†for this purpose if it was added by ALTER TABLE ADD COLUMN
with a non-NULL, but constant, default value.) Dropped columns could cause trouble as well.
Fix EXPLAIN
's output for incremental sort plans to have correct tag nesting in XML output mode (Daniel Gustafsson)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix omission of result data type coercion in some cases in SQL-language functions (Tom Lane)
This could lead to wrong results or crashes, depending on the data types involved.
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)
This has been shown to cause crashes on s390x
, and very possibly there are other cases on other platforms.
Improve code generated for compare_exchange and fetch_add operations on PPC (Noah Misch)
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix edge-case memory leak in index_get_partition()
(Justin Pryzby)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Fix memory leaks in PL/pgsql's CALL
processing (Pavel Stehule, Tom Lane)
In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
Fix ecpg's mis-processing of B'...'
and X'...'
literals (Shenhao Wang)
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (FabrÃzio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts
, or underspecified (though usually correct) COPY
commands when using COPY
to reload the tables' data.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto
(Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto
(Daniel Gustafsson)
Fix recently-added timetz
test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat†to “slimâ€. That's just cosmetic for our purposes, as we continue to select the “fat†mode in pre-v13 branches. This change also ensures that strftime()
does not change errno
unless it fails.
Release date: 2020-09-24
PostgreSQL 13 contains many new features and enhancements, including:
Space savings and performance gains from de-duplication of B-tree index entries
Improved performance for queries that use aggregates or partitioned tables
Better query planning when using extended statistics
Parallelized vacuuming of indexes
Incremental sorting
The above items and other new features of PostgreSQL 13 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.
Version 13 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Change SIMILAR TO ... ESCAPE NULL
to return NULL
(Tom Lane)
This new behavior matches the SQL specification. Previously a null ESCAPE
value was taken to mean using the default escape string (a backslash character). This also applies to substring(
. The previous behavior has been retained in old views by keeping the original function unchanged.text
FROM pattern
ESCAPE text
)
Make json[b]_to_tsvector()
fully check the spelling of its string
option (Dominik Czarnota)
Change the way non-default effective_io_concurrency values affect concurrency (Thomas Munro)
Previously, this value was adjusted before setting the number of concurrent requests. The value is now used directly. Conversion of old values to new ones can be done using:
SELECT round(sum(OLDVALUE
/ n::float)) AS newvalue FROM generate_series(1,OLDVALUE
) s(n);
Prevent display of auxiliary processes in pg_stat_ssl and pg_stat_gssapi system views (Euler Taveira)
Queries that join these views to pg_stat_activity and wish to see auxiliary processes will need to use left joins.
Rename various wait events to improve consistency (Fujii Masao, Tom Lane)
Fix ALTER FOREIGN TABLE ... RENAME COLUMN
to return a more appropriate command tag (Fujii Masao)
Previously it returned ALTER TABLE
; now it returns ALTER FOREIGN TABLE
.
Fix ALTER MATERIALIZED VIEW ... RENAME COLUMN
to return a more appropriate command tag (Fujii Masao)
Previously it returned ALTER TABLE
; now it returns ALTER MATERIALIZED VIEW
.
Rename configuration parameter wal_keep_segments
to wal_keep_size (Fujii Masao)
This determines how much WAL to retain for standby servers. It is specified in megabytes, rather than number of files as with the old parameter. If you previously used wal_keep_segments
, the following formula will give you an approximately equivalent setting:
wal_keep_size = wal_keep_segments * wal_segment_size (typically 16MB)
Remove support for defining operator classes using pre-PostgreSQL 8.0 syntax (Daniel Gustafsson)
Remove support for defining foreign key constraints using pre-PostgreSQL 7.3 syntax (Daniel Gustafsson)
Remove support for "opaque" pseudo-types used by pre-PostgreSQL 7.3 servers (Daniel Gustafsson)
Remove support for upgrading unpackaged (pre-9.1) extensions (Tom Lane)
The FROM
option of CREATE EXTENSION
is no longer supported. Any installations still using unpackaged extensions should upgrade them to a packaged version before updating to PostgreSQL 13.
Remove support for posixrules
files in the timezone database (Tom Lane)
IANA's timezone group has deprecated this feature, meaning that it will gradually disappear from systems' timezone databases over the next few years. Rather than have a behavioral change appear unexpectedly with a timezone data update, we have removed PostgreSQL's support for this feature as of version 13. This affects only the behavior of POSIX-style time zone specifications that lack an explicit daylight savings transition rule; formerly the transition rule could be determined by installing a custom posixrules
file, but now it is hard-wired. The recommended fix for any affected installations is to start using a geographical time zone name.
In ltree, when an lquery
pattern contains adjacent asterisks with braces, e.g., *{2}.*{3}
, properly interpret that as *{5}
(Nikita Glukhov)
Fix pageinspect's bt_metap()
to return more appropriate data types that are less likely to overflow (Peter Geoghegan)
Below you will find a detailed account of the changes between PostgreSQL 13 and the previous major release.
Allow pruning of partitions to happen in more cases (Yuzuko Hosoya, Amit Langote, Ãlvaro Herrera)
Allow partitionwise joins to happen in more cases (Ashutosh Bapat, Etsuro Fujita, Amit Langote, Tom Lane)
For example, partitionwise joins can now happen between partitioned tables even when their partition bounds do not match exactly.
Support row-level BEFORE
triggers on partitioned tables (Ãlvaro Herrera)
However, such a trigger is not allowed to change which partition is the destination.
Allow partitioned tables to be logically replicated via publications (Amit Langote)
Previously, partitions had to be replicated individually. Now a partitioned table can be published explicitly, causing all its partitions to be published automatically. Addition/removal of a partition causes it to be likewise added to or removed from the publication. The CREATE PUBLICATION
option publish_via_partition_root
controls whether changes to partitions are published as their own changes or their parent's.
Allow logical replication into partitioned tables on subscribers (Amit Langote)
Previously, subscribers could only receive rows into non-partitioned tables.
Allow whole-row variables (that is, table
.*
) to be used in partitioning expressions (Amit Langote)
More efficiently store duplicates in B-tree indexes (Anastasia Lubennikova, Peter Geoghegan)
This allows efficient B-tree indexing of low-cardinality columns by storing duplicate keys only once. Users upgrading with pg_upgrade will need to use REINDEX
to make an existing index use this feature.
Allow GiST and SP-GiST indexes on box
columns to support ORDER BY
queries (Nikita Glukhov)box
<-> point
Allow GIN indexes to more efficiently handle !
(NOT) clauses in tsquery
searches (Nikita Glukhov, Alexander Korotkov, Tom Lane, Julien Rouhaud)
Allow index operator classes to take parameters (Nikita Glukhov)
Allow CREATE INDEX
to specify the GiST signature length and maximum number of integer ranges (Nikita Glukhov)
Indexes created on four and eight-byte integer array, tsvector, pg_trgm, ltree, and hstore columns can now control these GiST index parameters, rather than using the defaults.
Prevent indexes that use non-default collations from being added as a table's unique or primary key constraint (Tom Lane)
The index's collation must match that of the underlying column, but ALTER TABLE
previously failed to check this.
Improve the optimizer's selectivity estimation for containment/match operators (Tom Lane)
Allow setting the statistics target for extended statistics (Tomas Vondra)
This is controlled with the new command option ALTER STATISTICS ... SET STATISTICS
. Previously this was computed based on more general statistics target settings.
Allow use of multiple extended statistics objects in a single query (Tomas Vondra)
Allow use of extended statistics objects for OR clauses and IN/ANY
constant lists (Pierre Ducroquet, Tomas Vondra)
Allow functions in FROM
clauses to be pulled up (inlined) if they evaluate to constants (Alexander Kuzmenkov, Aleksandr Parfenov)
Implement incremental sorting (James Coleman, Alexander Korotkov, Tomas Vondra)
If an intermediate query result is known to be sorted by one or more leading keys of a required sort ordering, the additional sorting can be done considering only the remaining keys, if the rows are sorted in batches that have equal leading keys.
If necessary, this can be controlled using enable_incremental_sort.
Improve the performance of sorting inet values (Brandur Leach)
Allow hash aggregation to use disk storage for large aggregation result sets (Jeff Davis)
Previously, hash aggregation was avoided if it was expected to use more than work_mem memory. Now, a hash aggregation plan can be chosen despite that. The hash table will be spilled to disk if it exceeds work_mem
times hash_mem_multiplier.
This behavior is normally preferable to the old behavior, in which once hash aggregation had been chosen, the hash table would be kept in memory no matter how large it got — which could be very large if the planner had misestimated. If necessary, behavior similar to that can be obtained by increasing hash_mem_multiplier
.
Allow inserts, not only updates and deletes, to trigger vacuuming activity in autovacuum (Laurenz Albe, Darafei Praliaskouski)
Previously, insert-only activity would trigger auto-analyze but not auto-vacuum, on the grounds that there could not be any dead tuples to remove. However, a vacuum scan has other useful side-effects such as setting page-all-visible bits, which improves the efficiency of index-only scans. Also, allowing an insert-only table to receive periodic vacuuming helps to spread out the work of “freezing†old tuples, so that there is not suddenly a large amount of freezing work to do when the entire table reaches the anti-wraparound threshold all at once.
If necessary, this behavior can be adjusted with the new parameters autovacuum_vacuum_insert_threshold and autovacuum_vacuum_insert_scale_factor, or the equivalent table storage options.
Add maintenance_io_concurrency parameter to control I/O concurrency for maintenance operations (Thomas Munro)
Allow WAL writes to be skipped during a transaction that creates or rewrites a relation, if wal_level is minimal
(Kyotaro Horiguchi)
Relations larger than wal_skip_threshold will have their files fsync'ed rather than generating WAL. Previously this was done only for COPY
operations, but the implementation had a bug that could cause data loss during crash recovery.
Improve performance when replaying DROP DATABASE
commands when many tablespaces are in use (Fujii Masao)
Improve performance for truncation of very large relations (Kirk Jamison)
Improve retrieval of the leading bytes of TOAST'ed values (Binguo Bao, Andrey Borodin)
Previously, compressed out-of-line TOAST values were fully fetched even when it's known that only some leading bytes are needed. Now, only enough data to produce the result is fetched.
Improve performance of LISTEN
/NOTIFY
(Martijn van Oosterhout, Tom Lane)
Speed up conversions of integers to text (David Fetter)
Reduce memory usage for query strings and extension scripts that contain many SQL statements (Amit Langote)
Allow EXPLAIN
, auto_explain, autovacuum, and pg_stat_statements to track WAL usage statistics (Kirill Bychik, Julien Rouhaud)
Allow a sample of SQL statements, rather than all statements, to be logged (Adrien Nayrat)
A log_statement_sample_rate fraction of those statements taking more than log_min_duration_sample duration will be logged.
Add the backend type to csvlog and optionally log_line_prefix log output (Peter Eisentraut)
Improve control of prepared statement parameter logging (Alexey Bashtanov, Ãlvaro Herrera)
The GUC setting log_parameter_max_length controls the maximum length of parameter values output during logging of non-error statements, while log_parameter_max_length_on_error does the same for logging of statements with errors. Previously, prepared statement parameters were never logged during errors.
Allow function call backtraces to be logged after errors (Peter Eisentraut, Ãlvaro Herrera)
The new parameter backtrace_functions specifies which C functions should generate backtraces on error.
Make vacuum buffer counters 64-bits wide to avoid overflow (Ãlvaro Herrera)
Add leader_pid
to pg_stat_activity to report a parallel worker's leader process (Julien Rouhaud)
Add system view pg_stat_progress_basebackup
to report the progress of streaming base backups (Fujii Masao)
Add system view pg_stat_progress_analyze
to report ANALYZE progress (Ãlvaro Herrera, Tatsuro Yamada, Vinayak Pokale)
Add system view pg_shmem_allocations
to display shared memory usage (Andres Freund, Robert Haas)
Add system view pg_stat_slru
to monitor internal SLRU caches (Tomas Vondra)
Allow track_activity_query_size to be set as high as 1MB (Vyacheslav Makarov)
The previous maximum was 100kB.
Report a wait event while creating a DSM segment with posix_fallocate()
(Thomas Munro)
Add wait event VacuumDelay to report on cost-based vacuum delay (Justin Pryzby)
Add wait events for WAL archive and recovery pause (Fujii Masao)
The new events are BackupWaitWalArchive and RecoveryPause.
Add wait events RecoveryConflictSnapshot and RecoveryConflictTablespace to monitor recovery conflicts (Masahiko Sawada)
Improve performance of wait events on BSD-based systems (Thomas Munro)
Allow only superusers to view the ssl_passphrase_command setting (Insung Moon)
This was changed as a security precaution.
Change the server's default minimum TLS version for encrypted connections from 1.0 to 1.2 (Peter Eisentraut)
This choice can be controlled by ssl_min_protocol_version.
Tighten rules on which utility commands are allowed in read-only transaction mode (Robert Haas)
This change also increases the number of utility commands that can run in parallel queries.
Allow allow_system_table_mods to be changed after server start (Peter Eisentraut)
Disallow non-superusers from modifying system tables when allow_system_table_mods is set (Peter Eisentraut)
Previously, if allow_system_table_mods was set at server start, non-superusers could issue INSERT
/UPDATE
/DELETE
commands on system tables.
Enable support for Unix-domain sockets on Windows (Peter Eisentraut)
Allow streaming replication configuration settings to be changed by reload (Sergei Kornilov)
Previously, a server restart was required to change primary_conninfo and primary_slot_name.
Allow WAL receivers to use a temporary replication slot when a permanent one is not specified (Peter Eisentraut, Sergei Kornilov)
This behavior can be enabled using wal_receiver_create_temp_slot.
Allow WAL storage for replication slots to be limited by max_slot_wal_keep_size (Kyotaro Horiguchi)
Replication slots that would require exceeding this value are marked invalid.
Allow standby promotion to cancel any requested pause (Fujii Masao)
Previously, promotion could not happen while the standby was in paused state.
Generate an error if recovery does not reach the specified recovery target (Leif Gunnar Erlandsen, Peter Eisentraut)
Previously, a standby would promote itself upon reaching the end of WAL, even if the target was not reached.
Allow control over how much memory is used by logical decoding before it is spilled to disk (Tomas Vondra, Dilip Kumar, Amit Kapila)
This is controlled by logical_decoding_work_mem.
Allow recovery to continue even if invalid pages are referenced by WAL (Fujii Masao)
This is enabled using ignore_invalid_pages.
Allow VACUUM
to process a table's indexes in parallel (Masahiko Sawada, Amit Kapila)
The new PARALLEL
option controls this.
Allow FETCH FIRST
to use WITH TIES
to return any additional rows that match the last result row (Surafel Temesgen)
Report planning-time buffer usage in EXPLAIN
's BUFFER
output (Julien Rouhaud)
Make CREATE TABLE LIKE
propagate a CHECK
constraint's NO INHERIT
property to the created table (Ildar Musin, Chris Travers)
When using LOCK TABLE
on a partitioned table, do not check permissions on the child tables (Amit Langote)
Allow OVERRIDING USER VALUE
on inserts into identity columns (Dean Rasheed)
Add ALTER TABLE ... DROP EXPRESSION
to allow removing the GENERATED
property from a column (Peter Eisentraut)
Fix bugs in multi-step ALTER TABLE
commands (Tom Lane)
IF NOT EXISTS
clauses now work as expected, in that derived actions (such as index creation) do not execute if the column already exists. Also, certain cases of combining related actions into one ALTER TABLE
now work when they did not before.
Add ALTER VIEW
syntax to rename view columns (Fujii Masao)
Renaming view columns was already possible, but one had to write ALTER TABLE RENAME COLUMN
, which is confusing.
Add ALTER TYPE
options to modify a base type's TOAST properties and support functions (Tomas Vondra, Tom Lane)
Add CREATE DATABASE
LOCALE
option (Peter Eisentraut)
This combines the existing options LC_COLLATE
and LC_CTYPE
into a single option.
Allow DROP DATABASE
to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule, Amit Kapila)
This is enabled by the FORCE
option.
Add structure member tg_updatedcols
to allow C-language update triggers to know which column(s) were updated (Peter Eisentraut)
Add polymorphic data types for use by functions requiring compatible arguments (Pavel Stehule)
The new data types are anycompatible
, anycompatiblearray
, anycompatiblenonarray
, and anycompatiblerange
.
Add SQL data type xid8
to expose FullTransactionId (Thomas Munro)
The existing xid
data type is only four bytes so it does not provide the transaction epoch.
Add data type regcollation
and associated functions, to represent OIDs of collation objects (Julien Rouhaud)
Use the glibc version in some cases as a collation version identifier (Thomas Munro)
If the glibc version changes, a warning will be issued about possible corruption of collation-dependent indexes.
Add support for collation versions on Windows (Thomas Munro)
Allow ROW
expressions to have their members extracted with suffix notation (Tom Lane)
For example, (ROW(4, 5.0)).f1
now returns 4.
Add alternate version of jsonb_set()
with improved NULL
handling (Andrew Dunstan)
The new function, jsonb_set_lax()
, handles a NULL
new value by either setting the specified key to a JSON null, deleting the key, raising an exception, or returning the jsonb
value unmodified, as requested.
Add jsonpath .datetime()
method (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov)
This function allows JSON values to be converted to timestamps, which can then be processed in jsonpath
expressions. This change also adds jsonpath
functions that support time-zone-aware output.
Add SQL functions NORMALIZE
() to normalize Unicode strings, and IS NORMALIZED
to check for normalization (Peter Eisentraut)
Add min()
and max()
aggregates for pg_lsn
(FabrÃzio de Royes Mello)
These are particularly useful in monitoring queries.
Allow Unicode escapes, e.g., E'\u
or nnnn
'U&'\
, to specify any character available in the database encoding, even when the database encoding is not UTF-8 (Tom Lane)nnnn
'
Allow to_date()
and to_timestamp()
to recognize non-English month/day names (Juan José SantamarÃa Flecha, Tom Lane)
The names recognized are the same as those output by to_char()
with the same format patterns.
Add datetime format patterns FF1
– FF6
to specify input or output of 1 to 6 fractional-second digits (Alexander Korotkov, Nikita Glukhov, Teodor Sigaev, Oleg Bartunov)
These patterns can be used by to_char()
, to_timestamp()
, and jsonpath's .datetime()
.
Add SSSSS
datetime format pattern as an SQL-standard alias for SSSS
(Nikita Glukhov, Alexander Korotkov)
Add function gen_random_uuid()
to generate version-4 UUIDs (Peter Eisentraut)
Previously UUID generation functions were only available in the external modules uuid-ossp and pgcrypto.
Add greatest-common-denominator (gcd
) and least-common-multiple (lcm
) functions (Vik Fearing)
Improve the performance and accuracy of the numeric
type's square root (sqrt
) and natural log (ln
) functions (Dean Rasheed)
Add function min_scale()
that returns the number of digits to the right of the decimal point that are required to represent a numeric
value with full accuracy (Pavel Stehule)
Add function trim_scale()
to reduce the scale of a numeric
value by removing trailing zeros (Pavel Stehule)
Add commutators of distance operators (Nikita Glukhov)
For example, previously only point
<->
line
was supported, now line
<->
point
works too.
Create xid8
versions of all transaction ID functions (Thomas Munro)
The old xid
-based functions still exist, for backward compatibility.
Allow get_bit()
and set_bit()
to set bits beyond the first 256MB of a bytea
value (Movead Li)
Allow advisory-lock functions to be used in some parallel operations (Tom Lane)
Add the ability to remove an object's dependency on an extension (Ãlvaro Herrera)
The object can be a function, materialized view, index, or trigger. The syntax is ALTER .. NO DEPENDS ON
.
Improve performance of simple PL/pgSQL expressions (Tom Lane, Amit Langote)
Improve performance of PL/pgSQL functions that use immutable expressions (Konstantin Knizhnik)
Allow libpq clients to require channel binding for encrypted connections (Jeff Davis)
Using the libpq connection parameter channel_binding
forces the other end of the TLS connection to prove it knows the user's password. This prevents man-in-the-middle attacks.
Add libpq connection parameters to control the minimum and maximum TLS version allowed for an encrypted connection (Daniel Gustafsson)
The settings are ssl_min_protocol_version and ssl_max_protocol_version. By default, the minimum TLS version is 1.2 (this represents a behavioral change from previous releases).
Allow use of passwords to unlock client certificates (Craig Ringer, Andrew Dunstan)
This is enabled by libpq's sslpassword connection parameter.
Allow libpq to use DER-encoded client certificates (Craig Ringer, Andrew Dunstan)
Fix ecpg's EXEC SQL elif
directive to work correctly (Tom Lane)
Previously it behaved the same as endif
followed by ifdef
, so that a successful previous branch of the same if
construct did not prevent expansion of the elif
branch or following branches.
Add transaction status (%x
) to psql's default prompts (Vik Fearing)
Allow the secondary psql prompt to be blank but the same width as the primary prompt (Thomas Munro)
This is accomplished by setting PROMPT2
to %w
.
Allow psql's \g
and \gx
commands to change \pset output options for the duration of that single command (Tom Lane)
This feature allows syntax like \g (expand=on)
, which is equivalent to \gx
.
Add psql commands to display operator classes and operator families (Sergey Cherkashin, Nikita Glukhov, Alexander Korotkov)
The new commands are \dAc
, \dAf
, \dAo
, and \dAp
.
Show table persistence in psql's \dt+
and related commands (David Fetter)
In verbose mode, the table/index/view shows if the object is permanent, temporary, or unlogged.
Improve output of psql's \d
for TOAST tables (Justin Pryzby)
Fix redisplay after psql's \e
command (Tom Lane)
When exiting the editor, if the query doesn't end with a semicolon or \g
, the query buffer contents will now be displayed.
Add \warn
command to psql (David Fetter)
This is like \echo
except that the text is sent to stderr instead of stdout.
Add the PostgreSQL home page to command-line --help
output (Peter Eisentraut)
Allow pgbench to partition its “accounts†table (Fabien Coelho)
This allows performance testing of partitioning.
Add pgbench command \aset
, which behaves like \gset
, but for multiple queries (Fabien Coelho)
Allow pgbench to generate its initial data server-side, rather than client-side (Fabien Coelho)
Allow pgbench to show script contents using option --show-script
(Fabien Coelho)
Generate backup manifests for base backups, and verify them (Robert Haas)
A new tool pg_verifybackup can verify backups.
Have pg_basebackup estimate the total backup size by default (Fujii Masao)
This computation allows pg_stat_progress_basebackup
to show progress. If that is not needed, it can be disabled by using the --no-estimate-size
option. Previously, this computation happened only if the --progress
option was used.
Add an option to pg_rewind to configure standbys (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This matches pg_basebackup's --write-recovery-conf
option.
Allow pg_rewind to use the target cluster's restore_command to retrieve needed WAL (Alexey Kondratov)
This is enabled using the -c
/--restore-target-wal
option.
Have pg_rewind automatically run crash recovery before rewinding (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This can be disabled by using --no-ensure-shutdown
.
Increase the PREPARE TRANSACTION
-related information reported by pg_waldump (Fujii Masao)
Add pg_waldump option --quiet
to suppress non-error output (Andres Freund, Robert Haas)
Add pg_dump option --include-foreign-data
to dump data from foreign servers (Luis Carril)
Allow vacuum commands run by vacuumdb to operate in parallel mode (Masahiko Sawada)
This is enabled with the new --parallel
option.
Allow reindexdb to operate in parallel (Julien Rouhaud)
Parallel mode is enabled with the new --jobs
option.
Allow dropdb to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule)
This is enabled with the -f
option.
Remove --adduser
and --no-adduser
from createuser (Alexander Lakhin)
The long-supported preferred options for this are called --superuser
and --no-superuser
.
Use the directory of the pg_upgrade program as the default --new-bindir
setting when running pg_upgrade (Daniel Gustafsson)
Add a glossary to the documentation (Corey Huinker, Jürgen Purtz, Roger Harkavy, Ãlvaro Herrera)
Reformat tables containing function and operator information for better clarity (Tom Lane)
Upgrade to use DocBook 4.5 (Peter Eisentraut)
Add support for building on Visual Studio 2019 (Haribabu Kommi)
Add build support for MSYS2 (Peter Eisentraut)
Add compare_exchange and fetch_add assembly language code for Power PC compilers (Noah Misch)
Update Snowball stemmer dictionaries used by full text search (Panagiotis Mavrogiorgos)
This adds Greek stemming and improves Danish and French stemming.
Remove support for Windows 2000 (Michael Paquier)
Remove support for non-ELF BSD systems (Peter Eisentraut)
Remove support for Python versions 2.5.X and earlier (Peter Eisentraut)
Remove support for OpenSSL 0.9.8 and 1.0.0 (Michael Paquier)
Remove configure options --disable-float8-byval
and --disable-float4-byval
(Peter Eisentraut)
These were needed for compatibility with some version-zero C functions, but those are no longer supported.
Pass the query string to planner hook functions (Pascal Legrand, Julien Rouhaud)
Add TRUNCATE
command hook (Yuli Khodorkovskiy)
Add TLS init hook (Andrew Dunstan)
Allow building with no predefined Unix-domain socket directory (Peter Eisentraut)
Reduce the probability of SysV resource key collision on Unix platforms (Tom Lane)
Use operating system functions to reliably erase memory that contains sensitive information (Peter Eisentraut)
For example, this is used for clearing passwords stored in memory.
Add headerscheck
script to test C header-file compatibility (Tom Lane)
Implement internal lists as arrays, rather than a chain of cells (Tom Lane)
This improves performance for queries that access many objects.
Change the API for TS_execute()
(Tom Lane, Pavel Borisov)
TS_execute
callbacks must now provide ternary (yes/no/maybe) logic. Calculating NOT queries accurately is now the default.
Allow extensions to be specified as trusted (Tom Lane)
Such extensions can be installed in a database by users with database-level CREATE
privileges, even if they are not superusers. This change also removes the pg_pltemplate
system catalog.
Allow non-superusers to connect to postgres_fdw foreign servers without using a password (Craig Ringer)
Specifically, allow a superuser to set password_required
to false for a user mapping. Care must still be taken to prevent non-superusers from using superuser credentials to connect to the foreign server.
Allow postgres_fdw to use certificate authentication (Craig Ringer)
Different users can use different certificates.
Allow sepgsql to control access to the TRUNCATE
command (Yuli Khodorkovskiy)
Add extension bool_plperl which transforms SQL booleans to/from PL/Perl booleans (Ivan Panchenko)
Have pg_stat_statements treat SELECT ... FOR UPDATE
commands as distinct from those without FOR UPDATE
(Andrew Gierth, Vik Fearing)
Allow pg_stat_statements to optionally track the planning time of statements (Julien Rouhaud, Pascal Legrand, Thomas Munro, Fujii Masao)
Previously only execution time was tracked.
Overhaul ltree's lquery syntax to treat NOT
(!) more logically (Filip Rembialkowski, Tom Lane, Nikita Glukhov)
Also allow non-* queries to use a numeric range ({}) of matches.
Add support for binary I/O of ltree, lquery, and ltxtquery types (Nino Floris)
Add an option to dict_int to ignore the sign of integers (Jeff Janes)
Add adminpack function pg_file_sync()
to allow fsync'ing a file (Fujii Masao)
Add pageinspect functions to output t_infomask
/t_infomask2
values in human-readable format (Craig Ringer, Sawada Masahiko, Michael Paquier)
Add B-tree index de-duplication processing columns to pageinspect output (Peter Geoghegan)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2024-11-21
This release contains a single fix from 12.21. For information about new features in major release 12, see Version 12.0.
This is expected to be the last PostgreSQL release in the 12.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.18, see Version 12.18.
Restore functionality of ALTER {ROLE|DATABASE} SET role
(Tom Lane, Noah Misch) 📜
The fix forCVE-2024-10978 or CVE-2024-10978 accidentally caused settings for role
to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE}
commands and the PGOPTIONS
environment variable.
Release date: 2024-11-14
This release contains a variety of fixes from 12.20. For information about new features in major release 12, see Version 12.0.
This is expected to be the last PostgreSQL release in the 12.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.18, see Version 12.18.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) 📜
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2024-10976 or CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) 📜
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2024-10977 or CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION
and SET ROLE
(Tom Lane) 📜 📜
The SQL standard mandates that SET SESSION AUTHORIZATION
have a side-effect of doing SET ROLE NONE
. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION
would revert ROLE
to NONE
even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization
in a function SET
clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role')
, it saw none
even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. CVE-2024-10978 or CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) 📜 📜 📜 📜
The ability to manipulate process environment variables such as PATH
gives an attacker opportunities to execute arbitrary code. Therefore, “trusted†PLs must not offer the ability to do that. To fix plperl
, replace %ENV
with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu
retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. CVE-2024-10979 or CVE-2024-10979)
Disallow ALTER TABLE ATTACH PARTITION
if the table to be attached has a foreign key referencing the partitioned table (Ãlvaro Herrera) 📜 📜
This arrangement is not supported, and other ways of creating it already fail.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) 📜 📜
Such plans could produce incorrect results.
Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) 📜
Fix assertion failure or confusing error message for COPY (
, when the query
) TO ...query
is rewritten by a DO INSTEAD NOTIFY
rule (Tender Wang, Tom Lane) 📜
Fix detection of skewed data during parallel hash join (Thomas Munro) 📜
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) 📜
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction†error.
Fix race condition in COMMIT PREPARED
that resulted in orphaned 2PC files (wuchengwen) 📜
A concurrent PREPARE TRANSACTION
could cause COMMIT PREPARED
to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transactionâ€, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL
(Tender Wang) 📜
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place†catalog update could be lost (Noah Misch) 📜 📜 📜 📜 📜 📜 📜
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class
.relhasindex
to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch) 📜
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) 📜 📜
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) 📜
Use xmlXPathCtxtCompile()
rather than xmlXPathCompile()
, because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
Fix “failed to find plan for subquery/CTE†errors in EXPLAIN
(Richard Guo, Tom Lane) 📜
This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE
condition). Nothing remains in the plan to identify the original field names, so fall back to printing f
for the N
N
'th record column. (That's actually the right thing anyway, if the record output arose from a ROW()
constructor.)
Disallow a USING
clause when altering the type of a generated column (Peter Eisentraut) 📜
A generated column already has an expression specifying the column contents, so including USING
doesn't make sense.
Ignore not-yet-defined Portals in the pg_cursors
view (Tom Lane) 📜
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Reduce memory consumption of logical decoding (Masahiko Sawada) 📜
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) 📜
A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
Avoid “wrong tuple length†failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) 📜 📜
Allow adjusting the session_authorization
and role
settings in parallel workers (Tom Lane) 📜
Our code intends to allow modifiable server settings to be set by function SET
clauses, but not otherwise within a parallel worker. SET
clauses failed for these two settings, though.
Fix behavior of stable functions called from a CALL
statement's argument list, when the CALL
is within a PL/pgSQL EXCEPTION
block (Tom Lane) 📜
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Parse libpq's keepalives
connection option in the same way as other integer-valued options (Yuto Sasaki) 📜
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) 📜
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) 📜
This was the intention to begin with, but a coding error caused the source history to always print as empty.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) 📜 📜
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Allow inspection of sequence relations in relevant functions of contrib/pageinspect
and contrib/pgstattuple
(Nathan Bossart, Ayush Vatsa) 📜 📜
This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) 📜
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t
) will fit into a long
value (Max Johnson, Nathan Bossart) 📜
On platforms where long
is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start
would hang.
Prevent “nothing provides perl (PostgreSQL::Test::Utils)†failures while building RPM packages of PostgreSQL (Noah Misch) 📜
Fix building with Strawberry Perl on Windows (Andrew Dunstan) 📜
Update time zone data files to tzdata release 2024b (Tom Lane) 📜 📜
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT
is now an alias for America/Los_Angeles
. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT
, timestamptz
input such as 1801-01-01 00:00
would previously have been rendered as 1801-01-01 00:00:00-08
, but now it is rendered as 1801-01-01 00:00:00-07:52:58
.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan
is now an alias for Asia/Ulaanbaatar
rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Release date: 2024-08-08
This release contains a variety of fixes from 12.19. For information about new features in major release 12, see Version 12.0.
The PostgreSQL community will stop releasing updates for the 12.X release series in November 2024. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.18, see Version 12.18.
Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind
that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem. CVE-2024-7348 or CVE-2024-7348)
Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Ãlvaro Herrera)
Fix ALTER TABLE DETACH PARTITION
for cases involving inconsistent index-based constraints (Ãlvaro Herrera, Tender Wang)
When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount
value. This would cause trouble during any further manipulations of that constraint.
Fix handling of polymorphic output arguments for procedures (Tom Lane)
The SQL CALL
statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelementâ€, or even outright crashes. (But CALL
in PL/pgSQL worked correctly.)
Fix behavior of stable functions called from a CALL
statement's argument list (Tom Lane)
If the CALL
is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Detect integer overflow in money
calculations (Joseph Koshakow)
None of the arithmetic functions for the money
type checked for overflow before, so they would silently give wrong answers for overflowing cases.
Fix over-aggressive clamping of the scale argument in round(numeric)
and trunc(numeric)
(Dean Rasheed)
These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric
.
Prevent pg_sequence_last_value()
from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)
Make it return NULL in these cases instead of throwing an error.
Fix parsing of ignored operators in websearch_to_tsquery()
(Tom Lane)
Per the manual, punctuation in the input of websearch_to_tsquery()
is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or
could cause or
to be treated as a data word, rather than as an OR
operator as expected.
Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)
Reject applying array dimensions [-2147483648:2147483647]
to an empty array. This is closely related toCVE-2023-5869 or CVE-2023-5869, but appears harmless since the array still ends up empty.
Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database
catalog, so the effects are narrow, but misbehavior is possible.
Correctly check updatability of view columns targeted by INSERT
... DEFAULT
(Tom Lane)
If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N
not found in view targetlistâ€.
Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)
Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE
query does not have a self-reference within the second arm of the UNION
, but does have one self-reference in some other place such as ORDER BY
.
Don't throw an error if a queued AFTER
trigger no longer exists (Tom Lane)
It's possible for a transaction to execute an operation that queues a deferred AFTER
trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN
â€. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.
Fix failure to remove pg_init_privs
entries for column-level privileges when their table is dropped (Tom Lane)
If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.
Fix selection of an arbiter index for ON CONFLICT
when the desired index has expressions or predicates (Tom Lane)
If a query using ON CONFLICT
accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specificationâ€, even though a matching index does exist.
Refuse to modify a temporary table of another session with ALTER TABLE
(Tom Lane)
Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.
Fix failure to recalculate sub-queries generated from MIN()
or MAX()
aggregates (Tom Lane)
In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT
that is implemented with hash aggregation, but other cases may exist.
Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.
Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)
Notably, we now suppress “chunk is not well balanced†errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.
Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.
Prevent incorrect initialization of logical replication slots (Masahiko Sawada)
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.
Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.
Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.
Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.
When replanning a PL/pgSQL “simple expressionâ€, check it's still simple (Tom Lane)
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node typeâ€.
Fix incompatibility between PL/Perl and Perl 5.40 (Andrew Dunstan)
Fix recursive RECORD
-returning PL/Python functions (Tom Lane)
If we recurse to a new call of the same function that passes a different column definition list (AS
clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.
Don't corrupt PL/Python's TD
dictionary during a recursive trigger call (Tom Lane)
If a PL/Python-language trigger caused another one to be invoked, the TD
dictionary created for the inner one would overwrite the outer one's TD
dictionary.
Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.
Avoid non-thread-safe usage of strerror()
in libpq (Peter Eisentraut)
Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.
Ensure that pg_restore
-l
reports dependent TOC entries correctly (Tom Lane)
If -l
was specified together with selective-restore options such as -n
or -N
, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.
Avoid clashing with system-provided <regex.h>
headers (Thomas Munro)
This fixes a compilation failure on macOS version 15 and up.
Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY
applied to an SP-GiST index (Tom Lane)
Release date: 2024-05-09
This release contains a variety of fixes from 12.18. For information about new features in major release 12, see Version 12.0.
The PostgreSQL community will stop releasing updates for the 12.X release series in November 2024. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.18, see Version 12.18.
Fix INSERT
from multiple VALUES
rows into a target column that is a domain over an array or composite type (Tom Lane)
Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.
Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT
clause (David Rowley)
A NULL value satisfies a clause such as
, so pruning away a partition containing NULLs yielded incorrect answers.boolcol
IS NOT FALSE
Make ALTER FOREIGN TABLE SET SCHEMA
move any owned sequences into the new schema (Tom Lane)
Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.
Fix EXPLAIN
's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)
Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.
Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.
Avoid race condition while examining per-relation frozen-XID values (Noah Misch)
VACUUM
's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM
.
Disallow converting a table to a view within an outer SQL command that is using that table (Tom Lane)
This avoids possible crashes.
Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL
trees that have constant outputs for the join column in some SELECT
arms.
Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)
When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING
, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.
Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)
This would typically end in a crash or unexpected error message.
Fix incorrectly-reported statistics kind codes in “requested statistics kind X
is not yet built†error messages (David Rowley)
Be more careful with RECORD
-returning functions in FROM
(Tom Lane)
The output columns of such a function call must be defined by an AS
clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.
Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.
Add protective stack depth checks to some recursive functions (Egor Chindyaskin)
Detect integer overflow when adding or subtracting an interval
to/from a timestamp
(Joseph Koshakow)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Avoid race condition in pg_get_expr()
(Tom Lane)
If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.
Fix detection of old transaction IDs in XID status functions (Karina Litskevich)
Transaction IDs more than 231 transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status()
or txid_status()
.
Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait
(Etsuro Fujita)
Throw an error if an index is accessed while it is being reindexed (Tom Lane)
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.
Ensure that index-only scans on name
columns return a fully-padded value (David Rowley)
The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.
Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)
Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.
Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.
Avoid concurrent calls to bindtextdomain()
in libpq and ecpglib (Tom Lane)
Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.
Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)
In ecpg, avoid issuing false “unsupported feature will be passed to server†warnings (Tom Lane)
Ensure that the string result of ecpg's intoasc()
function is correctly zero-terminated (Oleg Tselebrovskiy)
Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords
(Daniel Gustafsson, Ãlvaro Herrera)
Fix PL/pgSQL's parsing of single-line comments (--
-style comments) following expressions (Erik Wienhold, Tom Lane)
This mistake caused parse errors if such a comment followed a WHEN
expression in a PL/pgSQL CASE
statement.
In contrib/amcheck
, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)
A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.
In contrib/postgres_fdw
, avoid emitting requests to sort by a constant (David Rowley)
This could occur in cases involving UNION ALL
with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N
is not in select list†errors.
Make contrib/postgres_fdw
set the remote session's time zone to GMT
not UTC
(Tom Lane)
This should have the same results for practical purposes. However, GMT
is recognized by hard-wired code in the server, while UTC
is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.
In contrib/xml2
, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)
Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)
Allow make check
to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)
Release date: 2024-02-08
This release contains a variety of fixes from 12.17. For information about new features in major release 12, see Version 12.0.
The PostgreSQL community will stop releasing updates for the 12.X release series in November 2024. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 12.X.
However, one bug was fixed that could have resulted in corruption of GIN indexes during concurrent updates. If you suspect such corruption, reindex affected indexes after installing this update.
Also, if you are upgrading from a version earlier than 12.17, see Version 12.17.
Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY
(Heikki Linnakangas)
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH
. Fix things so that all user-determined code is run as the view's owner, as expected.
The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2024-0985 or CVE-2024-0985)
Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)
There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.
When dequeueing from an LWLock, avoid needing to search the list of waiting processes (Andres Freund)
This fixes O (N^2) behavior when the list of waiters is long. In some use-cases this results in substantial throughput improvements.
Avoid generating incorrect partitioned-join plans (Richard Guo)
Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target listâ€, or executor crashes.
Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)
This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.
Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)
The limiting value was too large, allowing “invalid DSA memory alloc request size†errors to occur with sufficiently large expected hash table sizes.
Avoid assertion failures in heap_update()
and heap_delete()
when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)
This error had no impact in non-assert builds.
Fix possible failure during ALTER TABLE ADD COLUMN
on a complex inheritance tree (Tender Wang)
If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by selfâ€.
Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING
commands (Tender Wang, Michael Paquier)
Properly lock the associated table during DROP STATISTICS
(Tomas Vondra)
Failure to acquire the lock could result in “tuple concurrently deleted†errors if the DROP
executes concurrently with ANALYZE
.
Fix function volatility checking for GENERATED
and DEFAULT
expressions (Tom Lane)
These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED
clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN
.
Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)
We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.
Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)
Computing 0 - INT64_MIN
should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN
.
Detect Julian-date overflow when adding or subtracting an interval
to/from a timestamp
(Tom Lane)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Add more checks for overflow in interval_mul()
and interval_div()
(Dean Rasheed)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Make the pg_file_settings
view check validity of unapplied values for settings with backend
or superuser-backend
context (Tom Lane)
Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.
Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)
Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.
Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)
The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.
Avoid premature release of buffer pin in GIN index insertion (Tom Lane)
If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource ownerâ€.
Avoid failure with partitioned SP-GiST indexes (Tom Lane)
Trying to use an index of this kind could lead to “No such file or directory†errors.
Fix ownership change reporting for large objects (Tom Lane)
A no-op ALTER LARGE OBJECT OWNER
command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook
, probably confusing any extension using that hook.
Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)
The startedInRecovery
flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.
Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)
One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.
Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)
In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook
.
Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)
Use the BIO “app_data†field for our private storage, instead of assuming it's okay to use the “data†field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.
Be more wary about OpenSSL not setting errno
on error (Tom Lane)
If errno
isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Successâ€.
Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY
, not ERRCODE_INTERNAL_ERROR
(Alexander Kuzmenkov)
Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)
Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)
When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retriedâ€.
In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)
Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).
In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)
This conforms to the behavior for other dependent objects such as indexes.
Fix crash in contrib/intarray
if an array with an element equal to INT_MAX
is inserted into a gist__int_ops
index (Alexander Lakhin, Tom Lane)
Report a better error when contrib/pageinspect
's hash_bitmap_info()
function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)
Report a better error when contrib/pgstattuple
's pgstathashindex()
function is applied to a partitioned hash index (Alexander Lakhin)
On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)
When launching a child process via cmd.exe
, pass the /D
flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.
Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)
Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.
Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)
Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.
Release date: 2023-11-09
This release contains a variety of fixes from 12.16. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you use GiST indexes, it may be advisable to reindex them; see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 12.16, see Version 12.16.
Fix handling of unknown-type arguments in DISTINCT
"any"
aggregate functions (Tom Lane)
This error led to a text
-type value being interpreted as an unknown
-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text
value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. CVE-2023-5868 or CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2023-5869 or CVE-2023-5869)
Prevent the pg_signal_backend
role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend
cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser
parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. CVE-2023-5870 or CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL
condition on one of the partition keys could result in a crash.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])
) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema()
is applied to a non-data-returning Portal (Boyu Yang)
Throw the intended error if pgrowlocks()
is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported†would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex()
, pgstatginindex()
, pgstathashindex()
, or pgstattuple()
is applied to an invalid index. If brin_desummarize_range()
, brin_summarize_new_values()
, brin_summarize_range()
, or gin_clean_pending_list()
is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX
had left behind.
Avoid premature memory allocation failure with long inputs to to_tsvector()
(Tom Lane)
Fix over-allocation of the constructed tsvector
in tsvectorrecv()
(Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector
. In extreme cases this could lead to “maximum total lexeme length exceeded†failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Fix incorrect coding in gtsvector_picksplit()
(Alexander Lakhin)
This could lead to poor page-split decisions in GiST indexes on tsvector
columns.
Fix COMMIT AND CHAIN
/ROLLBACK AND CHAIN
to work properly when there is an unreleased savepoint (Liu Xiang, Tom Lane)
Instead of propagating the current transaction's properties to the new transaction, they propagated some previous transaction's properties.
Avoid crash in EXPLAIN
if a parameter marked to be displayed by EXPLAIN
has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT DROP
temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK
condition).
Avoid improper response to shutdown signals in child processes just forked by system()
(Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system()
, but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control
in frontend programs (Thomas Munro)
On some file systems, reading pg_control
may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
Avoid torn reads of pg_control
in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control
, to ensure we get a consistent view of that file.
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size
large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
Track the dependencies of cached CALL
statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL
argument, can create the need to re-plan a CALL
that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failedâ€.
Track nesting depth correctly when inspecting RECORD
-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno†errors.
Avoid “record type has not been registered†failure when deparsing a view that contains references to fields of composite constants (Tom Lane)
Allow extracting fields from a RECORD
-type ROW()
expression (Tom Lane)
SQL code that knows that we name such fields f1
, f2
, etc can use those names to extract fields from the expression. This change was originally made in version 13, and is now being back-patched into older branches to support tests for a related bug.
Fix error-handling bug in RECORD
type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Ensure that standby-mode WAL recovery reports an error when an invalid page header is found (Yugo Nagata, Kyotaro Horiguchi)
Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)
Aside from saving a few cycles, this prevents failure after a cache invalidation for statements that must not set a snapshot, such as SET TRANSACTION ISOLATION LEVEL
.
Keep by-reference attmissingval
values in a long-lived context while they are being used (Andrew Dunstan)
This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.
Recalculate the effective value of search_path
after ALTER ROLE
(Jeff Davis)
This ensures that after renaming a role, the meaning of the special string $user
is re-determined.
Fix order of operations in GenericXLogFinish
(Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom
does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use of abstime
, reltime
, and tinterval
data types (Ãlvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)
This has only been seen to occur when the server connection runs through pgbouncer.
Avoid false “too many client connections†errors in pgbench on Windows (Noah Misch)
In contrib/amcheck
, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its levelâ€, “block NNNN is not leftmost†or “left link/right link pair in index XXXX not in agreementâ€. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM
had cleaned things up.
Fix failure of contrib/btree_gin
indexes on interval
columns, when an indexscan using the <
or <=
operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress
linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
Remove PHOT
(Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Release date: 2023-08-10
This release contains a variety of fixes from 12.15. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you use BRIN indexes, it may be advisable to reindex them; see the second changelog entry below.
Also, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)
This restriction guards against SQL-injection hazards for trusted extensions.
The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. CVE-2023-39417 or CVE-2023-39417)
Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)
Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.
This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX
any BRIN indexes that may be used to search for nulls.
Avoid leaving a corrupted database behind when DROP DATABASE
is interrupted (Andres Freund)
If DROP DATABASE
was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database
row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE
.
Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)
If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.
Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION
(Michael Paquier)
Such an index will now be ignored, and a new child index created instead.
Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)
The update of the index's pg_index
entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple†error.
Fix ALTER EXTENSION SET SCHEMA
to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)
Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.
Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)
This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.
Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)
The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)
Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)
Fix race conditions in conflict detection for SERIALIZABLE
isolation mode (Thomas Munro)
Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.
Fix hash join with an inner-side hash key that contains Params coming from an outer nested loop (Tom Lane)
When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.
Fix intermittent failures when trying to update a field of a composite column (Tom Lane)
If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.
Prevent query-lifespan memory leaks in some UPDATE
queries with triggers (Tomas Vondra)
Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)
Allow tokens up to 10240 bytes long in pg_hba.conf
and pg_ident.conf
(Tom Lane)
The previous limit of 256 bytes has been found insufficient for some use-cases.
Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)
If JIT is in use, running out of memory in a C++ new
call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.
Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)
Ensure that the segment is moved into the appropriate “bin†for its new amount of free space, so that it will be found by subsequent searches.
Allow VACUUM
to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)
If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX
will fix the broken index, but preventing VACUUM
from completing until that is done risks making matters far worse.
Ensure that WrapLimitsVacuumLock
is released after VACUUM
detects invalid data in pg_database
.datfrozenxid
or pg_database
.datminmxid
(Andres Freund)
Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.
Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)
After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held†in the startup process.
Ensure that a newly created, but still empty table is fsync
'ed at the next checkpoint (Heikki Linnakangas)
Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file†errors.
Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)
While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.
Fix missing reinitializations of delay-checkpoint-end flags (suyu.cmj)
This could result in unnecessary delays of checkpoints, or in assertion failures in assert-enabled builds.
Fix overly strict assertion in jsonpath
code (David Rowley)
This assertion failed if a query applied the .type()
operator to a like_regex
result. There was no bug in non-assert builds.
Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)
Fix contrib/fuzzystrmatch
's Soundex difference()
function to handle empty input sanely (Alexander Lakhin, Tom Lane)
An input string containing no alphabetic characters resulted in unpredictable output.
Tighten whitespace checks in contrib/hstore
input (Evan Jones)
In some cases, characters would be falsely recognized as whitespace and hence discarded.
Disallow oversize input arrays with contrib/intarray
's gist__int_ops
index opclass (Ankit Kumar Pandey, Alexander Lakhin)
Previously this code would report a NOTICE
but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.
Avoid useless double decompression of GiST index entries in contrib/intarray
(Konstantin Knizhnik, Matthias van de Meent, Tom Lane)
Ensure that pg_index
.indisreplident
is kept up-to-date in relation cache entries (Shruthi Gowda)
This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.
Silence deprecation warnings when compiling with OpenSSL 3.0.0 or later (Peter Eisentraut)
Release date: 2023-05-11
This release contains a variety of fixes from 12.14. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized†errors at runtime.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type†errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed†confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots†error.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 12.13. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. CVE-2022-41862 or CVE-2022-41862)
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type†error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction†log message.
Prevent “wrong tuple length†failure at the end of VACUUM
(Ashwin Agrawal, Junfeng Yang)
This occurred if VACUUM
needed to update the current database's datfrozenxid
value and the database has so many granted privileges that its datacl
value has been pushed out-of-line.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query†errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed†bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock†panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix faulty assertion in contrib/postgres_fdw
(Etsuro Fujita)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
In contrib/sepgsql
, avoid deprecation warnings with recent libselinux (Michael Paquier)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched†errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 12.12. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Avoid rare PANIC during updates occurring concurrently with VACUUM
(Tom Lane, Jeff Davis)
If a concurrent VACUUM
sets the all-visible flag bit in a page that UPDATE
or DELETE
is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix VACUUM
to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type†errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Fix resource management bug in saving tuples for AFTER
triggers (Tom Lane)
Given the right circumstances, this manifested as a “tupdesc reference NNNN
is not owned by resource owner†error followed by a PANIC exit.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...)
with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Ãlvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)
If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
Fix type circle
's equality comparator to handle NaNs properly (Ranier Vilela)
If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the planâ€.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list†errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Ãlvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 12.11. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place†tablespaces (Thomas Munro, Michael Paquier, Ãlvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place†tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix forCVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix queries in which a “whole-row variable†references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list†planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to handle recursion correctly for triggers on partitioned tables (Ãlvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist†failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Improve syntax error messages for type jsonpath
(Andrew Dunstan)
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Ãlvaro Herrera)
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit()
, rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT
but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit()
as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain()
except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction()
as a no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so they will not notice any change. Similar remarks apply to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)†instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix possible report of wrong error condition after clone()
failure in pg_upgrade with --clone
option (Justin Pryzby)
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 12.10. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Confine additional operations within “security restricted operation†sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation†protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2022-1552 or CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found†instead.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty†error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshotâ€. This was usually harmless since the next use of that temporary schema would clean up successfully.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Fix “PANIC: xlog flush request is not satisfied†failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Improve logical replication subscriber's error message for an unsupported relation kind (Tom Lane)
v13 and later servers support publishing partitioned tables. Older server versions cannot handle subscribing to such a table, and they gave a very misleading error message: “table XYZ not found on publisherâ€. Arrange to deliver a more on-point message.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy()
function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy()
would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput()
returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult
object, which is a much cleaner behavior for most applications.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space†contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 12.9. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you have applied REINDEX CONCURRENTLY
to a TOAST table's index, or observe failures to access TOAST datums, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 12.9, see Version 12.9.
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY
(Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY
tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE
locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Ãlvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXidsâ€. The replica would retry, but could never get past that error.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX
(Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Fix display of cert
authentication method's options in pg_hba_file_rules
view (Magnus Hagander)
The cert
authentication method implies clientcert=verify-full
, but the pg_hba_file_rules
view incorrectly reported clientcert=verify-ca
.
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*â€, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix pg_dump's --inserts
and --column-inserts
modes to handle tables containing both generated columns and dropped columns (Tom Lane)
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 12.8. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 12.6, see Version 12.6.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable toCVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Ãlvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4
and float8
hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8
is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE
, when wal_level
= minimal
(Noah Misch)
If the server crashed between CREATE TABLESPACE
and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY
into a just-created table). Such optimizations are applied only when wal_level
is minimal
, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Ãlvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES
publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1
is of type numeric(18,3)
, the parser used to simply discard a cast like f1::numeric
, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric
, not numeric(18,3)
. This is important for correctly resolving the type of larger constructs, such as recursive UNION
s.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val
failed if the array's elements were domains rather than plain composites.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane)
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0}
(Tom Lane)
Regular expressions like (.){0}...\1
drew “invalid backreference numberâ€. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE
applied to a time with time zone
value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Fix mistranslation of PlaceHolderVars to inheritance child relations (Tom Lane)
This error could result in assertion failures, or in mis-planning of queries having partitioned or inherited tables on the nullable side of an outer join.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT
immediately followed by a BEGIN ... EXCEPTION
block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Refuse to rewind a cursor marked NO SCROLL
if it has been held over from a previous transaction due to the WITH HOLD
option (Tom Lane)
We have long forbidden fetching backwards from a NO SCROLL
cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD
cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD
rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra)
The code typically produced “cache lookup error†rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow)
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ
.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot)
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE
heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD
and NEW
pseudo-relations in a rule that uses SELECT FOR UPDATE
(Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER
clauses (Tom Lane)
If the FILTER
expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER
expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Ãlvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME
can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX
.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby)
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Ãlvaro Herrera)
Prevent “snapshot reference leak†warning when lo_export()
or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay
is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h
hash table reaches 2^32 elements (Yura Sokolov)
It seems unlikely that this bug has been hit in practice, as it would require work_mem
settings of hundreds of gigabytes for existing uses of simplehash.h
.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Disallow setting huge_pages
to on
when shared_memory_type
is sysv
(Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix ecpg to recover correctly after malloc()
failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL
statement (Tom Lane)
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT
out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN
, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH
bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type()
(Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Fix failure of contrib/btree_gin
indexes on "char"
(not char(
) columns, when an indexscan using the n
)<
or <=
operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements
to read its “query texts†file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Fix our pkg-config
files to again support static linking of libpq (Peter Eisentraut)
Make pg_regexec()
robust against an out-of-range search_start
parameter (Tom Lane)
Return REG_NOMATCH
, instead of possibly crashing, when search_start
is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-08-12
This release contains a variety of fixes from 12.7. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.6, see Version 12.6.
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. CVE-2021-3677 or CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issueCVE-2021-3449 or CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT
or ROLLBACK
within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT
/ROLLBACK
would fail with errors like “no known snapshots†or “missing chunk number 0 for toast valueâ€.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portalâ€.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE
(Tom Lane)
This should be disallowed, just as FOR UPDATE
with a plain GROUP BY
is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH
rewrites to just NOTIFY
(Tom Lane)
Such cases previously crashed.
In numeric
multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric
values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char()
with EEEE
format and a numeric
input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint)
to round negative values consistently with the way it rounds positive ones (and consistently with the numeric
version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0)
return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION
lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP
to occur concurrently with DROP EXTENSION
, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION
to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Ãlvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY
(Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv
and newdata
.
Fix PREPARE TRANSACTION
to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION
.
Fix misbehavior of DROP OWNED BY
when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY
(Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY
.
Disallow whole-row variables in GENERATED
expressions (Tom Lane)
Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.
Fix usage of tableoid
in GENERATED
expressions (Tom Lane)
Some code paths failed to provide a valid value for this system column while evaluating a GENERATED
expression.
Don't store a “fast default†when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE
commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN
or ALTER DOMAIN
appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity
(Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings
.pending_restart
show as true when the pertinent entry in postgresql.conf
has been removed (Ãlvaro Herrera)
pending_restart
correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)
SELECT FOR UPDATE
and related commands would fail with assertion failures or “could not find junk column†errors in such cases.
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE
(Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Ãlvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO
clause specified STRICT
, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric
value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent ofCVE-2006-2313 or CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Ãlvaro Herrera)
Avoid “invalid creation date in header†warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID
value (Bertrand Drouvot)
Previously, the new installation's oldestXID
was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age
could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE
commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
Fix contrib/postgres_fdw
to work usefully with generated columns (Etsuro Fujita)
postgres_fdw
will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA
will now import generated columns that way by default.
In contrib/postgres_fdw
, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run†mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED
record (Simon Riggs)
Improve ALTER TABLE
's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative†values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r
library (Adrian Ho, Tom Lane)
If there is no libldap_r
library, we now silently assume that libldap
is thread-safe.
Add new make targets world-bin
and install-world-bin
(Andrew Dunstan)
These are the same as world
and install-world
respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck
) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport
in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
Release date: 2021-05-13
This release contains a variety of fixes from 12.6. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.6, see Version 12.6.
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. CVE-2021-32027 or CVE-2021-32027)
Fix mishandling of “junk†columns in INSERT ... ON CONFLICT ... UPDATE
target lists (Tom Lane)
If the UPDATE
list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE
path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. CVE-2021-32028 or CVE-2021-32028)
Fix possibly-incorrect computation of UPDATE ... RETURNING
outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)
If an UPDATE
for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING
results for that row could produce errors or wrong answers. No error is observed unless the UPDATE
involves other tables being joined to the target table. CVE-2021-32029 or CVE-2021-32029)
Fix adjustment of constraint deferrability properties in partitioned tables (Ãlvaro Herrera)
When applied to a foreign-key constraint of a partitioned table, ALTER TABLE ... ALTER CONSTRAINT
failed to adjust the DEFERRABLE
and/or INITIALLY DEFERRED
markings of the constraints and triggers of leaf partitions. This led to unexpected behavior of such constraints. After updating to this version, any misbehaving partitioned tables can be fixed by executing a new ALTER
command to set the desired properties.
This change also disallows applying such an ALTER
directly to the constraints of leaf partitions. The only supported case is for the whole partitioning hierarchy to have identical constraint properties, so such ALTER
s must be applied at the partition root.
When attaching a child table with ALTER TABLE ... INHERIT
, insist that any generated columns in the parent be generated the same way in the child (Peter Eisentraut)
Forbid marking an identity column as nullable (Vik Fearing)
GENERATED ... AS IDENTITY
implies NOT NULL
, so don't allow it to be combined with an explicit NULL
specification.
Allow ALTER ROLE/DATABASE ... SET
to set the role
, session_authorization
, and temp_buffers
parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
Ensure that REINDEX CONCURRENTLY
preserves any statistics target that's been set for the index (Michael Paquier)
Fix COMMIT AND CHAIN
to work correctly when the current transaction has live savepoints (Fujii Masao)
Fix bug with coercing the result of a COLLATE
expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE
appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE
has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
Fix use-after-free bug in saving tuples for AFTER
triggers (Amit Langote)
This could cause crashes in some situations.
Disallow calling window functions and procedures via the “fast path†wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
Extend pg_identify_object_as_address()
to support event triggers (Joel Jacobson)
Fix to_char()
's handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
Check that the argument of pg_import_system_collations()
is a valid schema OID (Tom Lane)
Fix use of uninitialized value while parsing an \{
quantifier in a BRE-mode regular expression (Tom Lane)m
,n
\}
This error could cause the quantifier to act non-greedy, that is behave like an {
quantifier would do in full regular expressions.m
,n
}?
Don't ignore system columns when estimating the number of groups using extended statistics (Tomas Vondra)
This led to strange estimates for queries such as SELECT ... GROUP BY a, b, ctid
.
Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN
selectivity value, causing assertion failures or strange planner behavior.
Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to “could not open file†errors.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL (Soumyadeep Chakraborty, Jimmy Yih, Kevin Yeap)
This error could lead to subsequent WAL records being written under the wrong timeline ID, leading to consistency problems, or even complete failure to be able to restart the server, later on.
Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
Fix crash when a logical replication worker does ALTER SUBSCRIPTION REFRESH
(Peter Smith)
The core code won't do this, but a replica trigger could.
Ensure we default to wal_sync_method
= fdatasync
on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync
, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
Pass the correct trigger OID to object post-alter hooks during ALTER CONSTRAINT
(Ãlvaro Herrera)
When updating trigger properties during ALTER CONSTRAINT
, the post-alter hook was told that we are updating a trigger, but the constraint's OID was passed instead of the trigger's.
Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
Fix memory leak while initializing server's SSL parameters (Michael Paquier)
This is ordinarily insignificant, but if the postmaster is repeatedly sent SIGHUP signals, the leak can build up over time.
Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
Fix failure when a PL/pgSQL DO
block makes use of both composite-type variables and transaction control (Tom Lane)
Previously, such cases led to errors about leaked tuple descriptors.
Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
When initdb prints instructions about how to start the server, make the path shown for pg_ctl use backslash separators on Windows (Nitin Jadhav)
Fix psql to restore the previous behavior of \connect service=
(Tom Lane)something
A previous bug fix caused environment variables (such as PGPORT
) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
Fix psql's ON_ERROR_ROLLBACK
feature to handle COMMIT AND CHAIN
commands correctly (Arthur Nascimento)
Previously, this case failed with “savepoint "pg_psql_temporary_savepoint" does not existâ€.
Fix race condition in detection of file modification by psql's \e
and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
Fix pg_dump's dumping of generated columns in partitioned tables (Peter Eisentraut)
A fix introduced in the previous minor release should not be applied to partitioned tables, only traditionally-inherited tables.
Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
Fix incorrect progress-reporting calculation in pg_checksums (Shinya Kato)
Fix pg_waldump to count XACT
records correctly when generating per-record statistics (Kyotaro Horiguchi)
Fix contrib/amcheck
to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY
and HEAP_KEYS_UPDATED
both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE
.
Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
Release date: 2021-02-11
This release contains a variety of fixes from 12.5. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, see the second and third changelog items below, which describe cases in which reindexing indexes after the upgrade may be advisable.
Also, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE
command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT
privilege on. CVE-2021-3393 or CVE-2021-3393)
Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)
Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.
Fix CREATE INDEX CONCURRENTLY
to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY
waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid crash when a CALL
or DO
statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)
In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.
Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)
If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.
Avoid incorrect results when WHERE CURRENT OF
is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY
is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF
is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's mishandling of placeholders whose evaluation should be delayed by an outer join (Tom Lane)
This occurs in particular with trivial subqueries containing lateral references to outer-join outputs. The mistake could result in a malformed plan. The known cases trigger a “failed to assign all NestLoopParams to plan nodes†error, but other symptoms may be possible.
Fix planner's handling of placeholders during removal of useless RESULT RTEs (Tom Lane)
This oversight could lead to “no relation entry for relid N
†planner errors.
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N
-way joins†planner errors.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Adjust settings to make it more difficult to run out of DSM slots during heavy usage of parallel queries (Thomas Munro)
Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)
Fix ALTER DEFAULT PRIVILEGES
to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self†errors or unique-constraint violations.
Flush ACL-related caches when pg_authid
changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT
.
Prevent misprocessing of ambiguous CREATE TABLE LIKE
clauses (Tom Lane)
A LIKE
clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE
target.
Rearrange order of operations in CREATE TABLE LIKE
so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE
depends on an index that's coming from the LIKE
clause.
Disallow CREATE STATISTICS
on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Ãlvaro Herrera)
Previously this was allowed, but subsequent operations on the partitioned relation would fail.
Fix progress reporting for CLUSTER
(Matthias van de Meent)
Fix handling of backslash-escaped multibyte characters in COPY FROM
(Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN
without ANALYZE
(Alexey Bashtanov)
Fix recently-introduced race conditions in LISTEN
/NOTIFY
queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
The queue tail pointer could become set to a value that's not equal to the queue position of any backend, resulting in effective disabling of the queue truncation logic. Continued use of NOTIFY
then led to queue-fill warnings, and eventually to inability to send any more notifies until the server is restarted.
Allow the jsonb
concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a *
quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *?
quantifier would do in full regular expressions.
Fix numeric power()
for the case where the exponent is exactly INT_MIN
(-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Fix integer-overflow cases in substring()
functions (Tom Lane, Pavel Stehule)
If the specified starting index and length overflow an integer when added together, substring()
misbehaved, either throwing a bogus “negative substring length†error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound†or “could not access status of transaction†errors.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Fix possible failure to detect recovery conflicts while deleting an index entry that references a HOT chain (Peter Geoghegan)
The code failed to traverse the HOT chain and might thus compute a too-old XID horizon, which could lead to incorrect conflict processing in hot standby. The practical impact of this bug is limited; in most cases the correct XID horizon would be found anyway from nearby operations.
Ensure that a nonempty value of krb_server_keyfile
always overrides any setting of KRB5_KTNAME
in the server's environment (Tom Lane)
Previously, which setting took precedence depended on whether the client requests GSS encryption.
In server log messages about failing to match connections to pg_hba.conf
entries, include details about whether GSS encryption has been activated (Kyotaro Horiguchi, Tom Lane)
This is relevant data if hostgssenc
or hostnogssenc
entries exist.
Fix assorted issues in server's support for GSS encryption (Tom Lane)
Remove pointless restriction that only GSS authentication can be used on a GSS-encrypted connection. Add GSS encryption information to connection-authorized log messages. Include GSS-related space when computing the required size of shared memory (this omission could have caused problems with very high max_connections
settings). Avoid possible infinite recursion when reporting an unrecoverable GSS encryption error.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart†or “fast†shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid
values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul()
, causing misbehavior on platforms where long
is 32 bits (such as Windows).
Avoid trying to use parallel index build in a standalone backend (Yulin Pei)
Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)
Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)
No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.
Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM
option (Tom Lane)
Fix data structure misallocation in PL/pgSQL's CALL
statement (Tom Lane)
A CALL
in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT
or ROLLBACK
.
In libpq, do not skip trying SSL after GSS encryption (Tom Lane)
If we successfully made a GSS-encrypted connection, but then failed during authentication, we would fall back to an unencrypted connection rather than next trying an SSL-encrypted connection. This could lead to unexpected connection failure, or to silently getting an unencrypted connection where an encrypted one is expected. Fortunately, GSS encryption could only succeed if both client and server hold valid tickets in the same Kerberos infrastructure. It seems unlikely for that to be true in an environment that requires SSL encryption instead.
In psql, re-allow including a password in a connection_string
argument of a \connect
command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
In psql's \d
commands, don't truncate the display of column default values (Tom Lane)
Formerly, they were arbitrarily truncated at 128 characters.
Fix assorted bugs in psql's \help
command (Kyotaro Horiguchi, Tom Lane)
\help
with two argument words failed to find a command description using only the first word, for example \help reset all
should show the help for RESET
but did not. Also, \help
often failed to invoke the pager when it should. It also leaked memory.
Fix pg_dump's dumping of inherited generated columns (Peter Eisentraut)
The previous behavior resulted in (harmless) errors during restore.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE
commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION
commands as the owner of the partitioned index (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION
in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)
This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34
.
Report the correct database name in connection failure error messages from some client programs (Ãlvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain
(Japin Li)
Memory consumed while producing the EXPLAIN
output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements
enabled.
In contrib/postgres_fdw
, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
In contrib/pgcrypto
, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
Make contrib/pg_prewarm
more robust when the cluster is shut down before prewarming is complete (Tom Lane)
Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.
In contrib/pg_trgm
's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm
and contrib/postgres_fdw
(Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm
's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw
overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT
on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot
in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)
Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)
No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.
Fix compile failure with ICU 68 and later (Tom Lane)
Avoid memcpy()
with a NULL source pointer and zero count during partitioned index creation (Ãlvaro Herrera)
While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy()
are never NULL, which could result in incorrect optimization of nearby code.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 12.4. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation†sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. CVE-2020-25695 or CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d
parameter of pg_dump and pg_restore, or the --maintenance-db
parameter of the other programs mentioned, can be a “connection string†containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. CVE-2020-25694 or CVE-2020-25694)
When psql's \connect
command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. CVE-2020-25694 or CVE-2020-25694)
Prevent psql's \gset
command from modifying specially-treated variables (Noah Misch)
\gset
without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1
, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. CVE-2020-25696 or CVE-2020-25696)
Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch)
This rare problem would manifest in later “apparent wraparound†or “could not access status of transaction†errors.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE
for users with the BYPASSRLS
attribute (Tom Lane, Stephen Frost)
The BYPASSRLS
attribute is only allowed to be changed by superusers, but other ALTER ROLE
operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER
does not recurse to child tables (Ãlvaro Herrera)
Previously the ONLY
flag was ignored.
Avoid unnecessary recursion to partitions in ALTER TABLE SET NOT NULL
, when the target column is already marked NOT NULL
(Tom Lane)
This avoids a potential deadlock in parallel pg_restore.
Fix handling of expressions in CREATE TABLE LIKE
with inheritance (Tom Lane)
If a CREATE TABLE
command uses both LIKE
and traditional inheritance, column references in CHECK
constraints and expression indexes that came from a LIKE
parent table tended to get mis-numbered, resulting in wrong answers and/or bizarre error messages. The same could happen in GENERATED
expressions, in branches that have that feature.
Disallow DROP INDEX CONCURRENTLY
on a partitioned table (Ãlvaro Herrera, Michael Paquier)
This case failed anyway, but with a confusing error message.
Allow LOCK TABLE
to succeed on a self-referential view (Tom Lane)
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
Retain statistics about an index across REINDEX CONCURRENTLY
(Michael Paquier, FabrÃzio de Royes Mello)
Non-concurrent reindexing has always preserved such statistics.
Fix incorrect progress reporting from REINDEX CONCURRENTLY
(Matthias van de Meent, Michael Paquier)
Ensure that GENERATED
columns are updated when the column(s) they depend on are updated via a rule or an updatable view (Tom Lane)
This fix also takes care of possible failure to fire a column-specific trigger in such cases.
Recheck default partition constraints while routing an inserted or updated tuple to the correct partition (Amit Langote, Ãlvaro Herrera)
This fixes race conditions when partitions are added concurrently with the insertion.
Fix failures with collation-dependent partition bound expressions (Tom Lane)
Support hashing of text arrays (Peter Eisentraut)
Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.
Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC†marker to cancel out and produce AD.
Ensure that standby servers will archive WAL timeline history files when archive_mode
is set to always
(Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix “cache lookup failed for relation 0†failures in logical replication workers (Tom Lane)
The real-world impact is small, since the failure is unlikely, and if it does happen the worker would just exit and be restarted.
Prevent logical replication workers from sending redundant ping requests (Tom Lane)
During “smart†shutdown, don't terminate background processes until all client (foreground) sessions are done (Tom Lane)
The previous behavior broke parallel query processing, since the postmaster would terminate parallel workers and refuse to launch any new ones. It also caused autovacuum to cease functioning, which could have dire long-term effects if the surviving client sessions make a lot of data changes.
Avoid recursive consumption of stack space while processing signals in the postmaster (Tom Lane)
Heavy use of parallel processing has been observed to cause postmaster crashes due to too many concurrent signals requesting creation of a parallel worker process.
Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane)
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane)
A “constant†subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane)
Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane)
While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Ãlvaro Herrera)
This oversight could lead to “failed to find parent tuple for heap-only tuple†errors.
Fix failure of parallel B-tree index scans when the index condition is unsatisfiable (James Hunter)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNNâ€. (If you are faced with such an error from an existing index, REINDEX
should be enough to fix it.)
Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Ãlvaro Herrera)
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
Fix rare “lost saved point in index†errors in scans of multicolumn GIN indexes (Tom Lane)
Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov)
Fix unportable use of getnameinfo()
in pg_hba_file_rules
view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address
and netmask
columns were always null due to this error.
Avoid crash if debug_query_string
is NULL when starting a parallel worker (Noah Misch)
Fix use-after-free hazard when an event trigger monitors an ALTER TABLE
operation (Jehan-Guillaume de Rorthais)
Avoid failures when a BEFORE ROW UPDATE
trigger returns the “old†row of a table having dropped or “missing†columns (Amit Langote, Tom Lane)
This method of suppressing an update could result in crashes, unexpected CHECK
constraint failures, or incorrect RETURNING
output, because “missing†columns would read as NULLs for those purposes. (A column is “missing†for this purpose if it was added by ALTER TABLE ADD COLUMN
with a non-NULL, but constant, default value.) Dropped columns could cause trouble as well.
Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes)
Avoid lockup when a parallel worker reports a very long error message (Vignesh C)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)
This has been shown to cause crashes on s390x
, and very possibly there are other cases on other platforms.
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix edge-case memory leak in index_get_partition()
(Justin Pryzby)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Fix memory leaks in PL/pgsql's CALL
processing (Pavel Stehule, Tom Lane)
Make libpq support arbitrary-length lines in .pgpass
files (Tom Lane)
This is mostly useful to allow using very long security tokens as passwords.
In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (FabrÃzio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts
, or underspecified (though usually correct) COPY
commands when using COPY
to reload the tables' data.
Ensure that parallel pg_restore processes foreign keys referencing partitioned tables in the correct order (Ãlvaro Herrera)
Previously, it might try to restore a foreign key constraint before the required indexes were all in place, leading to an error.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto
(Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto
(Daniel Gustafsson)
Fix recently-added timetz
test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat†to “slimâ€. That's just cosmetic for our purposes, as we continue to select the “fat†mode in pre-v13 branches. This change also ensures that strftime()
does not change errno
unless it fails.
Release date: 2020-08-13
This release contains a variety of fixes from 12.3. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Set a secure search_path
in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described inCVE-2018-1058 or CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path
settings. (As withCVE-2018-1058 or CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. CVE-2020-14349 or CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described inCVE-2018-1058 or CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path
used to run an installation script; disable check_function_bodies
within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. CVE-2020-14350 or CVE-2020-14350)
Fix edge cases in partition pruning (Etsuro Fujita, Dmitry Dolgov)
When there are multiple partition key columns, generation of pruning tests could misbehave if some columns had no constraining WHERE
clauses or multiple constraining clauses. This could lead to server crashes, incorrect query results, or assertion failures.
Fix construction of parameterized BitmapAnd and BitmapOr index scans on the inside of partition-wise nestloop joins (Tom Lane)
A plan in which such a scan needed to use a value from the outside of the join would usually crash at execution.
Fix incorrect plan execution when a partitioned table is subject to both static and run-time partition pruning in the same query, and a new partition is added concurrently with the query (Amit Langote, Tom Lane)
In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Ãlvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues.
Fix firing of column-specific UPDATE
triggers in logical replication subscribers (Tom Lane)
The code neglected to account for the possibility of column numbers being different between the publisher and subscriber tables, so that if those were indeed different, wrong decisions might be made about which triggers to fire.
Update oldest xmin and LSN values during pg_replication_slot_advance()
(Michael Paquier)
This function previously failed to do that, possibly preventing resource cleanup (such as removal of no-longer-needed WAL segments) after manual advancement of a replication slot.
Fix slow execution of ts_headline()
(Tom Lane)
The phrase-search fix added in our previous set of minor releases could cause ts_headline()
to take unreasonable amounts of time for long documents; to make matters worse, the query was not cancellable within the troublesome loop.
Ensure the repeat()
function can be interrupted by query cancel (Joe Conway)
Fix pg_current_logfile()
to not include a carriage return (\r
) in its result on Windows (Tom Lane)
Ensure that pg_read_file()
and related functions read until EOF is reached (Joe Conway)
Previously, if not given a specific data length to read, these functions would stop at whatever file length was reported by stat()
. That's unhelpful for pipes and other sorts of virtual files.
Forbid numeric NaN
values in jsonpath
computations (Alexander Korotkov)
Neither SQL nor JSON have the concept of NaN
(not-a-number), but the jsonpath
code attempted to allow such values anyway. This necessarily leads to nonstandard behavior, so it seems better to reject such values at the outset.
Handle single Inf
or NaN
inputs correctly in floating-point aggregates (Tom Lane)
The affected aggregates are corr()
, covar_pop()
, regr_intercept()
, regr_r2()
, regr_slope()
, regr_sxx()
, regr_sxy()
, regr_syy()
, stddev_pop()
, and var_pop()
. The correct answer in such cases is NaN
, but an algorithmic change introduced in PostgreSQL v12 had caused these aggregates to produce zero instead.
Fix mis-handling of NaN
inputs during parallel aggregation on numeric
-type columns (Tom Lane)
If some partial aggregation workers found only NaN
s while others found only non-NaN
s, the results were combined incorrectly, possibly leading to the wrong overall result (i.e., not NaN
when it should be).
Reject time-of-day values greater than 24 hours (Tom Lane)
The intention of the datetime input code is to allow “24:00:00†or equivalently “23:59:60â€, but no larger value. However, the range check was miscoded so that it would accept “23:59:60.nnn
†with nonzero fractional-second nnn
. In timestamp values this would result in wrapping into the first second of the next day. In time
and timetz
values, the stored value would actually be more than 24 hours, causing dump/reload failures and possibly other misbehavior.
Undo double-quoting of index names in EXPLAIN
's non-text output formats (Tom Lane, Euler Taveira)
Fix EXPLAIN
's accounting for resource usage, particularly buffer accesses, in parallel workers in a plan using Gather Merge
nodes (Jehan-Guillaume de Rorthais)
Fix timing of constraint revalidation in ALTER TABLE
(David Rowley)
If ALTER TABLE
needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK
constraints, it sometimes did things in the wrong order, leading to odd errors such as “could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytesâ€.
Fix REINDEX CONCURRENTLY
to preserve the index's replication identity flag (Michael Paquier)
Previously, reindexing a table's replica identity index caused the setting to be lost, preventing old tuple values from being included in future logical-decoding output.
Work around incorrect not-null markings for pg_subscription
.subslotname
and pg_subscription_rel
.srsublsn
(Tom Lane)
The bootstrap catalog data incorrectly marks these two catalog columns as always non-null. There's no easy way to correct that mistake in existing installations (though v13 and later will have the correct markings). The main place that depends on that marking being correct is JIT-enabled tuple deconstruction, so teach it to explicitly ignore the marking for these two columns. Also adjust some C code that accessed srsublsn
without checking to see if it's null; a crash from that is improbable but perhaps not impossible.
Cope with LATERAL
references in restriction clauses attached to an un-flattened sub-SELECT
in the FROM
clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution.
Use the query-specified collation for operators invoked during selectivity estimation (Tom Lane)
Previously, the collation of the underlying database column was used. But using the query's collation is arguably more correct. More importantly, now that we have nondeterministic collations, there are cases where an operator will fail outright if given a nondeterministic collation. We don't want planning to fail in cases where the query itself would work, so this means that we must use the query's collation when invoking operators for estimation purposes.
Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY
.
Remove bogus warning about “leftover placeholder tuple†in BRIN index de-summarization (Ãlvaro Herrera)
The case can occur legitimately after a cancelled vacuum, so warning about it is overly noisy.
Fix selection of tablespaces for “shared fileset†temporary files (Magnus Hagander, Tom Lane)
If temp_tablespaces
is empty or explicitly names the database's primary tablespace, such files got placed into the pg_default
tablespace rather than the database's primary tablespace as expected.
Fix corner-case error in masking of SP-GiST index pages during WAL consistency checking (Alexander Korotkov)
This could cause false failure reports when wal_consistency_checking
is enabled.
Improve error handling in the server's buffile
module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate.
Fix conflict-checking anomalies in SERIALIZABLE
isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error.
Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints
is on.
Fix checkpointer process to discard file sync requests when fsync
is off (Heikki Linnakangas)
Such requests are treated as no-ops if fsync
is off, but we forgot to remove them from the checkpointer's table of pending actions. This would lead to bloat of that table, as well as possible assertion failures if fsync
is later re-enabled.
Avoid trouble during cleanup of a non-exclusive backup when JIT compilation has been activated during the backup (Robert Haas)
Fix failure of some code paths to acquire the correct lock before modifying pg_control
(Nathan Bossart, Fujii Masao)
This oversight could allow pg_control
to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control
update.
Fix errors in currtid()
and currtid2()
(Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as “could not open file†when applied to a relation having no storage.
Avoid calling elog()
or palloc()
while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock.
Fix assertion in logical replication subscriber to allow use of REPLICA IDENTITY FULL
(Euler Taveira)
This was just an incorrect assertion, so it has no impact on standard production builds.
Ensure that libpq continues to try to read from the database connection socket after a write failure (Tom Lane)
This is important not only to ensure that we collect any final error message from a dying server process, but because we do not consider the connection lost until we see a read failure. This oversight allowed libpq to continue trying to send COPY
data indefinitely after a mid-transfer loss of connection, rather than reporting failure to the application.
Fix bugs in libpq's management of GSS encryption state (Tom Lane)
A connection using GSS encryption could freeze up when attempting to reset it after a server restart, or when moving on to the next one of a list of candidate servers.
Fix ecpg crash with bytea
and cursor variables (Jehan-Guillaume de Rorthais)
Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Ãlvaro Herrera)
Some code paths could produce silly reports like “could not write file: Successâ€.
Make pg_restore cope with data-offset-less custom-format archive files when it needs to restore data items out of order (David Gilman, Tom Lane)
pg_dump will produce such files if it cannot seek its output (for example, if the output is piped to something). This fix primarily improves the ability to do a parallel restore from such a file.
Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to “tuple concurrently updated†errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur.
Ensure that pg_upgrade runs with vacuum_defer_cleanup_age
set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age
to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade.
Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume.
Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat()
.
Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage.
Fix contrib/amcheck
to not complain about deleted index pages that are empty (Alexander Korotkov)
This state of affairs is normal during WAL replay.
Fix failure to initialize local state correctly in contrib/dblink
(Joe Conway)
With the right combination of circumstances, this could lead to dblink_close()
issuing an unexpected remote COMMIT
.
Fix contrib/pgcrypto
's misuse of deflate()
(Tom Lane)
The pgp_sym_encrypt
functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation.
Fix corner case in decompression logic in contrib/pgcrypto
's pgp_sym_decrypt
functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data.
Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José SantamarÃa Flecha, Davinder Singh, Amit Kapila)
Avoid possible failure of our MSVC install script when there is a file named configure
several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure
to identify the top level of the source tree.
Release date: 2020-05-14
This release contains a variety of fixes from 12.2. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Fix possible failure with GENERATED
columns (David Rowley)
If a GENERATED
column's value is an exact copy of another column of the table (and it is a pass-by-reference data type), it was possible to crash or insert corrupted data into the table. While it would be rather pointless for a GENERATED
expression to just duplicate another column, an expression using a function that sometimes returns its input unchanged could create the situation.
Handle inheritance of generated columns better (Peter Eisentraut)
When a table column is inherited during CREATE TABLE ... INHERITS
, disallow changing any generation properties when the parent column is already marked GENERATED
; but allow a child column to be marked GENERATED
when its parent is not.
Fix cross-column references in CREATE TABLE LIKE INCLUDING GENERATED
(Peter Eisentraut)
CREATE TABLE ... LIKE
failed when trying to copy a GENERATED
expression that references a physically-later column.
Propagate ALTER TABLE ... SET STORAGE
to indexes (Peter Eisentraut)
Non-expression index columns have always copied the attstorage
property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE
is done, to maintain consistency.
Preserve the indisclustered
setting of indexes rewritten by ALTER TABLE
(Amit Langote, Justin Pryzby)
Previously, ALTER TABLE
lost track of which index had been used for CLUSTER
.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE
(Quan Zongliang, Peter Eisentraut)
Preserve the indisclustered
setting of indexes rebuilt by REINDEX CONCURRENTLY
(Justin Pryzby)
Lock objects sooner during DROP OWNED BY
(Ãlvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same objects.
Fix error-case processing for CREATE ROLE ... IN ROLE
(Andrew Gierth)
Some error cases would be reported as “unexpected node type†or the like, instead of the intended message.
Ensure that when a partition is detached, any triggers cloned from its formerly-parent table are removed (Justin Pryzby)
Fix crash when COLLATE
is applied to a non-collatable type in a partition bound expression (Dmitry Dolgov)
Ensure that unique indexes over partitioned tables match the equality semantics of the partitioning key (Guancheng Luo)
This would only be an issue with index opclasses that have unusual notions of equality, but it's wrong in theory, so check.
Ensure that members of the pg_read_all_stats
role can read all statistics views, as expected (Magnus Hagander)
The functions underlying the pg_stat_progress_*
views had not gotten this memo.
Repair performance regression in information_schema
.triggers
view (Tom Lane)
This patch redefines that view so that an outer WHERE
clause constraining the table name can be pushed down into the view, allowing its calculations to be done only for triggers belonging to the table of interest rather than all triggers in the database. In a database with many triggers this would make a significant speed difference for queries of that form. Since things worked that way before v11, this is a potential performance regression. Users who find this to be a problem can fix it by replacing the view definition (or, perhaps, just deleting and reinstalling the whole information_schema
schema).
Repair performance regression in floating point overflow/underflow detection (Emre Hasegeli)
Previous refactoring had resulted in isinf()
being called extra times in some hot code paths.
Fix full text search to handle NOT above a phrase search correctly (Tom Lane)
Queries such as !(foo<->bar)
failed to find matching rows when implemented as a GiST or GIN index search.
Fix full text search for cases where a phrase search includes an item with both prefix matching and a weight restriction (Tom Lane)
Fix ts_headline()
to make better headline selections when working with phrase queries (Tom Lane)
Fix bugs in gin_fuzzy_search_limit
processing (Adé Heyward, Tom Lane)
A small value of gin_fuzzy_search_limit
could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
Allow input of type circle
to accept the format “(
†as the documentation says it does (David Zhang)x
,y
),r
Make the get_bit()
and set_bit()
functions cope with bytea
strings longer than 256MB (Movead Li)
Since the bit number argument is only int4
, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea
. We'll widen the argument to int8
in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea
.
Ignore file-not-found errors in pg_ls_waldir()
and allied functions (Tom Lane)
This prevents a race condition failure if a file is removed between when we see its directory entry and when we attempt to stat()
it.
Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir()
, pg_timezone_names()
, pg_tablespace_databases()
, and allied functions (Justin Pryzby)
Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray
output when given only an anyrange
input (Tom Lane)
Fix server's connection-startup logic for case where a GSSAPI connection is rejected because support is not compiled in, and the client then tries SSL instead (Andrew Gierth)
This led to a bogus “unsupported frontend protocol†failure.
Fix memory leakage during GSSAPI encryption (Tom Lane)
Both the backend and libpq would leak memory equivalent to the total amount of data sent during the session, if GSSAPI encryption is in use.
Fix query-lifespan memory leak for a set-returning function used in a query's FROM
clause (Andres Freund)
Avoid leakage of a hashed subplan's hash tables across multiple executions (Andreas Karlsson, Tom Lane)
This mistake could result in severe memory bloat if a query re-executed a hashed subplan enough times.
Improve planner's handling of no-op domain coercions (Tom Lane)
Fix some cases where a domain coercion that does nothing was not completely removed from expressions.
Avoid unlikely crash when REINDEX
is terminated by a session-shutdown signal (Tom Lane)
Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN
(Konstantin Knizhnik, Tom Lane, Thomas Munro)
Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE
(Tatsuhito Kasahara)
Fix possible undercounting of deleted B-tree index pages in VACUUM VERBOSE
output (Peter Geoghegan)
Fix wrong bookkeeping for oldest deleted page in a B-tree index (Peter Geoghegan)
This could cause subtly wrong decisions about when VACUUM
can skip an index cleanup scan; although it appears there may be no significant user-visible effects from that.
Ensure that TimelineHistoryRead and TimelineHistoryWrite wait states are reported in all code paths that read or write timeline history files (Masahiro Ikeda)
Avoid possibly showing “waiting†twice in a process's PS status (Masahiko Sawada)
Avoid race condition when ANALYZE
replaces the catalog tuple for extended statistics data (Dean Rasheed)
Remove ill-considered skip of “redundant†anti-wraparound vacuums (Michael Paquier)
This avoids a corner case where autovacuum could get into a loop of repeatedly trying and then skipping the same vacuum job.
Ensure INCLUDE'd columns are always removed from B-tree pivot tuples (Peter Geoghegan)
This mistake wasted space in some rare cases, but was otherwise harmless.
Cope with invalid TOAST indexes that could be left over after a failed REINDEX CONCURRENTLY
(Julien Rouhaud)
Ensure that valid index dependencies are left behind after a failed REINDEX CONCURRENTLY
(Michael Paquier)
Previously the old index could be left with no pg_depend
links at all, so that for example it would not get dropped if the parent table is dropped.
Avoid failure if autovacuum tries to access a just-dropped temporary schema (Tom Lane)
This hazard only arises if a superuser manually drops a temporary schema; which isn't normal practice, but should work.
Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais)
WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi)
This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
Remove bogus “subtransaction logged without previous top-level txn record†error check in logical decoding (Arseny Sher, Amit Kapila)
This condition is legitimately reachable in various scenarios, so remove the check.
Avoid possible failure after a replication slot copy, due to premature removal of WAL data (Masahiko Sawada, Arseny Sher)
Ensure that a replication slot's io_in_progress_lock
is released in failure code paths (Pavan Deolasee)
This could result in a walsender later becoming stuck waiting for the lock.
Ensure that generated columns are correctly handled during updates issued by logical replication (Peter Eisentraut)
Fix race conditions in synchronous standby management (Tom Lane)
During a change in the synchronous_standby_names
setting, there was a window in which wrong decisions could be made about whether it is OK to release transactions that are waiting for synchronous commit. Another hazard for similarly wrong decisions existed if a walsender process exited and was immediately replaced by another.
Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
Fix memory leak in libpq when using sslmode=verify-full
(Roman Peshkurov)
Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
Fix ecpg to treat an argument of just “-
†as meaning “read from stdin†on all platforms (Tom Lane)
Fix crash in psql when attempting to re-establish a failed connection (Michael Paquier)
Allow tab-completion of the filename argument to psql's \gx
command (Vik Fearing)
Add pg_dump support for ALTER ... DEPENDS ON EXTENSION
(Ãlvaro Herrera)
pg_dump previously ignored dependencies added this way, causing them to be forgotten during dump/restore or pg_upgrade.
Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
In pg_dump, postpone restore of event triggers till the end (FabrÃzio de Royes Mello, Hamid Akhtar, Tom Lane)
This minimizes the risk that an event trigger could interfere with the restoration of other objects.
Ensure that pg_basebackup generates valid tar files (Robert Haas)
In some cases a partial block of zeroes would be added to the end of the file. While this seems to be harmless with common versions of tar, it's not OK per the POSIX file format spec.
Make pg_checksums skip tablespace subdirectories that belong to a different PostgreSQL major version (Michael Banck, Bernd Helmle)
Such subdirectories don't really belong to our database cluster, and so must not be processed.
Ignore temporary copies of pg_internal.init
in pg_checksums and related programs (Michael Paquier)
Fix quoting of --encoding
, --lc-ctype
and --lc-collate
values in createdb utility (Michael Paquier)
contrib/lo
's lo_manage()
function crashed if called directly rather than as a trigger (Tom Lane)
In contrib/ltree
, protect against overflow of ltree
and lquery
length fields (Nikita Glukhov)
Work around failure in contrib/pageinspect
's bt_metap()
function when an oldest_xact value exceeds 2^31-1 (Peter Geoghegan)
Such XIDs will now be reported as negative integers, which isn't great but it beats throwing an error. v13 will widen the output argument to int8
to provide saner reporting.
Fix cache reference leak in contrib/sepgsql
(Michael Luo)
On Windows, avoid premature creation of postmaster's log file during pg_ctl start
(Alexander Lakhin)
The previous coding could allow the file to be created with permissions that wouldn't allow the postmaster to write on it.
Avoid failures when dealing with Unix-style locale names on Windows (Juan José SantamarÃa Flecha)
On Windows, set console VT100 compatibility mode in programs that support PG_COLOR
colorization (Juan José SantamarÃa Flecha)
Without this, the colorization option doesn't actually work.
Stop requiring extra parentheses in ereport()
calls (Andres Freund, Tom Lane)
Use pkg-config, if available, to locate libxml2 during configure (Hugh McMaster, Tom Lane, Peter Eisentraut)
If pkg-config is not present or lacks knowledge of libxml2, we still query xml2-config as before.
This change could break build processes that try to make PostgreSQL use a non-default version of libxml2 by putting that version's xml2-config into the PATH
. Instead, set XML2_CONFIG
to point to the non-default xml2-config. That method will work with either older or newer PostgreSQL releases.
Fix Makefile dependencies for libpq and ecpg (Dagfinn Ilmari Mannsåker)
In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
In MSVC builds, use -Wno-deprecated
with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan)
Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai.
The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link.
Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.
Release date: 2020-02-13
This release contains a variety of fixes from 12.1. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you have any foreign key constraints referencing partitioned tables, see the two entries below about bugs in that feature.
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION
(Ãlvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). CVE-2020-1720 or CVE-2020-1720)
Fix TRUNCATE ... CASCADE
to ensure all relevant partitions are truncated (Jehan-Guillaume de Rorthais)
If a partition of a partitioned table is truncated with the CASCADE
option, and the partitioned table has a foreign-key reference from another table, that table must also be truncated. The need to check this was missed if the referencing table was itself partitioned, possibly allowing rows to survive that violate the foreign-key constraint.
Hence, if you have foreign key constraints between partitioned tables, and you have done any partition-level TRUNCATE
on the referenced table, you should check to see if any foreign key violations exist. The simplest way is to add a new instance of the foreign key constraint (and, once that succeeds, drop it or the original constraint). That may be prohibitive from a locking standpoint, however, in which case you might prefer to manually query for unmatched rows.
Fix failure to attach foreign key constraints to sub-partitions (Jehan-Guillaume de Rorthais)
When adding a partition to a level below the first level of a multi-level partitioned table, foreign key constraints referencing the top partitioned table were not cloned to the new partition, leading to possible constraint violations later. Detaching and re-attaching the new partition is the cheapest way to fix this. However, if there are many partitions to be fixed, adding a new instance of the foreign key constraint might be preferable.
Fix possible crash during concurrent update on a partitioned table or inheritance tree (Tom Lane)
Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appropriate (Ãlvaro Herrera)
User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.
Fix logical replication subscriber code to execute per-column UPDATE
triggers when appropriate (Peter Eisentraut)
Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
Fix possible crash or data corruption when a logical replication subscriber processes a row update (Tom Lane, Tomas Vondra)
This bug caused visible problems only if the subscriber's table contained columns that were not being copied from the publisher and had pass-by-reference data types.
Fix crash in logical replication subscriber after DDL changes on a subscribed relation (Jehan-Guillaume de Rorthais, Vignesh C)
Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
Ensure that the effect of pg_replication_slot_advance()
on a physical replication slot will persist across restarts (Alexey Kondratov, Michael Paquier)
Improve efficiency of logical replication with REPLICA IDENTITY FULL
(Konstantin Knizhnik)
When searching for an existing tuple during an update or delete operation, return the first matching tuple not the last one.
Fix base backup to handle database OIDs larger than INT32_MAX
(Peter Eisentraut)
Ensure parallel plans are always shut down at the correct time (Kyotaro Horiguchi)
This oversight is known to result in “temporary file leak†warnings from multi-batch parallel hash joins.
Prevent premature shutdown of a Gather or GatherMerge plan node that is underneath a Limit node (Amit Kapila)
This avoids failure if such a plan node needs to be scanned more than once, as for instance if it is on the inside of a nestloop.
Improve efficiency of parallel hash join on CPUs with many cores (Gang Deng, Thomas Munro)
Avoid crash in parallel CREATE INDEX
when there are no free dynamic shared memory slots (Thomas Munro)
Fall back to a non-parallel index build, instead.
Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
Ignore the CONCURRENTLY
option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT
action. There is no benefit in using CONCURRENTLY
for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS
(Tom Lane)
Fix possible crash in BRIN index operations with box
, range
and inet
data types (Heikki Linnakangas)
Fix crash during recursive page split in GiST index build (Heikki Linnakangas)
Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
Fix possible crash with a SubPlan (sub-SELECT
) within a multi-row VALUES
list (Tom Lane)
Fix failure in ALTER TABLE
when a column referenced in a GENERATED
expression has been added or changed in type earlier in the same ALTER
command (Tom Lane)
Fix failure to insert default values for “missing†attributes during tuple conversion (Vik Fearing, Andrew Gierth)
This could result in values incorrectly reading as NULL, when they come from columns that had been added by ALTER TABLE ADD COLUMN
with a constant default.
Fix unlikely panic in the checkpointer process, caused by opening relation segments that might already have been removed (Thomas Munro)
Fix crash after FileClose() failure (Noah Misch)
This issue could only be observed with data_sync_retry
enabled, since otherwise FileClose() failure would be reported as a PANIC.
Fix handling of multiple AFTER ROW
triggers on a foreign table (Etsuro Fujita)
Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
Improve error reporting in to_date()
and to_timestamp()
(Tom Lane, Ãlvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
Fix off-by-one result for EXTRACT (ISOYEAR FROM
for BC dates (Tom Lane)timestamp
)
Ensure that the <>
operator for type char
reports indeterminate-collation errors as such, rather than as “cache lookup failed for collation 0†(Tom Lane)
Avoid treating TID scans as sequential scans (Tatsuhito Kasahara)
A refactoring oversight caused TID scans (selection by CTID) to be counted as sequential scans in the statistics views, and to take whole-table predicate locks as sequential scans do. The latter behavior could cause unnecessary serialization errors in serializable transaction mode.
Avoid stack overflow in information_schema
views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
Ensure that walsender processes always show NULL for transaction start time in pg_stat_activity
(Ãlvaro Herrera)
Previously, the xact_start
column would sometimes show the process start time.
Improve performance of hash joins with very large inner relations (Thomas Munro)
Reduce spinlock contention when there are many active walsender processes (Pierre Ducroquet)
Fix placement of “Subplans Removed†field in EXPLAIN
output (Daniel Gustafsson, Tom Lane)
In non-text output formats, this field was emitted inside the “Plans†sub-group, resulting in syntactically invalid output. Attach it to the parent Append or MergeAppend plan node as intended. This causes the field to change position in text output format too: if there are any InitPlans attached to the same plan node, “Subplans Removed†will now appear before those.
Fix EXPLAIN
's SETTINGS
option to print as empty in non-text output formats (Tom Lane)
In the non-text output formats, fields are supposed to appear when requested, even if they have empty or zero values.
Allow the planner to apply potentially-leaky tests to child-table statistics, if the user can read the corresponding column of the table that's actually named in the query (Dilip Kumar, Amit Langote)
This change fixes a performance problem for partitioned tables that was created by the fix forCVE-2017-7484 or CVE-2017-7484. That security fix disallowed applying leaky operators to statistics for columns that the current user doesn't have permission to read directly. However, it's somewhat common to grant permissions only on the parent partitioned table and not bother to do so on individual partitions. In such cases, the user can read the column via the parent, so there's no point in this security restriction; it only results in poorer planner estimates than necessary.
Fix planner errors induced by overly-aggressive collapsing of joins to single-row subqueries (Tom Lane)
This mistake led to errors such as “failed to construct the join relationâ€.
Fix “no = operator for opfamily NNNN
†planner error when trying to match a LIKE
or regex pattern-match operator to a binary-compatible index opclass (Tom Lane)
Fix edge-case crashes and misestimations in selectivity calculations for the <@
and @>
range operators (Michael Paquier, Andrey Borodin, Tom Lane)
Fix incorrect estimation for OR
clauses when using most-common-value extended statistics (Tomas Vondra)
Ignore system columns when applying most-common-value extended statistics (Tomas Vondra)
This prevents “negative bitmapset member not allowed†planner errors for affected queries.
Fix BRIN index logic to support hypothetical BRIN indexes (Julien Rouhaud, Heikki Linnakangas)
Previously, if an “index adviser†extension tried to get the planner to produce a plan involving a hypothetical BRIN index, that would fail, because the BRIN cost estimation code would always try to physically access the index's metapage. Now it checks to see if the index is only hypothetical, and uses default assumptions about the index parameters if so.
Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD
rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
Disallow partition key expressions that return pseudo-types, such as record
(Tom Lane)
Fix error reporting for index expressions of prohibited types (Amit Langote)
Fix dumping of views that contain only a VALUES
list to handle cases where a view output column has been renamed (Tom Lane)
Ensure that data types and collations used in XMLTABLE
constructs are accounted for when computing dependencies of a view or rule (Tom Lane)
Previously it was possible to break a view using XMLTABLE
by dropping a type, if the type was not otherwise referenced in the view. This fix does not correct the dependencies already recorded for existing views, only for newly-created ones.
Prevent unwanted downcasing and truncation of RADIUS authentication parameters (Marcos David Hartwig)
The pg_hba.conf
parser mistakenly treated these fields as SQL identifiers, which in general they aren't.
Transmit incoming NOTIFY
messages to the client before sending ReadyForQuery
, rather than after (Tom Lane)
This change ensures that, with libpq and other client libraries that act similarly to it, any notifications received during a transaction will be available by the time the client thinks the transaction is complete. This probably makes no difference in practical applications (which would need to cope with asynchronous notifications in any case); but it makes it easier to build test cases with reproducible behavior.
Fix bugs in handling of non-blocking I/O when using GSSAPI encryption (Tom Lane)
These errors could result in dropping data (usually leading to subsequent wire-protocol-violation errors) or in a “livelock†situation where a sending process goes to sleep although not all its data has been sent. Moreover, libpq failed to keep separate encryption state for each connection, creating the possibility for failures in applications using multiple encrypted database connections.
Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
Fix incorrect handling of %b
and %B
format codes in ecpg's PGTYPEStimestamp_fmt_asc()
function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
Avoid crash after an out-of-memory failure in ecpglib (Tom Lane)
Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
Apply more thorough syntax checking to createuser's --connection-limit
option (Ãlvaro Herrera)
Cope with changes of the specific type referenced by a PL/pgSQL composite-type variable in more cases (Ashutosh Sharma, Tom Lane)
Dropping and re-creating the composite type referenced by a PL/pgSQL variable could lead to “could not open relation with OID NNNN
†errors.
Avoid crash in postgres_fdw
when trying to send a command like UPDATE remote_tab SET (x,y) = (SELECT ...)
to the remote server (Tom Lane)
In contrib/dict_int
, reject maxlen
settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
Disallow NULL category values in contrib/tablefunc
's crosstab()
function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
Fix configure's probe for OpenSSL's SSL_clear_options()
function so that it works with OpenSSL versions before 1.1.0 (Michael Paquier, Daniel Gustafsson)
This problem could lead to failure to set the SSL compression option as desired, when PostgreSQL is built against an old version of OpenSSL.
Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT
, to allow extensions to access them on Windows (Pascal Legrand)
This applies to idle_in_transaction_session_timeout
, lock_timeout
, statement_timeout
, track_activities
, track_counts
, and track_functions
.
Avoid memory leak in sanity checks for “slab†memory contexts (Tomas Vondra)
This isn't an issue for production builds, since they wouldn't ordinarily have memory context checking enabled; but the leak could be quite severe in a debug build.
Fix multiple statistics entries reported by the LWLock statistics mechanism (Fujii Masao)
The LWLock statistics code (which is not built by default; it requires compiling with -DLWLOCK_STATS
) could report multiple entries for the same LWLock and backend process, as a result of faulty hashtable key creation.
Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY
, and perhaps other misbehavior.
Fix handling of a corner-case error result from Windows' ReadFile()
function (Thomas Munro, Juan José SantamarÃa Flecha)
So far as is known, this oversight just resulted in noisy log messages, not any actual query misbehavior.
On Windows, retry a few times after an ERROR_ACCESS_DENIED
file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
On Windows, work around sharing violations for the postmaster's log file when pg_ctl is used to start the postmaster very shortly after it's been stopped, for example by pg_ctl restart
(Alexander Lakhin)
Release date: 2019-11-14
This release contains a variety of fixes from 12.0. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
Fix crash when ALTER TABLE
adds a column without a default value along with making other changes that require a table rewrite (Andres Freund)
Fix lock handling in REINDEX CONCURRENTLY
(Michael Paquier)
REINDEX CONCURRENTLY
neglected to take a session-level lock on the new index version, potentially allowing other sessions to manipulate it too soon. Also, a query-cancel or session-termination interrupt arriving at the wrong time could result in failure to release the session-level locks that REINDEX CONCURRENTLY
does hold.
Avoid crash due to race condition when reporting the progress of a CREATE INDEX CONCURRENTLY
or REINDEX CONCURRENTLY
command (Ãlvaro Herrera)
Avoid creating duplicate dependency entries during REINDEX CONCURRENTLY
(Michael Paquier)
This bug resulted in bloat in pg_depend
, but no worse consequences than that.
Prevent VACUUM
from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM
failing until the old transaction terminates.
Fix “wrong type of slot†error when trying to CLUSTER
on an expression index (Andres Freund)
SET CONSTRAINTS ... DEFERRED
failed on partitioned tables, incorrectly complaining about lack of triggers (Ãlvaro Herrera)
Fix failure when creating indexes for a partition, if the parent partitioned table contains any dropped columns (Michael Paquier)
Fix dropping of indexed columns in partitioned tables (Amit Langote, Michael Paquier)
Previously this might fail with an error message complaining about the dependencies of the indexes. It should automatically drop the indexes, instead.
Ensure that a partition index can be dropped after a failure to reindex it concurrently (Michael Paquier)
The index's pg_class
.relispartition
flag was left in the wrong state in such a case, causing DROP INDEX
to fail.
Fix handling of equivalence class members for partition-wise joins (Amit Langote)
This oversight could lead either to failure to use a feasible partition-wise join plan, or to a “could not find pathkey item to sort†planner failure.
Ensure that offset expressions in WINDOW
clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
Fix crash triggered by an EvalPlanQual recheck on a table with a BEFORE UPDATE
trigger (Andres Freund)
Fix “unexpected relkind†error when a query tries to access a TOAST table (John Hsu, Michael Paquier, Tom Lane)
The error should say that permission is denied, but this case got broken during code refactoring.
Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
Ensure that fsync()
is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes “bad file descriptor†or similar errors.
Allow encoding conversion to succeed on longer strings than before (Ãlvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
Avoid creating unnecessarily-bulky tuple stores for window functions (Andrew Gierth)
In some cases the tuple storage would include all columns of the source table(s), not just the ones that are needed by the query.
Allow repalloc()
to give back space when a large chunk is reduced in size (Tom Lane)
Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
Avoid failure in archive recovery if recovery_min_apply_delay
is enabled (Fujii Masao)
recovery_min_apply_delay
is not typically used in this configuration, but it should work.
Ignore restore_command
, recovery_end_command
, and recovery_min_apply_delay
settings during crash recovery (Fujii Masao)
Now that these settings can be specified in postgresql.conf
, they could be turned on during crash recovery, but honoring them then is undesirable. Ignore these settings until crash recovery is complete.
Fix logical replication failure when publisher and subscriber have different ideas about a table's replica identity columns (Jehan-Guillaume de Rorthais, Peter Eisentraut)
Declaring a column as part of the replica identity on the subscriber, when it does not exist at all on the publisher, led to “negative bitmapset member not allowed†errors.
Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Ãlvaro Herrera)
Fix timeout handling in logical replication walreceiver processes (Julien Rouhaud)
Erroneous logic prevented wal_receiver_timeout
from working in logical replication deployments.
Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription
.last_msg_send_time
usually reading as NULL.
Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
Fix misbehavior of bitshiftright()
(Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright()
in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
Fix result of text position()
function (also known as strpos()
) for an empty search string (Tom Lane)
Historically, and per the SQL standard, the result should be one in such cases, but 12.0 returned zero.
Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
Avoid crashes if ispell
text search dictionaries contain wrong affix data (Arthur Zakirov)
Avoid memory leak while vacuuming a GiST index (Dilip Kumar)
On Windows, recognize additional spellings of the “Norwegian (Bokmål)†locale name (Tom Lane)
Fix libpq to allow trailing whitespace in the string values of integer parameters (Michael Paquier)
Version 12 tightened libpq's validation of integer parameters, but disallowing trailing whitespace seems undesirable.
In libpq, correctly report CONNECTION_BAD
connection status after a failure caused by a syntactically invalid connect_timeout
parameter value (Lars Kanis)
Avoid compile failure if an ECPG client includes ecpglib.h
while having ENABLE_NLS
defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext()
should not be visible to client code.
Fix scheduling of parallel restore of a foreign key constraint on a partitioned table (Ãlvaro Herrera)
pg_dump failed to emit full dependency information for partitioned tables' foreign keys. This could allow parallel pg_restore to try to recreate a foreign key constraint too soon.
In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
In pg_upgrade, reject tables with columns of type sql_identifier
, as that has changed representation in version 12 (Tomas Vondra)
Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line
(Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
In pg_rewind with the --dry-run
option, avoid updating pg_control
(Alexey Kondratov)
This could lead to failures in subsequent pg_rewind attempts.
Fix failure in pg_waldump with the -s
option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
In pg_waldump with the --bkp-details
option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
Fix small memory leak in pg_waldump (Andres Freund)
Put back pqsignal()
as an exported libpq symbol (Tom Lane)
This function was removed on the grounds that no clients should be using it, but that turns out to break usage of current libpq with very old versions of psql, and perhaps other applications.
Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS
to -O0
.
Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
On AIX, don't use the compiler option -qsrcmsg
(Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
Release date: 2019-10-03
Major enhancements in PostgreSQL 12 include:
General performance improvements, including:
Optimizations to space utilization and read/write performance for B-tree indexes
Partitioning performance enhancements, including improved query performance on tables with thousands of partitions, improved insertion performance with INSERT and COPY, and the ability to execute ALTER TABLE ATTACH PARTITION
without blocking queries
Automatic (but overridable) inlining of common table expressions (CTEs)
Reduction of WAL overhead for creation of GiST, GIN, and SP-GiST indexes
Multi-column most-common-value (MCV) statistics can be defined via CREATE STATISTICS, to support better plans for queries that test several non-uniformly-distributed columns
Enhancements to administrative functionality, including:
REINDEX CONCURRENTLY
can rebuild an index without blocking writes to its table
pg_checksums can enable/disable page checksums (used for detecting data corruption) in an offline cluster
Progress reporting statistics for CREATE INDEX, REINDEX, CLUSTER, VACUUM FULL, and pg_checksums
Support for the SQL/JSON path language
Stored generated columns
Nondeterministic ICU collations, enabling case-insensitive and accent-insensitive grouping and ordering
New authentication features, including:
Encryption of TCP/IP connections when using GSSAPI authentication
Discovery of LDAP servers using DNS SRV records
Multi-factor authentication, using the clientcert=verify-full
option combined with an additional authentication method in pg_hba.conf
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.
Version 12 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Remove the special behavior of oid columns (Andres Freund, John Naylor)
Previously, a normally-invisible oid
column could be specified during table creation using WITH OIDS
; that ability has been removed. Columns can still be explicitly declared as type oid
. Operations on tables that have columns created using WITH OIDS
will need adjustment.
The system catalogs that previously had hidden oid
columns now have ordinary oid
columns. Hence, SELECT *
will now output those columns, whereas previously they would be displayed only if selected explicitly.
Remove data types abstime
, reltime
, and tinterval
(Andres Freund)
These are obsoleted by SQL-standard types such as timestamp
.
Remove the timetravel
extension (Andres Freund)
Move recovery.conf
settings into postgresql.conf
(Masao Fujii, Simon Riggs, Abhijit Menon-Sen, Sergei Kornilov)
recovery.conf
is no longer used, and the server will not start if that file exists. recovery.signal and standby.signal
files are now used to switch into non-primary mode. The trigger_file
setting has been renamed to promote_trigger_file. The standby_mode
setting has been removed.
Do not allow multiple conflicting recovery_target
* specifications (Peter Eisentraut)
Specifically, only allow one of recovery_target, recovery_target_lsn, recovery_target_name, recovery_target_time, and recovery_target_xid. Previously, multiple different instances of these parameters could be specified, and the last one was honored. Now, only one can be specified, though the same one can be specified multiple times and the last specification is honored.
Cause recovery to advance to the latest timeline by default (Peter Eisentraut)
Specifically, recovery_target_timeline now defaults to latest
. Previously, it defaulted to current
.
Refactor code for geometric functions and operators (Emre Hasegeli)
This could lead to more accurate, but slightly different, results compared to previous releases. Notably, cases involving NaN, underflow, overflow, and division by zero are handled more consistently than before.
Improve performance by using a new algorithm for output of real
and double precision
values (Andrew Gierth)
Previously, displayed floating-point values were rounded to 6 (for real
) or 15 (for double precision
) digits by default, adjusted by the value of extra_float_digits. Now, whenever extra_float_digits
is more than zero (as it now is by default), only the minimum number of digits required to preserve the exact binary value are output. The behavior is the same as before when extra_float_digits
is set to zero or less.
Also, formatting of floating-point exponents is now uniform across platforms: two digits are used unless three are necessary. In previous releases, Windows builds always printed three digits.
random()
and setseed()
now behave uniformly across platforms (Tom Lane)
The sequence of random()
values generated following a setseed()
call with a particular seed value is likely to be different now than before. However, it will also be repeatable, which was not previously guaranteed because of interference from other uses of random numbers inside the server. The SQL random()
function now has its own private per-session state to forestall that.
Change SQL-style substring()
to have standard-compliant greediness behavior (Tom Lane)
In cases where the pattern can be matched in more than one way, the initial sub-pattern is now treated as matching the least possible amount of text rather than the greatest; for example, a pattern such as %#"aa*#"%
now selects the first group of a
's from the input, not the last group.
Do not pretty-print the result of xpath()
or the XMLTABLE
construct (Tom Lane)
In some cases, these functions would insert extra whitespace (newlines and/or spaces) in nodeset values. This is undesirable since depending on usage, the whitespace might be considered semantically significant.
Rename command-line tool pg_verify_checksums to pg_checksums (Michaël Paquier)
In pg_restore, require specification of -f -
to send the dump contents to standard output (Euler Taveira)
Previously, this happened by default if no destination was specified, but that was deemed to be unfriendly.
Disallow non-unique abbreviations in psql's \pset format
command (Daniel Vérité)
Previously, for example, \pset format a
chose aligned
; it will now fail since that could equally well mean asciidoc
.
In new btree indexes, the maximum index entry length is reduced by eight bytes, to improve handling of duplicate entries (Peter Geoghegan)
This means that a REINDEX operation on an index pg_upgrade'd from a previous release could potentially fail.
Cause DROP IF EXISTS FUNCTION
/PROCEDURE
/AGGREGATE
/ROUTINE
to generate an error if no argument list is supplied and there are multiple matching objects (David Rowley)
Also improve the error message in such cases.
Split the pg_statistic_ext
catalog into two catalogs, and add the pg_stats_ext
view of it (Dean Rasheed, Tomas Vondra)
This change supports hiding potentially-sensitive statistics data from unprivileged users.
Remove obsolete pg_constraint
.consrc
column (Peter Eisentraut)
This column has been deprecated for a long time, because it did not update in response to other catalog changes (such as column renamings). The recommended way to get a text version of a check constraint's expression from pg_constraint
is pg_get_expr(conbin, conrelid)
. pg_get_constraintdef()
is also a useful alternative.
Remove obsolete pg_attrdef
.adsrc
column (Peter Eisentraut)
This column has been deprecated for a long time, because it did not update in response to other catalog changes (such as column renamings). The recommended way to get a text version of a default-value expression from pg_attrdef
is pg_get_expr(adbin, adrelid)
.
Mark table columns of type name as having “C†collation by default (Tom Lane, Daniel Vérité)
The comparison operators for data type name
can now use any collation, rather than always using “C†collation. To preserve the previous semantics of queries, columns of type name
are now explicitly marked as having “C†collation. A side effect of this is that regular-expression operators on name
columns will now use the “C†collation by default, not the database collation, to determine the behavior of locale-dependent regular expression patterns (such as \w
). If you want non-C behavior for a regular expression on a name
column, attach an explicit COLLATE
clause. (For user-defined name
columns, another possibility is to specify a different collation at table creation time; but that just moves the non-backwards-compatibility to the comparison operators.)
Treat object-name columns in the information_schema
views as being of type name
, not varchar
(Tom Lane)
Per the SQL standard, object-name columns in the information_schema
views are declared as being of domain type sql_identifier
. In PostgreSQL, the underlying catalog columns are really of type name
. This change makes sql_identifier
be a domain over name
, rather than varchar
as before. This eliminates a semantic mismatch in comparison and sorting behavior, which can greatly improve the performance of queries on information_schema
views that restrict an object-name column. Note however that inequality restrictions, for example
SELECT ... FROM information_schema.tables WHERE table_name < 'foo';
will now use “Câ€-locale comparison semantics by default, rather than the database's default collation as before. Sorting on these columns will also follow “C†ordering rules. The previous behavior (and inefficiency) can be enforced by adding a COLLATE "default"
clause.
Remove the ability to disable dynamic shared memory (Kyotaro Horiguchi)
Specifically, dynamic_shared_memory_type can no longer be set to none
.
Parse libpq integer connection parameters more strictly (Fabien Coelho)
In previous releases, using an incorrect integer value for connection parameters connect_timeout
, keepalives
, keepalives_count
, keepalives_idle
, keepalives_interval
and port
resulted in libpq either ignoring those values or failing with incorrect error messages.
Below you will find a detailed account of the changes between PostgreSQL 12 and the previous major release.
Improve performance of many operations on partitioned tables (Amit Langote, David Rowley, Tom Lane, Ãlvaro Herrera)
Allow tables with thousands of child partitions to be processed efficiently by operations that only affect a small number of partitions.
Allow foreign keys to reference partitioned tables (Ãlvaro Herrera)
Improve speed of COPY
into partitioned tables (David Rowley)
Allow partition bounds to be any expression (Kyotaro Horiguchi, Tom Lane, Amit Langote)
Such expressions are evaluated at partitioned-table creation time. Previously, only simple constants were allowed as partition bounds.
Allow CREATE TABLE
's tablespace specification for a partitioned table to affect the tablespace of its children (David Rowley, Ãlvaro Herrera)
Avoid sorting when partitions are already being scanned in the necessary order (David Rowley)
ALTER TABLE ATTACH PARTITION
is now performed with reduced locking requirements (Robert Haas)
Add partition introspection functions (Michaël Paquier, Ãlvaro Herrera, Amit Langote)
The new function pg_partition_root()
returns the top-most parent of a partition tree, pg_partition_ancestors()
reports all ancestors of a partition, and pg_partition_tree()
displays information about partitions.
Include partitioned indexes in the system view pg_indexes
(Suraj Kharage)
Add psql command \dP
to list partitioned tables and indexes (Pavel Stehule)
Improve psql \d
and \z
display of partitioned tables (Pavel Stehule, Michaël Paquier, Ãlvaro Herrera)
Fix bugs that could cause ALTER TABLE DETACH PARTITION
to leave behind incorrect dependency state, allowing subsequent operations to misbehave, for example by not dropping a former partition child index when its table is dropped (Tom Lane)
Improve performance and space utilization of btree indexes with many duplicates (Peter Geoghegan, Heikki Linnakangas)
Previously, duplicate index entries were stored unordered within their duplicate groups. This caused overhead during index inserts, wasted space due to excessive page splits, and it reduced VACUUM
's ability to recycle entire pages. Duplicate index entries are now sorted in heap-storage order.
Indexes pg_upgrade'd from previous releases will not have these benefits.
Allow multi-column btree indexes to be smaller (Peter Geoghegan, Heikki Linnakangas)
Internal pages and min/max leaf page indicators now only store index keys until the change key, rather than all indexed keys. This also improves the locality of index access.
Indexes pg_upgrade'd from previous releases will not have these benefits.
Improve speed of btree index insertions by reducing locking overhead (Alexander Korotkov)
Add support for nearest-neighbor (KNN) searches of SP-GiST indexes (Nikita Glukhov, Alexander Korotkov, Vlad Sterzhanov)
Reduce the WAL write overhead of GiST, GIN, and SP-GiST index creation (Anastasia Lubennikova, Andrey V. Lepikhov)
Allow index-only scans to be more efficient on indexes with many columns (Konstantin Knizhnik)
Improve the performance of vacuum scans of GiST indexes (Andrey Borodin, Konstantin Kuznetsov, Heikki Linnakangas)
Delete empty leaf pages during GiST VACUUM
(Andrey Borodin)
Reduce locking requirements for index renaming (Peter Eisentraut)
Allow CREATE STATISTICS to create most-common-value statistics for multiple columns (Tomas Vondra)
This improves optimization for queries that test several columns, requiring an estimate of the combined effect of several WHERE
clauses. If the columns are correlated and have non-uniform distributions then multi-column statistics will allow much better estimates.
Allow common table expressions (CTEs) to be inlined into the outer query (Andreas Karlsson, Andrew Gierth, David Fetter, Tom Lane)
Specifically, CTEs are automatically inlined if they have no side-effects, are not recursive, and are referenced only once in the query. Inlining can be prevented by specifying MATERIALIZED
, or forced for multiply-referenced CTEs by specifying NOT MATERIALIZED
. Previously, CTEs were never inlined and were always evaluated before the rest of the query.
Allow control over when generic plans are used for prepared statements (Pavel Stehule)
This is controlled by the plan_cache_mode server parameter.
Improve optimization of partition and UNION ALL
queries that have only a single child (David Rowley)
Improve processing of domains that have no check constraints (Tom Lane)
Domains that are being used purely as type aliases no longer cause optimization difficulties.
Pre-evaluate calls of LEAST
and GREATEST
when their arguments are constants (Vik Fearing)
Improve optimizer's ability to verify that partial indexes with IS NOT NULL
conditions are usable in queries (Tom Lane, James Coleman)
Usability can now be recognized in more cases where the calling query involves casts or large
clauses.x
IN (array
)
Compute ANALYZE
statistics using the collation defined for each column (Tom Lane)
Previously, the database's default collation was used for all statistics. This potentially gives better optimizer behavior for columns with non-default collations.
Improve selectivity estimates for inequality comparisons on ctid
columns (Edmund Horner)
Improve optimization of joins on columns of type tid
(Tom Lane)
These changes primarily improve the efficiency of self-joins on ctid
columns.
Fix the leakproofness designations of some btree comparison operators and support functions (Tom Lane)
This allows some optimizations that previously would not have been applied in the presence of security barrier views or row-level security.
Enable Just-in-Time (JIT) compilation by default, if the server has been built with support for it (Andres Freund)
Note that this support is not built by default, but has to be selected explicitly while configuring the build.
Speed up keyword lookup (John Naylor, Joerg Sonnenberger, Tom Lane)
Improve search performance for multi-byte characters in position()
and related functions (Heikki Linnakangas)
Allow toasted values to be minimally decompressed (Paul Ramsey)
This is useful for routines that only need to examine the initial portion of a toasted field.
Allow ALTER TABLE ... SET NOT NULL
to avoid unnecessary table scans (Sergei Kornilov)
This can be optimized when the table's column constraints can be recognized as disallowing nulls.
Allow ALTER TABLE ... SET DATA TYPE
changing between timestamp
and timestamptz
to avoid a table rewrite when the session time zone is UTC (Noah Misch)
In the UTC time zone, these two data types are binary compatible.
Improve speed in converting strings to int2
or int4
integers (Andres Freund)
Allow parallelized queries when in SERIALIZABLE
isolation mode (Thomas Munro)
Previously, parallelism was disabled when in this mode.
Use pread()
and pwrite()
for random I/O (Oskari Saarenmaa, Thomas Munro)
This reduces the number of system calls required for I/O.
Improve the speed of setting the process title on FreeBSD (Thomas Munro)
Allow logging of statements from only a percentage of transactions (Adrien Nayrat)
The parameter log_transaction_sample_rate controls this.
Add progress reporting to CREATE INDEX
and REINDEX
operations (Ãlvaro Herrera, Peter Eisentraut)
Progress is reported in the pg_stat_progress_create_index
system view.
Add progress reporting to CLUSTER
and VACUUM FULL
(Tatsuro Yamada)
Progress is reported in the pg_stat_progress_cluster
system view.
Add progress reporting to pg_checksums (Michael Banck, Bernd Helmle)
This is enabled with the option --progress
.
Add counter of checksum failures to pg_stat_database
(Magnus Hagander)
Add tracking of global objects in system view pg_stat_database
(Julien Rouhaud)
Global objects are shown with a pg_stat_database
.datid
value of zero.
Add the ability to list the contents of the archive directory (Christoph Moench-Tegeder)
The function is pg_ls_archive_statusdir()
.
Add the ability to list the contents of temporary directories (Nathan Bossart)
The function, pg_ls_tmpdir()
, optionally allows specification of a tablespace.
Add information about the client certificate to the system view pg_stat_ssl
(Peter Eisentraut)
The new columns are client_serial
and issuer_dn
. Column clientdn
has been renamed to client_dn
for clarity.
Restrict visibility of rows in pg_stat_ssl
for unprivileged users (Peter Eisentraut)
At server start, emit a log message including the server version number (Christoph Berg)
Prevent logging “incomplete startup packet†if a new connection is immediately closed (Tom Lane)
This avoids log spam from certain forms of monitoring.
Include the application_name, if set, in log_connections log messages (Don Seiler)
Make the walreceiver set its application name to the cluster name, if set (Peter Eisentraut)
Add the timestamp of the last received standby message to pg_stat_replication
(Lim Myungkyu)
Add a wait event for fsync of WAL segments (Konstantin Knizhnik)
Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
This feature allows TCP/IP connections to be encrypted when using GSSAPI authentication, without having to set up a separate encryption facility such as SSL. In support of this, add hostgssenc
and hostnogssenc
record types in pg_hba.conf
for selecting connections that do or do not use GSSAPI encryption, corresponding to the existing hostssl
and hostnossl
record types. There is also a new gssencmode libpq option, and a pg_stat_gssapi system view.
Allow the clientcert
pg_hba.conf
option to check that the database user name matches the client certificate's common name (Julian Markwort, Marius Timmer)
This new check is enabled with clientcert=verify-full
.
Allow discovery of an LDAP server using DNS SRV records (Thomas Munro)
This avoids the requirement of specifying ldapserver
. It is only supported if PostgreSQL is compiled with OpenLDAP.
Add ability to enable/disable cluster checksums using pg_checksums (Michael Banck, Michaël Paquier)
The cluster must be shut down for these operations.
Reduce the default value of autovacuum_vacuum_cost_delay to 2ms (Tom Lane)
This allows autovacuum operations to proceed faster by default.
Allow vacuum_cost_delay to specify sub-millisecond delays, by accepting fractional values (Tom Lane)
Allow time-based server parameters to use units of microseconds (us
) (Tom Lane)
Allow fractional input for integer server parameters (Tom Lane)
For example, SET work_mem = '30.1GB'
is now allowed, even though work_mem
is an integer parameter. The value will be rounded to an integer after any required units conversion.
Allow units to be defined for floating-point server parameters (Tom Lane)
Add wal_recycle and wal_init_zero server parameters to control WAL file recycling (Jerry Jelinek)
Avoiding file recycling can be beneficial on copy-on-write file systems like ZFS.
Add server parameter tcp_user_timeout to control the server's TCP timeout (Ryohei Nagaura)
Allow control of the minimum and maximum SSL protocol versions (Peter Eisentraut)
The server parameters are ssl_min_protocol_version and ssl_max_protocol_version.
Add server parameter ssl_library to report the SSL library version used by the server (Peter Eisentraut)
Add server parameter shared_memory_type to control the type of shared memory to use (Andres Freund)
This allows selection of System V shared memory, if desired.
Allow some recovery parameters to be changed with reload (Peter Eisentraut)
These parameters are archive_cleanup_command, promote_trigger_file, recovery_end_command, and recovery_min_apply_delay.
Allow the streaming replication timeout (wal_sender_timeout) to be set per connection (Takayuki Tsunakawa)
Previously, this could only be set cluster-wide.
Add function pg_promote()
to promote standbys to primaries (Laurenz Albe, Michaël Paquier)
Previously, this operation was only possible by using pg_ctl or creating a trigger file.
Allow replication slots to be copied (Masahiko Sawada)
The functions for this are pg_copy_physical_replication_slot()
and pg_copy_logical_replication_slot()
.
Make max_wal_senders not count as part of max_connections (Alexander Kukushkin)
Add an explicit value of current
for recovery_target_timeline (Peter Eisentraut)
Make recovery fail if a two-phase transaction status file is corrupt (Michaël Paquier)
Previously, a warning was logged and recovery continued, allowing the transaction to be lost.
Add REINDEX CONCURRENTLY
option to allow reindexing without locking out writes (Michaël Paquier, Andreas Karlsson, Peter Eisentraut)
This is also controlled by the reindexdb application's --concurrently
option.
Add support for generated columns (Peter Eisentraut)
The content of generated columns are computed from expressions (including references to other columns in the same table) rather than being specified by INSERT
or UPDATE
commands.
Add a WHERE
clause to COPY FROM
to control which rows are accepted (Surafel Temesgen)
This provides a simple way to filter incoming data.
Allow enumerated values to be added more flexibly (Andrew Dunstan, Tom Lane, Thomas Munro)
Previously, ALTER TYPE ... ADD VALUE
could not be called in a transaction block, unless it was part of the same transaction that created the enumerated type. Now it can be called in a later transaction, so long as the new enumerated value is not referenced until after it is committed.
Add commands to end a transaction and start a new one (Peter Eisentraut)
The commands are COMMIT AND CHAIN
and ROLLBACK AND CHAIN
.
Add VACUUM and CREATE TABLE
options to prevent VACUUM
from truncating trailing empty pages (Takayuki Tsunakawa)
These options are vacuum_truncate
and toast.vacuum_truncate
. Use of these options reduces VACUUM
's locking requirements, but prevents returning disk space to the operating system.
Allow VACUUM
to skip index cleanup (Masahiko Sawada)
This change adds a VACUUM
command option INDEX_CLEANUP
as well as a table storage option vacuum_index_cleanup
. Use of this option reduces the ability to reclaim space and can lead to index bloat, but it is helpful when the main goal is to freeze old tuples.
Add the ability to skip VACUUM
and ANALYZE
operations on tables that cannot be locked immediately (Nathan Bossart)
This option is called SKIP_LOCKED
.
Allow VACUUM
and ANALYZE
to take optional Boolean argument specifications (Masahiko Sawada)
Prevent TRUNCATE, VACUUM
and ANALYZE
from requesting a lock on tables for which the user lacks permission (Michaël Paquier)
This prevents unauthorized locking, which could interfere with user queries.
Add EXPLAIN option SETTINGS
to output non-default optimizer settings (Tomas Vondra)
This output can also be obtained when using auto_explain by setting auto_explain.log_settings
.
Add OR REPLACE
option to CREATE AGGREGATE (Andrew Gierth)
Allow modifications of system catalogs' options using ALTER TABLE (Peter Eisentraut)
Modifications of catalogs' reloptions
and autovacuum settings are now supported. (Setting allow_system_table_mods is still required.)
Use all key columns' names when selecting default constraint names for foreign keys (Peter Eisentraut)
Previously, only the first column name was included in the constraint name, resulting in ambiguity for multi-column foreign keys.
Update assorted knowledge about Unicode to match Unicode 12.1.0 (Peter Eisentraut)
This fixes, for example, cases where psql would misformat output involving combining characters.
Update Snowball stemmer dictionaries with support for new languages (Arthur Zakirov)
This adds word stemming support for Arabic, Indonesian, Irish, Lithuanian, Nepali, and Tamil to full text search.
Allow creation of collations that report string equality for strings that are not bit-wise equal (Peter Eisentraut)
This feature supports “nondeterministic†collations that can define case- and accent-agnostic equality comparisons. Thus, for example, a case-insensitive uniqueness constraint on a text column can be made more easily than before. This is only supported for ICU collations.
Add support for ICU collation attributes on older ICU versions (Peter Eisentraut)
This allows customization of the collation rules in a consistent way across all ICU versions.
Allow data type name to more seamlessly be compared to other text types (Tom Lane)
Type name
now behaves much like a domain over type text
that has default collation “Câ€. This allows cross-type comparisons to be processed more efficiently.
Add support for the SQL/JSON path language (Nikita Glukhov, Teodor Sigaev, Alexander Korotkov, Oleg Bartunov, Liudmila Mantrova)
This allows execution of complex queries on JSON
values using an SQL-standard language.
Add support for hyperbolic functions (Lætitia Avrot)
Also add log10()
as an alias for log()
, for standards compliance.
Improve the accuracy of statistical aggregates like variance()
by using more precise algorithms (Dean Rasheed)
Allow date_trunc()
to have an additional argument to control the time zone (Vik Fearing, Tom Lane)
This is faster and simpler than using the AT TIME ZONE
clause.
Adjust to_timestamp()
/to_date()
functions to be more forgiving of template mismatches (Artur Zakirov, Alexander Korotkov, Liudmila Mantrova)
This new behavior more closely matches the Oracle functions of the same name.
Fix assorted bugs in XML functions (Pavel Stehule, Markus Winand, Chapman Flack)
Specifically, in XMLTABLE
, xpath()
, and xmlexists()
, fix some cases where nothing was output for a node, or an unexpected error was thrown, or necessary escaping of XML special characters was omitted.
Allow the BY VALUE
clause in XMLEXISTS
and XMLTABLE
(Chapman Flack)
This SQL-standard clause has no effect in PostgreSQL's implementation, but it was unnecessarily being rejected.
Prevent current_schema()
and current_schemas()
from being run by parallel workers, as they are not parallel-safe (Michaël Paquier)
Allow RECORD
and RECORD[]
to be used as column types in a query's column definition list for a table function that is declared to return RECORD
(Elvis Pranskevichus)
Allow SQL commands and variables with the same names as those commands to be used in the same PL/pgSQL function (Tom Lane)
For example, allow a variable called comment
to exist in a function that calls the COMMENT
SQL command. Previously this combination caused a parse error.
Add new optional warning and error checks to PL/pgSQL (Pavel Stehule)
The new checks allow for run-time validation of INTO
column counts and single-row results.
Add connection parameter tcp_user_timeout to control libpq's TCP timeout (Ryohei Nagaura)
Allow libpq (and thus psql) to report only the SQLSTATE
value in error messages (Didier Gautheron)
Add libpq function PQresultMemorySize()
to report the memory used by a query result (Lars Kanis, Tom Lane)
Remove the no-display/debug flag from libpq's options
connection parameter (Peter Eisentraut)
This allows this parameter to be set by postgres_fdw.
Allow ecpg to create variables of data type bytea
(Ryo Matsumura)
This allows ECPG clients to interact with bytea
data directly, rather than using an encoded form.
Add PREPARE AS
support to ECPG (Ryo Matsumura)
Allow vacuumdb to select tables for vacuum based on their wraparound horizon (Nathan Bossart)
The options are --min-xid-age
and --min-mxid-age
.
Allow vacuumdb to disable waiting for locks or skipping all-visible pages (Nathan Bossart)
The options are --skip-locked
and --disable-page-skipping
.
Add colorization to the output of command-line utilities (Peter Eisentraut)
This is enabled by setting the environment variable PG_COLOR
to always
or auto
. The specific colors used can be adjusted by setting the environment variable PG_COLORS
, using ANSI escape codes for colors. For example, the default behavior is equivalent to PG_COLORS="error=01;31:warning=01;35:locus=01"
.
Add CSV table output mode in psql (Daniel Vérité)
This is controlled by \pset format csv
or the command-line --csv
option.
Show the manual page URL in psql's \help
output for a SQL command (Peter Eisentraut)
Display the IP address in psql's \conninfo
(Fabien Coelho)
Improve tab completion of CREATE TABLE
, CREATE TRIGGER
, CREATE EVENT TRIGGER
, ANALYZE
, EXPLAIN
, VACUUM
, ALTER TABLE
, ALTER INDEX
, ALTER DATABASE
, and ALTER INDEX ALTER COLUMN
(Dagfinn Ilmari Mannsåker, Tatsuro Yamada, Michaël Paquier, Tom Lane, Justin Pryzby)
Allow values produced by queries to be assigned to pgbench variables (Fabien Coelho, Ãlvaro Herrera)
The command for this is \gset
.
Improve precision of pgbench's --rate
option (Tom Lane)
Improve pgbench's error reporting with clearer messages and return codes (Peter Eisentraut)
Allow control of log file rotation via pg_ctl (Kyotaro Horiguchi, Alexander Kuzmenkov, Alexander Korotkov)
Previously, this was only possible via an SQL function or a process signal.
Properly detach the new server process during pg_ctl start
(Paul Guo)
This prevents the server from being shut down if the shell script that invoked pg_ctl is interrupted later.
Allow pg_upgrade to use the file system's cloning feature, if there is one (Peter Eisentraut)
The --clone
option has the advantages of --link
, while preventing the old cluster from being changed after the new cluster has started.
Allow specification of the socket directory to use in pg_upgrade (Daniel Gustafsson)
This is controlled by --socketdir
; the default is the current directory.
Allow pg_checksums to disable fsync operations (Michaël Paquier)
This is controlled by the --no-sync
option.
Allow pg_rewind to disable fsync operations (Michaël Paquier)
Fix pg_test_fsync to report accurate open_datasync
durations on Windows (Laurenz Albe)
When pg_dump emits data with INSERT
commands rather than COPY
, allow more than one data row to be included in each INSERT
(Surafel Temesgen, David Rowley)
The option controlling this is --rows-per-insert
.
Allow pg_dump to emit INSERT ... ON CONFLICT DO NOTHING
(Surafel Temesgen)
This avoids conflict failures during restore. The option is --on-conflict-do-nothing
.
Decouple the order of operations in a parallel pg_dump from the order used by a subsequent parallel pg_restore (Tom Lane)
This allows pg_restore to perform more-fully-parallelized parallel restores, especially in cases where the original dump was not done in parallel. Scheduling of a parallel pg_dump is also somewhat improved.
Allow the extra_float_digits setting to be specified for pg_dump and pg_dumpall (Andrew Dunstan)
This is primarily useful for making dumps that are exactly comparable across different source server versions. It is not recommended for normal use, as it may result in loss of precision when the dump is restored.
Add --exclude-database
option to pg_dumpall (Andrew Dunstan)
Add CREATE ACCESS METHOD command to create new table types (Andres Freund, Haribabu Kommi, Ãlvaro Herrera, Alexander Korotkov, Dmitry Dolgov)
This enables the development of new table access methods, which can optimize storage for different use cases. The existing heap
access method remains the default.
Add planner support function interfaces to improve optimizer estimates, inlining, and indexing for functions (Tom Lane)
This allows extensions to create planner support functions that can provide function-specific selectivity, cost, and row-count estimates that can depend on the function's arguments. Support functions can also supply simplified representations and index conditions, greatly expanding optimization possibilities.
Simplify renumbering manually-assigned OIDs, and establish a new project policy for management of such OIDs (John Naylor, Tom Lane)
Patches that manually assign OIDs for new built-in objects (such as new functions) should now randomly choose OIDs in the range 8000—9999. At the end of a development cycle, the OIDs used by committed patches will be renumbered down to lower numbers, currently somewhere in the 4xxx
range, using the new renumber_oids.pl
script. This approach should greatly reduce the odds of OID collisions between different in-process patches.
While there is no specific policy reserving any OIDs for external use, it is recommended that forks and other projects needing private manually-assigned OIDs use numbers in the high 7xxx
range. This will avoid conflicts with recently-merged patches, and it should be a long time before the core project reaches that range.
Build Cygwin binaries using dynamic instead of static libraries (Marco Atzeri)
Remove configure switch --disable-strong-random
(Michaël Paquier)
A strong random-number source is now required.
printf
-family functions, as well as strerror
and strerror_r
, now behave uniformly across platforms within Postgres code (Tom Lane)
Notably, printf
understands %m
everywhere; on Windows, strerror
copes with Winsock error codes (it used to do so in backend but not frontend code); and strerror_r
always follows the GNU return convention.
Require a C99-compliant compiler, and MSVC 2013 or later on Windows (Andres Freund)
Use pandoc, not lynx, for generating plain-text documentation output files (Peter Eisentraut)
This affects only the INSTALL
file generated during make dist
and the seldom-used plain-text postgres.txt
output file. Pandoc produces better output than lynx and avoids some locale/encoding issues. Pandoc version 1.13 or later is required.
Support use of images in the PostgreSQL documentation (Jürgen Purtz)
Allow ORDER BY
sorts and LIMIT
clauses to be pushed to postgres_fdw foreign servers in more cases (Etsuro Fujita)
Improve optimizer cost accounting for postgres_fdw queries (Etsuro Fujita)
Properly honor WITH CHECK OPTION
on views that reference postgres_fdw tables (Etsuro Fujita)
While CHECK OPTION
s on postgres_fdw tables are ignored (because the reference is foreign), views on such tables are considered local, so this change enforces CHECK OPTION
s on them. Previously, only INSERT
s and UPDATE
s with RETURNING
clauses that returned CHECK OPTION
values were validated.
Allow pg_stat_statements_reset()
to be more granular (Haribabu Kommi, Amit Kapila)
The function now allows reset of statistics for specific databases, users, and queries.
Allow control of the auto_explain log level (Tom Dunstan, Andrew Dunstan)
The default is LOG
.
Update unaccent rules with new punctuation and symbols (Hugh Ranalli, Michaël Paquier)
Allow unaccent to handle some accents encoded as combining characters (Hugh Ranalli)
Allow unaccent to remove accents from Greek characters (Tasos Maschalidis)
Add a parameter to amcheck's bt_index_parent_check()
function to check each index tuple from the root of the tree (Peter Geoghegan)
Improve oid2name and vacuumlo option handling to match other commands (Tatsuro Yamada)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2023-11-09
This release contains a variety of fixes from 11.21. For information about new features in major release 11, see Version 11.0.
This is expected to be the last PostgreSQL release in the 11.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.21, see Version 11.21.
Fix handling of unknown-type arguments in DISTINCT
"any"
aggregate functions (Tom Lane)
This error led to a text
-type value being interpreted as an unknown
-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text
value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. CVE-2023-5868 or CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. CVE-2023-5869 or CVE-2023-5869)
Prevent the pg_signal_backend
role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend
cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser
parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. CVE-2023-5870 or CVE-2023-5870)
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL
condition on one of the partition keys could result in a crash.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])
) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema()
is applied to a non-data-returning Portal (Boyu Yang)
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex()
, pgstatginindex()
, pgstathashindex()
, or pgstattuple()
is applied to an invalid index. If brin_desummarize_range()
, brin_summarize_new_values()
, brin_summarize_range()
, or gin_clean_pending_list()
is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX
had left behind.
Avoid premature memory allocation failure with long inputs to to_tsvector()
(Tom Lane)
Fix over-allocation of the constructed tsvector
in tsvectorrecv()
(Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector
. In extreme cases this could lead to “maximum total lexeme length exceeded†failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Fix incorrect coding in gtsvector_picksplit()
(Alexander Lakhin)
This could lead to poor page-split decisions in GiST indexes on tsvector
columns.
Ensure we have a snapshot while dropping ON COMMIT DROP
temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK
condition).
Avoid improper response to shutdown signals in child processes just forked by system()
(Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system()
, but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Avoid torn reads of pg_control
in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control
, to ensure we get a consistent view of that file.
Track the dependencies of cached CALL
statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL
argument, can create the need to re-plan a CALL
that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failedâ€.
Track nesting depth correctly when inspecting RECORD
-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno†errors.
Avoid “record type has not been registered†failure when deparsing a view that contains references to fields of composite constants (Tom Lane)
Allow extracting fields from a RECORD
-type ROW()
expression (Tom Lane)
SQL code that knows that we name such fields f1
, f2
, etc can use those names to extract fields from the expression. This change was originally made in version 13, and is now being back-patched into older branches to support tests for a related bug.
Fix error-handling bug in RECORD
type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)
Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)
Aside from saving a few cycles, this prevents failure after a cache invalidation for statements that must not set a snapshot, such as SET TRANSACTION ISOLATION LEVEL
.
Keep by-reference attmissingval
values in a long-lived context while they are being used (Andrew Dunstan)
This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.
Recalculate the effective value of search_path
after ALTER ROLE
(Jeff Davis)
This ensures that after renaming a role, the meaning of the special string $user
is re-determined.
Fix order of operations in GenericXLogFinish
(Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom
does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)
This has only been seen to occur when the server connection runs through pgbouncer.
In contrib/amcheck
, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its levelâ€, “block NNNN is not leftmost†or “left link/right link pair in index XXXX not in agreementâ€. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM
had cleaned things up.
Fix failure of contrib/btree_gin
indexes on interval
columns, when an indexscan using the <
or <=
operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress
linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
Remove PHOT
(Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Release date: 2023-08-10
This release contains a variety of fixes from 11.20. For information about new features in major release 11, see Version 11.0.
The PostgreSQL community will stop releasing updates for the 11.X release series in November 2023. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 11.X.
However, if you use BRIN indexes, it may be advisable to reindex them; see the second changelog entry below.
Also, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)
This restriction guards against SQL-injection hazards for trusted extensions.
The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. CVE-2023-39417 or CVE-2023-39417)
Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)
Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.
This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX
any BRIN indexes that may be used to search for nulls.
Avoid leaving a corrupted database behind when DROP DATABASE
is interrupted (Andres Freund)
If DROP DATABASE
was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database
row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE
.
Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)
If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.
Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION
(Michael Paquier)
Such an index will now be ignored, and a new child index created instead.
Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)
The update of the index's pg_index
entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple†error.
Fix ALTER EXTENSION SET SCHEMA
to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)
Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.
Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)
This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.
Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)
The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)
Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)
Fix race conditions in conflict detection for SERIALIZABLE
isolation mode (Thomas Munro)
Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.
Fix intermittent failures when trying to update a field of a composite column (Tom Lane)
If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.
Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)
Allow tokens up to 10240 bytes long in pg_hba.conf
and pg_ident.conf
(Tom Lane)
The previous limit of 256 bytes has been found insufficient for some use-cases.
Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)
If JIT is in use, running out of memory in a C++ new
call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.
Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)
Ensure that the segment is moved into the appropriate “bin†for its new amount of free space, so that it will be found by subsequent searches.
Allow VACUUM
to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)
If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX
will fix the broken index, but preventing VACUUM
from completing until that is done risks making matters far worse.
Ensure that WrapLimitsVacuumLock
is released after VACUUM
detects invalid data in pg_database
.datfrozenxid
or pg_database
.datminmxid
(Andres Freund)
Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.
Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)
After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held†in the startup process.
Ensure that a newly created, but still empty table is fsync
'ed at the next checkpoint (Heikki Linnakangas)
Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file†errors.
Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)
While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.
Fix missing reinitializations of delay-checkpoint-end flags (suyu.cmj)
This could result in unnecessary delays of checkpoints, or in assertion failures in assert-enabled builds.
Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)
Fix contrib/fuzzystrmatch
's Soundex difference()
function to handle empty input sanely (Alexander Lakhin, Tom Lane)
An input string containing no alphabetic characters resulted in unpredictable output.
Tighten whitespace checks in contrib/hstore
input (Evan Jones)
In some cases, characters would be falsely recognized as whitespace and hence discarded.
Disallow oversize input arrays with contrib/intarray
's gist__int_ops
index opclass (Ankit Kumar Pandey, Alexander Lakhin)
Previously this code would report a NOTICE
but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.
Avoid useless double decompression of GiST index entries in contrib/intarray
(Konstantin Knizhnik, Matthias van de Meent, Tom Lane)
Ensure that pg_index
.indisreplident
is kept up-to-date in relation cache entries (Shruthi Gowda)
This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.
Silence deprecation warnings when compiling with OpenSSL 3.0.0 or later (Peter Eisentraut)
Release date: 2023-05-11
This release contains a variety of fixes from 11.19. For information about new features in major release 11, see Version 11.0.
The PostgreSQL community will stop releasing updates for the 11.X release series in November 2023. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized†errors at runtime.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type†errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed†confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots†error.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 11.18. For information about new features in major release 11, see Version 11.0.
The PostgreSQL community will stop releasing updates for the 11.X release series in November 2023. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type†error.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction†log message.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query†errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed†bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock†panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
In contrib/sepgsql
, avoid deprecation warnings with recent libselinux (Michael Paquier)
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched†errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 11.17. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Fix VACUUM
to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type†errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...)
with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Avoid flattening FROM
-less subqueries when the outer query has grouping sets (Tom Lane)
This oversight could lead to assertion failures or planner errors such as “variable not found in subplan target listâ€.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the planâ€.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list†errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Ãlvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 11.16. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place†tablespaces (Thomas Munro, Michael Paquier, Ãlvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place†tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix forCVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix queries in which a “whole-row variable†references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list†planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to handle recursion correctly for triggers on partitioned tables (Ãlvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist†failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Ãlvaro Herrera)
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit()
, rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT
but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit()
as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain()
except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction()
as a no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so they will not notice any change. Similar remarks apply to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)†instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 11.15. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Confine additional operations within “security restricted operation†sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation†protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2022-1552 or CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty†error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshotâ€. This was usually harmless since the next use of that temporary schema would clean up successfully.
Fix “PANIC: xlog flush request is not satisfied†failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Improve logical replication subscriber's error message for an unsupported relation kind (Tom Lane)
v13 and later servers support publishing partitioned tables. Older server versions cannot handle subscribing to such a table, and they gave a very misleading error message: “table XYZ not found on publisherâ€. Arrange to deliver a more on-point message.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space†contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 11.14. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Ãlvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXidsâ€. The replica would retry, but could never get past that error.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX
(Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*â€, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 11.13. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 11.11, see Version 11.11.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable toCVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Ãlvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4
and float8
hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8
is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE
, when wal_level
= minimal
(Noah Misch)
If the server crashed between CREATE TABLESPACE
and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY
into a just-created table). Such optimizations are applied only when wal_level
is minimal
, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Ãlvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES
publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1
is of type numeric(18,3)
, the parser used to simply discard a cast like f1::numeric
, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric
, not numeric(18,3)
. This is important for correctly resolving the type of larger constructs, such as recursive UNION
s.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val
failed if the array's elements were domains rather than plain composites.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane)
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0}
(Tom Lane)
Regular expressions like (.){0}...\1
drew “invalid backreference numberâ€. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE
applied to a time with time zone
value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT
immediately followed by a BEGIN ... EXCEPTION
block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Refuse to rewind a cursor marked NO SCROLL
if it has been held over from a previous transaction due to the WITH HOLD
option (Tom Lane)
We have long forbidden fetching backwards from a NO SCROLL
cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD
cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD
rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra)
The code typically produced “cache lookup error†rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow)
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ
.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot)
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE
heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD
and NEW
pseudo-relations in a rule that uses SELECT FOR UPDATE
(Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER
clauses (Tom Lane)
If the FILTER
expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER
expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby)
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Ãlvaro Herrera)
Prevent “snapshot reference leak†warning when lo_export()
or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay
is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h
hash table reaches 2^32 elements (Yura Sokolov)
It seems unlikely that this bug has been hit in practice, as it would require work_mem
settings of hundreds of gigabytes for existing uses of simplehash.h
.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Fix ecpg to recover correctly after malloc()
failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL
statement (Tom Lane)
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT
out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN
, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH
bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type()
(Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Fix failure of contrib/btree_gin
indexes on "char"
(not char(
) columns, when an indexscan using the n
)<
or <=
operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements
to read its “query texts†file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Make pg_regexec()
robust against an out-of-range search_start
parameter (Tom Lane)
Return REG_NOMATCH
, instead of possibly crashing, when search_start
is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-08-12
This release contains a variety of fixes from 11.12. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.11, see Version 11.11.
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. CVE-2021-3677 or CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issueCVE-2021-3449 or CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT
or ROLLBACK
within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT
/ROLLBACK
would fail with errors like “no known snapshots†or “missing chunk number 0 for toast valueâ€.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portalâ€.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE
(Tom Lane)
This should be disallowed, just as FOR UPDATE
with a plain GROUP BY
is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH
rewrites to just NOTIFY
(Tom Lane)
Such cases previously crashed.
In numeric
multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric
values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char()
with EEEE
format and a numeric
input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint)
to round negative values consistently with the way it rounds positive ones (and consistently with the numeric
version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0)
return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION
lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP
to occur concurrently with DROP EXTENSION
, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION
to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Ãlvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY
(Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv
and newdata
.
Fix PREPARE TRANSACTION
to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION
.
Fix misbehavior of DROP OWNED BY
when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY
(Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY
.
Don't store a “fast default†when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE
commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN
or ALTER DOMAIN
appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity
(Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings
.pending_restart
show as true when the pertinent entry in postgresql.conf
has been removed (Ãlvaro Herrera)
pending_restart
correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE
(Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Ãlvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO
clause specified STRICT
, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric
value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent ofCVE-2006-2313 or CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Ãlvaro Herrera)
Avoid “invalid creation date in header†warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID
value (Bertrand Drouvot)
Previously, the new installation's oldestXID
was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age
could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE
commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
In contrib/postgres_fdw
, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run†mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED
record (Simon Riggs)
Improve ALTER TABLE
's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative†values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r
library (Adrian Ho, Tom Lane)
If there is no libldap_r
library, we now silently assume that libldap
is thread-safe.
Add new make targets world-bin
and install-world-bin
(Andrew Dunstan)
These are the same as world
and install-world
respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck
) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport
in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
Release date: 2021-05-13
This release contains a variety of fixes from 11.11. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.11, see Version 11.11.
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. CVE-2021-32027 or CVE-2021-32027)
Fix mishandling of “junk†columns in INSERT ... ON CONFLICT ... UPDATE
target lists (Tom Lane)
If the UPDATE
list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE
path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. CVE-2021-32028 or CVE-2021-32028)
Fix possibly-incorrect computation of UPDATE ... RETURNING
outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)
If an UPDATE
for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING
results for that row could produce errors or wrong answers. No error is observed unless the UPDATE
involves other tables being joined to the target table. CVE-2021-32029 or CVE-2021-32029)
Fix adjustment of constraint deferrability properties in partitioned tables (Ãlvaro Herrera)
When applied to a foreign-key constraint of a partitioned table, ALTER TABLE ... ALTER CONSTRAINT
failed to adjust the DEFERRABLE
and/or INITIALLY DEFERRED
markings of the constraints and triggers of leaf partitions. This led to unexpected behavior of such constraints. After updating to this version, any misbehaving partitioned tables can be fixed by executing a new ALTER
command to set the desired properties.
This change also disallows applying such an ALTER
directly to the constraints of leaf partitions. The only supported case is for the whole partitioning hierarchy to have identical constraint properties, so such ALTER
s must be applied at the partition root.
Forbid marking an identity column as nullable (Vik Fearing)
GENERATED ... AS IDENTITY
implies NOT NULL
, so don't allow it to be combined with an explicit NULL
specification.
Allow ALTER ROLE/DATABASE ... SET
to set the role
, session_authorization
, and temp_buffers
parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
Fix bug with coercing the result of a COLLATE
expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE
appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE
has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
Disallow calling window functions and procedures via the “fast path†wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
Extend pg_identify_object_as_address()
to support event triggers (Joel Jacobson)
Fix to_char()
's handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
Check that the argument of pg_import_system_collations()
is a valid schema OID (Tom Lane)
Fix use of uninitialized value while parsing an \{
quantifier in a BRE-mode regular expression (Tom Lane)m
,n
\}
This error could cause the quantifier to act non-greedy, that is behave like an {
quantifier would do in full regular expressions.m
,n
}?
Don't ignore system columns when estimating the number of groups using extended statistics (Tomas Vondra)
This led to strange estimates for queries such as SELECT ... GROUP BY a, b, ctid
.
Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN
selectivity value, causing assertion failures or strange planner behavior.
Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to “could not open file†errors.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL (Soumyadeep Chakraborty, Jimmy Yih, Kevin Yeap)
This error could lead to subsequent WAL records being written under the wrong timeline ID, leading to consistency problems, or even complete failure to be able to restart the server, later on.
Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
Fix crash when a logical replication worker does ALTER SUBSCRIPTION REFRESH
(Peter Smith)
The core code won't do this, but a replica trigger could.
Ensure we default to wal_sync_method
= fdatasync
on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync
, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
Fix memory leak while initializing server's SSL parameters (Michael Paquier)
This is ordinarily insignificant, but if the postmaster is repeatedly sent SIGHUP signals, the leak can build up over time.
Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
Fix failure when a PL/pgSQL DO
block makes use of both composite-type variables and transaction control (Tom Lane)
Previously, such cases led to errors about leaked tuple descriptors.
Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
When initdb prints instructions about how to start the server, make the path shown for pg_ctl use backslash separators on Windows (Nitin Jadhav)
Fix psql to restore the previous behavior of \connect service=
(Tom Lane)something
A previous bug fix caused environment variables (such as PGPORT
) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
Fix race condition in detection of file modification by psql's \e
and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
Fix pg_waldump to count XACT
records correctly when generating per-record statistics (Kyotaro Horiguchi)
Fix contrib/amcheck
to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY
and HEAP_KEYS_UPDATED
both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE
.
Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
Release date: 2021-02-11
This release contains a variety of fixes from 11.10. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, see the second changelog item below, which describes cases in which reindexing indexes after the upgrade may be advisable.
Also, if you are upgrading from a version earlier than 11.6, see Version 11.6.
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE
command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT
privilege on. CVE-2021-3393 or CVE-2021-3393)
Fix CREATE INDEX CONCURRENTLY
to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY
waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid crash when a CALL
or DO
statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)
In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.
Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)
If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.
Avoid incorrect results when WHERE CURRENT OF
is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY
is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF
is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N
-way joins†planner errors.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Adjust settings to make it more difficult to run out of DSM slots during heavy usage of parallel queries (Thomas Munro)
Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)
Fix ALTER DEFAULT PRIVILEGES
to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self†errors or unique-constraint violations.
Flush ACL-related caches when pg_authid
changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT
.
Prevent misprocessing of ambiguous CREATE TABLE LIKE
clauses (Tom Lane)
A LIKE
clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE
target.
Rearrange order of operations in CREATE TABLE LIKE
so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE
depends on an index that's coming from the LIKE
clause.
Disallow CREATE STATISTICS
on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Ãlvaro Herrera)
Previously this was allowed, but subsequent operations on the partitioned relation would fail.
Fix handling of backslash-escaped multibyte characters in COPY FROM
(Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN
without ANALYZE
(Alexey Bashtanov)
Fix recently-introduced race conditions in LISTEN
/NOTIFY
queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
The queue tail pointer could become set to a value that's not equal to the queue position of any backend, resulting in effective disabling of the queue truncation logic. Continued use of NOTIFY
then led to queue-fill warnings, and eventually to inability to send any more notifies until the server is restarted.
Allow the jsonb
concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a *
quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *?
quantifier would do in full regular expressions.
Fix numeric power()
for the case where the exponent is exactly INT_MIN
(-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Fix integer-overflow cases in substring()
functions (Tom Lane, Pavel Stehule)
If the specified starting index and length overflow an integer when added together, substring()
misbehaved, either throwing a bogus “negative substring length†error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound†or “could not access status of transaction†errors.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart†or “fast†shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid
values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul()
, causing misbehavior on platforms where long
is 32 bits (such as Windows).
Avoid trying to use parallel index build in a standalone backend (Yulin Pei)
Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)
Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)
No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.
Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM
option (Tom Lane)
Fix data structure misallocation in PL/pgSQL's CALL
statement (Tom Lane)
A CALL
in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT
or ROLLBACK
.
In psql, re-allow including a password in a connection_string
argument of a \connect
command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
Fix assorted bugs in psql's \help
command (Kyotaro Horiguchi, Tom Lane)
\help
with two argument words failed to find a command description using only the first word, for example \help reset all
should show the help for RESET
but did not. Also, \help
often failed to invoke the pager when it should. It also leaked memory.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE
commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION
commands as the owner of the partitioned index (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION
in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)
This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34
.
Report the correct database name in connection failure error messages from some client programs (Ãlvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain
(Japin Li)
Memory consumed while producing the EXPLAIN
output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements
enabled.
In contrib/postgres_fdw
, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
In contrib/pgcrypto
, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
Make contrib/pg_prewarm
more robust when the cluster is shut down before prewarming is complete (Tom Lane)
Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.
In contrib/pg_trgm
's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm
and contrib/postgres_fdw
(Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm
's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw
overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT
on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot
in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)
Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)
No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.
Fix compile failure with ICU 68 and later (Tom Lane)
Avoid memcpy()
with a NULL source pointer and zero count during partitioned index creation (Ãlvaro Herrera)
While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy()
are never NULL, which could result in incorrect optimization of nearby code.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 11.9. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.6, see Version 11.6.
Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation†sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. CVE-2020-25695 or CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d
parameter of pg_dump and pg_restore, or the --maintenance-db
parameter of the other programs mentioned, can be a “connection string†containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. CVE-2020-25694 or CVE-2020-25694)
When psql's \connect
command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. CVE-2020-25694 or CVE-2020-25694)
Prevent psql's \gset
command from modifying specially-treated variables (Noah Misch)
\gset
without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1
, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. CVE-2020-25696 or CVE-2020-25696)
Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch)
This rare problem would manifest in later “apparent wraparound†or “could not access status of transaction†errors.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE
for users with the BYPASSRLS
attribute (Tom Lane, Stephen Frost)
The BYPASSRLS
attribute is only allowed to be changed by superusers, but other ALTER ROLE
operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER
does not recurse to child tables (Ãlvaro Herrera)
Previously the ONLY
flag was ignored.
Fix handling of expressions in CREATE TABLE LIKE
with inheritance (Tom Lane)
If a CREATE TABLE
command uses both LIKE
and traditional inheritance, column references in CHECK
constraints and expression indexes that came from a LIKE
parent table tended to get mis-numbered, resulting in wrong answers and/or bizarre error messages. The same could happen in GENERATED
expressions, in branches that have that feature.
Disallow DROP INDEX CONCURRENTLY
on a partitioned table (Ãlvaro Herrera, Michael Paquier)
This case failed anyway, but with a confusing error message.
Allow LOCK TABLE
to succeed on a self-referential view (Tom Lane)
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC†marker to cancel out and produce AD.
Ensure that standby servers will archive WAL timeline history files when archive_mode
is set to always
(Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix “cache lookup failed for relation 0†failures in logical replication workers (Tom Lane)
The real-world impact is small, since the failure is unlikely, and if it does happen the worker would just exit and be restarted.
Prevent logical replication workers from sending redundant ping requests (Tom Lane)
During “smart†shutdown, don't terminate background processes until all client (foreground) sessions are done (Tom Lane)
The previous behavior broke parallel query processing, since the postmaster would terminate parallel workers and refuse to launch any new ones. It also caused autovacuum to cease functioning, which could have dire long-term effects if the surviving client sessions make a lot of data changes.
Avoid recursive consumption of stack space while processing signals in the postmaster (Tom Lane)
Heavy use of parallel processing has been observed to cause postmaster crashes due to too many concurrent signals requesting creation of a parallel worker process.
Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane)
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane)
A “constant†subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane)
While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Ãlvaro Herrera)
This oversight could lead to “failed to find parent tuple for heap-only tuple†errors.
Fix failure of parallel B-tree index scans when the index condition is unsatisfiable (James Hunter)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNNâ€. (If you are faced with such an error from an existing index, REINDEX
should be enough to fix it.)
Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Ãlvaro Herrera)
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
Fix rare “lost saved point in index†errors in scans of multicolumn GIN indexes (Tom Lane)
Fix unportable use of getnameinfo()
in pg_hba_file_rules
view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address
and netmask
columns were always null due to this error.
Avoid crash if debug_query_string
is NULL when starting a parallel worker (Noah Misch)
Fix use-after-free hazard when an event trigger monitors an ALTER TABLE
operation (Jehan-Guillaume de Rorthais)
Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes)
Avoid lockup when a parallel worker reports a very long error message (Vignesh C)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)
This has been shown to cause crashes on s390x
, and very possibly there are other cases on other platforms.
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Fix memory leaks in PL/pgsql's CALL
processing (Pavel Stehule, Tom Lane)
Make libpq support arbitrary-length lines in .pgpass
files (Tom Lane)
This is mostly useful to allow using very long security tokens as passwords.
In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (FabrÃzio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts
, or underspecified (though usually correct) COPY
commands when using COPY
to reload the tables' data.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto
(Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto
(Daniel Gustafsson)
Fix recently-added timetz
test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat†to “slimâ€. That's just cosmetic for our purposes, as we continue to select the “fat†mode in pre-v13 branches. This change also ensures that strftime()
does not change errno
unless it fails.
Release date: 2020-08-13
This release contains a variety of fixes from 11.8. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.6, see Version 11.6.
Set a secure search_path
in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described inCVE-2018-1058 or CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path
settings. (As withCVE-2018-1058 or CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. CVE-2020-14349 or CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described inCVE-2018-1058 or CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path
used to run an installation script; disable check_function_bodies
within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. CVE-2020-14350 or CVE-2020-14350)
Fix edge cases in partition pruning (Etsuro Fujita, Dmitry Dolgov)
When there are multiple partition key columns, generation of pruning tests could misbehave if some columns had no constraining WHERE
clauses or multiple constraining clauses. This could lead to server crashes, incorrect query results, or assertion failures.
Fix construction of parameterized BitmapAnd and BitmapOr index scans on the inside of partition-wise nestloop joins (Tom Lane)
A plan in which such a scan needed to use a value from the outside of the join would usually crash at execution.
In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Ãlvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues.
Fix firing of column-specific UPDATE
triggers in logical replication subscribers (Tom Lane)
The code neglected to account for the possibility of column numbers being different between the publisher and subscriber tables, so that if those were indeed different, wrong decisions might be made about which triggers to fire.
Update oldest xmin and LSN values during pg_replication_slot_advance()
(Michael Paquier)
This function previously failed to do that, possibly preventing resource cleanup (such as removal of no-longer-needed WAL segments) after manual advancement of a replication slot.
Fix slow execution of ts_headline()
(Tom Lane)
The phrase-search fix added in our previous set of minor releases could cause ts_headline()
to take unreasonable amounts of time for long documents; to make matters worse, the query was not cancellable within the troublesome loop.
Ensure the repeat()
function can be interrupted by query cancel (Joe Conway)
Fix pg_current_logfile()
to not include a carriage return (\r
) in its result on Windows (Tom Lane)
Ensure that pg_read_file()
and related functions read until EOF is reached (Joe Conway)
Previously, if not given a specific data length to read, these functions would stop at whatever file length was reported by stat()
. That's unhelpful for pipes and other sorts of virtual files.
Fix mis-handling of NaN
inputs during parallel aggregation on numeric
-type columns (Tom Lane)
If some partial aggregation workers found only NaN
s while others found only non-NaN
s, the results were combined incorrectly, possibly leading to the wrong overall result (i.e., not NaN
when it should be).
Reject time-of-day values greater than 24 hours (Tom Lane)
The intention of the datetime input code is to allow “24:00:00†or equivalently “23:59:60â€, but no larger value. However, the range check was miscoded so that it would accept “23:59:60.nnn
†with nonzero fractional-second nnn
. In timestamp values this would result in wrapping into the first second of the next day. In time
and timetz
values, the stored value would actually be more than 24 hours, causing dump/reload failures and possibly other misbehavior.
Undo double-quoting of index names in EXPLAIN
's non-text output formats (Tom Lane, Euler Taveira)
Fix EXPLAIN
's accounting for resource usage, particularly buffer accesses, in parallel workers in a plan using Gather Merge
nodes (Jehan-Guillaume de Rorthais)
Fix timing of constraint revalidation in ALTER TABLE
(David Rowley)
If ALTER TABLE
needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK
constraints, it sometimes did things in the wrong order, leading to odd errors such as “could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytesâ€.
Work around incorrect not-null markings for pg_subscription
.subslotname
and pg_subscription_rel
.srsublsn
(Tom Lane)
The bootstrap catalog data incorrectly marks these two catalog columns as always non-null. There's no easy way to correct that mistake in existing installations (though v13 and later will have the correct markings). The main place that depends on that marking being correct is JIT-enabled tuple deconstruction, so teach it to explicitly ignore the marking for these two columns. Also adjust some C code that accessed srsublsn
without checking to see if it's null; a crash from that is improbable but perhaps not impossible.
Cope with LATERAL
references in restriction clauses attached to an un-flattened sub-SELECT
in the FROM
clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution.
Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY
.
Remove bogus warning about “leftover placeholder tuple†in BRIN index de-summarization (Ãlvaro Herrera)
The case can occur legitimately after a cancelled vacuum, so warning about it is overly noisy.
Fix selection of tablespaces for “shared fileset†temporary files (Magnus Hagander, Tom Lane)
If temp_tablespaces
is empty or explicitly names the database's primary tablespace, such files got placed into the pg_default
tablespace rather than the database's primary tablespace as expected.
Fix corner-case error in masking of SP-GiST index pages during WAL consistency checking (Alexander Korotkov)
This could cause false failure reports when wal_consistency_checking
is enabled.
Improve error handling in the server's buffile
module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate.
Fix conflict-checking anomalies in SERIALIZABLE
isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error.
Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints
is on.
Avoid trouble during cleanup of a non-exclusive backup when JIT compilation has been activated during the backup (Robert Haas)
Fix failure of some code paths to acquire the correct lock before modifying pg_control
(Nathan Bossart, Fujii Masao)
This oversight could allow pg_control
to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control
update.
Fix errors in currtid()
and currtid2()
(Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as “could not open file†when applied to a relation having no storage.
Avoid calling elog()
or palloc()
while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock.
Fix assertion in logical replication subscriber to allow use of REPLICA IDENTITY FULL
(Euler Taveira)
This was just an incorrect assertion, so it has no impact on standard production builds.
Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Ãlvaro Herrera)
Some code paths could produce silly reports like “could not write file: Successâ€.
Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to “tuple concurrently updated†errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur.
Ensure that pg_upgrade runs with vacuum_defer_cleanup_age
set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age
to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade.
Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume.
Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat()
.
Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage.
Fix contrib/amcheck
to not complain about deleted index pages that are empty (Alexander Korotkov)
This state of affairs is normal during WAL replay.
Fix failure to initialize local state correctly in contrib/dblink
(Joe Conway)
With the right combination of circumstances, this could lead to dblink_close()
issuing an unexpected remote COMMIT
.
Fix contrib/pgcrypto
's misuse of deflate()
(Tom Lane)
The pgp_sym_encrypt
functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation.
Fix corner case in decompression logic in contrib/pgcrypto
's pgp_sym_decrypt
functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data.
Use POSIX-standard strsignal()
in place of the BSD-ish sys_siglist[]
(Tom Lane)
This avoids build failures with very recent versions of glibc.
Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José SantamarÃa Flecha, Davinder Singh, Amit Kapila)
Avoid possible failure of our MSVC install script when there is a file named configure
several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure
to identify the top level of the source tree.
Release date: 2020-05-14
This release contains a variety of fixes from 11.7. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.6, see Version 11.6.
Propagate ALTER TABLE ... SET STORAGE
to indexes (Peter Eisentraut)
Non-expression index columns have always copied the attstorage
property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE
is done, to maintain consistency.
Preserve the indisclustered
setting of indexes rewritten by ALTER TABLE
(Amit Langote, Justin Pryzby)
Previously, ALTER TABLE
lost track of which index had been used for CLUSTER
.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE
(Quan Zongliang, Peter Eisentraut)
Lock objects sooner during DROP OWNED BY
(Ãlvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same objects.
Fix error-case processing for CREATE ROLE ... IN ROLE
(Andrew Gierth)
Some error cases would be reported as “unexpected node type†or the like, instead of the intended message.
Ensure that when a partition is detached, any triggers cloned from its formerly-parent table are removed (Justin Pryzby)
Ensure that unique indexes over partitioned tables match the equality semantics of the partitioning key (Guancheng Luo)
This would only be an issue with index opclasses that have unusual notions of equality, but it's wrong in theory, so check.
Ensure that members of the pg_read_all_stats
role can read all statistics views, as expected (Magnus Hagander)
The functions underlying the pg_stat_progress_*
views had not gotten this memo.
Repair performance regression in information_schema
.triggers
view (Tom Lane)
This patch redefines that view so that an outer WHERE
clause constraining the table name can be pushed down into the view, allowing its calculations to be done only for triggers belonging to the table of interest rather than all triggers in the database. In a database with many triggers this would make a significant speed difference for queries of that form. Since things worked that way before v11, this is a potential performance regression. Users who find this to be a problem can fix it by replacing the view definition (or, perhaps, just deleting and reinstalling the whole information_schema
schema).
Fix full text search to handle NOT above a phrase search correctly (Tom Lane)
Queries such as !(foo<->bar)
failed to find matching rows when implemented as a GiST or GIN index search.
Fix full text search for cases where a phrase search includes an item with both prefix matching and a weight restriction (Tom Lane)
Fix ts_headline()
to make better headline selections when working with phrase queries (Tom Lane)
Fix bugs in gin_fuzzy_search_limit
processing (Adé Heyward, Tom Lane)
A small value of gin_fuzzy_search_limit
could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
Allow input of type circle
to accept the format “(
†as the documentation says it does (David Zhang)x
,y
),r
Make the get_bit()
and set_bit()
functions cope with bytea
strings longer than 256MB (Movead Li)
Since the bit number argument is only int4
, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea
. We'll widen the argument to int8
in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea
.
Ignore file-not-found errors in pg_ls_waldir()
and allied functions (Tom Lane)
This prevents a race condition failure if a file is removed between when we see its directory entry and when we attempt to stat()
it.
Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir()
, pg_timezone_names()
, pg_tablespace_databases()
, and allied functions (Justin Pryzby)
Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray
output when given only an anyrange
input (Tom Lane)
Avoid leakage of a hashed subplan's hash tables across multiple executions (Andreas Karlsson, Tom Lane)
This mistake could result in severe memory bloat if a query re-executed a hashed subplan enough times.
Avoid unlikely crash when REINDEX
is terminated by a session-shutdown signal (Tom Lane)
Fix low-probability crash after constraint violation errors in partitioned tables (Andres Freund)
Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN
(Konstantin Knizhnik, Tom Lane, Thomas Munro)
Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE
(Tatsuhito Kasahara)
Fix possible undercounting of deleted B-tree index pages in VACUUM VERBOSE
output (Peter Geoghegan)
Fix wrong bookkeeping for oldest deleted page in a B-tree index (Peter Geoghegan)
This could cause subtly wrong decisions about when VACUUM
can skip an index cleanup scan; although it appears there may be no significant user-visible effects from that.
Ensure that TimelineHistoryRead and TimelineHistoryWrite wait states are reported in all code paths that read or write timeline history files (Masahiro Ikeda)
Avoid possibly showing “waiting†twice in a process's PS status (Masahiko Sawada)
Avoid failure if autovacuum tries to access a just-dropped temporary schema (Tom Lane)
This hazard only arises if a superuser manually drops a temporary schema; which isn't normal practice, but should work.
Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais)
WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi)
This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
Remove bogus “subtransaction logged without previous top-level txn record†error check in logical decoding (Arseny Sher, Amit Kapila)
This condition is legitimately reachable in various scenarios, so remove the check.
Ensure that a replication slot's io_in_progress_lock
is released in failure code paths (Pavan Deolasee)
This could result in a walsender later becoming stuck waiting for the lock.
Fix race conditions in synchronous standby management (Tom Lane)
During a change in the synchronous_standby_names
setting, there was a window in which wrong decisions could be made about whether it is OK to release transactions that are waiting for synchronous commit. Another hazard for similarly wrong decisions existed if a walsender process exited and was immediately replaced by another.
Ensure nextXid
can't go backwards on a standby server (Eka Palamadai)
This race condition could allow incorrect hot standby feedback messages to be sent back to the primary server, potentially allowing VACUUM
to run too soon on the primary.
Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
Fix memory leak in libpq when using sslmode=verify-full
(Roman Peshkurov)
Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
Fix ecpg to treat an argument of just “-
†as meaning “read from stdin†on all platforms (Tom Lane)
Allow tab-completion of the filename argument to psql's \gx
command (Vik Fearing)
Add pg_dump support for ALTER ... DEPENDS ON EXTENSION
(Ãlvaro Herrera)
pg_dump previously ignored dependencies added this way, causing them to be forgotten during dump/restore or pg_upgrade.
Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
In pg_dump, postpone restore of event triggers till the end (FabrÃzio de Royes Mello, Hamid Akhtar, Tom Lane)
This minimizes the risk that an event trigger could interfere with the restoration of other objects.
Make pg_verify_checksums skip tablespace subdirectories that belong to a different PostgreSQL major version (Michael Banck, Bernd Helmle)
Such subdirectories don't really belong to our database cluster, and so must not be processed.
Ignore temporary copies of pg_internal.init
in pg_verify_checksums and related programs (Michael Paquier)
Fix quoting of --encoding
, --lc-ctype
and --lc-collate
values in createdb utility (Michael Paquier)
contrib/lo
's lo_manage()
function crashed if called directly rather than as a trigger (Tom Lane)
In contrib/ltree
, protect against overflow of ltree
and lquery
length fields (Nikita Glukhov)
Work around failure in contrib/pageinspect
's bt_metap()
function when an oldest_xact value exceeds 2^31-1 (Peter Geoghegan)
Such XIDs will now be reported as negative integers, which isn't great but it beats throwing an error. v13 will widen the output argument to int8
to provide saner reporting.
Fix cache reference leak in contrib/sepgsql
(Michael Luo)
Avoid failures when dealing with Unix-style locale names on Windows (Juan José SantamarÃa Flecha)
Use pkg-config, if available, to locate libxml2 during configure (Hugh McMaster, Tom Lane, Peter Eisentraut)
If pkg-config is not present or lacks knowledge of libxml2, we still query xml2-config as before.
This change could break build processes that try to make PostgreSQL use a non-default version of libxml2 by putting that version's xml2-config into the PATH
. Instead, set XML2_CONFIG
to point to the non-default xml2-config. That method will work with either older or newer PostgreSQL releases.
In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
In MSVC builds, use -Wno-deprecated
with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan)
Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai.
The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link.
Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.
Release date: 2020-02-13
This release contains a variety of fixes from 11.6. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.6, see Version 11.6.
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION
(Ãlvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). CVE-2020-1720 or CVE-2020-1720)
Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appropriate (Ãlvaro Herrera)
User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.
Fix logical replication subscriber code to execute per-column UPDATE
triggers when appropriate (Peter Eisentraut)
Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
Fix possible crash or data corruption when a logical replication subscriber processes a row update (Tom Lane, Tomas Vondra)
This bug caused visible problems only if the subscriber's table contained columns that were not being copied from the publisher and had pass-by-reference data types.
Fix crash in logical replication subscriber after DDL changes on a subscribed relation (Jehan-Guillaume de Rorthais, Vignesh C)
Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
Ensure that the effect of pg_replication_slot_advance()
on a physical replication slot will persist across restarts (Alexey Kondratov, Michael Paquier)
Improve efficiency of logical replication with REPLICA IDENTITY FULL
(Konstantin Knizhnik)
When searching for an existing tuple during an update or delete operation, return the first matching tuple not the last one.
Ensure parallel plans are always shut down at the correct time (Kyotaro Horiguchi)
This oversight is known to result in “temporary file leak†warnings from multi-batch parallel hash joins.
Prevent premature shutdown of a Gather or GatherMerge plan node that is underneath a Limit node (Amit Kapila)
This avoids failure if such a plan node needs to be scanned more than once, as for instance if it is on the inside of a nestloop.
Improve efficiency of parallel hash join on CPUs with many cores (Gang Deng, Thomas Munro)
Avoid crash in parallel CREATE INDEX
when there are no free dynamic shared memory slots (Thomas Munro)
Fall back to a non-parallel index build, instead.
Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
Ignore the CONCURRENTLY
option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT
action. There is no benefit in using CONCURRENTLY
for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS
(Tom Lane)
Fix possible crash in BRIN index operations with box
, range
and inet
data types (Heikki Linnakangas)
Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
Fix possible crash with a SubPlan (sub-SELECT
) within a multi-row VALUES
list (Tom Lane)
Fix failure to insert default values for “missing†attributes during tuple conversion (Vik Fearing, Andrew Gierth)
This could result in values incorrectly reading as NULL, when they come from columns that had been added by ALTER TABLE ADD COLUMN
with a constant default.
Fix crash after FileClose() failure (Noah Misch)
This issue could only be observed with data_sync_retry
enabled, since otherwise FileClose() failure would be reported as a PANIC.
Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
Improve error reporting in to_date()
and to_timestamp()
(Tom Lane, Ãlvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
Fix off-by-one result for EXTRACT (ISOYEAR FROM
for BC dates (Tom Lane)timestamp
)
Avoid stack overflow in information_schema
views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
Ensure that walsender processes always show NULL for transaction start time in pg_stat_activity
(Ãlvaro Herrera)
Previously, the xact_start
column would sometimes show the process start time.
Improve performance of hash joins with very large inner relations (Thomas Munro)
Fix placement of “Subplans Removed†field in EXPLAIN
output (Daniel Gustafsson, Tom Lane)
In non-text output formats, this field was emitted inside the “Plans†sub-group, resulting in syntactically invalid output. Attach it to the parent Append or MergeAppend plan node as intended. This causes the field to change position in text output format too: if there are any InitPlans attached to the same plan node, “Subplans Removed†will now appear before those.
Allow the planner to apply potentially-leaky tests to child-table statistics, if the user can read the corresponding column of the table that's actually named in the query (Dilip Kumar, Amit Langote)
This change fixes a performance problem for partitioned tables that was created by the fix forCVE-2017-7484 or CVE-2017-7484. That security fix disallowed applying leaky operators to statistics for columns that the current user doesn't have permission to read directly. However, it's somewhat common to grant permissions only on the parent partitioned table and not bother to do so on individual partitions. In such cases, the user can read the column via the parent, so there's no point in this security restriction; it only results in poorer planner estimates than necessary.
Fix edge-case crashes and misestimations in selectivity calculations for the <@
and @>
range operators (Michael Paquier, Andrey Borodin, Tom Lane)
Ignore system columns when applying most-common-value extended statistics (Tomas Vondra)
This prevents “negative bitmapset member not allowed†planner errors for affected queries.
Fix BRIN index logic to support hypothetical BRIN indexes (Julien Rouhaud, Heikki Linnakangas)
Previously, if an “index adviser†extension tried to get the planner to produce a plan involving a hypothetical BRIN index, that would fail, because the BRIN cost estimation code would always try to physically access the index's metapage. Now it checks to see if the index is only hypothetical, and uses default assumptions about the index parameters if so.
Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD
rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
Disallow partition key expressions that return pseudo-types, such as record
(Tom Lane)
Fix error reporting for index expressions of prohibited types (Amit Langote)
Fix dumping of views that contain only a VALUES
list to handle cases where a view output column has been renamed (Tom Lane)
Ensure that data types and collations used in XMLTABLE
constructs are accounted for when computing dependencies of a view or rule (Tom Lane)
Previously it was possible to break a view using XMLTABLE
by dropping a type, if the type was not otherwise referenced in the view. This fix does not correct the dependencies already recorded for existing views, only for newly-created ones.
Prevent unwanted downcasing and truncation of RADIUS authentication parameters (Marcos David Hartwig)
The pg_hba.conf
parser mistakenly treated these fields as SQL identifiers, which in general they aren't.
Transmit incoming NOTIFY
messages to the client before sending ReadyForQuery
, rather than after (Tom Lane)
This change ensures that, with libpq and other client libraries that act similarly to it, any notifications received during a transaction will be available by the time the client thinks the transaction is complete. This probably makes no difference in practical applications (which would need to cope with asynchronous notifications in any case); but it makes it easier to build test cases with reproducible behavior.
Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
Fix incorrect handling of %b
and %B
format codes in ecpg's PGTYPEStimestamp_fmt_asc()
function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
Apply more thorough syntax checking to createuser's --connection-limit
option (Ãlvaro Herrera)
Cope with changes of the specific type referenced by a PL/pgSQL composite-type variable in more cases (Ashutosh Sharma, Tom Lane)
Dropping and re-creating the composite type referenced by a PL/pgSQL variable could lead to “could not open relation with OID NNNN
†errors.
Avoid crash in postgres_fdw
when trying to send a command like UPDATE remote_tab SET (x,y) = (SELECT ...)
to the remote server (Tom Lane)
In contrib/dict_int
, reject maxlen
settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
Disallow NULL category values in contrib/tablefunc
's crosstab()
function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
Fix configure's probe for OpenSSL's SSL_clear_options()
function so that it works with OpenSSL versions before 1.1.0 (Michael Paquier, Daniel Gustafsson)
This problem could lead to failure to set the SSL compression option as desired, when PostgreSQL is built against an old version of OpenSSL.
Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT
, to allow extensions to access them on Windows (Pascal Legrand)
This applies to idle_in_transaction_session_timeout
, lock_timeout
, statement_timeout
, track_activities
, track_counts
, and track_functions
.
Avoid memory leak in sanity checks for “slab†memory contexts (Tomas Vondra)
This isn't an issue for production builds, since they wouldn't ordinarily have memory context checking enabled; but the leak could be quite severe in a debug build.
Fix multiple statistics entries reported by the LWLock statistics mechanism (Fujii Masao)
The LWLock statistics code (which is not built by default; it requires compiling with -DLWLOCK_STATS
) could report multiple entries for the same LWLock and backend process, as a result of faulty hashtable key creation.
Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY
, and perhaps other misbehavior.
On Windows, retry a few times after an ERROR_ACCESS_DENIED
file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
Release date: 2019-11-14
This release contains a variety of fixes from 11.5. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you use the contrib/intarray
extension with a GiST index, and you rely on indexed searches for the <@
operator, see the entry below about that.
Also, if you are upgrading from a version earlier than 11.1, see Version 11.1.
Fix failure of ALTER TABLE SET
with a custom relation option (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Avoid failure if the same target table is specified twice in an ANALYZE
command inside a transaction block (Tom Lane)
Prevent VACUUM
from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM
failing until the old transaction terminates.
SET CONSTRAINTS ... DEFERRED
failed on partitioned tables, incorrectly complaining about lack of triggers (Ãlvaro Herrera)
Fix failure when creating indexes for a partition, if the parent partitioned table contains any dropped columns (Michael Paquier)
Fix planner's test for case-foldable characters in ILIKE
with an ICU collation (Tom Lane)
This mistake caused the planner to treat too much of the pattern as being a fixed prefix, so that indexscans derived from an ILIKE
clause might miss entries that they should find.
Ensure that offset expressions in WINDOW
clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
Fix handling of whole-row variables in WITH CHECK OPTION
expressions and row-level-security policy expressions (Andres Freund)
Previously, such usage might result in bogus errors about row type mismatches.
Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
Prevent possible double-free if a BEFORE UPDATE
trigger returns the old tuple as-is, and it is not the last such trigger (Thomas Munro)
Fix crash if
, or related operations, contains a constant-null array (Tom Lane)x
= ANY (array
)
Fix “unexpected relkind†error when a query tries to access a TOAST table (John Hsu, Michael Paquier, Tom Lane)
The error should say that permission is denied, but this case got broken during code refactoring.
Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
In serializable mode, ensure that row-level predicate locks are acquired on the correct version of the row (Thomas Munro, Heikki Linnakangas)
If the visible version of the row is HOT-updated, the lock might be taken on its now-dead predecessor, resulting in subtle failures to guarantee serialization.
Ensure that fsync()
is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes “bad file descriptor†or similar errors.
Allow encoding conversion to succeed on longer strings than before (Ãlvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
Avoid an unnecessary catalog lookup during heap page pruning (Thomas Munro)
It's no longer necessary to check for unlogged indexes here, and the check caused significant performance problems in some workloads. There was also at least a theoretical possibility of deadlock.
Avoid creating unnecessarily-bulky tuple stores for window functions (Andrew Gierth)
In some cases the tuple storage would include all columns of the source table(s), not just the ones that are needed by the query.
Fix failure to JIT-compile equality comparisons for grouping hash tables, leading to performance loss (Andres Freund)
Allow repalloc()
to give back space when a large chunk is reduced in size (Tom Lane)
Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
Avoid failure in archive recovery if recovery_min_apply_delay
is enabled (Fujii Masao)
recovery_min_apply_delay
is not typically used in this configuration, but it should work.
Fix logical replication failure when publisher and subscriber have different ideas about a table's replica identity columns (Jehan-Guillaume de Rorthais, Peter Eisentraut)
Declaring a column as part of the replica identity on the subscriber, when it does not exist at all on the publisher, led to “negative bitmapset member not allowed†errors.
Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Ãlvaro Herrera)
Fix timeout handling in logical replication walreceiver processes (Julien Rouhaud)
Erroneous logic prevented wal_receiver_timeout
from working in logical replication deployments.
Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription
.last_msg_send_time
usually reading as NULL.
In logical decoding, ensure that sub-transactions are correctly accounted for when reconstructing a snapshot (Masahiko Sawada)
This error leads to assertion failures; it's unclear whether any bad effects exist in production builds.
Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
Fix ALTER SYSTEM
to cope with duplicate entries in postgresql.auto.conf
(Ian Barwick)
ALTER SYSTEM
itself will not generate such a state, but external tools that modify postgresql.auto.conf
could do so. Duplicate entries for the target variable will now be removed, and then the new setting (if any) will be appended at the end.
Reject include directives with empty file names in configuration files, and report include-file recursion more clearly (Ian Barwick, Tom Lane)
Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
Fix some cases where an incomplete date specification is not detected in time with time zone
input (Alexander Lakhin)
If a time zone with a time-varying UTC offset is specified, then a date must be as well, so that the offset can be resolved. Depending on the syntax used, this check was not enforced in some cases, allowing bogus output to be produced.
Fix misbehavior of bitshiftright()
(Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright()
in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
Restore the ability to take type information from an AS
clause in json[b]_populate_record()
and json[b]_populate_recordset()
(Tom Lane)
If the record argument is NULL and has no declared composite type, try to use the AS
clause instead. This isn't recommended usage, but it used to work, and now does again.
Avoid crash when selecting a namespace node in XMLTABLE
(Chapman Flack)
Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
Fix memory leaks in lower()
, upper()
, and initcap()
functions when using ICU collations (Konstantin Knizhnik)
Avoid crashes if ispell
text search dictionaries contain wrong affix data (Arthur Zakirov)
Fix incorrect compression logic for GIN posting lists (Heikki Linnakangas)
A GIN posting list item can require 7 bytes if the distance between adjacent indexed TIDs exceeds 16TB. One step in the logic was out of sync with that, and might try to write the value into a 6-byte buffer. In principle this could cause a stack overrun, but on most architectures it's likely that the next byte would be unused alignment padding, making the bug harmless. In any case the bug would be very difficult to hit.
Fix handling of infinity, NaN, and NULL values in KNN-GiST (Alexander Korotkov)
The query's output order could be wrong (different from a plain sort's result) if some distances computed for non-null column values are infinity or NaN.
Fix handling of searches for NULL in KNN-SP-GiST (Nikita Glukhov)
On Windows, recognize additional spellings of the “Norwegian (Bokmål)†locale name (Tom Lane)
Avoid compile failure if an ECPG client includes ecpglib.h
while having ENABLE_NLS
defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext()
should not be visible to client code.
In psql, resynchronize internal state about the server after an unexpected connection loss and successful reconnection (Peter Billen, Tom Lane)
Ordinarily this is unnecessary since the state would be the same anyway. But it can matter in corner cases, such as where the connection might lead to one of several servers. This change causes psql to re-issue any interactive messages that it would have issued at startup, for example about whether SSL is in use.
Avoid platform-specific null pointer dereference in psql (Quentin Rameau)
In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
Fix pg_dump to work again with pre-8.3 source servers (Tom Lane)
A previous fix caused pg_dump to always try to query pg_opfamily
, but that catalog doesn't exist before version 8.3.
In pg_restore, treat -f -
as meaning “output to stdout†(Ãlvaro Herrera)
This synchronizes pg_restore's behavior with some other applications, and in particular makes pre-v12 branches act similarly to version 12's pg_restore, simplifying creation of dump/restore scripts that work across multiple PostgreSQL versions. Before this change, pg_restore interpreted such a switch as meaning “output to a file named -
â€, but few people would want that.
Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line
(Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
Detect file read errors during pg_basebackup (Jeevan Chalke)
In pg_basebackup, don't fsync output files until the end of backup (Michael Paquier)
The previous coding could result in timeout failures if fsync was slow.
In pg_rewind with an online source cluster, disable timeouts, much as pg_dump does (Alexander Kukushkin)
Fix failure in pg_waldump with the -s
option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
In pg_waldump, include the newitemoff
field in btree page split records (Peter Geoghegan)
In pg_waldump with the --bkp-details
option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
Fix small memory leak in pg_waldump (Andres Freund)
Fix vacuumdb with a high --jobs
option to handle running out of file descriptors better (Michael Paquier)
Fix PL/pgSQL to handle replacements of composite types better (Tom Lane)
Cover the case where a composite type is dropped entirely, and then a new type of the same name is created, between executions of a PL/pgSQL function. Variables of the composite type will now update to match the new definition.
Fix contrib/amcheck
to skip unlogged indexes during hot standby (Andrey Borodin, Peter Geoghegan)
An unlogged index won't necessarily contain valid data in this context, so don't try to check it.
Fix contrib/intarray
's GiST opclasses to not fail for empty arrays with <@
(Tom Lane)
A clause like
is considered indexable, but the index search may not find empty array values; of course, such entries should trivially match the search.array_column
<@ constant_array
The only practical back-patchable fix for this requires making <@
index searches scan the whole index, which is what this patch does. This is unfortunate: it means that the query performance is likely worse than a plain sequential scan would be.
Applications whose performance is adversely impacted by this change have a couple of options. They could switch to a GIN index, which doesn't have this bug, or they could replace
with array_column
<@ constant_array
. That will provide about the same performance as before, and it will find all non-empty subsets of the given constant array, which is all that could reliably be expected of the query before.array_column
<@ constant_array
AND array_column
&& constant_array
Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS
to -O0
.
Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
On PowerPC, avoid depending on the xlc compiler's __fetch_and_add()
function (Noah Misch)
xlc 13 and newer interpret this function in a way incompatible with our usage, resulting in an unusable build of PostgreSQL. Fix by using custom assembly code instead.
On AIX, don't use the compiler option -qsrcmsg
(Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
Update time zone data files to tzdata release 2019c for DST law changes in Fiji and Norfolk Island, plus historical corrections for Alberta, Austria, Belgium, British Columbia, Cambodia, Hong Kong, Indiana (Perry County), Kaliningrad, Kentucky, Michigan, Norfolk Island, South Korea, and Turkey.
Release date: 2019-08-08
This release contains a variety of fixes from 11.4. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.1, see Version 11.1.
Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)
We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.
. Require this as well for casting to temporary types using functional notation, for example func_name
(args
)pg_temp.
. Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked inCVE-2007-2138 or CVE-2007-2138. CVE-2019-10208 or CVE-2019-10208)type_name
(arg
)
Fix execution of hashed subplans that require cross-type comparison (Tom Lane, Andreas Seltenreich)
Hashed subplans used the outer query's original comparison operator to compare entries of the hash table. This is the wrong thing if that operator is cross-type, since all the hash table entries will be of the subquery's output type. For the set of hashable cross-type operators in core PostgreSQL, this mistake seems nearly harmless on 64-bit machines, but it can result in crashes or perhaps unauthorized disclosure of server memory on 32-bit machines. Extensions might provide hashable cross-type operators that create larger risks. CVE-2019-10209 or CVE-2019-10209)
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE
when altering multiple columns' types in one command (Tom Lane)
This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE
.
Prevent dropping a partitioned table's trigger if there are pending trigger events in child partitions (Ãlvaro Herrera)
This notably applies to foreign key constraints, since those are implemented by triggers.
Include user-specified trigger arguments when copying a trigger definition from a partitioned table to one of its partitions (Patrick McHardy)
Install dependencies to prevent dropping partition key columns (Tom Lane)
ALTER TABLE ... DROP COLUMN
will refuse to drop a column that is a partition key column. However, indirect drops (such as a cascade from dropping a key column's data type) had no such check, allowing the deletion of a key column. This resulted in a badly broken partitioned table that could neither be accessed nor dropped.
This fix adds pg_depend
entries that enforce that the whole partitioned table, not just the key column, will be dropped if a cascaded drop forces removal of the key column. However, such entries will only be created when a partitioned table is created; so this fix does not remove the risk for pre-existing partitioned tables. The issue can only arise for partition key columns of non-built-in data types, so it seems not to be a hazard for most users.
Ensure that column numbers are correctly mapped between a partitioned table and its default partition (Amit Langote)
Some operations misbehaved if the mapping wasn't exactly one-to-one, for example if there were dropped columns in one table and not the other.
Ignore partitions that are foreign tables when creating indexes on partitioned tables (Ãlvaro Herrera)
Previously an error was thrown on encountering a foreign-table partition, but that's unhelpful and doesn't protect against any actual problem.
Prune a partitioned table's default partition (that is, avoid uselessly scanning it) in more cases (Yuzuko Hosoya)
Fix possible failure to prune partitions when there are multiple partition key columns of boolean
type (David Rowley)
Don't optimize away GROUP BY
columns when the table involved is an inheritance parent (David Rowley)
Normally, if a table's primary key column(s) are included in GROUP BY
, it's safe to drop any other grouping columns, since the primary key columns are enough to make the groups unique. This rule does not work if the query is also reading inheritance child tables, though; the parent's uniqueness does not extend to the children.
Avoid incorrect use of parallel hash join for semi-join queries (Thomas Munro)
This error resulted in duplicate result rows from some EXISTS
queries.
Avoid using unnecessary sort steps for some queries with GROUPING SETS
(Andrew Gierth, Richard Guo)
Fix possible failure of planner's index endpoint probes (Tom Lane)
When using a recently-created index to determine the minimum or maximum value of a column, the planner could select a recently-dead tuple that does not actually contain the endpoint value. In the worst case the tuple might contain a null, resulting in a visible error “found unexpected null value in indexâ€; more likely we would just end up using the wrong value, degrading the quality of planning estimates.
Fix failure to access trigger transition tables during EvalPlanQual
rechecks (Alex Aktsipetrov)
Triggers that rely on transition tables sometimes failed in the presence of concurrent updates.
Fix mishandling of multi-column foreign keys when rebuilding a foreign key constraint (Tom Lane)
ALTER TABLE
could make an incorrect decision about whether revalidation of a foreign key is necessary, if not all columns of the key are of the same type. It seems likely that the error would always have been in the conservative direction, that is revalidating unnecessarily.
Don't build extended statistics for inheritance trees (Tomas Vondra)
This avoids a “tuple already updated by self†error during ANALYZE
.
Avoid spurious deadlock errors when upgrading a tuple lock (Oleksii Kliukin)
When two or more transactions are waiting for a transaction T1 to release a tuple-level lock, and T1 upgrades its lock to a higher level, a spurious deadlock among the waiting transactions could be reported when T1 finishes.
Fix failure to resolve deadlocks involving multiple parallel worker processes (Rui Hai Jiang)
It is not clear whether this bug is reachable with non-artificial queries, but if it did happen, the queries involved in an otherwise-resolvable deadlock would block until canceled.
Prevent incorrect canonicalization of date ranges with infinity
endpoints (Laurenz Albe)
It's incorrect to try to convert an open range to a closed one or vice versa by incrementing or decrementing the endpoint value, if the endpoint is infinite; so leave the range alone in such cases.
Fix loss of fractional digits when converting very large money
values to numeric
(Tom Lane)
Fix printing of BTREE_META_CLEANUP
WAL records (Michael Paquier)
Prevent assertion failures due to mishandling of version-2 btree metapages (Peter Geoghegan)
Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6 (YunQiang Su)
Ensure that a record or row value returned from a PL/pgSQL function is marked with the function's declared composite type (Tom Lane)
This avoids problems if the result is stored directly into a table.
Make libpq ignore carriage return (\r
) in connection service files (Tom Lane, Michael Paquier)
In some corner cases, service files containing Windows-style newlines could be mis-parsed, resulting in connection failures.
In psql, avoid offering incorrect tab completion options after SET
(Tom Lane)variable
=
Fix a small memory leak in psql's \d
command (Tom Lane)
Fix pg_dump to ensure that custom operator classes are dumped in the right order (Tom Lane)
If a user-defined opclass is the subtype opclass of a user-defined range type, related objects were dumped in the wrong order, producing an unrestorable dump. (The underlying failure to handle opclass dependencies might manifest in other cases too, but this is the only known case.)
Fix possible lockup in pgbench when using -R
option (Fabien Coelho)
Improve reliability of contrib/amcheck
's index verification (Peter Geoghegan)
Fix handling of Perl undef
values in contrib/jsonb_plperl
(Ivan Panchenko)
Fix contrib/passwordcheck
to coexist with other users of check_password_hook
(Michael Paquier)
Fix contrib/sepgsql
tests to work under recent SELinux releases (Mike Palmiotto)
Improve stability of src/test/kerberos
and src/test/ldap
regression tests (Thomas Munro, Tom Lane)
Improve stability of src/test/recovery
regression tests (Michael Paquier)
Reduce stderr output from pg_upgrade's test script (Tom Lane)
Fix pgbench regression tests to work on Windows (Fabien Coelho)
Fix TAP tests to work with msys Perl, in cases where the build directory is on a non-root msys mount point (Noah Misch)
Support building Postgres with Microsoft Visual Studio 2019 (Haribabu Kommi)
In Visual Studio builds, honor WindowsSDKVersion
environment variable, if that's set (Peifeng Qiu)
This fixes build failures in some configurations.
Support OpenSSL 1.1.0 and newer in Visual Studio builds (Juan José SantamarÃa Flecha, Michael Paquier)
Allow make options to be passed down to gmake when non-GNU make is invoked at the top level (Thomas Munro)
Avoid choosing localtime
or posixrules
as TimeZone
during initdb (Tom Lane)
In some cases initdb would choose one of these artificial zone names over the “real†zone name. Prefer any other match to the C library's timezone behavior over these two.
Adjust pg_timezone_names
view to show the Factory
time zone if and only if it has a short abbreviation (Tom Lane)
Historically, IANA set up this artificial zone with an “abbreviation†like Local time zone must be set--see zic manual page
. Modern versions of the tzdb database show -00
instead, but some platforms alter the data to show one or another of the historical phrases. Show this zone only if it uses the modern abbreviation.
Sync our copy of the timezone library with IANA tzcode release 2019b (Tom Lane)
This adds support for zic's new -b slim
option to reduce the size of the installed zone files. We are not currently using that, but may enable it in future.
Update time zone data files to tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine.
Release date: 2019-06-20
This release contains a variety of fixes from 11.3. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.1, see Version 11.1.
Fix buffer-overflow hazards in SCRAM verifier parsing (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
Any authenticated user could cause a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could suffice for executing arbitrary code as the PostgreSQL operating system account.
A similar overflow hazard existed in libpq, which could allow a rogue server to crash a client or perhaps execute arbitrary code as the client's operating system account.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2019-10164 or CVE-2019-10164)
Fix assorted errors in run-time partition pruning logic (Tom Lane, Amit Langote, David Rowley)
These mistakes could lead to wrong answers in queries on partitioned tables, if the comparison value used for pruning is dynamically determined, or if multiple range-partitioned columns are involved in pruning decisions, or if stable (not immutable) comparison operators are involved.
Fix possible crash while trying to copy trigger definitions to a new partition (Tom Lane)
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE
when the table has a partial exclusion constraint (Tom Lane)
Fix failure of COMMENT
command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)
Prevent possible memory clobber when there are duplicate columns in a hash aggregate's hash key list (Andrew Gierth)
Fix incorrect argument null-ness checking during partial aggregation of aggregates with zero or multiple arguments (David Rowley, Kyotaro Horiguchi, Andres Freund)
Fix faulty generation of merge-append plans (Tom Lane)
This mistake could lead to “could not find pathkey item to sort†errors.
Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
Fix conversion of JSON string literals to JSON-type output columns in json_to_record()
and json_populate_record()
(Tom Lane)
Such cases should produce the literal as a standalone JSON value, but the code misbehaved if the literal contained any characters requiring escaping.
Fix misoptimization of {1,1}
quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?
, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
Avoid writing an invalid empty btree index page in the unlikely case that a failure occurs while processing INCLUDEd columns during a page split (Peter Geoghegan)
The invalid page would not affect normal index operations, but it might cause failures in subsequent VACUUMs. If that has happened to one of your indexes, recover by reindexing the index.
Avoid possible failures while initializing a new process's pg_stat_activity
data (Tom Lane)
Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared pg_stat_activity
data.
Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
Fix unsafe coding in walreceiver's signal handler (Tom Lane)
This avoids rare problems in which the walreceiver process would crash or deadlock when commanded to shut down.
Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like “cannot read pg_class without having selected a databaseâ€.
Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime
symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime
is not a symlink to a zone data file, nor if the time zone is determined from the TZ
environment variable.
Separately, prefer UTC
over other spellings of that time zone, when neither TZ
nor /etc/localtime
provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT
and UTC
zone names equivalent: initdb was then preferring UCT
, which almost nobody wants.
Fix ordering of GRANT
commands emitted by pg_dump and pg_dumpall for databases and tablespaces (Nathan Bossart, Michael Paquier)
If cascading grants had been issued, restore might fail due to the GRANT
commands being given in an order that didn't respect their interdependencies.
Make pg_dump recreate table partitions using CREATE TABLE
then ATTACH PARTITION
, rather than including PARTITION OF
in the creation command (Ãlvaro Herrera, David Rowley)
This avoids problems with the partition's column order possibly being changed to match the parent's. Also, a partition is now restorable from the dump (as a standalone table) even if its parent table isn't restored; the ATTACH
will fail, but that can just be ignored.
Fix misleading error reports from reindexdb (Julien Rouhaud)
Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
Fix contrib/auto_explain
to not cause problems in parallel queries (Tom Lane)
Previously, a parallel worker might try to log its query even if the parent query were not being logged by auto_explain
. This would work sometimes, but it's confusing, and in some cases it resulted in failures like “could not find key N in shm TOCâ€.
Also, fix an off-by-one error that resulted in not necessarily logging every query even when the sampling rate is set to 1.0.
In contrib/postgres_fdw
, account for possible data modifications by local BEFORE ROW UPDATE
triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE
, the new value was not transmitted to the remote server.
On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
Make PL/pgSQL's header files C++-safe (George Tarasov)
Release date: 2019-05-09
This release contains a variety of fixes from 11.2. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.1, see Version 11.1.
Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic
(e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. InCVE-2017-7484 or CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. CVE-2019-10130 or CVE-2019-10130)
Avoid access to already-freed memory during partition routing error reports (Michael Paquier)
This mistake could lead to a crash, and in principle it might be possible to use it to disclose server memory contents. CVE-2019-10129 or CVE-2019-10129)
Avoid catalog corruption when an ALTER TABLE
on a partitioned table finds that a partitioned index is reusable (Amit Langote, Tom Lane)
This occurs, for example, when ALTER COLUMN TYPE
finds that no physical table rewrite is required.
Avoid catalog corruption when a temporary table with ON COMMIT DROP
and an identity column is created in a single-statement transaction (Peter Eisentraut)
This hazard was overlooked because the case is not actually useful, since the temporary table would be dropped immediately after creation.
Fix failure in ALTER INDEX ... ATTACH PARTITION
if the partitioned table contains more dropped columns than its partition does (Ãlvaro Herrera)
Fix failure to attach a partition's existing index to a newly-created partitioned index in some cases (Amit Langote, Ãlvaro Herrera)
This would lead to errors such as “index ... not found in partition†in subsequent DDL that uses the partitioned index.
Avoid crash when an EPQ recheck is performed for a partitioned query result relation (Amit Langote)
This occurs when using READ COMMITTED
isolation level and another session has concurrently updated some of the target row(s).
Fix tuple routing in multi-level partitioned tables that have dropped attributes (Amit Langote, Michael Paquier)
Fix failure when the slow path of foreign key constraint initial validation is applied to partitioned tables (Hadi Moshayedi, Tom Lane, Andres Freund)
This didn't manifest except in the uncommon cases where the fast path can't be used (such as permissions problems).
Fix behavior for an UPDATE
or DELETE
on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a RETURNING
clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
When accessing a partition directly, and constraint_exclusion
is set to on
, use the partition's partition constraint as well as any CHECK
constraints for exclusion checking (Amit Langote, Tom Lane)
This change restores the behavior to what it was in v10.
Avoid server crash when an error occurs while trying to persist a cursor query across a transaction commit (Tom Lane)
If a procedure attempts to commit while it has an open explicit or implicit cursor (for example, a PL/pgSQL FOR
-loop query), the cursor must be executed to completion and its results saved before the transaction commit can be performed. An error occurring during such execution led to a crash.
Avoid throwing incorrect errors for updates of temporary tables and unlogged tables when a FOR ALL TABLES
publication exists (Peter Eisentraut)
Such tables should be ignored for publication purposes, but some parts of the code failed to do so.
Fix handling of explicit DEFAULT
items in an INSERT ... VALUES
command with multiple VALUES
rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES
will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
Fix CREATE VIEW
to allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
Add missing support for CREATE TABLE IF NOT EXISTS ... AS EXECUTE ...
(Andreas Karlsson)
The combination of IF NOT EXISTS
and EXECUTE
should work, but the grammar omitted it.
Ensure that sub-SELECT
s appearing in row-level-security policy expressions are executed with the correct user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
Accept XML documents as valid values of type xml
when xmloption
is set to content
, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption
that will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit SET xmloption = content
while restoring data, ensuring that dump/restore works even if the prevailing setting is document
.
Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid
file has been removed.
Avoid possible division-by-zero in btree index vacuum logic (Piotr Stefaniak, Alexander Korotkov)
This could lead to incorrect decisions about whether index cleanup is needed.
Avoid counting parallel workers' transactions as separate transactions (Haribabu Kommi)
Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
Fix possible crash while executing a SHOW
command in a replication connection (Michael Paquier)
Avoid server memory leak when fetching rows from a portal one at a time (Tom Lane)
Avoid memory leak when a partition's relation cache entry is rebuilt (Amit Langote, Tom Lane)
Tolerate EINVAL
and ENOSYS
error results, where appropriate, for fsync
and sync_file_range
calls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means “operation not supportedâ€.
Report correct relation name in autovacuum's pg_stat_activity
display during BRIN summarize operations (Ãlvaro Herrera)
Avoid crash when trying to plan a partition-wise join when GEQO is active (Tom Lane)
Fix “failed to build any N
-way joins†planner failures with lateral references leading out of FULL
outer joins (Tom Lane)
Fix misplanning of queries in which a set-returning function is applied to a relation that is provably empty (Tom Lane, Julien Rouhaud)
In v10, this oversight only led to slightly inefficient plans, but in v11 it could cause “set-valued function called in context that cannot accept a set†errors.
Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic
data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
Fix planner's parallel-safety assessment for grouped queries (Etsuro Fujita)
Previously, target-list evaluation work that could have been parallelized might not be.
Fix mishandling of “included†index columns in planner's unique-index logic (Tom Lane)
This could result in failing to recognize that a unique index with included columns proves uniqueness of a query result, leading to a poor plan.
Fix incorrect strictness check for array coercion expressions (Tom Lane)
This might allow, for example, incorrect inlining of a strict SQL function, leading to non-enforcement of the strictness condition.
Speed up planning when there are many equality conditions and many potentially-relevant foreign key constraints (David Rowley)
Avoid O (N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
Fix corner-case server crashes in dynamic shared memory allocation (Thomas Munro, Robert Haas)
Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to “dsa_area could not attach to segment†or “cannot unpin a segment that is not pinned†errors.
Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
Fix possible crash when pg_identify_object_as_address()
is given invalid input (Ãlvaro Herrera)
Fix possible “could not access status of transaction†failures in txid_status()
(Thomas Munro)
Fix authentication failure when attempting to use SCRAM authentication with mixed OpenSSL library versions (Michael Paquier, Peter Eisentraut)
If libpq is using OpenSSL 1.0.1 or older while the server is using OpenSSL 1.0.2 or newer, the negotiation of which SASL mechanism to use went wrong, leading to a confusing “channel binding not supported by this build†error message.
Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
Fix handling of lc_time
settings that imply an encoding different from the database's encoding (Juan José SantamarÃa Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
Create the current_logfiles
file with the same permissions as other files in the server's data directory (Haribabu Kommi)
Previously it used the permissions specified by log_file_mode
, but that can cause problems for backup utilities.
Fix incorrect operator_precedence_warning
checks involving unary minus operators (Rikard Falkeborn)
Disallow NaN
as a value for floating-point server parameters (Tom Lane)
Rearrange REINDEX
processing to avoid assertion failures when reindexing individual indexes of pg_class
(Andres Freund, Tom Lane)
Fix planner assertion failure for parameterized dummy paths (Tom Lane)
Insert correct test function in the result of SnapBuildInitialSnapshot()
(Antonin Houska)
No core code cares about this, but some extensions do.
Fix intermittent “could not reattach to shared memory†session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of SET
(but not variable
= DEFAULTSET
) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a variable
TO DEFAULTDROP TYPE
or DROP DOMAIN
command that listed multiple type names, only the first type name was actually processed.
Sync ecpg's syntax for CREATE TABLE AS
with the server's (Daisuke Higuchi)
Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
Fix pg_rewind failures due to failure to remove some transient files in the target data directory (Michael Paquier)
Make pg_verify_checksums verify that the data directory it's pointed at is of the right PostgreSQL version (Michael Paquier)
Avoid crash in contrib/postgres_fdw
when a query using remote grouping or aggregation has a SELECT
-list item that is an uncorrelated sub-select, outer reference, or parameter symbol (Tom Lane)
Change contrib/postgres_fdw
to report an error when a remote partition chosen to insert a routed row into is also an UPDATE
subplan target that will be updated later in the same command (Amit Langote, Etsuro Fujita)
Previously, such situations led to server crashes or incorrect results of the UPDATE
. Allowing such cases to work correctly is a matter for future work.
In contrib/pg_prewarm
, avoid indefinitely respawning background worker processes if prewarming fails for some reason (Mithun Cy)
Avoid crash in contrib/vacuumlo
if an lo_unlink()
call failed (Tom Lane)
Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca
zone, and adds support for zic's new -r
option.
Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT
is now a backward-compatibility link to Etc/UTC
, instead of being a separate zone that generates the abbreviation UCT
, which nowadays is typically a typo. PostgreSQL will still accept UCT
as an input zone abbreviation, but it won't output it.
Release date: 2019-02-14
This release contains a variety of fixes from 11.1. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.1, see Version 11.1.
By default, panic instead of retrying after fsync()
failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync()
failure. If we reissue the fsync()
request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry
to on
to restore the old behavior.
Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
Fix handling of unique indexes with INCLUDE
columns on partitioned tables (Ãlvaro Herrera)
The uniqueness condition was not checked properly in such cases.
Ensure that NOT NULL
constraints of a partitioned table are honored within its partitions (Ãlvaro Herrera, Amit Langote)
Update catalog state correctly for partition table constraints when detaching their partition (Amit Langote, Ãlvaro Herrera)
Previously, the pg_constraint
.conislocal
field for such a constraint might improperly be left as false
, rendering it undroppable. A dump/restore or pg_upgrade would cure the problem, but if necessary, the catalog field can be adjusted manually.
Create or delete foreign key enforcement triggers correctly when attaching or detaching a partition in a partitioned table that has a foreign-key constraint (Amit Langote, Ãlvaro Herrera)
Avoid useless creation of duplicate foreign key constraints in partitioned tables (Ãlvaro Herrera)
When an index is created on a partitioned table using ONLY
, and there are no partitions yet, mark it valid immediately (Ãlvaro Herrera)
Otherwise there is no way to make it become valid.
Use a safe table lock level when detaching a partition (Ãlvaro Herrera)
The previous locking level was too weak and might allow concurrent DDL on the table, with bad results.
Fix problems with applying ON COMMIT DROP
and ON COMMIT DELETE ROWS
to partitioned tables and tables with inheritance children (Michael Paquier)
Disallow COPY FREEZE
on partitioned tables (David Rowley)
This should eventually be made to work, but it may require a patch that's too complicated to risk back-patching.
Fix possible index corruption when the indexed column has a “fast default†(that is, it was added by ALTER TABLE ADD COLUMN
with a constant non-NULL default value specified, after the table already contained some rows) (Andres Freund)
Correctly adjust “fast default†values during ALTER TABLE ... ALTER COLUMN TYPE
(Andrew Dunstan)
Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
Avoid deadlock between GIN vacuuming and concurrent index insertions (Alexander Korotkov, Andrey Borodin, Peter Geoghegan)
This change partially reverts a performance improvement, introduced in version 10.0, that attempted to reduce the number of index pages locked during deletion of a GIN posting tree page. That's now been found to lead to deadlocks, so we've removed it pending closer analysis.
Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
Prevent incorrect use of WAL-skipping optimization during COPY
to a view or foreign table (Amit Langote, Michael Paquier)
Make the archiver prioritize WAL history files over WAL data files while choosing which file to archive next (David Steele)
Fix possible crash in UPDATE
with a multiple SET
clause using a sub-SELECT
as source (Tom Lane)
Fix crash when zero rows are fed to json[b]_populate_recordset()
or json[b]_to_recordset()
(Tom Lane)
Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
Fix incorrect JIT tuple deforming code for tables with many columns (more than approximately 800) (Andres Freund)
Fix performance and memory leakage issues in hash-based grouping (Andres Freund)
Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
Fix parsing of collation-sensitive expressions in the arguments of a CALL
statement (Peter Eisentraut)
Ensure proper cleanup after detecting an error in the argument list of a CALL
statement (Tom Lane)
Check whether the comparison function underlying LEAST()
or GREATEST()
is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
Fix incorrect planning of queries involving nested loops both above and below a Gather plan node (Tom Lane)
If both levels of nestloop needed to pass the same variable into their right-hand sides, an incorrect plan would be generated.
Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
Fix planner failure when the first column of a row comparison matches an index column, but later column(s) do not, and the index has included (non-key) columns (Tom Lane)
Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
Avoid O (N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
Improve planning speed for large inheritance or partitioning table groups (Amit Langote, Etsuro Fujita)
Improve ANALYZE
's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE
's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE
's start time.
Make TRUNCATE
ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE
into line with the behavior of other commands. Previously, such cases usually ended in failure.
Fix TRUNCATE
to update the statistics counters for the right table (Tom Lane)
If the truncated table had a TOAST table, that table's counters were reset instead.
Process ALTER TABLE ONLY ADD COLUMN IF NOT EXISTS
correctly (Greg Stark)
Allow UNLISTEN
in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN
isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
Prevent use of a session's temporary schema within a two-phase transaction (Michael Paquier)
Accessing a temporary table within such a transaction has been forbidden for a long time, but it was still possible to cause problems with other operations on temporary objects.
Ensure relation caches are updated properly after adding or removing foreign key constraints (Ãlvaro Herrera)
This oversight could result in existing sessions failing to enforce a newly-created constraint, or continuing to enforce a dropped one.
Ensure relation caches are updated properly after renaming constraints (Amit Langote)
Fix replay of GiST index micro-vacuum operations so that concurrent hot-standby queries do not see inconsistent state (Alexander Korotkov)
Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
Fix parsing of space-separated lists of host names in the ldapserver
parameter of LDAP authentication entries in pg_hba.conf
(Thomas Munro)
When making a PAM authentication request, don't set the PAM_RHOST
variable if the connection is via a Unix socket (Thomas Munro)
Previously that variable would be set to [local]
, which is at best unhelpful, since it's supposed to be a host name.
Disallow setting client_min_messages
higher than ERROR
(Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL
or PANIC
, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR
instead. Version 12 and later will reject those alternatives altogether.
Fix ecpglib to use uselocale()
or _configthreadlocale()
in preference to setlocale()
(Michael Meskes, Tom Lane)
Since setlocale()
is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
Fix psql's \g
target
meta-command to work with COPY TO STDOUT
(Daniel Vérité)
Previously, the target
option was ignored, so that the copy data always went to the current query output target.
Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
Make pgbench's random number generation fully deterministic and platform-independent when --random-seed=
is specified (Fabien Coelho, Tom Lane)N
On any specific platform, the sequence obtained with a particular value of N
will probably be different from what it was before this patch.
Fix pg_basebackup and pg_verify_checksums to ignore temporary files appropriately (Michael Banck, Michael Paquier)
Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about “archive items not in correct section orderâ€; less harmlessly, selective-restore options depending on those labels, such as --section
, might misbehave.
Make pg_dump include ALTER INDEX SET STATISTICS
commands (Michael Paquier)
When the ability to attach statistics targets to index expressions was added, we forgot to teach pg_dump about it, so that such settings were lost in dump/reload.
Fix pg_dump's dumping of tables that have OIDs (Peter Eisentraut)
The WITH OIDS
clause was omitted if it needed to be applied to the first table to be dumped.
Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
Prevent false index-corruption reports from contrib/amcheck
caused by inline-compressed data (Peter Geoghegan)
Properly disregard SIGPIPE
errors if COPY FROM PROGRAM
stops reading the program's output early (Tom Lane)
This case isn't actually reachable directly with COPY
, but it can happen when using contrib/file_fdw
.
Fix contrib/hstore
to calculate correct hash values for empty hstore
values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore
value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore
columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
Avoid crashes and excessive runtime with large inputs to contrib/intarray
's gist__int_ops
index support (Andrew Gierth)
In configure, look for python3
and then python2
if python
isn't found (Peter Eisentraut)
This allows PL/Python to be configured without explicitly specifying PYTHON
on platforms that no longer provide an unversioned python
executable.
Include JIT-related headers in the installed set of header files (Donald Dong)
Support new Makefile variables PG_CFLAGS
, PG_CXXFLAGS
, and PG_LDFLAGS
in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
Fix Perl-coded build scripts to not assume “.
†is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
Fix server command-line option parsing problems on OpenBSD (Tom Lane)
Relocate call of set_rel_pathlist_hook
so that extensions can use it to supply partial paths for parallel queries (KaiGai Kohei)
This is not expected to affect existing use-cases.
Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.
Release date: 2018-11-08
This release contains a variety of fixes from 11.0. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you use the pg_stat_statements
extension, see the changelog entry below about that.
Ensure proper quoting of transition table names when pg_dump emits CREATE TRIGGER ... REFERENCING
commands (Tom Lane)
This oversight could be exploited by an unprivileged user to gain superuser privileges during the next dump/reload or pg_upgrade run. CVE-2018-16850 or CVE-2018-16850)
Apply the tablespace specified for a partitioned index when creating a child index (Ãlvaro Herrera)
Previously, child indexes were always created in the default tablespace.
Fix NULL handling in parallel hashed multi-batch left joins (Andrew Gierth, Thomas Munro)
Outer-relation rows with null values of the hash key were omitted from the join result.
Fix incorrect processing of an array-type coercion expression appearing within a CASE
clause that has a constant test expression (Tom Lane)
Fix incorrect expansion of tuples lacking recently-added columns (Andrew Dunstan, Amit Langote)
This is known to lead to crashes in triggers on tables with recently-added columns, and could have other symptoms as well.
Fix bugs with named or defaulted arguments in CALL
argument lists (Tom Lane, Pavel Stehule)
Fix strictness check for strict aggregates with ORDER BY
columns (Andrew Gierth, Andres Freund)
The strictness logic incorrectly ignored rows for which the ORDER BY
value(s) were null.
Disable recheck_on_update
optimization (Tom Lane)
This new-in-v11 feature turns out not to have been ready for prime time. Disable it until something can be done about it.
Prevent creation of a partition in a trigger attached to its parent table (Amit Langote)
Ideally we'd allow that, but for the moment it has to be blocked to avoid crashes.
Fix problems with applying ON COMMIT DELETE ROWS
to a partitioned temporary table (Amit Langote)
Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well as contrib/ltree
and contrib/pg_trgm
.
Ensure that the server will process already-received NOTIFY
and SIGTERM
interrupts before waiting for client input (Jeff Janes, Tom Lane)
Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
Prevent starting the server with wal_level
set to too low a value to support an existing replication slot (Andres Freund)
Fix psql, as well as documentation examples, to call PQconsumeInput()
before each PQnotifies()
call (Tom Lane)
This fixes cases in which psql would not report receipt of a NOTIFY
message until after the next command.
Fix pg_verify_checksums's determination of which files to check the checksums of (Michael Paquier)
In some cases it complained about files that are not expected to have checksums.
In contrib/pg_stat_statements
, disallow the pg_read_all_stats
role from executing pg_stat_statements_reset()
(Haribabu Kommi)
pg_read_all_stats
is only meant to grant permission to read statistics, not to change them, so this grant was incorrect.
To cause this change to take effect, run ALTER EXTENSION pg_stat_statements UPDATE
in each database where pg_stat_statements
has been installed. (A database freshly created in 11.0 should not need this, but a database upgraded from a previous release probably still contains the old version of pg_stat_statements
. The UPDATE
command is harmless if the module was already updated.)
Rename red-black tree support functions to use rbt
prefix not rb
prefix (Tom Lane)
This avoids name collisions with Ruby functions, which broke PL/Ruby. It's hoped that there are no other affected extensions.
Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add an -isysroot
switch to CPPFLAGS
; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT
variable in the arguments of configure or make.
It is now recommended that Perl-related extensions write $(perl_includespec)
rather than -I$(perl_archlibexp)/CORE
in their compiler flags. The latter continues to work on most platforms, but not recent macOS.
Also, it should no longer be necessary to specify --with-tclconfig
manually to get PL/Tcl to build on recent macOS releases.
Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)
To do this safely, pg_regress now gives up any such privileges at startup.
Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
Release date: 2018-10-18
Major enhancements in PostgreSQL 11 include:
Improvements to partitioning functionality, including:
Add support for partitioning by a hash key
Add support for PRIMARY KEY
, FOREIGN KEY
, indexes, and triggers on partitioned tables
Allow creation of a “default†partition for storing data that does not match any of the remaining partitions
UPDATE
statements that change a partition key column now cause affected rows to be moved to the appropriate partitions
Improve SELECT
performance through enhanced partition elimination strategies during query planning and execution
Improvements to parallelism, including:
CREATE INDEX
can now use parallel processing while building a B-tree index
Parallelization is now possible in CREATE TABLE ... AS
, CREATE MATERIALIZED VIEW
, and certain queries using UNION
Parallelized hash joins and parallelized sequential scans now perform better
SQL stored procedures that support embedded transactions
Optional Just-in-Time (JIT) compilation for some SQL code, speeding evaluation of expressions
Window functions now support all framing options shown in the SQL:2011 standard, including RANGE
, distance
PRECEDING/FOLLOWINGGROUPS
mode, and frame exclusion options
Covering indexes can now be created, using the INCLUDE
clause of CREATE INDEX
Many other useful performance improvements, including the ability to avoid a table rewrite for ALTER TABLE ... ADD COLUMN
with a non-null column default
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.
Version 11 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Make pg_dump dump the properties of a database, not just its contents (Haribabu Kommi)
Previously, attributes of the database itself, such as database-level GRANT
/REVOKE
permissions and ALTER DATABASE SET
variable settings, were only dumped by pg_dumpall. Now pg_dump --create
and pg_restore --create
will restore these database properties in addition to the objects within the database. pg_dumpall -g
now only dumps role- and tablespace-related attributes. pg_dumpall's complete output (without -g
) is unchanged.
pg_dump and pg_restore, without --create
, no longer dump/restore database-level comments and security labels; those are now treated as properties of the database.
pg_dumpall's output script will now always create databases with their original locale and encoding, and hence will fail if the locale or encoding name is unknown to the destination system. Previously, CREATE DATABASE
would be emitted without these specifications if the database locale and encoding matched the old cluster's defaults.
pg_dumpall --clean
now restores the original locale and encoding settings of the postgres
and template1
databases, as well as those of user-created databases.
Consider syntactic form when disambiguating function versus column references (Tom Lane)
When x
is a table name or composite column, PostgreSQL has traditionally considered the syntactic forms
and f
(x
)
to be equivalent, allowing tricks such as writing a function and then using it as though it were a computed-on-demand column. However, if both interpretations are feasible, the column interpretation was always chosen, leading to surprising results if the user intended the function interpretation. Now, if there is ambiguity, the interpretation that matches the syntactic form is chosen.x
.f
Fully enforce uniqueness of table and domain constraint names (Tom Lane)
PostgreSQL expects the names of a table's constraints to be distinct, and likewise for the names of a domain's constraints. However, there was not rigid enforcement of this, and previously there were corner cases where duplicate names could be created.
Make power(numeric, numeric)
and power(float8, float8)
handle NaN
inputs according to the POSIX standard (Tom Lane, Dang Minh Huong)
POSIX says that NaN ^ 0 = 1
and 1 ^ NaN = 1
, but all other cases with NaN
input(s) should return NaN
. power(numeric, numeric)
just returned NaN
in all such cases; now it honors the two exceptions. power(float8, float8)
followed the standard if the C library does; but on some old Unix platforms the library doesn't, and there were also problems on some versions of Windows.
Prevent to_number()
from consuming characters when the template separator does not match (Oliver Ford)
Specifically, SELECT to_number('1234', '9,999')
used to return 134
. It will now return 1234
. L
and TH
now only consume characters that are not digits, positive/negative signs, decimal points, or commas.
Fix to_date()
, to_number()
, and to_timestamp()
to skip a character for each template character (Tom Lane)
Previously, they skipped one byte for each byte of template character, resulting in strange behavior if either string contained multibyte characters.
Adjust the handling of backslashes inside double-quotes in template strings for to_char()
, to_number()
, and to_timestamp()
.
Such a backslash now escapes the character after it, particularly a double-quote or another backslash.
Correctly handle relative path expressions in xmltable()
, xpath()
, and other XML-handling functions (Markus Winand)
Per the SQL standard, relative paths start from the document node of the XML input document, not the root node as these functions previously did.
In the extended query protocol, make statement_timeout
apply to each Execute message separately, not to all commands before Sync (Tatsuo Ishii, Andres Freund)
Remove the relhaspkey
column from system catalog pg_class
(Peter Eisentraut)
Applications needing to check for a primary key should consult pg_index
.
Replace system catalog pg_proc
's proisagg
and proiswindow
columns with prokind
(Peter Eisentraut)
This new column more clearly distinguishes functions, procedures, aggregates, and window functions.
Correct information schema column tables
.table_type
to return FOREIGN
instead of FOREIGN TABLE
(Peter Eisentraut)
This new output matches the SQL standard.
Change the ps process display labels for background workers to match the pg_stat_activity
.backend_type
labels (Peter Eisentraut)
Cause large object permission checks to happen during large object open, lo_open()
, not when a read or write is attempted (Tom Lane, Michael Paquier)
If write access is requested and not available, an error will now be thrown even if the large object is never written to.
Prevent non-superusers from reindexing shared catalogs (Michael Paquier, Robert Haas)
Previously, database owners were also allowed to do this, but now it is considered outside the bounds of their privileges.
Remove deprecated adminpack
functions pg_file_read()
, pg_file_length()
, and pg_logfile_rotate()
(Stephen Frost)
Equivalent functionality is now present in the core backend. Existing adminpack
installs will continue to have access to these functions until they are updated via ALTER EXTENSION ... UPDATE
.
Honor the capitalization of double-quoted command options (Daniel Gustafsson)
Previously, option names in certain SQL commands were forcibly lower-cased even if entered with double quotes; thus for example "FillFactor"
would be accepted as an index storage option, though properly its name is lower-case. Such cases will now generate an error.
Remove server parameter replacement_sort_tuples
(Peter Geoghegan)
Replacement sorts were determined to be no longer useful.
Remove WITH
clause in CREATE FUNCTION
(Michael Paquier)
PostgreSQL has long supported a more standard-compliant syntax for this capability.
In PL/pgSQL trigger functions, the OLD
and NEW
variables now read as NULL when not assigned (Tom Lane)
Previously, references to these variables could be parsed but not executed.
Below you will find a detailed account of the changes between PostgreSQL 11 and the previous major release.
Allow the creation of partitions based on hashing a key column (Amul Sul)
Support indexes on partitioned tables (Ãlvaro Herrera, Amit Langote)
An “index†on a partitioned table is not a physical index across the whole partitioned table, but rather a template for automatically creating similar indexes on each partition of the table.
If the partition key is part of the index's column set, a partitioned index may be declared UNIQUE
. It will represent a valid uniqueness constraint across the whole partitioned table, even though each physical index only enforces uniqueness within its own partition.
The new command ALTER INDEX ATTACH PARTITION
causes an existing index on a partition to be associated with a matching index template for its partitioned table. This provides flexibility in setting up a new partitioned index for an existing partitioned table.
Allow foreign keys on partitioned tables (Ãlvaro Herrera)
Allow FOR EACH ROW
triggers on partitioned tables (Ãlvaro Herrera)
Creation of a trigger on a partitioned table automatically creates triggers on all existing and future partitions. This also allows deferred unique constraints on partitioned tables.
Allow partitioned tables to have a default partition (Jeevan Ladhe, Beena Emerson, Ashutosh Bapat, Rahila Syed, Robert Haas)
The default partition will store rows that don't match any of the other defined partitions, and is searched accordingly.
UPDATE
statements that change a partition key column now cause affected rows to be moved to the appropriate partitions (Amit Khandekar)
Allow INSERT
, UPDATE
, and COPY
on partitioned tables to properly route rows to foreign partitions (Etsuro Fujita, Amit Langote)
This is supported by postgres_fdw
foreign tables. Since the ExecForeignInsert
callback function is called for this in a different way than it used to be, foreign data wrappers must be modified to cope with this change.
Allow faster partition elimination during query processing (Amit Langote, David Rowley, Dilip Kumar)
This speeds access to partitioned tables with many partitions.
Allow partition elimination during query execution (David Rowley, Beena Emerson)
Previously, partition elimination only happened at planning time, meaning many joins and prepared queries could not use partition elimination.
In an equality join between partitioned tables, allow matching partitions to be joined directly (Ashutosh Bapat)
This feature is disabled by default but can be enabled by changing enable_partitionwise_join
.
Allow aggregate functions on partitioned tables to be evaluated separately for each partition, subsequently merging the results (Jeevan Chalke, Ashutosh Bapat, Robert Haas)
This feature is disabled by default but can be enabled by changing enable_partitionwise_aggregate
.
Allow postgres_fdw
to push down aggregates to foreign tables that are partitions (Jeevan Chalke)
Allow parallel building of a btree index (Peter Geoghegan, Rushabh Lathia, Heikki Linnakangas)
Allow hash joins to be performed in parallel using a shared hash table (Thomas Munro)
Allow UNION
to run each SELECT
in parallel if the individual SELECT
s cannot be parallelized (Amit Khandekar, Robert Haas, Amul Sul)
Allow partition scans to more efficiently use parallel workers (Amit Khandekar, Robert Haas, Amul Sul)
Allow LIMIT
to be passed to parallel workers (Robert Haas, Tom Lane)
This allows workers to reduce returned results and use targeted index scans.
Allow single-evaluation queries, e.g., WHERE
clause aggregate queries, and functions in the target list to be parallelized (Amit Kapila, Robert Haas)
Add server parameter parallel_leader_participation
to control whether the leader also executes subplans (Thomas Munro)
The default is enabled, meaning the leader will execute subplans.
Allow parallelization of commands CREATE TABLE ... AS
, SELECT INTO
, and CREATE MATERIALIZED VIEW
(Haribabu Kommi)
Improve performance of sequential scans with many parallel workers (David Rowley)
Add reporting of parallel workers' sort activity in EXPLAIN
(Robert Haas, Tom Lane)
Allow B-tree indexes to include columns that are not part of the search key or unique constraint, but are available to be read by index-only scans (Anastasia Lubennikova, Alexander Korotkov, Teodor Sigaev)
This is enabled by the new INCLUDE
clause of CREATE INDEX
. It facilitates building “covering indexes†that optimize specific types of queries. Columns can be included even if their data types don't have B-tree support.
Improve performance of monotonically increasing index additions (Pavan Deolasee, Peter Geoghegan)
Improve performance of hash index scans (Ashutosh Sharma)
Add predicate locking for hash, GiST and GIN indexes (Shubham Barai)
This reduces the likelihood of serialization conflicts in serializable-mode transactions.
Add prefix-match operator text
^@
text
, which is supported by SP-GiST (Ildus Kurbangaliev)
This is similar to using var
LIKE 'word%'
with a btree index, but it is more efficient.
Allow polygons to be indexed with SP-GiST (Nikita Glukhov, Alexander Korotkov)
Allow SP-GiST to use lossy representation of leaf keys (Teodor Sigaev, Heikki Linnakangas, Alexander Korotkov, Nikita Glukhov)
Improve selection of the most common values for statistics (Jeff Janes, Dean Rasheed)
Previously, the most common values (MCVs) were identified based on their frequency compared to all column values. Now, MCVs are chosen based on their frequency compared to the non-MCV values. This improves the robustness of the algorithm for both uniform and non-uniform distributions.
Improve selectivity estimates for >=
and <=
(Tom Lane)
Previously, such cases used the same selectivity estimates as >
and <
, respectively, unless the comparison constants are MCVs. This change is particularly helpful for queries involving BETWEEN
with small ranges.
Reduce var
=
var
to var
IS NOT NULL
where equivalent (Tom Lane)
This leads to better selectivity estimates.
Improve optimizer's row count estimates for EXISTS
and NOT EXISTS
queries (Tom Lane)
Make the optimizer account for evaluation costs and selectivity of HAVING
clauses (Tom Lane)
Add Just-in-Time (JIT) compilation of some parts of query plans to improve execution speed (Andres Freund)
This feature requires LLVM to be available. It is not currently enabled by default, even in builds that support it.
Allow bitmap scans to perform index-only scans when possible (Alexander Kuzmenkov)
Update the free space map during VACUUM
(Claudio Freire)
This allows free space to be reused more quickly.
Allow VACUUM
to avoid unnecessary index scans (Masahiko Sawada, Alexander Korotkov)
Improve performance of committing multiple concurrent transactions (Amit Kapila)
Reduce memory usage for queries using set-returning functions in their target lists (Andres Freund)
Improve the speed of aggregate computations (Andres Freund)
Allow postgres_fdw
to push UPDATE
s and DELETE
s using joins to foreign servers (Etsuro Fujita)
Previously, only non-join UPDATE
s and DELETE
s were pushed.
Add support for large pages on Windows (Takayuki Tsunakawa, Thomas Munro)
This is controlled by the huge_pages configuration parameter.
Show memory usage in output from log_statement_stats
, log_parser_stats
, log_planner_stats
, and log_executor_stats
(Justin Pryzby, Peter Eisentraut)
Add column pg_stat_activity
.backend_type
to show the type of a background worker (Peter Eisentraut)
The type is also visible in ps output.
Make log_autovacuum_min_duration
log skipped tables that are concurrently being dropped (Nathan Bossart)
Add information_schema
columns related to table constraints and triggers (Peter Eisentraut)
Specifically, triggers
.action_order
, triggers
.action_reference_old_table
, and triggers
.action_reference_new_table
are now populated, where before they were always null. Also, table_constraints
.enforced
now exists but is not yet usefully populated.
Allow the server to specify more complex LDAP specifications in search+bind mode (Thomas Munro)
Specifically, ldapsearchfilter
allows pattern matching using combinations of LDAP attributes.
Allow LDAP authentication to use encrypted LDAP (Thomas Munro)
We already supported LDAP over TLS by using ldaptls=1
. This new TLS LDAP method for encrypted LDAP is enabled with ldapscheme=ldaps
or ldapurl=ldaps://
.
Improve logging of LDAP errors (Thomas Munro)
Add default roles that enable file system access (Stephen Frost)
Specifically, the new roles are: pg_read_server_files
, pg_write_server_files
, and pg_execute_server_program
. These roles now also control who can use server-side COPY
and the file_fdw
extension. Previously, only superusers could use these functions, and that is still the default behavior.
Allow access to file system functions to be controlled by GRANT
/REVOKE
permissions, rather than superuser checks (Stephen Frost)
Specifically, these functions were modified: pg_ls_dir()
, pg_read_file()
, pg_read_binary_file()
, pg_stat_file()
.
Use GRANT
/REVOKE
to control access to lo_import()
and lo_export()
(Michael Paquier, Tom Lane)
Previously, only superusers were granted access to these functions.
The compile-time option ALLOW_DANGEROUS_LO_FUNCTIONS
has been removed.
Use view owner not session owner when preventing non-password access to postgres_fdw
tables (Robert Haas)
PostgreSQL only allows superusers to access postgres_fdw
tables without passwords, e.g., via peer
. Previously, the session owner had to be a superuser to allow such access; now the view owner is checked instead.
Fix invalid locking permission check in SELECT FOR UPDATE
on views (Tom Lane)
Add server setting ssl_passphrase_command
to allow supplying of the passphrase for SSL key files (Peter Eisentraut)
Also add ssl_passphrase_command_supports_reload
to specify whether the SSL configuration should be reloaded and ssl_passphrase_command
called during a server configuration reload.
Add storage parameter toast_tuple_target
to control the minimum tuple length before TOAST storage will be considered (Simon Riggs)
The default TOAST threshold has not been changed.
Allow server options related to memory and file sizes to be specified in units of bytes (Beena Emerson)
The new unit suffix is “Bâ€. This is in addition to the existing units “kBâ€, “MBâ€, “GB†and “TBâ€.
Allow the WAL file size to be set during initdb (Beena Emerson)
Previously, the 16MB default could only be changed at compile time.
Retain WAL data for only a single checkpoint (Simon Riggs)
Previously, WAL was retained for two checkpoints.
Fill the unused portion of force-switched WAL segment files with zeros for improved compressibility (Chapman Flack)
Replicate TRUNCATE
activity when using logical replication (Simon Riggs, Marco Nenciarini, Peter Eisentraut)
Pass prepared transaction information to logical replication subscribers (Nikhil Sontakke, Stas Kelvich)
Exclude unlogged tables, temporary tables, and pg_internal.init
files from streaming base backups (David Steele)
There is no need to copy such files.
Allow checksums of heap pages to be verified during streaming base backup (Michael Banck)
Allow replication slots to be advanced programmatically, rather than be consumed by subscribers (Petr Jelinek)
This allows efficient advancement of replication slots when the contents do not need to be consumed. This is performed by pg_replication_slot_advance()
.
Add timeline information to the backup_label
file (Michael Paquier)
Also add a check that the WAL timeline matches the backup_label
file's timeline.
Add host and port connection information to the pg_stat_wal_receiver
system view (Haribabu Kommi)
Allow ALTER TABLE
to add a column with a non-null default without doing a table rewrite (Andrew Dunstan, Serge Rielau)
This is enabled when the default value is a constant.
Allow views to be locked by locking the underlying tables (Yugo Nagata)
Allow ALTER INDEX
to set statistics-gathering targets for expression indexes (Alexander Korotkov, Adrien Nayrat)
In psql, \d+
now shows the statistics target for indexes.
Allow multiple tables to be specified in one VACUUM
or ANALYZE
command (Nathan Bossart)
Also, if any table mentioned in VACUUM
uses a column list, then the ANALYZE
keyword must be supplied; previously, ANALYZE
was implied in such cases.
Add parenthesized options syntax to ANALYZE
(Nathan Bossart)
This is similar to the syntax supported by VACUUM
.
Add CREATE AGGREGATE
option to specify the behavior of the aggregate's finalization function (Tom Lane)
This is helpful for allowing user-defined aggregate functions to be optimized and to work as window functions.
Allow the creation of arrays of domains (Tom Lane)
This also allows array_agg()
to be used on domains.
Support domains over composite types (Tom Lane)
Also allow PL/Perl, PL/Python, and PL/Tcl to handle composite-domain function arguments and results. Also improve PL/Python domain handling.
Add casts from JSONB
scalars to numeric and boolean data types (Anastasia Lubennikova)
Add all window function framing options specified by SQL:2011 (Oliver Ford, Tom Lane)
Specifically, allow RANGE
mode to use PRECEDING
and FOLLOWING
to select rows having grouping values within plus or minus the specified offset. Add GROUPS
mode to include plus or minus the number of peer groups. Frame exclusion syntax was also added.
Add SHA-2 family of hash functions (Peter Eisentraut)
Specifically, sha224()
, sha256()
, sha384()
, sha512()
were added.
Add support for 64-bit non-cryptographic hash functions (Robert Haas, Amul Sul)
Allow to_char()
and to_timestamp()
to specify the time zone's offset from UTC in hours and minutes (Nikita Glukhov, Andrew Dunstan)
This is done with format specifications TZH
and TZM
.
Add text search function websearch_to_tsquery()
that supports a query syntax similar to that used by web search engines (Victor Drobny, Dmitry Ivanov)
Add functions json(b)_to_tsvector()
to create a text search query for matching JSON
/JSONB
values (Dmitry Dolgov)
Add SQL-level procedures, which can start and commit their own transactions (Peter Eisentraut)
They are created with the new CREATE PROCEDURE
command and invoked via CALL
.
The new ALTER
/DROP ROUTINE
commands allow altering/dropping of all routine-like objects, including procedures, functions, and aggregates.
Also, writing FUNCTION
is now preferred over writing PROCEDURE
in CREATE OPERATOR
and CREATE TRIGGER
, because the referenced object must be a function not a procedure. However, the old syntax is still accepted for compatibility.
Add transaction control to PL/pgSQL, PL/Perl, PL/Python, PL/Tcl, and SPI server-side languages (Peter Eisentraut)
Transaction control is only available within top-transaction-level procedures and nested DO
and CALL
blocks that only contain other DO
and CALL
blocks.
Add the ability to define PL/pgSQL composite-type variables as not null, constant, or with initial values (Tom Lane)
Allow PL/pgSQL to handle changes to composite types (e.g., record, row) that happen between the first and later function executions in the same session (Tom Lane)
Previously, such circumstances generated errors.
Add extension jsonb_plpython
to transform JSONB
to/from PL/Python types (Anthony Bykov)
Add extension jsonb_plperl
to transform JSONB
to/from PL/Perl types (Anthony Bykov)
Change libpq to disable compression by default (Peter Eisentraut)
Compression is already disabled in modern OpenSSL versions, so that the libpq setting had no effect with such libraries.
Add DO CONTINUE
option to ecpg's WHENEVER
statement (Vinayak Pokale)
This generates a C continue
statement, causing a return to the top of the contained loop when the specified condition occurs.
Add an ecpg mode to enable Oracle Pro*C-style handling of char arrays.
This mode is enabled with -C
.
Add psql command \gdesc
to display the names and types of the columns in a query result (Pavel Stehule)
Add psql variables to report query activity and errors (Fabien Coelho)
Specifically, the new variables are ERROR
, SQLSTATE
, ROW_COUNT
, LAST_ERROR_MESSAGE
, and LAST_ERROR_SQLSTATE
.
Allow psql to test for the existence of a variable (Fabien Coelho)
Specifically, the syntax :{?variable_name}
allows a variable's existence to be tested in an \if
statement.
Allow environment variable PSQL_PAGER
to control psql's pager (Pavel Stehule)
This allows psql's default pager to be specified as a separate environment variable from the pager for other applications. PAGER
is still honored if PSQL_PAGER
is not set.
Make psql's \d+
command always show the table's partitioning information (Amit Langote, Ashutosh Bapat)
Previously, partition information would not be displayed for a partitioned table if it had no partitions. Also indicate which partitions are themselves partitioned.
Ensure that psql reports the proper user name when prompting for a password (Tom Lane)
Previously, combinations of -U
and a user name embedded in a URI caused incorrect reporting. Also suppress the user name before the password prompt when --password
is specified.
Allow quit
and exit
to exit psql when given with no prior input (Bruce Momjian)
Also print hints about how to exit when quit
and exit
are used alone on a line while the input buffer is not empty. Add a similar hint for help
.
Make psql hint at using control-D when \q
is entered alone on a line but ignored (Bruce Momjian)
For example, \q
does not exit when supplied in character strings.
Improve tab completion for ALTER INDEX RESET
/SET
(Masahiko Sawada)
Add infrastructure to allow psql to adapt its tab completion queries based on the server version (Tom Lane)
Previously, tab completion queries could fail against older servers.
Add pgbench expression support for NULLs, booleans, and some functions and operators (Fabien Coelho)
Add \if
conditional support to pgbench (Fabien Coelho)
Allow the use of non-ASCII characters in pgbench variable names (Fabien Coelho)
Add pgbench option --init-steps
to control the initialization steps performed (Masahiko Sawada)
Add an approximately Zipfian-distributed random generator to pgbench (Alik Khilazhev)
Allow the random seed to be set in pgbench (Fabien Coelho)
Allow pgbench to do exponentiation with pow()
and power()
(Raúl MarÃn RodrÃguez)
Add hashing functions to pgbench (Ildar Musin)
Make pgbench statistics more accurate when using --latency-limit
and --rate
(Fabien Coelho)
Add an option to pg_basebackup that creates a named replication slot (Michael Banck)
The option --create-slot
creates the named replication slot (--slot
) when the WAL streaming method (--wal-method=stream
) is used.
Allow initdb to set group read access to the data directory (David Steele)
This is accomplished with the new initdb option --allow-group-access
. Administrators can also set group permissions on the empty data directory before running initdb. Server variable data_directory_mode
allows reading of data directory group permissions.
Add pg_verify_checksums tool to verify database checksums while offline (Magnus Hagander)
Allow pg_resetwal to change the WAL segment size via --wal-segsize
(Nathan Bossart)
Add long options to pg_resetwal and pg_controldata (Nathan Bossart, Peter Eisentraut)
Add pg_receivewal option --no-sync
to prevent synchronous WAL writes, for testing (Michael Paquier)
Add pg_receivewal option --endpos
to specify when WAL receiving should stop (Michael Paquier)
Allow pg_ctl to send the SIGKILL
signal to processes (Andres Freund)
This was previously unsupported due to concerns over possible misuse.
Reduce the number of files copied by pg_rewind (Michael Paquier)
Prevent pg_rewind from running as root
(Michael Paquier)
Add pg_dumpall option --encoding
to control output encoding (Michael Paquier)
pg_dump already had this option.
Add pg_dump option --load-via-partition-root
to force loading of data into the partition's root table, rather than the original partition (Rushabh Lathia)
This is useful if the system to be loaded to has different collation definitions or endianness, possibly requiring rows to be stored in different partitions than previously.
Add an option to suppress dumping and restoring database object comments (Robins Tharakan)
The new pg_dump, pg_dumpall, and pg_restore option is --no-comments
.
Add PGXS support for installing include files (Andrew Gierth)
This supports creating extension modules that depend on other modules. Formerly there was no easy way for the dependent module to find the referenced one's include files. Several existing contrib
modules that define data types have been adjusted to install relevant files. Also, PL/Perl and PL/Python now install their include files, to support creation of transform modules for those languages.
Install errcodes.txt
to allow extensions to access the list of error codes known to PostgreSQL (Thomas Munro)
Convert documentation to DocBook XML (Peter Eisentraut, Alexander Lakhin, Jürgen Purtz)
The file names still use an sgml
extension for compatibility with back branches.
Use stdbool.h
to define type bool
on platforms where it's suitable, which is most (Peter Eisentraut)
This eliminates a coding hazard for extension modules that need to include stdbool.h
.
Overhaul the way that initial system catalog contents are defined (John Naylor)
The initial data is now represented in Perl data structures, making it much easier to manipulate mechanically.
Prevent extensions from creating custom server parameters that take a quoted list of values (Tom Lane)
This cannot be supported at present because knowledge of the parameter's property would be required even before the extension is loaded.
Add ability to use channel binding when using SCRAM authentication (Michael Paquier)
Channel binding is intended to prevent man-in-the-middle attacks, but SCRAM cannot prevent them unless it can be forced to be active. Unfortunately, there is no way to do that in libpq. Support for it is expected in future versions of libpq and in interfaces not built using libpq, e.g., JDBC.
Allow background workers to attach to databases that normally disallow connections (Magnus Hagander)
Add support for hardware CRC calculations on ARMv8 (Yuqi Gu, Heikki Linnakangas, Thomas Munro)
Speed up lookups of built-in functions by OID (Andres Freund)
The previous binary search has been replaced by a lookup array.
Speed up construction of query results (Andres Freund)
Improve speed of access to system caches (Andres Freund)
Add a generational memory allocator which is optimized for serial allocation/deallocation (Tomas Vondra)
This reduces memory usage for logical decoding.
Make the computation of pg_class
.reltuples
by VACUUM
consistent with its computation by ANALYZE
(Tomas Vondra)
Update to use perltidy version 20170521
(Tom Lane, Peter Eisentraut)
Allow extension pg_prewarm
to restore the previous shared buffer contents on startup (Mithun Cy, Robert Haas)
This is accomplished by having pg_prewarm
store the shared buffers' relation and block number data to disk occasionally during server operation, and at shutdown.
Add pg_trgm
function strict_word_similarity()
to compute the similarity of whole words (Alexander Korotkov)
The function word_similarity()
already existed for this purpose, but it was designed to find similar parts of words, while strict_word_similarity()
computes the similarity to whole words.
Allow btree_gin
to index bool
, bpchar
, name
and uuid
data types (Matheus Oliveira)
Allow cube
and seg
extensions to perform index-only scans using GiST indexes (Andrey Borodin)
Allow retrieval of negative cube coordinates using the ~>
operator (Alexander Korotkov)
This is useful for KNN-GiST searches when looking for coordinates in descending order.
Add Vietnamese letter handling to the unaccent
extension (Dang Minh Huong, Michael Paquier)
Enhance amcheck
to check that each heap tuple has an index entry (Peter Geoghegan)
Have adminpack
use the new default file system access roles (Stephen Frost)
Previously, only superusers could call adminpack
functions; now role permissions are checked.
Widen pg_stat_statement
's query ID to 64 bits (Robert Haas)
This greatly reduces the chance of query ID hash collisions. The query ID can now potentially display as a negative value.
Remove the contrib/start-scripts/osx
scripts since they are no longer recommended (use contrib/start-scripts/macos
instead) (Tom Lane)
Remove the chkpass
extension (Peter Eisentraut)
This extension is no longer considered to be a usable security tool or example of how to write an extension.
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2022-11-10
This release contains a variety of fixes from 10.22. For information about new features in major release 10, see Version 10.0.
This is expected to be the last PostgreSQL release in the 10.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.19, see Version 10.19.
Fix VACUUM
to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type†errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...)
with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Avoid flattening FROM
-less subqueries when the outer query has grouping sets (Tom Lane)
This oversight could lead to assertion failures or planner errors such as “variable not found in subplan target listâ€.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list†errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Ãlvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 10.21. For information about new features in major release 10, see Version 10.0.
The PostgreSQL community will stop releasing updates for the 10.X release series in November 2022. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.19, see Version 10.19.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place†tablespaces (Thomas Munro, Michael Paquier, Ãlvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place†tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix forCVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix “variable not found in subplan target list†planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Ãlvaro Herrera)
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Ignore heap-rewrite temporary tables for materialized views in logical replication (Euler Taveira)
A FOR ALL TABLES
publication will try to publish temporary tables if left to its own devices. There is a heuristic to suppress these, but it failed to cover internal temporary tables created while rewriting a materialized view. This created a risk of “logical replication target relation ... does not exist†failures during REFRESH MATERIALIZED VIEW
.
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)†instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 10.20. For information about new features in major release 10, see Version 10.0.
The PostgreSQL community will stop releasing updates for the 10.X release series in November 2022. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.19, see Version 10.19.
Confine additional operations within “security restricted operation†sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation†protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2022-1552 or CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty†error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshotâ€. This was usually harmless since the next use of that temporary schema would clean up successfully.
Fix “PANIC: xlog flush request is not satisfied†failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Improve logical replication subscriber's error message for an unsupported relation kind (Tom Lane)
v13 and later servers support publishing partitioned tables. Older server versions cannot handle subscribing to such a table, and they gave a very misleading error message: “table XYZ not found on publisherâ€. Arrange to deliver a more on-point message.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space†contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 10.19. For information about new features in major release 10, see Version 10.0.
The PostgreSQL community will stop releasing updates for the 10.X release series in November 2022. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.19, see Version 10.19.
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Ãlvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXidsâ€. The replica would retry, but could never get past that error.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*â€, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 10.18. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 10.16, see Version 10.16.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable toCVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Ãlvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4
and float8
hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8
is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE
, when wal_level
= minimal
(Noah Misch)
If the server crashed between CREATE TABLESPACE
and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY
into a just-created table). Such optimizations are applied only when wal_level
is minimal
, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Ãlvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES
publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1
is of type numeric(18,3)
, the parser used to simply discard a cast like f1::numeric
, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric
, not numeric(18,3)
. This is important for correctly resolving the type of larger constructs, such as recursive UNION
s.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane)
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0}
(Tom Lane)
Regular expressions like (.){0}...\1
drew “invalid backreference numberâ€. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE
applied to a time with time zone
value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD
rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra)
The code typically produced “cache lookup error†rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow)
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ
.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD
and NEW
pseudo-relations in a rule that uses SELECT FOR UPDATE
(Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER
clauses (Tom Lane)
If the FILTER
expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER
expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Ãlvaro Herrera)
Prevent “snapshot reference leak†warning when lo_export()
or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay
is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h
hash table reaches 2^32 elements (Yura Sokolov)
It seems unlikely that this bug has been hit in practice, as it would require work_mem
settings of hundreds of gigabytes for existing uses of simplehash.h
.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Fix ecpg to recover correctly after malloc()
failure while establishing a connection (Michael Paquier)
Allow EXIT
out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN
, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH
bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type()
(Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Fix failure of contrib/btree_gin
indexes on "char"
(not char(
) columns, when an indexscan using the n
)<
or <=
operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements
to read its “query texts†file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Make pg_regexec()
robust against an out-of-range search_start
parameter (Tom Lane)
Return REG_NOMATCH
, instead of possibly crashing, when search_start
is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-08-12
This release contains a variety of fixes from 10.17. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.16, see Version 10.16.
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issueCVE-2021-3449 or CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE
(Tom Lane)
This should be disallowed, just as FOR UPDATE
with a plain GROUP BY
is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH
rewrites to just NOTIFY
(Tom Lane)
Such cases previously crashed.
In numeric
multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric
values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char()
with EEEE
format and a numeric
input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint)
to round negative values consistently with the way it rounds positive ones (and consistently with the numeric
version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0)
return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION
lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP
to occur concurrently with DROP EXTENSION
, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION
to reject an empty slot name (Japin Li)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY
(Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv
and newdata
.
Fix PREPARE TRANSACTION
to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION
.
Fix misbehavior of DROP OWNED BY
when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY
(Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY
.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN
or ALTER DOMAIN
appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity
(Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings
.pending_restart
show as true when the pertinent entry in postgresql.conf
has been removed (Ãlvaro Herrera)
pending_restart
correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE
(Tom Lane)
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Ãlvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO
clause specified STRICT
, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric
value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent ofCVE-2006-2313 or CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Avoid “invalid creation date in header†warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID
value (Bertrand Drouvot)
Previously, the new installation's oldestXID
was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age
could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE
commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
In contrib/postgres_fdw
, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run†mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED
record (Simon Riggs)
Clarify error messages referring to “non-negative†values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r
library (Adrian Ho, Tom Lane)
If there is no libldap_r
library, we now silently assume that libldap
is thread-safe.
Add new make targets world-bin
and install-world-bin
(Andrew Dunstan)
These are the same as world
and install-world
respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck
) to work in PGXS usage (Andrew Dunstan)
Allow PostgreSQL version 10 to build with ICU 69 and newer (Peter Eisentraut)
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport
in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
Release date: 2021-05-13
This release contains a variety of fixes from 10.16. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.16, see Version 10.16.
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. CVE-2021-32027 or CVE-2021-32027)
Fix mishandling of “junk†columns in INSERT ... ON CONFLICT ... UPDATE
target lists (Tom Lane)
If the UPDATE
list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE
path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. CVE-2021-32028 or CVE-2021-32028)
Forbid marking an identity column as nullable (Vik Fearing)
GENERATED ... AS IDENTITY
implies NOT NULL
, so don't allow it to be combined with an explicit NULL
specification.
Allow ALTER ROLE/DATABASE ... SET
to set the role
, session_authorization
, and temp_buffers
parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
Fix bug with coercing the result of a COLLATE
expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE
appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE
has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
Disallow calling window functions and procedures via the “fast path†wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
Extend pg_identify_object_as_address()
to support event triggers (Joel Jacobson)
Fix to_char()
's handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
Check that the argument of pg_import_system_collations()
is a valid schema OID (Tom Lane)
Fix use of uninitialized value while parsing an \{
quantifier in a BRE-mode regular expression (Tom Lane)m
,n
\}
This error could cause the quantifier to act non-greedy, that is behave like an {
quantifier would do in full regular expressions.m
,n
}?
Don't ignore system columns when estimating the number of groups using extended statistics (Tomas Vondra)
This led to strange estimates for queries such as SELECT ... GROUP BY a, b, ctid
.
Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN
selectivity value, causing assertion failures or strange planner behavior.
Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to “could not open file†errors.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL (Soumyadeep Chakraborty, Jimmy Yih, Kevin Yeap)
This error could lead to subsequent WAL records being written under the wrong timeline ID, leading to consistency problems, or even complete failure to be able to restart the server, later on.
Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
Fix crash when a logical replication worker does ALTER SUBSCRIPTION REFRESH
(Peter Smith)
The core code won't do this, but a replica trigger could.
Ensure we default to wal_sync_method
= fdatasync
on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync
, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
Fix memory leak while initializing server's SSL parameters (Michael Paquier)
This is ordinarily insignificant, but if the postmaster is repeatedly sent SIGHUP signals, the leak can build up over time.
Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
When initdb prints instructions about how to start the server, make the path shown for pg_ctl use backslash separators on Windows (Nitin Jadhav)
Fix psql to restore the previous behavior of \connect service=
(Tom Lane)something
A previous bug fix caused environment variables (such as PGPORT
) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
Fix race condition in detection of file modification by psql's \e
and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
Fix pg_waldump to count XACT
records correctly when generating per-record statistics (Kyotaro Horiguchi)
Fix contrib/amcheck
to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY
and HEAP_KEYS_UPDATED
both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE
.
Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
Release date: 2021-02-11
This release contains a variety of fixes from 10.15. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, see the first changelog item below, which describes cases in which reindexing indexes after the upgrade may be advisable.
Also, if you are upgrading from a version earlier than 10.11, see Version 10.11.
Fix CREATE INDEX CONCURRENTLY
to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY
waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid incorrect results when WHERE CURRENT OF
is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY
is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF
is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N
-way joins†planner errors.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Adjust settings to make it more difficult to run out of DSM slots during heavy usage of parallel queries (Thomas Munro)
Fix ALTER DEFAULT PRIVILEGES
to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self†errors or unique-constraint violations.
Flush ACL-related caches when pg_authid
changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT
.
Prevent misprocessing of ambiguous CREATE TABLE LIKE
clauses (Tom Lane)
A LIKE
clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE
target.
Rearrange order of operations in CREATE TABLE LIKE
so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE
depends on an index that's coming from the LIKE
clause.
Disallow CREATE STATISTICS
on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Fix handling of backslash-escaped multibyte characters in COPY FROM
(Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN
without ANALYZE
(Alexey Bashtanov)
Fix recently-introduced race conditions in LISTEN
/NOTIFY
queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
The queue tail pointer could become set to a value that's not equal to the queue position of any backend, resulting in effective disabling of the queue truncation logic. Continued use of NOTIFY
then led to queue-fill warnings, and eventually to inability to send any more notifies until the server is restarted.
Allow the jsonb
concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a *
quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *?
quantifier would do in full regular expressions.
Fix numeric power()
for the case where the exponent is exactly INT_MIN
(-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound†or “could not access status of transaction†errors.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart†or “fast†shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid
values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul()
, causing misbehavior on platforms where long
is 32 bits (such as Windows).
Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM
option (Tom Lane)
In psql, re-allow including a password in a connection_string
argument of a \connect
command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
Fix assorted bugs in psql's \help
command (Kyotaro Horiguchi, Tom Lane)
\help
with two argument words failed to find a command description using only the first word, for example \help reset all
should show the help for RESET
but did not. Also, \help
often failed to invoke the pager when it should. It also leaked memory.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE
commands as the owner of the publication (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION
in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
Report the correct database name in connection failure error messages from some client programs (Ãlvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain
(Japin Li)
Memory consumed while producing the EXPLAIN
output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements
enabled.
In contrib/postgres_fdw
, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
In contrib/pgcrypto
, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
In contrib/pg_trgm
's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm
and contrib/postgres_fdw
(Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm
's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw
overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT
on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot
in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 10.14. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.11, see Version 10.11.
Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation†sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. CVE-2020-25695 or CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d
parameter of pg_dump and pg_restore, or the --maintenance-db
parameter of the other programs mentioned, can be a “connection string†containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. CVE-2020-25694 or CVE-2020-25694)
When psql's \connect
command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. CVE-2020-25694 or CVE-2020-25694)
Prevent psql's \gset
command from modifying specially-treated variables (Noah Misch)
\gset
without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1
, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. CVE-2020-25696 or CVE-2020-25696)
Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch)
This rare problem would manifest in later “apparent wraparound†or “could not access status of transaction†errors.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE
for users with the BYPASSRLS
attribute (Tom Lane, Stephen Frost)
The BYPASSRLS
attribute is only allowed to be changed by superusers, but other ALTER ROLE
operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Fix handling of expressions in CREATE TABLE LIKE
with inheritance (Tom Lane)
If a CREATE TABLE
command uses both LIKE
and traditional inheritance, column references in CHECK
constraints and expression indexes that came from a LIKE
parent table tended to get mis-numbered, resulting in wrong answers and/or bizarre error messages. The same could happen in GENERATED
expressions, in branches that have that feature.
Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC†marker to cancel out and produce AD.
Ensure that standby servers will archive WAL timeline history files when archive_mode
is set to always
(Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix “cache lookup failed for relation 0†failures in logical replication workers (Tom Lane)
The real-world impact is small, since the failure is unlikely, and if it does happen the worker would just exit and be restarted.
Prevent logical replication workers from sending redundant ping requests (Tom Lane)
During “smart†shutdown, don't terminate background processes until all client (foreground) sessions are done (Tom Lane)
The previous behavior broke parallel query processing, since the postmaster would terminate parallel workers and refuse to launch any new ones. It also caused autovacuum to cease functioning, which could have dire long-term effects if the surviving client sessions make a lot of data changes.
Avoid recursive consumption of stack space while processing signals in the postmaster (Tom Lane)
Heavy use of parallel processing has been observed to cause postmaster crashes due to too many concurrent signals requesting creation of a parallel worker process.
Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane)
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane)
A “constant†subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane)
While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Ãlvaro Herrera)
This oversight could lead to “failed to find parent tuple for heap-only tuple†errors.
Fix failure of parallel B-tree index scans when the index condition is unsatisfiable (James Hunter)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNNâ€. (If you are faced with such an error from an existing index, REINDEX
should be enough to fix it.)
Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Ãlvaro Herrera)
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
Fix rare “lost saved point in index†errors in scans of multicolumn GIN indexes (Tom Lane)
Fix unportable use of getnameinfo()
in pg_hba_file_rules
view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address
and netmask
columns were always null due to this error.
Fix use-after-free hazard when an event trigger monitors an ALTER TABLE
operation (Jehan-Guillaume de Rorthais)
Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes)
Avoid lockup when a parallel worker reports a very long error message (Vignesh C)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Make libpq support arbitrary-length lines in .pgpass
files (Tom Lane)
This is mostly useful to allow using very long security tokens as passwords.
In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (FabrÃzio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts
, or underspecified (though usually correct) COPY
commands when using COPY
to reload the tables' data.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto
(Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto
(Daniel Gustafsson)
Fix recently-added timetz
test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat†to “slimâ€. That's just cosmetic for our purposes, as we continue to select the “fat†mode in pre-v13 branches. This change also ensures that strftime()
does not change errno
unless it fails.
Release date: 2020-08-13
This release contains a variety of fixes from 10.13. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.11, see Version 10.11.
Set a secure search_path
in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described inCVE-2018-1058 or CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path
settings. (As withCVE-2018-1058 or CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. CVE-2020-14349 or CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described inCVE-2018-1058 or CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path
used to run an installation script; disable check_function_bodies
within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. CVE-2020-14350 or CVE-2020-14350)
In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Ãlvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues.
Fix firing of column-specific UPDATE
triggers in logical replication subscribers (Tom Lane)
The code neglected to account for the possibility of column numbers being different between the publisher and subscriber tables, so that if those were indeed different, wrong decisions might be made about which triggers to fire.
Fix slow execution of ts_headline()
(Tom Lane)
The phrase-search fix added in our previous set of minor releases could cause ts_headline()
to take unreasonable amounts of time for long documents; to make matters worse, the query was not cancellable within the troublesome loop.
Ensure the repeat()
function can be interrupted by query cancel (Joe Conway)
Fix pg_current_logfile()
to not include a carriage return (\r
) in its result on Windows (Tom Lane)
Fix mis-handling of NaN
inputs during parallel aggregation on numeric
-type columns (Tom Lane)
If some partial aggregation workers found only NaN
s while others found only non-NaN
s, the results were combined incorrectly, possibly leading to the wrong overall result (i.e., not NaN
when it should be).
Reject time-of-day values greater than 24 hours (Tom Lane)
The intention of the datetime input code is to allow “24:00:00†or equivalently “23:59:60â€, but no larger value. However, the range check was miscoded so that it would accept “23:59:60.nnn
†with nonzero fractional-second nnn
. In timestamp values this would result in wrapping into the first second of the next day. In time
and timetz
values, the stored value would actually be more than 24 hours, causing dump/reload failures and possibly other misbehavior.
Undo double-quoting of index names in EXPLAIN
's non-text output formats (Tom Lane, Euler Taveira)
Fix EXPLAIN
's accounting for resource usage, particularly buffer accesses, in parallel workers in a plan using Gather Merge
nodes (Jehan-Guillaume de Rorthais)
Fix timing of constraint revalidation in ALTER TABLE
(David Rowley)
If ALTER TABLE
needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK
constraints, it sometimes did things in the wrong order, leading to odd errors such as “could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytesâ€.
Work around incorrect not-null markings for pg_subscription
.subslotname
and pg_subscription_rel
.srsublsn
(Tom Lane)
The bootstrap catalog data incorrectly marks these two catalog columns as always non-null. There's no easy way to correct that mistake in existing installations (though v13 and later will have the correct markings). The main place that depends on that marking being correct is JIT-enabled tuple deconstruction, so teach it to explicitly ignore the marking for these two columns. Also adjust some C code that accessed srsublsn
without checking to see if it's null; a crash from that is improbable but perhaps not impossible.
Cope with LATERAL
references in restriction clauses attached to an un-flattened sub-SELECT
in the FROM
clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution.
Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY
.
Remove bogus warning about “leftover placeholder tuple†in BRIN index de-summarization (Ãlvaro Herrera)
The case can occur legitimately after a cancelled vacuum, so warning about it is overly noisy.
Improve error handling in the server's buffile
module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate.
Fix conflict-checking anomalies in SERIALIZABLE
isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error.
Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints
is on.
Fix failure of some code paths to acquire the correct lock before modifying pg_control
(Nathan Bossart, Fujii Masao)
This oversight could allow pg_control
to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control
update.
Fix errors in currtid()
and currtid2()
(Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as “could not open file†when applied to a relation having no storage.
Avoid calling elog()
or palloc()
while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock.
Fix assertion in logical replication subscriber to allow use of REPLICA IDENTITY FULL
(Euler Taveira)
This was just an incorrect assertion, so it has no impact on standard production builds.
Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Ãlvaro Herrera)
Some code paths could produce silly reports like “could not write file: Successâ€.
Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to “tuple concurrently updated†errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur.
Ensure that pg_upgrade runs with vacuum_defer_cleanup_age
set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age
to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade.
Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume.
Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat()
.
Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage.
Fix failure to initialize local state correctly in contrib/dblink
(Joe Conway)
With the right combination of circumstances, this could lead to dblink_close()
issuing an unexpected remote COMMIT
.
Fix contrib/pgcrypto
's misuse of deflate()
(Tom Lane)
The pgp_sym_encrypt
functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation.
Fix corner case in decompression logic in contrib/pgcrypto
's pgp_sym_decrypt
functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data.
Use POSIX-standard strsignal()
in place of the BSD-ish sys_siglist[]
(Tom Lane)
This avoids build failures with very recent versions of glibc.
Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José SantamarÃa Flecha, Davinder Singh, Amit Kapila)
Avoid possible failure of our MSVC install script when there is a file named configure
several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure
to identify the top level of the source tree.
Release date: 2020-05-14
This release contains a variety of fixes from 10.12. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.11, see Version 10.11.
Preserve the indisclustered
setting of indexes rewritten by ALTER TABLE
(Amit Langote, Justin Pryzby)
Previously, ALTER TABLE
lost track of which index had been used for CLUSTER
.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE
(Quan Zongliang, Peter Eisentraut)
Lock objects sooner during DROP OWNED BY
(Ãlvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same objects.
Fix error-case processing for CREATE ROLE ... IN ROLE
(Andrew Gierth)
Some error cases would be reported as “unexpected node type†or the like, instead of the intended message.
Ensure that members of the pg_read_all_stats
role can read all statistics views, as expected (Magnus Hagander)
The functions underlying the pg_stat_progress_*
views had not gotten this memo.
Fix full text search to handle NOT above a phrase search correctly (Tom Lane)
Queries such as !(foo<->bar)
failed to find matching rows when implemented as a GiST or GIN index search.
Fix full text search for cases where a phrase search includes an item with both prefix matching and a weight restriction (Tom Lane)
Fix ts_headline()
to make better headline selections when working with phrase queries (Tom Lane)
Fix bugs in gin_fuzzy_search_limit
processing (Adé Heyward, Tom Lane)
A small value of gin_fuzzy_search_limit
could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
Allow input of type circle
to accept the format “(
†as the documentation says it does (David Zhang)x
,y
),r
Make the get_bit()
and set_bit()
functions cope with bytea
strings longer than 256MB (Movead Li)
Since the bit number argument is only int4
, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea
. We'll widen the argument to int8
in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea
.
Ignore file-not-found errors in pg_ls_waldir()
and allied functions (Tom Lane)
This prevents a race condition failure if a file is removed between when we see its directory entry and when we attempt to stat()
it.
Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir()
, pg_timezone_names()
, pg_tablespace_databases()
, and allied functions (Justin Pryzby)
Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray
output when given only an anyrange
input (Tom Lane)
Avoid unlikely crash when REINDEX
is terminated by a session-shutdown signal (Tom Lane)
Fix low-probability crash after constraint violation errors in partitioned tables (Andres Freund)
Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN
(Konstantin Knizhnik, Tom Lane, Thomas Munro)
Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE
(Tatsuhito Kasahara)
Ensure that TimelineHistoryRead and TimelineHistoryWrite wait states are reported in all code paths that read or write timeline history files (Masahiro Ikeda)
Avoid possibly showing “waiting†twice in a process's PS status (Masahiko Sawada)
Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais)
WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi)
This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
Remove bogus “subtransaction logged without previous top-level txn record†error check in logical decoding (Arseny Sher, Amit Kapila)
This condition is legitimately reachable in various scenarios, so remove the check.
Ensure that a replication slot's io_in_progress_lock
is released in failure code paths (Pavan Deolasee)
This could result in a walsender later becoming stuck waiting for the lock.
Fix race conditions in synchronous standby management (Tom Lane)
During a change in the synchronous_standby_names
setting, there was a window in which wrong decisions could be made about whether it is OK to release transactions that are waiting for synchronous commit. Another hazard for similarly wrong decisions existed if a walsender process exited and was immediately replaced by another.
Ensure nextXid
can't go backwards on a standby server (Eka Palamadai)
This race condition could allow incorrect hot standby feedback messages to be sent back to the primary server, potentially allowing VACUUM
to run too soon on the primary.
Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
Fix memory leak in libpq when using sslmode=verify-full
(Roman Peshkurov)
Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
Fix ecpg to treat an argument of just “-
†as meaning “read from stdin†on all platforms (Tom Lane)
Allow tab-completion of the filename argument to psql's \gx
command (Vik Fearing)
Add pg_dump support for ALTER ... DEPENDS ON EXTENSION
(Ãlvaro Herrera)
pg_dump previously ignored dependencies added this way, causing them to be forgotten during dump/restore or pg_upgrade.
Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
In pg_dump, postpone restore of event triggers till the end (FabrÃzio de Royes Mello, Hamid Akhtar, Tom Lane)
This minimizes the risk that an event trigger could interfere with the restoration of other objects.
Fix quoting of --encoding
, --lc-ctype
and --lc-collate
values in createdb utility (Michael Paquier)
contrib/lo
's lo_manage()
function crashed if called directly rather than as a trigger (Tom Lane)
In contrib/ltree
, protect against overflow of ltree
and lquery
length fields (Nikita Glukhov)
Fix cache reference leak in contrib/sepgsql
(Michael Luo)
Avoid failures when dealing with Unix-style locale names on Windows (Juan José SantamarÃa Flecha)
Use pkg-config, if available, to locate libxml2 during configure (Hugh McMaster, Tom Lane, Peter Eisentraut)
If pkg-config is not present or lacks knowledge of libxml2, we still query xml2-config as before.
This change could break build processes that try to make PostgreSQL use a non-default version of libxml2 by putting that version's xml2-config into the PATH
. Instead, set XML2_CONFIG
to point to the non-default xml2-config. That method will work with either older or newer PostgreSQL releases.
Include CFLAGS_SL
in CXXFLAGS
when building a shared library (Oleksii Kliukin)
This ensures that C++ source files are compiled correctly, for example by adding -fPIC
when needed.
In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
In MSVC builds, use -Wno-deprecated
with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan)
Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai.
The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link.
Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.
Release date: 2020-02-13
This release contains a variety of fixes from 10.11. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.11, see Version 10.11.
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION
(Ãlvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). CVE-2020-1720 or CVE-2020-1720)
Fix logical replication subscriber code to execute per-column UPDATE
triggers when appropriate (Peter Eisentraut)
Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
Fix possible crash or data corruption when a logical replication subscriber processes a row update (Tom Lane, Tomas Vondra)
This bug caused visible problems only if the subscriber's table contained columns that were not being copied from the publisher and had pass-by-reference data types.
Fix crash in logical replication subscriber after DDL changes on a subscribed relation (Jehan-Guillaume de Rorthais, Vignesh C)
Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
Improve efficiency of logical replication with REPLICA IDENTITY FULL
(Konstantin Knizhnik)
When searching for an existing tuple during an update or delete operation, return the first matching tuple not the last one.
Prevent premature shutdown of a Gather or GatherMerge plan node that is underneath a Limit node (Amit Kapila)
This avoids failure if such a plan node needs to be scanned more than once, as for instance if it is on the inside of a nestloop.
Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
Ignore the CONCURRENTLY
option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT
action. There is no benefit in using CONCURRENTLY
for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS
(Tom Lane)
Fix possible crash in BRIN index operations with box
, range
and inet
data types (Heikki Linnakangas)
Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
Fix possible crash with a SubPlan (sub-SELECT
) within a multi-row VALUES
list (Tom Lane)
Fix crash after FileClose() failure (Noah Misch)
This issue could only be observed with data_sync_retry
enabled, since otherwise FileClose() failure would be reported as a PANIC.
Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
Improve error reporting in to_date()
and to_timestamp()
(Tom Lane, Ãlvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
Fix off-by-one result for EXTRACT (ISOYEAR FROM
for BC dates (Tom Lane)timestamp
)
Avoid stack overflow in information_schema
views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
Ensure that walsender processes always show NULL for transaction start time in pg_stat_activity
(Ãlvaro Herrera)
Previously, the xact_start
column would sometimes show the process start time.
Improve performance of hash joins with very large inner relations (Thomas Munro)
Fix edge-case crashes and misestimations in selectivity calculations for the <@
and @>
range operators (Michael Paquier, Andrey Borodin, Tom Lane)
Ignore system columns when applying most-common-value extended statistics (Tomas Vondra)
This prevents “negative bitmapset member not allowed†planner errors for affected queries.
Fix BRIN index logic to support hypothetical BRIN indexes (Julien Rouhaud, Heikki Linnakangas)
Previously, if an “index adviser†extension tried to get the planner to produce a plan involving a hypothetical BRIN index, that would fail, because the BRIN cost estimation code would always try to physically access the index's metapage. Now it checks to see if the index is only hypothetical, and uses default assumptions about the index parameters if so.
Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD
rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
Disallow partition key expressions that return pseudo-types, such as record
(Tom Lane)
Fix error reporting for index expressions of prohibited types (Amit Langote)
Fix dumping of views that contain only a VALUES
list to handle cases where a view output column has been renamed (Tom Lane)
Ensure that data types and collations used in XMLTABLE
constructs are accounted for when computing dependencies of a view or rule (Tom Lane)
Previously it was possible to break a view using XMLTABLE
by dropping a type, if the type was not otherwise referenced in the view. This fix does not correct the dependencies already recorded for existing views, only for newly-created ones.
Prevent unwanted downcasing and truncation of RADIUS authentication parameters (Marcos David Hartwig)
The pg_hba.conf
parser mistakenly treated these fields as SQL identifiers, which in general they aren't.
Transmit incoming NOTIFY
messages to the client before sending ReadyForQuery
, rather than after (Tom Lane)
This change ensures that, with libpq and other client libraries that act similarly to it, any notifications received during a transaction will be available by the time the client thinks the transaction is complete. This probably makes no difference in practical applications (which would need to cope with asynchronous notifications in any case); but it makes it easier to build test cases with reproducible behavior.
Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
Fix incorrect handling of %b
and %B
format codes in ecpg's PGTYPEStimestamp_fmt_asc()
function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
Apply more thorough syntax checking to createuser's --connection-limit
option (Ãlvaro Herrera)
Avoid crash in postgres_fdw
when trying to send a command like UPDATE remote_tab SET (x,y) = (SELECT ...)
to the remote server (Tom Lane)
In contrib/dict_int
, reject maxlen
settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
Disallow NULL category values in contrib/tablefunc
's crosstab()
function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT
, to allow extensions to access them on Windows (Pascal Legrand)
This applies to idle_in_transaction_session_timeout
, lock_timeout
, statement_timeout
, track_activities
, track_counts
, and track_functions
.
Avoid memory leak in sanity checks for “slab†memory contexts (Tomas Vondra)
This isn't an issue for production builds, since they wouldn't ordinarily have memory context checking enabled; but the leak could be quite severe in a debug build.
Fix multiple statistics entries reported by the LWLock statistics mechanism (Fujii Masao)
The LWLock statistics code (which is not built by default; it requires compiling with -DLWLOCK_STATS
) could report multiple entries for the same LWLock and backend process, as a result of faulty hashtable key creation.
Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY
, and perhaps other misbehavior.
On Windows, retry a few times after an ERROR_ACCESS_DENIED
file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
Release date: 2019-11-14
This release contains a variety of fixes from 10.10. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you use the contrib/intarray
extension with a GiST index, and you rely on indexed searches for the <@
operator, see the entry below about that.
Also, if you are upgrading from a version earlier than 10.6, see Version 10.6.
Fix failure of ALTER TABLE SET
with a custom relation option (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Prevent VACUUM
from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM
failing until the old transaction terminates.
Fix planner's test for case-foldable characters in ILIKE
with an ICU collation (Tom Lane)
This mistake caused the planner to treat too much of the pattern as being a fixed prefix, so that indexscans derived from an ILIKE
clause might miss entries that they should find.
Ensure that offset expressions in WINDOW
clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
Fix handling of whole-row variables in WITH CHECK OPTION
expressions and row-level-security policy expressions (Andres Freund)
Previously, such usage might result in bogus errors about row type mismatches.
Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
Prevent possible double-free if a BEFORE UPDATE
trigger returns the old tuple as-is, and it is not the last such trigger (Thomas Munro)
Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
In serializable mode, ensure that row-level predicate locks are acquired on the correct version of the row (Thomas Munro, Heikki Linnakangas)
If the visible version of the row is HOT-updated, the lock might be taken on its now-dead predecessor, resulting in subtle failures to guarantee serialization.
Ensure that fsync()
is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes “bad file descriptor†or similar errors.
Allow encoding conversion to succeed on longer strings than before (Ãlvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
Avoid an unnecessary catalog lookup during heap page pruning (Thomas Munro)
It's no longer necessary to check for unlogged indexes here, and the check caused significant performance problems in some workloads. There was also at least a theoretical possibility of deadlock.
Avoid creating unnecessarily-bulky tuple stores for window functions (Andrew Gierth)
In some cases the tuple storage would include all columns of the source table(s), not just the ones that are needed by the query.
Allow repalloc()
to give back space when a large chunk is reduced in size (Tom Lane)
Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
Avoid failure in archive recovery if recovery_min_apply_delay
is enabled (Fujii Masao)
recovery_min_apply_delay
is not typically used in this configuration, but it should work.
Fix logical replication failure when publisher and subscriber have different ideas about a table's replica identity columns (Jehan-Guillaume de Rorthais, Peter Eisentraut)
Declaring a column as part of the replica identity on the subscriber, when it does not exist at all on the publisher, led to “negative bitmapset member not allowed†errors.
Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Ãlvaro Herrera)
Fix timeout handling in logical replication walreceiver processes (Julien Rouhaud)
Erroneous logic prevented wal_receiver_timeout
from working in logical replication deployments.
Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription
.last_msg_send_time
usually reading as NULL.
In logical decoding, ensure that sub-transactions are correctly accounted for when reconstructing a snapshot (Masahiko Sawada)
This error leads to assertion failures; it's unclear whether any bad effects exist in production builds.
Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
Fix ALTER SYSTEM
to cope with duplicate entries in postgresql.auto.conf
(Ian Barwick)
ALTER SYSTEM
itself will not generate such a state, but external tools that modify postgresql.auto.conf
could do so. Duplicate entries for the target variable will now be removed, and then the new setting (if any) will be appended at the end.
Reject include directives with empty file names in configuration files, and report include-file recursion more clearly (Ian Barwick, Tom Lane)
Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
Fix some cases where an incomplete date specification is not detected in time with time zone
input (Alexander Lakhin)
If a time zone with a time-varying UTC offset is specified, then a date must be as well, so that the offset can be resolved. Depending on the syntax used, this check was not enforced in some cases, allowing bogus output to be produced.
Fix misbehavior of bitshiftright()
(Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright()
in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
Avoid crash when selecting a namespace node in XMLTABLE
(Chapman Flack)
Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
Fix memory leaks in lower()
, upper()
, and initcap()
functions when using ICU collations (Konstantin Knizhnik)
Avoid crashes if ispell
text search dictionaries contain wrong affix data (Arthur Zakirov)
Fix incorrect compression logic for GIN posting lists (Heikki Linnakangas)
A GIN posting list item can require 7 bytes if the distance between adjacent indexed TIDs exceeds 16TB. One step in the logic was out of sync with that, and might try to write the value into a 6-byte buffer. In principle this could cause a stack overrun, but on most architectures it's likely that the next byte would be unused alignment padding, making the bug harmless. In any case the bug would be very difficult to hit.
Fix handling of infinity, NaN, and NULL values in KNN-GiST (Alexander Korotkov)
The query's output order could be wrong (different from a plain sort's result) if some distances computed for non-null column values are infinity or NaN.
Fix handling of searches for NULL in KNN-SP-GiST (Nikita Glukhov)
On Windows, recognize additional spellings of the “Norwegian (Bokmål)†locale name (Tom Lane)
Avoid compile failure if an ECPG client includes ecpglib.h
while having ENABLE_NLS
defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext()
should not be visible to client code.
In psql, resynchronize internal state about the server after an unexpected connection loss and successful reconnection (Peter Billen, Tom Lane)
Ordinarily this is unnecessary since the state would be the same anyway. But it can matter in corner cases, such as where the connection might lead to one of several servers. This change causes psql to re-issue any interactive messages that it would have issued at startup, for example about whether SSL is in use.
Avoid platform-specific null pointer dereference in psql (Quentin Rameau)
In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
Fix pg_dump to work again with pre-8.3 source servers (Tom Lane)
A previous fix caused pg_dump to always try to query pg_opfamily
, but that catalog doesn't exist before version 8.3.
In pg_restore, treat -f -
as meaning “output to stdout†(Ãlvaro Herrera)
This synchronizes pg_restore's behavior with some other applications, and in particular makes pre-v12 branches act similarly to version 12's pg_restore, simplifying creation of dump/restore scripts that work across multiple PostgreSQL versions. Before this change, pg_restore interpreted such a switch as meaning “output to a file named -
â€, but few people would want that.
Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line
(Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
Detect file read errors during pg_basebackup (Jeevan Chalke)
In pg_basebackup, don't fsync output files until the end of backup (Michael Paquier)
The previous coding could result in timeout failures if fsync was slow.
In pg_rewind with an online source cluster, disable timeouts, much as pg_dump does (Alexander Kukushkin)
Fix failure in pg_waldump with the -s
option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
In pg_waldump, include the newitemoff
field in btree page split records (Peter Geoghegan)
In pg_waldump with the --bkp-details
option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
Fix small memory leak in pg_waldump (Andres Freund)
Fix vacuumdb with a high --jobs
option to handle running out of file descriptors better (Michael Paquier)
Fix contrib/amcheck
to skip unlogged indexes during hot standby (Andrey Borodin, Peter Geoghegan)
An unlogged index won't necessarily contain valid data in this context, so don't try to check it.
Fix contrib/intarray
's GiST opclasses to not fail for empty arrays with <@
(Tom Lane)
A clause like
is considered indexable, but the index search may not find empty array values; of course, such entries should trivially match the search.array_column
<@ constant_array
The only practical back-patchable fix for this requires making <@
index searches scan the whole index, which is what this patch does. This is unfortunate: it means that the query performance is likely worse than a plain sequential scan would be.
Applications whose performance is adversely impacted by this change have a couple of options. They could switch to a GIN index, which doesn't have this bug, or they could replace
with array_column
<@ constant_array
. That will provide about the same performance as before, and it will find all non-empty subsets of the given constant array, which is all that could reliably be expected of the query before.array_column
<@ constant_array
AND array_column
&& constant_array
Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS
to -O0
.
Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
On PowerPC, avoid depending on the xlc compiler's __fetch_and_add()
function (Noah Misch)
xlc 13 and newer interpret this function in a way incompatible with our usage, resulting in an unusable build of PostgreSQL. Fix by using custom assembly code instead.
On AIX, don't use the compiler option -qsrcmsg
(Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
Update time zone data files to tzdata release 2019c for DST law changes in Fiji and Norfolk Island, plus historical corrections for Alberta, Austria, Belgium, British Columbia, Cambodia, Hong Kong, Indiana (Perry County), Kaliningrad, Kentucky, Michigan, Norfolk Island, South Korea, and Turkey.
Release date: 2019-08-08
This release contains a variety of fixes from 10.9. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.6, see Version 10.6.
Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)
We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.
. Require this as well for casting to temporary types using functional notation, for example func_name
(args
)pg_temp.
. Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked inCVE-2007-2138 or CVE-2007-2138. CVE-2019-10208 or CVE-2019-10208)type_name
(arg
)
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE
when altering multiple columns' types in one command (Tom Lane)
This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE
.
Install dependencies to prevent dropping partition key columns (Tom Lane)
ALTER TABLE ... DROP COLUMN
will refuse to drop a column that is a partition key column. However, indirect drops (such as a cascade from dropping a key column's data type) had no such check, allowing the deletion of a key column. This resulted in a badly broken partitioned table that could neither be accessed nor dropped.
This fix adds pg_depend
entries that enforce that the whole partitioned table, not just the key column, will be dropped if a cascaded drop forces removal of the key column. However, such entries will only be created when a partitioned table is created; so this fix does not remove the risk for pre-existing partitioned tables. The issue can only arise for partition key columns of non-built-in data types, so it seems not to be a hazard for most users.
Don't optimize away GROUP BY
columns when the table involved is an inheritance parent (David Rowley)
Normally, if a table's primary key column(s) are included in GROUP BY
, it's safe to drop any other grouping columns, since the primary key columns are enough to make the groups unique. This rule does not work if the query is also reading inheritance child tables, though; the parent's uniqueness does not extend to the children.
Avoid using unnecessary sort steps for some queries with GROUPING SETS
(Andrew Gierth, Richard Guo)
Fix failure to access trigger transition tables during EvalPlanQual
rechecks (Alex Aktsipetrov)
Triggers that rely on transition tables sometimes failed in the presence of concurrent updates.
Fix mishandling of multi-column foreign keys when rebuilding a foreign key constraint (Tom Lane)
ALTER TABLE
could make an incorrect decision about whether revalidation of a foreign key is necessary, if not all columns of the key are of the same type. It seems likely that the error would always have been in the conservative direction, that is revalidating unnecessarily.
Don't build extended statistics for inheritance trees (Tomas Vondra)
This avoids a “tuple already updated by self†error during ANALYZE
.
Avoid spurious deadlock errors when upgrading a tuple lock (Oleksii Kliukin)
When two or more transactions are waiting for a transaction T1 to release a tuple-level lock, and T1 upgrades its lock to a higher level, a spurious deadlock among the waiting transactions could be reported when T1 finishes.
Fix failure to resolve deadlocks involving multiple parallel worker processes (Rui Hai Jiang)
It is not clear whether this bug is reachable with non-artificial queries, but if it did happen, the queries involved in an otherwise-resolvable deadlock would block until canceled.
Prevent incorrect canonicalization of date ranges with infinity
endpoints (Laurenz Albe)
It's incorrect to try to convert an open range to a closed one or vice versa by incrementing or decrementing the endpoint value, if the endpoint is infinite; so leave the range alone in such cases.
Fix loss of fractional digits when converting very large money
values to numeric
(Tom Lane)
Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6 (YunQiang Su)
Make libpq ignore carriage return (\r
) in connection service files (Tom Lane, Michael Paquier)
In some corner cases, service files containing Windows-style newlines could be mis-parsed, resulting in connection failures.
In psql, avoid offering incorrect tab completion options after SET
(Tom Lane)variable
=
Fix a small memory leak in psql's \d
command (Tom Lane)
Fix pg_dump to ensure that custom operator classes are dumped in the right order (Tom Lane)
If a user-defined opclass is the subtype opclass of a user-defined range type, related objects were dumped in the wrong order, producing an unrestorable dump. (The underlying failure to handle opclass dependencies might manifest in other cases too, but this is the only known case.)
Fix possible lockup in pgbench when using -R
option (Fabien Coelho)
Fix contrib/passwordcheck
to coexist with other users of check_password_hook
(Michael Paquier)
Fix contrib/sepgsql
tests to work under recent SELinux releases (Mike Palmiotto)
Improve stability of src/test/recovery
regression tests (Michael Paquier)
Reduce stderr output from pg_upgrade's test script (Tom Lane)
Fix TAP tests to work with msys Perl, in cases where the build directory is on a non-root msys mount point (Noah Misch)
Support building Postgres with Microsoft Visual Studio 2019 (Haribabu Kommi)
In Visual Studio builds, honor WindowsSDKVersion
environment variable, if that's set (Peifeng Qiu)
This fixes build failures in some configurations.
Support OpenSSL 1.1.0 and newer in Visual Studio builds (Juan José SantamarÃa Flecha, Michael Paquier)
Allow make options to be passed down to gmake when non-GNU make is invoked at the top level (Thomas Munro)
Avoid choosing localtime
or posixrules
as TimeZone
during initdb (Tom Lane)
In some cases initdb would choose one of these artificial zone names over the “real†zone name. Prefer any other match to the C library's timezone behavior over these two.
Adjust pg_timezone_names
view to show the Factory
time zone if and only if it has a short abbreviation (Tom Lane)
Historically, IANA set up this artificial zone with an “abbreviation†like Local time zone must be set--see zic manual page
. Modern versions of the tzdb database show -00
instead, but some platforms alter the data to show one or another of the historical phrases. Show this zone only if it uses the modern abbreviation.
Sync our copy of the timezone library with IANA tzcode release 2019b (Tom Lane)
This adds support for zic's new -b slim
option to reduce the size of the installed zone files. We are not currently using that, but may enable it in future.
Update time zone data files to tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine.
Release date: 2019-06-20
This release contains a variety of fixes from 10.8. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.6, see Version 10.6.
Fix buffer-overflow hazards in SCRAM verifier parsing (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
Any authenticated user could cause a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could suffice for executing arbitrary code as the PostgreSQL operating system account.
A similar overflow hazard existed in libpq, which could allow a rogue server to crash a client or perhaps execute arbitrary code as the client's operating system account.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. CVE-2019-10164 or CVE-2019-10164)
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE
when the table has a partial exclusion constraint (Tom Lane)
Fix failure of COMMENT
command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)
Prevent possible memory clobber when there are duplicate columns in a hash aggregate's hash key list (Andrew Gierth)
Fix faulty generation of merge-append plans (Tom Lane)
This mistake could lead to “could not find pathkey item to sort†errors.
Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
Fix conversion of JSON string literals to JSON-type output columns in json_to_record()
and json_populate_record()
(Tom Lane)
Such cases should produce the literal as a standalone JSON value, but the code misbehaved if the literal contained any characters requiring escaping.
Fix misoptimization of {1,1}
quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?
, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
Avoid possible failures while initializing a new process's pg_stat_activity
data (Tom Lane)
Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared pg_stat_activity
data.
Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
Fix unsafe coding in walreceiver's signal handler (Tom Lane)
This avoids rare problems in which the walreceiver process would crash or deadlock when commanded to shut down.
Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like “cannot read pg_class without having selected a databaseâ€.
Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime
symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime
is not a symlink to a zone data file, nor if the time zone is determined from the TZ
environment variable.
Separately, prefer UTC
over other spellings of that time zone, when neither TZ
nor /etc/localtime
provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT
and UTC
zone names equivalent: initdb was then preferring UCT
, which almost nobody wants.
Fix ordering of GRANT
commands emitted by pg_dump and pg_dumpall for databases and tablespaces (Nathan Bossart, Michael Paquier)
If cascading grants had been issued, restore might fail due to the GRANT
commands being given in an order that didn't respect their interdependencies.
Make pg_dump recreate table partitions using CREATE TABLE
then ATTACH PARTITION
, rather than including PARTITION OF
in the creation command (Ãlvaro Herrera, David Rowley)
This avoids problems with the partition's column order possibly being changed to match the parent's. Also, a partition is now restorable from the dump (as a standalone table) even if its parent table isn't restored; the ATTACH
will fail, but that can just be ignored.
Fix misleading error reports from reindexdb (Julien Rouhaud)
Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
Fix contrib/auto_explain
to not cause problems in parallel queries (Tom Lane)
Previously, a parallel worker might try to log its query even if the parent query were not being logged by auto_explain
. This would work sometimes, but it's confusing, and in some cases it resulted in failures like “could not find key N in shm TOCâ€.
Also, fix an off-by-one error that resulted in not necessarily logging every query even when the sampling rate is set to 1.0.
In contrib/postgres_fdw
, account for possible data modifications by local BEFORE ROW UPDATE
triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE
, the new value was not transmitted to the remote server.
On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
Make PL/pgSQL's header files C++-safe (George Tarasov)
Release date: 2019-05-09
This release contains a variety of fixes from 10.7. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.6, see Version 10.6.
Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic
(e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. InCVE-2017-7484 or CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. CVE-2019-10130 or CVE-2019-10130)
Avoid catalog corruption when a temporary table with ON COMMIT DROP
and an identity column is created in a single-statement transaction (Peter Eisentraut)
This hazard was overlooked because the case is not actually useful, since the temporary table would be dropped immediately after creation.
Avoid crash when an EPQ recheck is performed for a partitioned query result relation (Amit Langote)
This occurs when using READ COMMITTED
isolation level and another session has concurrently updated some of the target row(s).
Fix behavior for an UPDATE
or DELETE
on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a RETURNING
clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
Avoid throwing incorrect errors for updates of temporary tables and unlogged tables when a FOR ALL TABLES
publication exists (Peter Eisentraut)
Such tables should be ignored for publication purposes, but some parts of the code failed to do so.
Fix handling of explicit DEFAULT
items in an INSERT ... VALUES
command with multiple VALUES
rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES
will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
Fix CREATE VIEW
to allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
Add missing support for CREATE TABLE IF NOT EXISTS ... AS EXECUTE ...
(Andreas Karlsson)
The combination of IF NOT EXISTS
and EXECUTE
should work, but the grammar omitted it.
Ensure that sub-SELECT
s appearing in row-level-security policy expressions are executed with the correct user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
Accept XML documents as valid values of type xml
when xmloption
is set to content
, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption
that will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit SET xmloption = content
while restoring data, ensuring that dump/restore works even if the prevailing setting is document
.
Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid
file has been removed.
Avoid counting parallel workers' transactions as separate transactions (Haribabu Kommi)
Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
Fix possible crash while executing a SHOW
command in a replication connection (Michael Paquier)
Avoid memory leak when a partition's relation cache entry is rebuilt (Amit Langote, Tom Lane)
Tolerate EINVAL
and ENOSYS
error results, where appropriate, for fsync
and sync_file_range
calls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means “operation not supportedâ€.
Report correct relation name in autovacuum's pg_stat_activity
display during BRIN summarize operations (Ãlvaro Herrera)
Fix “failed to build any N
-way joins†planner failures with lateral references leading out of FULL
outer joins (Tom Lane)
Fix misplanning of queries in which a set-returning function is applied to a relation that is provably empty (Tom Lane, Julien Rouhaud)
In v10, this oversight only led to slightly inefficient plans, but in v11 it could cause “set-valued function called in context that cannot accept a set†errors.
Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic
data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
Speed up planning when there are many equality conditions and many potentially-relevant foreign key constraints (David Rowley)
Avoid O (N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
Fix corner-case server crashes in dynamic shared memory allocation (Thomas Munro, Robert Haas)
Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to “dsa_area could not attach to segment†or “cannot unpin a segment that is not pinned†errors.
Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
Fix possible crash when pg_identify_object_as_address()
is given invalid input (Ãlvaro Herrera)
Fix possible “could not access status of transaction†failures in txid_status()
(Thomas Munro)
Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
Fix handling of lc_time
settings that imply an encoding different from the database's encoding (Juan José SantamarÃa Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
Fix incorrect operator_precedence_warning
checks involving unary minus operators (Rikard Falkeborn)
Disallow NaN
as a value for floating-point server parameters (Tom Lane)
Rearrange REINDEX
processing to avoid assertion failures when reindexing individual indexes of pg_class
(Andres Freund, Tom Lane)
Fix planner assertion failure for parameterized dummy paths (Tom Lane)
Insert correct test function in the result of SnapBuildInitialSnapshot()
(Antonin Houska)
No core code cares about this, but some extensions do.
Fix intermittent “could not reattach to shared memory†session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of SET
(but not variable
= DEFAULTSET
) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a variable
TO DEFAULTDROP TYPE
or DROP DOMAIN
command that listed multiple type names, only the first type name was actually processed.
Sync ecpg's syntax for CREATE TABLE AS
with the server's (Daisuke Higuchi)
Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
Avoid crash in contrib/postgres_fdw
when a query using remote grouping or aggregation has a SELECT
-list item that is an uncorrelated sub-select, outer reference, or parameter symbol (Tom Lane)
Avoid crash in contrib/vacuumlo
if an lo_unlink()
call failed (Tom Lane)
Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca
zone, and adds support for zic's new -r
option.
Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT
is now a backward-compatibility link to Etc/UTC
, instead of being a separate zone that generates the abbreviation UCT
, which nowadays is typically a typo. PostgreSQL will still accept UCT
as an input zone abbreviation, but it won't output it.
Release date: 2019-02-14
This release contains a variety of fixes from 10.6. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.6, see Version 10.6.
By default, panic instead of retrying after fsync()
failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync()
failure. If we reissue the fsync()
request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry
to on
to restore the old behavior.
Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
Ensure that NOT NULL
constraints of a partitioned table are honored within its partitions (Ãlvaro Herrera, Amit Langote)
Use a safe table lock level when detaching a partition (Ãlvaro Herrera)
The previous locking level was too weak and might allow concurrent DDL on the table, with bad results.
Fix problems with applying ON COMMIT DROP
and ON COMMIT DELETE ROWS
to partitioned tables and tables with inheritance children (Michael Paquier)
Disallow COPY FREEZE
on partitioned tables (David Rowley)
This should eventually be made to work, but it may require a patch that's too complicated to risk back-patching.
Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
Avoid deadlock between GIN vacuuming and concurrent index insertions (Alexander Korotkov, Andrey Borodin, Peter Geoghegan)
This change partially reverts a performance improvement, introduced in version 10.0, that attempted to reduce the number of index pages locked during deletion of a GIN posting tree page. That's now been found to lead to deadlocks, so we've removed it pending closer analysis.
Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
Prevent incorrect use of WAL-skipping optimization during COPY
to a view or foreign table (Amit Langote, Michael Paquier)
Make the archiver prioritize WAL history files over WAL data files while choosing which file to archive next (David Steele)
Fix possible crash in UPDATE
with a multiple SET
clause using a sub-SELECT
as source (Tom Lane)
Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
Check whether the comparison function underlying LEAST()
or GREATEST()
is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
Fix incorrect planning of queries involving nested loops both above and below a Gather plan node (Tom Lane)
If both levels of nestloop needed to pass the same variable into their right-hand sides, an incorrect plan would be generated.
Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
Avoid O (N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
Improve ANALYZE
's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE
's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE
's start time.
Make TRUNCATE
ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE
into line with the behavior of other commands. Previously, such cases usually ended in failure.
Fix TRUNCATE
to update the statistics counters for the right table (Tom Lane)
If the truncated table had a TOAST table, that table's counters were reset instead.
Process ALTER TABLE ONLY ADD COLUMN IF NOT EXISTS
correctly (Greg Stark)
Allow UNLISTEN
in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN
isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
Prevent use of a session's temporary schema within a two-phase transaction (Michael Paquier)
Accessing a temporary table within such a transaction has been forbidden for a long time, but it was still possible to cause problems with other operations on temporary objects.
Ensure relation caches are updated properly after adding or removing foreign key constraints (Ãlvaro Herrera)
This oversight could result in existing sessions failing to enforce a newly-created constraint, or continuing to enforce a dropped one.
Ensure relation caches are updated properly after renaming constraints (Amit Langote)
Make autovacuum more aggressive about removing leftover temporary tables, and also remove leftover temporary tables during DISCARD TEMP
(Ãlvaro Herrera)
This helps ensure that remnants from a crashed session are cleaned up more promptly.
Fix replay of GiST index micro-vacuum operations so that concurrent hot-standby queries do not see inconsistent state (Alexander Korotkov)
Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
When making a PAM authentication request, don't set the PAM_RHOST
variable if the connection is via a Unix socket (Thomas Munro)
Previously that variable would be set to [local]
, which is at best unhelpful, since it's supposed to be a host name.
Disallow setting client_min_messages
higher than ERROR
(Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL
or PANIC
, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR
instead. Version 12 and later will reject those alternatives altogether.
Fix ecpglib to use uselocale()
or _configthreadlocale()
in preference to setlocale()
(Michael Meskes, Tom Lane)
Since setlocale()
is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
Fix psql's \g
target
meta-command to work with COPY TO STDOUT
(Daniel Vérité)
Previously, the target
option was ignored, so that the copy data always went to the current query output target.
Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about “archive items not in correct section orderâ€; less harmlessly, selective-restore options depending on those labels, such as --section
, might misbehave.
Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
Properly disregard SIGPIPE
errors if COPY FROM PROGRAM
stops reading the program's output early (Tom Lane)
This case isn't actually reachable directly with COPY
, but it can happen when using contrib/file_fdw
.
Fix contrib/hstore
to calculate correct hash values for empty hstore
values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore
value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore
columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
Avoid crashes and excessive runtime with large inputs to contrib/intarray
's gist__int_ops
index support (Andrew Gierth)
In configure, look for python3
and then python2
if python
isn't found (Peter Eisentraut)
This allows PL/Python to be configured without explicitly specifying PYTHON
on platforms that no longer provide an unversioned python
executable.
Support new Makefile variables PG_CFLAGS
, PG_CXXFLAGS
, and PG_LDFLAGS
in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
Fix Perl-coded build scripts to not assume “.
†is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
Fix server command-line option parsing problems on OpenBSD (Tom Lane)
Relocate call of set_rel_pathlist_hook
so that extensions can use it to supply partial paths for parallel queries (KaiGai Kohei)
This is not expected to affect existing use-cases.
Rename red-black tree support functions to use rbt
prefix not rb
prefix (Tom Lane)
This avoids name collisions with Ruby functions, which broke PL/Ruby. It's hoped that there are no other affected extensions.
Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.
Release date: 2018-11-08
This release contains a variety of fixes from 10.5. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you use the pg_stat_statements
extension, see the changelog entry below about that.
Also, if you are upgrading from a version earlier than 10.4, see Version 10.4.
Ensure proper quoting of transition table names when pg_dump emits CREATE TRIGGER ... REFERENCING
commands (Tom Lane)
This oversight could be exploited by an unprivileged user to gain superuser privileges during the next dump/reload or pg_upgrade run. CVE-2018-16850 or CVE-2018-16850)
Fix corner-case failures in has_
family of functions (Tom Lane)foo
_privilege()
Return NULL rather than throwing an error when an invalid object OID is provided. Some of these functions got that right already, but not all. has_column_privilege()
was additionally capable of crashing on some platforms.
Fix pg_get_partition_constraintdef()
to return NULL rather than fail when passed an invalid relation OID (Tom Lane)
Avoid O (N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
Fix parsing of standard multi-character operators that are immediately followed by a comment or +
or -
(Andrew Gierth)
This oversight could lead to parse errors, or to incorrect assignment of precedence.
Avoid O (N^3) slowdown in lexer for long strings of +
or -
characters (Andrew Gierth)
Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ...
after rewinding the referenced cursor (Tom Lane)
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
Fix EvalPlanQual
to handle conditionally-executed InitPlans properly (Andrew Gierth, Tom Lane)
This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT
inside a CASE
construct.
Prevent creation of a partition in a trigger attached to its parent table (Amit Langote)
Ideally we'd allow that, but for the moment it has to be blocked to avoid crashes.
Fix problems with applying ON COMMIT DELETE ROWS
to a partitioned temporary table (Amit Langote)
Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well as contrib/ltree
and contrib/pg_trgm
.
Disallow pushing sub-SELECT
s containing window functions, LIMIT
, or OFFSET
to parallel workers (Amit Kapila)
Such cases could result in inconsistent behavior due to different workers getting different answers, as a result of indeterminacy due to row-ordering variations.
Ensure that sequences owned by a foreign table are processed by ALTER OWNER
on the table (Peter Eisentraut)
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
Ensure that the server will process already-received NOTIFY
and SIGTERM
interrupts before waiting for client input (Jeff Janes, Tom Lane)
Fix over-allocation of space for array_out()
's result string (Keiichi Hirobe)
Avoid query-lifetime memory leak in XMLTABLE
(Andrew Gierth)
Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
Ensure that ApplyLogicalMappingFile()
closes the mapping file when done with it (Tomas Vondra)
Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.
Fix logical decoding to handle cases where a mapped catalog table is repeatedly rewritten, e.g., by VACUUM FULL
(Andres Freund)
Prevent starting the server with wal_level
set to too low a value to support an existing replication slot (Andres Freund)
Avoid crash if a utility command causes infinite recursion (Tom Lane)
When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
Fix event triggers to handle nested ALTER TABLE
commands (Michael Paquier, Ãlvaro Herrera)
Propagate parent process's transaction and statement start timestamps to parallel workers (Konstantin Knizhnik)
This prevents misbehavior of functions such as transaction_timestamp()
when executed in a worker.
Fix transfer of expanded datums to parallel workers so that alignment is preserved, preventing crashes on alignment-picky platforms (Tom Lane, Amit Kapila)
Fix WAL file recycling logic to work correctly on standby servers (Michael Paquier)
Depending on the setting of archive_mode
, a standby might fail to remove some WAL files that could be removed.
Fix handling of commit-timestamp tracking during recovery (Masahiko Sawada, Michael Paquier)
If commit timestamp tracking has been turned on or off, recovery might fail due to trying to fetch the commit timestamp for a transaction that did not record it.
Randomize the random()
seed in bootstrap and standalone backends, and in initdb (Noah Misch)
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
Fix possible shared-memory corruption in DSA logic (Thomas Munro)
Allow DSM allocation to be interrupted (Chris Travers)
Avoid failure in a parallel worker when loading an extension that tries to access system caches within its init function (Thomas Munro)
We don't consider that to be good extension coding practice, but it mostly worked before parallel query, so continue to support it for now.
Properly handle turning full_page_writes
on dynamically (Kyotaro Horiguchi)
Fix possible crash due to double free()
during SP-GiST rescan (Andrew Gierth)
Prevent mis-linking of src/port and src/common functions on ELF-based BSD platforms, as well as HP-UX and Solaris (Andrew Gierth, Tom Lane)
Shared libraries loaded into a backend's address space could use the backend's versions of these functions, rather than their own copies as intended. Since the behavior of the two sets of functions isn't quite the same, this led to failures.
Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)
Avoid overrun of a hash index's metapage when BLCKSZ
is smaller than default (Dilip Kumar)
Fix missed page checksum updates in hash indexes (Amit Kapila)
Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)
Fix unexpected timeouts when using wal_sender_timeout
on a slow server (Noah Misch)
Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
Ensure background workers are stopped properly when the postmaster receives a fast-shutdown request before completing database startup (Alexander Kukushkin)
Update the free space map during WAL replay of page all-visible/frozen flag changes (Ãlvaro Herrera)
Previously we were not careful about this, reasoning that the FSM is not critical data anyway. However, if it's sufficiently out of date, that can result in significant performance degradation after a standby has been promoted to primary. The FSM will eventually be healed by updates, but we'd like it to be good sooner, so work harder at maintaining it during WAL replay.
Avoid premature release of parallel-query resources when query end or tuple count limit is reached (Amit Kapila)
It's only okay to shut down the executor at this point if the caller cannot demand backwards scan afterwards.
Don't run atexit callbacks when servicing SIGQUIT
(Heikki Linnakangas)
Don't record foreign-server user mappings as members of extensions (Tom Lane)
If CREATE USER MAPPING
is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.
Make syslogger more robust against failures in opening CSV log files (Tom Lane)
When libpq is given multiple target host names, do the DNS lookups one at a time, not all at once (Tom Lane)
This prevents unnecessary failures or slow connections when a connection is successfully made to one of the earlier servers in the list.
Fix libpq's handling of connection timeouts so that they are properly applied per host name or IP address (Tom Lane)
Previously, some code paths failed to restart the timer when switching to a new target host, possibly resulting in premature timeout.
Fix psql, as well as documentation examples, to call PQconsumeInput()
before each PQnotifies()
call (Tom Lane)
This fixes cases in which psql would not report receipt of a NOTIFY
message until after the next command.
Fix pg_dump's --no-publications
option to also ignore publication tables (Gilles Darold)
In pg_dump, exclude identity sequences when their parent table is excluded from the dump (David Rowley)
Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
Ensure that pg_restore will schema-qualify the table name when emitting DISABLE
/ENABLE TRIGGER
commands (Tom Lane)
This avoids failures due to the new policy of running restores with restrictive search path.
Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
Enforce type cube
's dimension limit in all contrib/cube
functions (Andrey Borodin)
Previously, some cube-related functions could construct values that would be rejected by cube_in()
, leading to dump/reload failures.
In contrib/pg_stat_statements
, disallow the pg_read_all_stats
role from executing pg_stat_statements_reset()
(Haribabu Kommi)
pg_read_all_stats
is only meant to grant permission to read statistics, not to change them, so this grant was incorrect.
To cause this change to take effect, run ALTER EXTENSION pg_stat_statements UPDATE
in each database where pg_stat_statements
has been installed.
In contrib/postgres_fdw
, don't try to ship a variable-free ORDER BY
clause to the remote server (Andrew Gierth)
Fix contrib/unaccent
's unaccent()
function to use the unaccent
text search dictionary that is in the same schema as the function (Tom Lane)
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add an -isysroot
switch to CPPFLAGS
; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT
variable in the arguments of configure or make.
It is now recommended that Perl-related extensions write $(perl_includespec)
rather than -I$(perl_archlibexp)/CORE
in their compiler flags. The latter continues to work on most platforms, but not recent macOS.
Also, it should no longer be necessary to specify --with-tclconfig
manually to get PL/Tcl to build on recent macOS releases.
Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)
To do this safely, pg_regress now gives up any such privileges at startup.
Allow btree comparison functions to return INT_MIN
(Tom Lane)
Up to now, we've forbidden datatype-specific comparison functions from returning INT_MIN
, which allows callers to invert the sort order just by negating the comparison result. However, this was never safe for comparison functions that directly return the result of memcmp()
, strcmp()
, etc, as POSIX doesn't place any such restriction on those functions. At least some recent versions of memcmp()
can return INT_MIN
, causing incorrect sort ordering. Hence, we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT()
macro if they wish to invert the sort order.
Fix recursion hazard in shared-invalidation message processing (Tom Lane)
This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL
.
This change adds a new result code for LockAcquire
, which might possibly affect external callers of that function, though only very unusual usage patterns would have an issue with it. The API of LockAcquireExtended
is also changed.
Save and restore SPI's global variables during SPI_connect()
and SPI_finish()
(Chapman Flack, Tom Lane)
This prevents possible interference when one SPI-using function calls another.
Avoid using potentially-under-aligned page buffers (Tom Lane)
Invent new union types PGAlignedBlock
and PGAlignedXLogBlock
, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.
Make src/port/snprintf.c
follow the C99 standard's definition of snprintf()
's result value (Tom Lane)
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
When building on i386 with the clang compiler, require -msse2
to be used (Andres Freund)
This avoids problems with missed floating point overflow checks.
Fix configure's detection of the result type of strerror_r()
(Tom Lane)
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
Release date: 2018-08-09
This release contains a variety of fixes from 10.4. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.4, see Version 10.4.
Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink
or postgres_fdw
could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass
file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw
session are also possible. Attacking postgres_fdw
in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink
could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. CVE-2018-10915 or CVE-2018-10915)
Fix INSERT ... ON CONFLICT UPDATE
through a view that isn't just SELECT * FROM ...
(Dean Rasheed, Amit Langote)
Erroneous expansion of an updatable view could lead to crashes or “attribute ... has the wrong type†errors, if the view's SELECT
list doesn't match one-to-one with the underlying table's columns. Furthermore, this bug could be leveraged to allow updates of columns that an attacking user lacks UPDATE
privilege for, if that user has INSERT
and UPDATE
privileges for some other column(s) of the table. Any user could also use it for disclosure of server memory. CVE-2018-10925 or CVE-2018-10925)
Ensure that updates to the relfrozenxid
and relminmxid
values for “nailed†system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid
, because the stale cache data could persist into new sessions as well as existing ones.
Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Ãlvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
During WAL replay, guard against corrupted record lengths exceeding 1GB (Michael Paquier)
Treat such a case as corrupt data. Previously, the code would try to allocate space and get a hard error, making recovery impossible.
When ending recovery, delay writing the timeline history file as long as possible (Heikki Linnakangas)
This avoids some situations where a failure during recovery cleanup (such as a problem with a two-phase state file) led to inconsistent timeline state on-disk.
Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)
The code previously mis-detected whether or not it had caught up with the upstream server.
Ensure that a snapshot is provided when executing data type input functions in logical replication subscribers (Minh-Quan Tran, Ãlvaro Herrera)
This omission led to failures in some cases, such as domains with constraints using SQL-language functions.
Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Ãlvaro Herrera)
Add subtransaction handling in logical-replication table synchronization workers (Amit Khandekar, Robert Haas)
Previously, table synchronization could misbehave if any subtransactions were aborted after modifying a table being synchronized.
Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)
This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).
Pad arrays of unnamed POSIX semaphores to reduce cache line sharing (Thomas Munro)
This reduces contention on many-CPU systems, fixing a performance regression (compared to previous releases) on Linux and FreeBSD.
Ensure that a process doing a parallel index scan will respond to signals (Amit Kapila)
Previously, parallel workers could get stuck waiting for a lock on an index page, and not notice requests to abort the query.
Ensure that VACUUM
will respond to signals within btree page deletion loops (Andres Freund)
Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.
Fix hash-join costing mistake introduced with inner_unique optimization (David Rowley)
This could lead to bad plan choices in situations where that optimization was applicable.
Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
Fix planner to avoid “ORDER/GROUP BY expression not found in targetlist†errors in some queries with set-returning functions (Tom Lane)
Fix handling of partition keys whose data type uses a polymorphic btree operator class, such as arrays (Amit Langote, Ãlvaro Herrera)
Fix SQL-standard FETCH FIRST
syntax to allow parameters ($
), as the standard expects (Andrew Gierth)n
Remove undocumented restriction against duplicate partition key columns (Yugo Nagata)
Disallow temporary tables from being partitions of non-temporary tables (Amit Langote, Michael Paquier)
While previously allowed, this case didn't work reliably.
Fix EXPLAIN
's accounting for resource usage, particularly buffer accesses, in parallel workers (Amit Kapila, Robert Haas)
Fix SHOW ALL
to show all settings to roles that are members of pg_read_all_settings
, and also allow such roles to see source filename and line number in the pg_settings
view (Laurenz Albe, Ãlvaro Herrera)
Fix failure to schema-qualify some object names in getObjectDescription
and getObjectIdentity
output (Kyotaro Horiguchi, Tom Lane)
Names of collations, conversions, text search objects, publication relations, and extended statistics objects were not schema-qualified when they should be.
Fix CREATE AGGREGATE
type checking so that parallelism support functions can be attached to variadic aggregates (Alexey Bashtanov)
Widen COPY FROM
's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER
would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
Allow replication slots to be dropped in single-user mode (Ãlvaro Herrera)
This use-case was accidentally broken in release 10.0.
Fix incorrect results from variance(int4)
and related aggregates when run in parallel aggregation mode (David Rowley)
Process TEXT
and CDATA
nodes correctly in xmltable()
column expressions (Markus Winand)
Cope with possible failure of OpenSSL's RAND_bytes()
function (Dean Rasheed, Michael Paquier)
Under rare circumstances, this oversight could result in “could not generate random cancel key†failures that could only be resolved by restarting the postmaster.
Fix libpq's handling of some cases where hostaddr
is specified (Hari Babu, Tom Lane, Robert Haas)
PQhost()
gave misleading or incorrect results in some cases. Now, it uniformly returns the host name if specified, or the host address if only that is specified, or the default host name (typically /tmp
or localhost
) if both parameters are omitted.
Also, the wrong value might be compared to the server name when verifying an SSL certificate.
Also, the wrong value might be compared to the host name field in ~/.pgpass
. Now, that field is compared to the host name if specified, or the host address if only that is specified, or localhost
if both parameters are omitted.
Also, an incorrect error message was reported for an unparseable hostaddr
value.
Also, when the host
, hostaddr
, or port
parameters contain comma-separated lists, libpq is now more careful to treat empty elements of a list as selecting the default behavior.
Add a string freeing function to ecpg's pgtypes
library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free
call for a given chunk of memory is not made from the same DLL that malloc
'ed the memory. The pgtypes
library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free()
function that just wraps free
, allowing applications to follow this rule.
Fix ecpg's support for long long
variables on Windows, as well as other platforms that declare strtoll
/strtoull
nonstandardly or not at all (Dang Minh Huong, Tom Lane)
Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT
option as expected.
Fix password prompting in client programs so that echo is properly disabled on Windows when stdin
is not the terminal (Matthew Stickney)
Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path
and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
Fix pg_dump's failure to dump REPLICA IDENTITY
properties for constraint indexes (Tom Lane)
Manually created unique indexes were properly marked, but not those created by declaring UNIQUE
or PRIMARY KEY
constraints.
Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
Fix contrib/hstore_plperl
to look through Perl scalar references, and to not crash if it doesn't find a hash reference where it expects one (Tom Lane)
Fix crash in contrib/ltree
's lca()
function when the input array is empty (Pierre Ducroquet)
Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so
) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of “daylight savings†in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst
column in the pg_timezone_names
view will now be true in winter and false in summer in these cases.
Release date: 2018-05-10
This release contains a variety of fixes from 10.3. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you use the adminpack
extension, you should update it as per the first changelog entry below.
Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs.
Also, if you are upgrading from a version earlier than 10.3, see Version 10.3.
Remove public execute privilege from contrib/adminpack
's pg_logfile_rotate()
function (Stephen Frost)
pg_logfile_rotate()
is a deprecated wrapper for the core function pg_rotate_logfile()
. When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate()
should have been updated as well, but the need for this was missed. Hence, if adminpack
is installed, any user could request a logfile rotation, creating a minor security issue.
After installing this update, administrators should update adminpack
by performing ALTER EXTENSION adminpack UPDATE
in each database in which adminpack
is installed. CVE-2018-1115 or CVE-2018-1115)
Fix incorrect volatility markings on a few built-in functions (Thomas Munro, Tom Lane)
The functions query_to_xml
, cursor_to_xml
, cursor_to_xmlschema
, query_to_xmlschema
, and query_to_xml_and_xmlschema
should be marked volatile because they execute user-supplied queries that might contain volatile operations. They were not, leading to a risk of incorrect query optimization. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard, but in case of trouble, it can be fixed by manually updating these functions' pg_proc
entries, for example ALTER FUNCTION pg_catalog.query_to_xml(text, boolean, boolean, text) VOLATILE
. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data.
Fix incorrect parallel-safety markings on a few built-in functions (Thomas Munro, Tom Lane)
The functions brin_summarize_new_values
, brin_summarize_range
, brin_desummarize_range
, gin_clean_pending_list
, cursor_to_xml
, cursor_to_xmlschema
, ts_rewrite
, ts_stat
, binary_upgrade_create_empty_extension
, and pg_import_system_collations
should be marked parallel-unsafe; some because they perform database modifications directly, and others because they execute user-supplied queries that might do so. They were marked parallel-restricted instead, leading to a risk of unexpected query errors. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard unless force_parallel_mode
is turned on. In case of trouble, it can be fixed by manually updating these functions' pg_proc
entries, for example ALTER FUNCTION pg_catalog.brin_summarize_new_values(regclass) PARALLEL UNSAFE
. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data.
Avoid re-using TOAST value OIDs that match dead-but-not-yet-vacuumed TOAST entries (Pavan Deolasee)
Once the OID counter has wrapped around, it's possible to assign a TOAST value whose OID matches a previously deleted entry in the same TOAST table. If that entry were not yet vacuumed away, this resulted in “unexpected chunk number 0 (expected 1) for toast value nnnnn
†errors, which would persist until the dead entry was removed by VACUUM
. Fix by not selecting such OIDs when creating a new TOAST entry.
Correctly enforce any CHECK
constraints on individual partitions during COPY
to a partitioned table (Etsuro Fujita)
Previously, only constraints declared for the partitioned table as a whole were checked.
Accept TRUE
and FALSE
as partition bound values (Amit Langote)
Previously, only string-literal values were accepted for a boolean partitioning column. But then pg_dump would print such values as TRUE
or FALSE
, leading to dump/reload failures.
Fix memory management for partition key comparison functions (Ãlvaro Herrera, Amit Langote)
This error could lead to crashes when using user-defined operator classes for partition keys.
Fix possible crash when a query inserts tuples in several partitions of a partitioned table, and those partitions don't have identical row types (Etsuro Fujita, Amit Langote)
Change ANALYZE
's algorithm for updating pg_class
.reltuples
(David Gould)
Previously, pages not actually scanned by ANALYZE
were assumed to retain their old tuple density. In a large table where ANALYZE
samples only a small fraction of the pages, this meant that the overall tuple density estimate could not change very much, so that reltuples
would change nearly proportionally to changes in the table's physical size (relpages
) regardless of what was actually happening in the table. This has been observed to result in reltuples
becoming so much larger than reality as to effectively shut off autovacuuming. To fix, assume that ANALYZE
's sample is a statistically unbiased sample of the table (as it should be), and just extrapolate the density observed within those pages to the whole table.
Include extended-statistics objects in the set of table properties duplicated by CREATE TABLE ... LIKE ... INCLUDING ALL
(David Rowley)
Also add an INCLUDING STATISTICS
option, to allow finer-grained control over whether this happens.
Fix CREATE TABLE ... LIKE
with bigint
identity columns (Peter Eisentraut)
On platforms where long
is 32 bits (which includes 64-bit Windows as well as most 32-bit machines), copied sequence parameters would be truncated to 32 bits.
Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY
commands that are run under SERIALIZABLE
or REPEATABLE READ
transaction isolation (Tom Lane)
Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY
(Thomas Munro)
Fix UPDATE/DELETE ... WHERE CURRENT OF
to not fail when the referenced cursor uses an index-only-scan plan (Yugo Nagata, Tom Lane)
Fix incorrect planning of join clauses pushed into parameterized paths (Andrew Gierth, Tom Lane)
This error could result in misclassifying a condition as a “join filter†for an outer join when it should be a plain “filter†condition, leading to incorrect join output.
Fix possibly incorrect generation of an index-only-scan plan when the same table column appears in multiple index columns, and only some of those index columns use operator classes that can return the column value (Kyotaro Horiguchi)
Fix misoptimization of CHECK
constraints having provably-NULL subclauses of top-level AND
/OR
conditions (Tom Lane, Dean Rasheed)
This could, for example, allow constraint exclusion to exclude a child table that should not be excluded from a query.
Prevent planner crash when a query has multiple GROUPING SETS
, none of which can be implemented by sorting (Andrew Gierth)
Fix executor crash due to double free in some GROUPING SETS
usages (Peter Geoghegan)
Fix misexecution of self-joins on transition tables (Thomas Munro)
Avoid crash if a table rewrite event trigger is added concurrently with a command that could call such a trigger (Ãlvaro Herrera, Andrew Gierth, Tom Lane)
Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction (Stas Kelvich)
Fix query-lifespan memory leakage in repeatedly executed hash joins (Tom Lane)
Fix possible leak or double free of visibility map buffer pins (Amit Kapila)
Avoid spuriously marking pages as all-visible (Dan Wood, Pavan Deolasee, Ãlvaro Herrera)
This could happen if some tuples were locked (but not deleted). While queries would still function correctly, vacuum would normally ignore such pages, with the long-term effect that the tuples were never frozen. In recent releases this would eventually result in errors such as “found multixact nnnnn
from before relminmxid nnnnn
â€.
Fix overly strict sanity check in heap_prepare_freeze_tuple
(Ãlvaro Herrera)
This could result in incorrect “cannot freeze committed xmax†failures in databases that have been pg_upgrade'd from 9.2 or earlier.
Prevent dangling-pointer dereference when a C-coded before-update row trigger returns the “old†tuple (Rushabh Lathia)
Reduce locking during autovacuum worker scheduling (Jeff Janes)
The previous behavior caused drastic loss of potential worker concurrency in databases with many tables.
Ensure client hostname is copied while copying pg_stat_activity
data to local memory (Edmund Horner)
Previously the supposedly-local snapshot contained a pointer into shared memory, allowing the client hostname column to change unexpectedly if any existing session disconnected.
Handle pg_stat_activity
information for auxiliary processes correctly (Edmund Horner)
The application_name
, client_hostname
, and query
fields might show incorrect data for such processes.
Fix incorrect processing of multiple compound affixes in ispell
dictionaries (Arthur Zakirov)
Fix collation-aware searches (that is, indexscans using inequality operators) in SP-GiST indexes on text columns (Tom Lane)
Such searches would return the wrong set of rows in most non-C locales.
Prevent query-lifespan memory leakage with SP-GiST operator classes that use traversal values (Anton Dignös)
Count the number of index tuples correctly during initial build of an SP-GiST index (Tomas Vondra)
Previously, the tuple count was reported to be the same as that of the underlying table, which is wrong if the index is partial.
Count the number of index tuples correctly during vacuuming of a GiST index (Andrey Borodin)
Previously it reported the estimated number of heap tuples, which might be inaccurate, and is certainly wrong if the index is partial.
Fix a corner case where a streaming standby gets stuck at a WAL continuation record (Kyotaro Horiguchi)
In logical decoding, avoid possible double processing of WAL data when a walsender restarts (Craig Ringer)
Fix logical replication to not assume that type OIDs match between the local and remote servers (Masahiko Sawada)
Allow scalarltsel
and scalargtsel
to be used on non-core datatypes (Tomas Vondra)
Reduce libpq's memory consumption when a server error is reported after a large amount of query output has been collected (Tom Lane)
Discard the previous output before, not after, processing the error message. On some platforms, notably Linux, this can make a difference in the application's subsequent memory footprint.
Fix double-free crashes in ecpg (Patrick Krecker, Jeevan Ladhe)
Fix ecpg to handle long long int
variables correctly in MSVC builds (Michael Meskes, Andrew Gierth)
Fix mis-quoting of values for list-valued GUC variables in dumps (Michael Paquier, Tom Lane)
The local_preload_libraries
, session_preload_libraries
, shared_preload_libraries
, and temp_tablespaces
variables were not correctly quoted in pg_dump output. This would cause problems if settings for these variables appeared in CREATE FUNCTION ... SET
or ALTER DATABASE/ROLE ... SET
clauses.
Fix pg_recvlogical to not fail against pre-v10 PostgreSQL servers (Michael Paquier)
A previous fix caused pg_recvlogical to issue a command regardless of server version, but it should only be issued to v10 and later servers.
Ensure that pg_rewind deletes files on the target server if they are deleted from the source server during the run (Takayuki Tsunakawa)
Failure to do this could result in data inconsistency on the target, particularly if the file in question is a WAL segment.
Fix pg_rewind to handle tables in non-default tablespaces correctly (Takayuki Tsunakawa)
Fix overflow handling in PL/pgSQL integer FOR
loops (Tom Lane)
The previous coding failed to detect overflow of the loop variable on some non-gcc compilers, leading to an infinite loop.
Adjust PL/Python regression tests to pass under Python 3.7 (Peter Eisentraut)
Support testing PL/Python and related modules when building with Python 3 and MSVC (Andrew Dunstan)
Fix errors in initial build of contrib/bloom
indexes (Tomas Vondra, Tom Lane)
Fix possible omission of the table's last tuple from the index. Count the number of index tuples correctly, in case it is a partial index.
Rename internal b64_encode
and b64_decode
functions to avoid conflict with Solaris 11.4 built-in functions (Rainer Orth)
Sync our copy of the timezone library with IANA tzcode release 2018e (Tom Lane)
This fixes the zic timezone data compiler to cope with negative daylight-savings offsets. While the PostgreSQL project will not immediately ship such timezone data, zic might be used with timezone data obtained directly from IANA, so it seems prudent to update zic now.
Update time zone data files to tzdata release 2018d for DST law changes in Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.
Release date: 2018-03-01
This release contains a variety of fixes from 10.2. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 10.2, see Version 10.2.
Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
Using a search_path
setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. Relevant documentation appears in Section 5.8.6 (for database administrators and users), Section 33.1 (for application authors), Section 37.15.6 (for extension authors), and CREATE FUNCTION (for authors of SECURITY DEFINER
functions). CVE-2018-1058 or CVE-2018-1058)
Avoid use of insecure search_path
settings in pg_dump and other client programs (Noah Misch, Tom Lane)
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog
schema in their search_path
settings. Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly executed by these programs — for example, user-provided functions in index expressions — the tighter search_path
may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. CVE-2018-1058 or CVE-2018-1058)
Prevent logical replication from trying to ship changes for unpublishable relations (Peter Eisentraut)
A publication marked FOR ALL TABLES
would incorrectly ship changes in materialized views and information_schema
tables, which are supposed to be omitted from the change stream.
Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
If a CTE (WITH
clause reference) is used in an InitPlan or SubPlan, and the query requires a recheck due to trying to update or lock a concurrently-updated row, incorrect results could be obtained.
Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to “left and right pathkeys do not match in mergejoin†or “outer pathkeys do not match mergeclauses†planner errors in corner cases.
Repair pg_upgrade's failure to preserve relfrozenxid
for materialized views (Tom Lane, Andres Freund)
This oversight could lead to data corruption in materialized views after an upgrade, manifesting as “could not access status of transaction†or “found xmin from before relfrozenxid†errors. The problem would be more likely to occur in seldom-refreshed materialized views, or ones that were maintained only with REFRESH MATERIALIZED VIEW CONCURRENTLY
.
If such corruption is observed, it can be repaired by refreshing the materialized view (without CONCURRENTLY
).
Fix incorrect pg_dump output for some non-default sequence limit values (Alexey Bashtanov)
Fix pg_dump's mishandling of STATISTICS
objects (Tom Lane)
An extended statistics object's schema was mislabeled in the dump's table of contents, possibly leading to the wrong results in a schema-selective restore. Its ownership was not correctly restored, either. Also, change the logic so that statistics objects are dumped/restored, or not, as independent objects rather than tying them to the dump/restore decision for the table they are on. The original definition could not scale to the planned future extension to cross-table statistics.
Fix incorrect reporting of PL/Python function names in error CONTEXT
stacks (Tom Lane)
An error occurring within a nested PL/Python function call (that is, one reached via a SPI query from another PL/Python function) would result in a stack trace showing the inner function's name twice, rather than the expected results. Also, an error in a nested PL/Python DO
block could result in a null pointer dereference crash on some platforms.
Allow contrib/auto_explain
's log_min_duration
setting to range up to INT_MAX
, or about 24 days instead of 35 minutes (Tom Lane)
Mark assorted GUC variables as PGDLLIMPORT
, to ease porting extension modules to Windows (Metin Doslu)
Release date: 2018-02-08
This release contains a variety of fixes from 10.1. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you use contrib/cube
's ~>
operator, see the entry below about that.
Also, if you are upgrading from a version earlier than 10.1, see Version 10.1.
Fix processing of partition keys containing multiple expressions (Ãlvaro Herrera, David Rowley)
This error led to crashes or, with carefully crafted input, disclosure of arbitrary backend memory. CVE-2018-1052 or CVE-2018-1052)
Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)
pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g
output would be group- or world-readable, or even writable, if the user's umask
setting allows. In typical usage on multi-user machines, the umask
and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. CVE-2018-1053 or CVE-2018-1053)
Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Ãlvaro Herrera)
In some cases VACUUM
would fail to remove such tuples even though they are now dead, leading to assorted data corruption scenarios.
Fix failure to mark a hash index's metapage dirty after adding a new overflow page, potentially leading to index corruption (Lixian Zou, Amit Kapila)
Ensure that vacuum will always clean up the pending-insertions list of a GIN index (Masahiko Sawada)
This is necessary to ensure that dead index entries get removed. The old code got it backwards, allowing vacuum to skip the cleanup if some other process were running cleanup concurrently, thus risking invalid entries being left behind in the index.
Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)
These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.
Fix incorrect query results from cases involving flattening of subqueries whose outputs are used in GROUPING SETS
(Heikki Linnakangas)
Fix handling of list partitioning constraints for partition keys of boolean or array types (Amit Langote)
Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT
(Tom Lane)
Fix spurious deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY
(Jeff Janes)
During VACUUM FULL
, update the table's size fields in pg_class
sooner (Amit Kapila)
This prevents poor behavior when rebuilding hash indexes on the table, since those use the pg_class
statistics to govern the initial hash size.
Fix UNION
/INTERSECT
/EXCEPT
over zero columns (Tom Lane)
Disallow identity columns on typed tables and partitions (Michael Paquier)
These cases will be treated as unsupported features for now.
Fix assorted failures to apply the correct default value when inserting into an identity column (Michael Paquier, Peter Eisentraut)
In several contexts, notably COPY
and ALTER TABLE ADD COLUMN
, the expected default value was not applied and instead a null value was inserted.
Fix failures when an inheritance tree contains foreign child tables (Etsuro Fujita)
A mix of regular and foreign tables in an inheritance tree resulted in creation of incorrect plans for UPDATE
and DELETE
queries. This led to visible failures in some cases, notably when there are row-level triggers on a foreign child table.
Repair failure with correlated sub-SELECT
inside VALUES
inside a LATERAL
subquery (Tom Lane)
Fix “could not devise a query plan for the given query†planner failure for some cases involving nested UNION ALL
inside a lateral subquery (Tom Lane)
Allow functional dependency statistics to be used for boolean columns (Tom Lane)
Previously, although extended statistics could be declared and collected on boolean columns, the planner failed to apply them.
Avoid underestimating the number of groups emitted by subqueries containing set-returning functions in their grouping columns (Tom Lane)
Cases similar to SELECT DISTINCT unnest(foo)
got a lower output rowcount estimate in 10.0 than they did in earlier releases, possibly resulting in unfavorable plan choices. Restore the prior estimation behavior.
Fix use of triggers in logical replication workers (Petr Jelinek)
Fix logical decoding to correctly clean up disk files for crashed transactions (Atsushi Torikoshi)
Logical decoding may spill WAL records to disk for transactions generating many WAL records. Normally these files are cleaned up after the transaction's commit or abort record arrives; but if no such record is ever seen, the removal code misbehaved.
Fix walsender timeout failure and failure to respond to interrupts when processing a large transaction (Petr Jelinek)
Fix race condition during replication origin drop that could allow the dropping process to wait indefinitely (Tom Lane)
Allow members of the pg_read_all_stats
role to see walsender statistics in the pg_stat_replication
view (Feike Steenbergen)
Show walsenders that are sending base backups as active in the pg_stat_activity
view (Magnus Hagander)
Fix reporting of scram-sha-256
authentication method in the pg_hba_file_rules
view (Michael Paquier)
Previously this was printed as scram-sha256
, possibly confusing users as to the correct spelling.
Fix has_sequence_privilege()
to support WITH GRANT OPTION
tests, as other privilege-testing functions do (Joe Conway)
In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)
We always store XML strings in the database encoding, so allowing libxml to act on a declaration of another encoding gave wrong results. In encodings other than UTF8, we don't promise to support non-ASCII XML data anyway, so retain the previous behavior for bug compatibility. This change affects only xpath()
and related functions; other XML code paths already acted this way.
Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)
Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.
Allow a client that supports SCRAM channel binding (such as v11 or later libpq) to connect to a v10 server (Michael Paquier)
v10 does not have this feature, and the connection-time negotiation about whether to use it was done incorrectly.
Avoid live-lock in ConditionVariableBroadcast()
(Tom Lane, Thomas Munro)
Given repeatedly-unlucky timing, a process attempting to awaken all waiters for a condition variable could loop indefinitely. Due to the limited usage of condition variables in v10, this affects only parallel index scans and some operations on replication slots.
Clean up waits for condition variables correctly during subtransaction abort (Robert Haas)
Ensure that child processes that are waiting for a condition variable will exit promptly if the postmaster process dies (Tom Lane)
Fix crashes in parallel queries using more than one Gather node (Thomas Munro)
Fix hang in parallel index scan when processing a deleted or half-dead index page (Amit Kapila)
Avoid crash if parallel bitmap heap scan is unable to allocate a shared memory segment (Robert Haas)
Cope with failure to start a parallel worker process (Amit Kapila, Robert Haas)
Parallel query previously tended to hang indefinitely if a worker could not be started, as the result of fork()
failure or other low-probability problems.
Avoid unnecessary failure when no parallel workers can be obtained during parallel query startup (Robert Haas)
Fix collection of EXPLAIN
statistics from parallel workers (Amit Kapila, Thomas Munro)
Ensure that query strings passed to parallel workers are correctly null-terminated (Thomas Munro)
This prevents emitting garbage in postmaster log output from such workers.
Avoid unsafe alignment assumptions when working with __int128
(Tom Lane)
Typically, compilers assume that __int128
variables are aligned on 16-byte boundaries, but our memory allocation infrastructure isn't prepared to guarantee that, and increasing the setting of MAXALIGN seems infeasible for multiple reasons. Adjust the code to allow use of __int128
only when we can tell the compiler to assume lesser alignment. The only known symptom of this problem so far is crashes in some parallel aggregation queries.
Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION
/INTERSECT
/EXCEPT
) (Tom Lane)
Avoid crash during an EvalPlanQual recheck of an indexscan that is the inner child of a merge join (Tom Lane)
This could only happen during an update or SELECT FOR UPDATE
of a join, when there is a concurrent update of some selected row.
Fix crash in autovacuum when extended statistics are defined for a table but can't be computed (Ãlvaro Herrera)
Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf
(Thomas Munro)
Prevent out-of-memory failures due to excessive growth of simple hash tables (Tomas Vondra, Andres Freund)
Fix sample INSTR()
functions in the PL/pgSQL documentation (Yugo Nagata, Tom Lane)
These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.
The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.
Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)
The “tag†portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE
so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT
. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.
Note that this change has user-visible results in the output of pg_restore --list
.
Rename pg_rewind's copy_file_range
function to avoid conflict with new Linux system call of that name (Andres Freund)
This change prevents build failures with newer glibc versions.
In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)
Change the behavior of contrib/cube
's cube
~>
int
operator to make it compatible with KNN search (Alexander Korotkov)
The meaning of the second argument (the dimension selector) has been changed to make it predictable which value is selected even when dealing with cubes of varying dimensionalities.
This is an incompatible change, but since the point of the operator was to be used in KNN searches, it seems rather useless as-is. After installing this update, any expression indexes or materialized views using this operator will need to be reindexed/refreshed.
Avoid triggering a libc assertion in contrib/hstore
, due to use of memcpy()
with equal source and destination pointers (Tomas Vondra)
Fix incorrect display of tuples' null bitmaps in contrib/pageinspect
(Maksim Milyutin)
Fix incorrect output from contrib/pageinspect
's hash_page_items()
function (Masahiko Sawada)
In contrib/postgres_fdw
, avoid “outer pathkeys do not match mergeclauses†planner error when constructing a plan involving a remote join (Robert Haas)
In contrib/postgres_fdw
, avoid planner failure when there are duplicate GROUP BY
entries (Jeevan Chalke)
Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)
The scripts in contrib/start-scripts/osx
use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos
containing scripts that use the newer launchd infrastructure.
Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)
Support linking to MinGW-built versions of libperl (Noah Misch)
This allows building PL/Perl with some common Perl distributions for Windows.
Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T
(Noah Misch)
Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.
On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)
This may allow collection of a core dump for some early-startup failures that did not produce a dump before.
On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)
Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)
Add support for spinlocks on Motorola 88K (David Carlier)
Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New
zone has been removed (it was only an alias for America/Los_Angeles
anyway).
Release date: 2017-11-09
This release contains a variety of fixes from 10.0. For information about new features in major release 10, see Version 10.0.
A dump/restore is not required for those running 10.X.
However, if you use BRIN indexes, see the fourth changelog entry below.
Ensure that INSERT ... ON CONFLICT DO UPDATE
checks table permissions and RLS policies in all cases (Dean Rasheed)
The update path of INSERT ... ON CONFLICT DO UPDATE
requires SELECT
permission on the columns of the arbiter index, but it failed to check for that in the case of an arbiter specified by constraint name. In addition, for a table with row level security enabled, it failed to check updated rows against the table's SELECT
policies (regardless of how the arbiter index was specified). CVE-2017-15099 or CVE-2017-15099)
Fix crash due to rowtype mismatch in json{b}_populate_recordset()
(Michael Paquier, Tom Lane)
These functions used the result rowtype specified in the FROM ... AS
clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. CVE-2017-15098 or CVE-2017-15098)
Fix sample server-start scripts to become $PGUSER
before opening $PGLOG
(Noah Misch)
Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG
be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG
file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. CVE-2017-12172 or CVE-2017-12172)
Fix BRIN index summarization to handle concurrent table extension correctly (Ãlvaro Herrera)
Previously, a race condition allowed some table rows to be omitted from the index. It may be necessary to reindex existing BRIN indexes to recover from past occurrences of this problem.
Fix possible failures during concurrent updates of a BRIN index (Tom Lane)
These race conditions could result in errors like “invalid index offnum†or “inconsistent range mapâ€.
Prevent logical replication from setting non-replicated columns to nulls when replicating an UPDATE
(Petr Jelinek)
Fix logical replication to fire BEFORE ROW DELETE
triggers when expected (Masahiko Sawada)
Previously, that failed to happen unless the table also had a BEFORE ROW UPDATE
trigger.
Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)
Ignore CTEs when looking up the target table for INSERT
/UPDATE
/DELETE
, and prevent matching schema-qualified target table names to trigger transition table names (Thomas Munro)
This restores the pre-v10 behavior for CTEs attached to DML commands.
Avoid evaluating an aggregate function's argument expression(s) at rows where its FILTER
test fails (Tom Lane)
This restores the pre-v10 (and SQL-standard) behavior.
Fix incorrect query results when multiple GROUPING SETS
columns contain the same simple variable (Tom Lane)
Fix query-lifespan memory leakage while evaluating a set-returning function in a SELECT
's target list (Tom Lane)
Allow parallel execution of prepared statements with generic plans (Amit Kapila, Kuntal Ghosh)
Fix incorrect parallelization decisions for nested queries (Amit Kapila, Kuntal Ghosh)
Fix parallel query handling to not fail when a recently-used role is dropped (Amit Kapila)
Fix crash in parallel execution of a bitmap scan having a BitmapAnd plan node below a BitmapOr node (Dilip Kumar)
Fix json_build_array()
, json_build_object()
, and their jsonb
equivalents to handle explicit VARIADIC
arguments correctly (Michael Paquier)
Fix autovacuum's “work item†logic to prevent possible crashes and silent loss of work items (Ãlvaro Herrera)
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Record proper dependencies when a view or rule contains FieldSelect
or FieldStore
expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data type DROP
to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.
Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
Correctly ignore RelabelType
expression nodes when examining functional-dependency statistics (David Rowley)
This allows, e.g., extended statistics on varchar
columns to be used properly.
Prevent sharing transition states between ordered-set aggregates (David Rowley)
This causes a crash with the built-in ordered-set aggregates, and probably with user-written ones as well. v11 and later will include provisions for dealing with such cases safely, but in released branches, just disable the optimization.
Prevent idle_in_transaction_session_timeout
from being ignored when a statement_timeout
occurred earlier (Lukas Fittl)
Fix low-probability loss of NOTIFY
messages due to XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
Reduce the frequency of data flush requests during bulk file copies to avoid performance problems on macOS, particularly with its new APFS file system (Tom Lane)
Allow COPY
's FREEZE
option to work when the transaction isolation level is REPEATABLE READ
or higher (Noah Misch)
This case was unintentionally broken by a previous bug fix.
Fix AggGetAggref()
to return the correct Aggref
nodes to aggregate final functions whose transition calculations have been merged (Tom Lane)
Fix insufficient schema-qualification in some new queries in pg_dump and psql (Vitaly Burovoy, Tom Lane, Noah Misch)
Avoid use of @>
operator in psql's queries for \d
(Tom Lane)
This prevents problems when the parray_gin extension is installed, since that defines a conflicting operator.
Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing (Michael Paquier)
This is particularly helpful on Windows.
Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to read ~/.pgpass
was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf
, though this was less obvious since that file is not sought unless a service name is specified.
In ecpglib, correctly handle backslashes in string literals depending on whether standard_conforming_strings
is set (Tsunakawa Takayuki)
Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
Fix missing temp-install prerequisites for check
-like Make targets (Noah Misch)
Some non-default test procedures that are meant to work like make check
failed to ensure that the temporary installation was up to date.
Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
In the documentation, restore HTML anchors to being upper-case strings (Peter Eisentraut)
Due to a toolchain change, the 10.0 user manual had lower-case strings for intrapage anchors, thus breaking some external links into our website documentation. Return to our previous convention of using upper-case strings.
Release date: 2017-10-05
Major enhancements in PostgreSQL 10 include:
Logical replication using publish/subscribe
Declarative table partitioning
Improved query parallelism
Significant general performance improvements
Stronger password authentication based on SCRAM-SHA-256
Improved monitoring and control
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.
Version 10 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Hash indexes must be rebuilt after pg_upgrade-ing from any previous major PostgreSQL version (Mithun Cy, Robert Haas, Amit Kapila)
Major hash index improvements necessitated this requirement. pg_upgrade will create a script to assist with this.
Rename write-ahead log directory pg_xlog
to pg_wal
, and rename transaction status directory pg_clog
to pg_xact
(Michael Paquier)
Users have occasionally thought that these directories contained only inessential log files, and proceeded to remove write-ahead log files or transaction status files manually, causing irrecoverable data loss. These name changes are intended to discourage such errors in future.
Rename SQL functions, tools, and options that reference “xlog†to “wal†(Robert Haas)
For example, pg_switch_xlog()
becomes pg_switch_wal()
, pg_receivexlog becomes pg_receivewal, and --xlogdir
becomes --waldir
. This is for consistency with the change of the pg_xlog
directory name; in general, the “xlog†terminology is no longer used in any user-facing places.
Rename WAL-related functions and views to use lsn
instead of location
(David Rowley)
There was previously an inconsistent mixture of the two terminologies.
Change the implementation of set-returning functions appearing in a query's SELECT
list (Andres Freund)
Set-returning functions are now evaluated before evaluation of scalar expressions in the SELECT
list, much as though they had been placed in a LATERAL FROM
-clause item. This allows saner semantics for cases where multiple set-returning functions are present. If they return different numbers of rows, the shorter results are extended to match the longest result by adding nulls. Previously the results were cycled until they all terminated at the same time, producing a number of rows equal to the least common multiple of the functions' periods. In addition, set-returning functions are now disallowed within CASE
and COALESCE
constructs. For more information see Section 37.4.8.
Use standard row constructor syntax in UPDATE ... SET (
(Tom Lane)column_list
) = row_constructor
The row_constructor
can now begin with the keyword ROW
; previously that had to be omitted. If just one column name appears in the column_list
, then the row_constructor
now must use the ROW
keyword, since otherwise it is not a valid row constructor but just a parenthesized expression. Also, an occurrence of
within the table_name
.*row_constructor
is now expanded into multiple columns, as occurs in other uses of row_constructor
s.
When ALTER TABLE ... ADD PRIMARY KEY
marks columns NOT NULL
, that change now propagates to inheritance child tables as well (Michael Paquier)
Prevent statement-level triggers from firing more than once per statement (Tom Lane)
Cases involving writable CTEs updating the same table updated by the containing statement, or by another writable CTE, fired BEFORE STATEMENT
or AFTER STATEMENT
triggers more than once. Also, if there were statement-level triggers on a table affected by a foreign key enforcement action (such as ON DELETE CASCADE
), they could fire more than once per outer SQL statement. This is contrary to the SQL standard, so change it.
Move sequences' metadata fields into a new pg_sequence
system catalog (Peter Eisentraut)
A sequence relation now stores only the fields that can be modified by nextval()
, that is last_value
, log_cnt
, and is_called
. Other sequence properties, such as the starting value and increment, are kept in a corresponding row of the pg_sequence
catalog. ALTER SEQUENCE
updates are now fully transactional, implying that the sequence is locked until commit. The nextval()
and setval()
functions remain nontransactional.
The main incompatibility introduced by this change is that selecting from a sequence relation now returns only the three fields named above. To obtain the sequence's other properties, applications must look into pg_sequence
. The new system view pg_sequences
can also be used for this purpose; it provides column names that are more compatible with existing code.
Also, sequences created for SERIAL
columns now generate positive 32-bit wide values, whereas previous versions generated 64-bit wide values. This has no visible effect if the values are only stored in a column.
The output of psql's \d
command for a sequence has been redesigned, too.
Make pg_basebackup stream the WAL needed to restore the backup by default (Magnus Hagander)
This changes pg_basebackup's -X
/--wal-method
default to stream
. An option value none
has been added to reproduce the old behavior. The pg_basebackup option -x
has been removed (instead, use -X fetch
).
Change how logical replication uses pg_hba.conf
(Peter Eisentraut)
In previous releases, a logical replication connection required the replication
keyword in the database column. As of this release, logical replication matches a normal entry with a database name or keywords such as all
. Physical replication continues to use the replication
keyword. Since built-in logical replication is new in this release, this change only affects users of third-party logical replication plugins.
Make all pg_ctl actions wait for completion by default (Peter Eisentraut)
Previously some pg_ctl actions didn't wait for completion, and required the use of -w
to do so.
Change the default value of the log_directory server parameter from pg_log
to log
(Andreas Karlsson)
Add configuration option ssl_dh_params_file to specify file name for custom OpenSSL DH parameters (Heikki Linnakangas)
This replaces the hardcoded, undocumented file name dh1024.pem
. Note that dh1024.pem
is no longer examined by default; you must set this option if you want to use custom DH parameters.
Increase the size of the default DH parameters used for OpenSSL ephemeral DH ciphers to 2048 bits (Heikki Linnakangas)
The size of the compiled-in DH parameters has been increased from 1024 to 2048 bits, making DH key exchange more resistant to brute-force attacks. However, some old SSL implementations, notably some revisions of Java Runtime Environment version 6, will not accept DH parameters longer than 1024 bits, and hence will not be able to connect over SSL. If it's necessary to support such old clients, you can use custom 1024-bit DH parameters instead of the compiled-in defaults. See ssl_dh_params_file.
Remove the ability to store unencrypted passwords on the server (Heikki Linnakangas)
The password_encryption server parameter no longer supports off
or plain
. The UNENCRYPTED
option is no longer supported in CREATE/ALTER USER ... PASSWORD
. Similarly, the --unencrypted
option has been removed from createuser. Unencrypted passwords migrated from older versions will be stored encrypted in this release. The default setting for password_encryption
is still md5
.
Add min_parallel_table_scan_size and min_parallel_index_scan_size server parameters to control parallel queries (Amit Kapila, Robert Haas)
These replace min_parallel_relation_size
, which was found to be too generic.
Don't downcase unquoted text within shared_preload_libraries and related server parameters (QL Zhuo)
These settings are really lists of file names, but they were previously treated as lists of SQL identifiers, which have different parsing rules.
Remove sql_inheritance
server parameter (Robert Haas)
Changing this setting from the default value caused queries referencing parent tables to not include child tables. The SQL standard requires them to be included, however, and this has been the default since PostgreSQL 7.1.
Allow multi-dimensional arrays to be passed into PL/Python functions, and returned as nested Python lists (Alexey Grishchenko, Dave Cramer, Heikki Linnakangas)
This feature requires a backwards-incompatible change to the handling of arrays of composite types in PL/Python. Previously, you could return an array of composite values by writing, e.g., [[col1, col2], [col1, col2]]
; but now that is interpreted as a two-dimensional array. Composite types in arrays must now be written as Python tuples, not lists, to resolve the ambiguity; that is, write [(col1, col2), (col1, col2)]
instead.
Remove PL/Tcl's “module†auto-loading facility (Tom Lane)
This functionality has been replaced by new server parameters pltcl.start_proc and pltclu.start_proc, which are easier to use and more similar to features available in other PLs.
Remove pg_dump/pg_dumpall support for dumping from pre-8.0 servers (Tom Lane)
Users needing to dump from pre-8.0 servers will need to use dump programs from PostgreSQL 9.6 or earlier. The resulting output should still load successfully into newer servers.
Remove support for floating-point timestamps and intervals (Tom Lane)
This removes configure's --disable-integer-datetimes
option. Floating-point timestamps have few advantages and have not been the default since PostgreSQL 8.3.
Remove server support for client/server protocol version 1.0 (Tom Lane)
This protocol hasn't had client support since PostgreSQL 6.3.
Remove contrib/tsearch2
module (Robert Haas)
This module provided compatibility with the version of full text search that shipped in pre-8.3 PostgreSQL releases.
Remove createlang and droplang command-line applications (Peter Eisentraut)
These had been deprecated since PostgreSQL 9.1. Instead, use CREATE EXTENSION
and DROP EXTENSION
directly.
Remove support for version-0 function calling conventions (Andres Freund)
Extensions providing C-coded functions must now conform to version 1 calling conventions. Version 0 has been deprecated since 2001.
Below you will find a detailed account of the changes between PostgreSQL 10 and the previous major release.
Support parallel B-tree index scans (Rahila Syed, Amit Kapila, Robert Haas, Rafia Sabih)
This change allows B-tree index pages to be searched by separate parallel workers.
Support parallel bitmap heap scans (Dilip Kumar)
This allows a single index scan to dispatch parallel workers to process different areas of the heap.
Allow merge joins to be performed in parallel (Dilip Kumar)
Allow non-correlated subqueries to be run in parallel (Amit Kapila)
Improve ability of parallel workers to return pre-sorted data (Rushabh Lathia)
Increase parallel query usage in procedural language functions (Robert Haas, Rafia Sabih)
Add max_parallel_workers server parameter to limit the number of worker processes that can be used for query parallelism (Julien Rouhaud)
This parameter can be set lower than max_worker_processes to reserve worker processes for purposes other than parallel queries.
Enable parallelism by default by changing the default setting of max_parallel_workers_per_gather to 2
.
Add write-ahead logging support to hash indexes (Amit Kapila)
This makes hash indexes crash-safe and replicatable. The former warning message about their use is removed.
Improve hash index performance (Amit Kapila, Mithun Cy, Ashutosh Sharma)
Add SP-GiST index support for INET
and CIDR
data types (Emre Hasegeli)
Add option to allow BRIN index summarization to happen more aggressively (Ãlvaro Herrera)
A new CREATE INDEX
option enables auto-summarization of the previous BRIN page range when a new page range is created.
Add functions to remove and re-add BRIN summarization for BRIN index ranges (Ãlvaro Herrera)
The new SQL function brin_summarize_range()
updates BRIN index summarization for a specified range and brin_desummarize_range()
removes it. This is helpful to update summarization of a range that is now smaller due to UPDATE
s and DELETE
s.
Improve accuracy in determining if a BRIN index scan is beneficial (David Rowley, Emre Hasegeli)
Allow faster GiST inserts and updates by reusing index space more efficiently (Andrey Borodin)
Reduce page locking during vacuuming of GIN indexes (Andrey Borodin)
Reduce locking required to change table parameters (Simon Riggs, FabrÃzio Mello)
For example, changing a table's effective_io_concurrency setting can now be done with a more lightweight lock.
Allow tuning of predicate lock promotion thresholds (Dagfinn Ilmari Mannsåker)
Lock promotion can now be controlled through two new server parameters, max_pred_locks_per_relation and max_pred_locks_per_page.
Add multi-column optimizer statistics to compute the correlation ratio and number of distinct values (Tomas Vondra, David Rowley, Ãlvaro Herrera)
New commands are CREATE STATISTICS
, ALTER STATISTICS
, and DROP STATISTICS
. This feature is helpful in estimating query memory usage and when combining the statistics from individual columns.
Improve performance of queries affected by row-level security restrictions (Tom Lane)
The optimizer now has more knowledge about where it can place RLS filter conditions, allowing better plans to be generated while still enforcing the RLS conditions safely.
Speed up aggregate functions that calculate a running sum using numeric
-type arithmetic, including some variants of SUM()
, AVG()
, and STDDEV()
(Heikki Linnakangas)
Improve performance of character encoding conversions by using radix trees (Kyotaro Horiguchi, Heikki Linnakangas)
Reduce expression evaluation overhead during query execution, as well as plan node calling overhead (Andres Freund)
This is particularly helpful for queries that process many rows.
Allow hashed aggregation to be used with grouping sets (Andrew Gierth)
Use uniqueness guarantees to optimize certain join types (David Rowley)
Improve sort performance of the macaddr
data type (Brandur Leach)
Reduce statistics tracking overhead in sessions that reference many thousands of relations (Aleksander Alekseev)
Allow explicit control over EXPLAIN
's display of planning and execution time (Ashutosh Bapat)
By default planning and execution time are displayed by EXPLAIN ANALYZE
and are not displayed in other cases. The new EXPLAIN
option SUMMARY
allows explicit control of this.
Add default monitoring roles (Dave Page)
New roles pg_monitor
, pg_read_all_settings
, pg_read_all_stats
, and pg_stat_scan_tables
allow simplified permission configuration.
Properly update the statistics collector during REFRESH MATERIALIZED VIEW
(Jim Mlodgenski)
Change the default value of log_line_prefix to include current timestamp (with milliseconds) and the process ID in each line of postmaster log output (Christoph Berg)
The previous default was an empty prefix.
Add functions to return the log and WAL directory contents (Dave Page)
The new functions are pg_ls_logdir()
and pg_ls_waldir()
and can be executed by non-superusers with the proper permissions.
Add function pg_current_logfile()
to read logging collector's current stderr and csvlog output file names (Gilles Darold)
Report the address and port number of each listening socket in the server log during postmaster startup (Tom Lane)
Also, when logging failure to bind a listening socket, include the specific address we attempted to bind to.
Reduce log chatter about the starting and stopping of launcher subprocesses (Tom Lane)
These are now DEBUG1
-level messages.
Reduce message verbosity of lower-numbered debug levels controlled by log_min_messages (Robert Haas)
This also changes the verbosity of client_min_messages debug levels.
pg_stat_activity
(PG 10.0)Add pg_stat_activity
reporting of low-level wait states (Michael Paquier, Robert Haas, Rushabh Lathia)
This change enables reporting of numerous low-level wait conditions, including latch waits, file reads/writes/fsyncs, client reads/writes, and synchronous replication.
Show auxiliary processes, background workers, and walsender processes in pg_stat_activity
(Kuntal Ghosh, Michael Paquier)
This simplifies monitoring. A new column backend_type
identifies the process type.
Allow pg_stat_activity
to show the SQL query being executed by parallel workers (Rafia Sabih)
Rename pg_stat_activity
.wait_event_type
values LWLockTranche
and LWLockNamed
to LWLock
(Robert Haas)
This makes the output more consistent.
Add SCRAM-SHA-256 support for password negotiation and storage (Michael Paquier, Heikki Linnakangas)
This provides better security than the existing md5
negotiation and storage method.
Change the password_encryption server parameter from boolean
to enum
(Michael Paquier)
This was necessary to support additional password hashing options.
Add view pg_hba_file_rules
to display the contents of pg_hba.conf
(Haribabu Kommi)
This shows the file contents, not the currently active settings.
Support multiple RADIUS servers (Magnus Hagander)
All the RADIUS related parameters are now plural and support a comma-separated list of servers.
Allow SSL configuration to be updated during configuration reload (Andreas Karlsson, Tom Lane)
This allows SSL to be reconfigured without a server restart, by using pg_ctl reload
, SELECT pg_reload_conf()
, or sending a SIGHUP
signal. However, reloading the SSL configuration does not work if the server's SSL key requires a passphrase, as there is no way to re-prompt for the passphrase. The original configuration will apply for the life of the postmaster in that case.
Make the maximum value of bgwriter_lru_maxpages effectively unlimited (Jim Nasby)
After creating or unlinking files, perform an fsync on their parent directory (Michael Paquier)
This reduces the risk of data loss after a power failure.
Prevent unnecessary checkpoints and WAL archiving on otherwise-idle systems (Michael Paquier)
Add wal_consistency_checking server parameter to add details to WAL that can be sanity-checked on the standby (Kuntal Ghosh, Robert Haas)
Any sanity-check failure generates a fatal error on the standby.
Increase the maximum configurable WAL segment size to one gigabyte (Beena Emerson)
A larger WAL segment size allows for fewer archive_command invocations and fewer WAL files to manage.
Add the ability to logically replicate tables to standby servers (Petr Jelinek)
Logical replication allows more flexibility than physical replication does, including replication between different major versions of PostgreSQL and selective replication.
Allow waiting for commit acknowledgment from standby servers irrespective of the order they appear in synchronous_standby_names (Masahiko Sawada)
Previously the server always waited for the active standbys that appeared first in synchronous_standby_names
. The new synchronous_standby_names
keyword ANY
allows waiting for any number of standbys irrespective of their ordering. This is known as quorum commit.
Reduce configuration changes necessary to perform streaming backup and replication (Magnus Hagander, Dang Minh Huong)
Specifically, the defaults were changed for wal_level, max_wal_senders, max_replication_slots, and hot_standby to make them suitable for these usages out-of-the-box.
Enable replication from localhost connections by default in pg_hba.conf
(Michael Paquier)
Previously pg_hba.conf
's replication connection lines were commented out by default. This is particularly useful for pg_basebackup.
Add columns to pg_stat_replication
to report replication delay times (Thomas Munro)
The new columns are write_lag
, flush_lag
, and replay_lag
.
Allow specification of the recovery stopping point by Log Sequence Number (LSN) in recovery.conf
(Michael Paquier)
Previously the stopping point could only be selected by timestamp or XID.
Allow users to disable pg_stop_backup()
's waiting for all WAL to be archived (David Steele)
An optional second argument to pg_stop_backup()
controls that behavior.
Allow creation of temporary replication slots (Petr Jelinek)
Temporary slots are automatically removed on session exit or error.
Improve performance of hot standby replay with better tracking of Access Exclusive locks (Simon Riggs, David Rowley)
Speed up two-phase commit recovery performance (Stas Kelvich, Nikhil Sontakke, Michael Paquier)
Add XMLTABLE
function that converts XML
-formatted data into a row set (Pavel Stehule, Ãlvaro Herrera)
Fix regular expressions' character class handling for large character codes, particularly Unicode characters above U+7FF
(Tom Lane)
Previously, such characters were never recognized as belonging to locale-dependent character classes such as [[:alpha:]]
.
Add table partitioning syntax that automatically creates partition constraints and handles routing of tuple insertions and updates (Amit Langote)
The syntax supports range and list partitioning.
Add AFTER
trigger transition tables to record changed rows (Kevin Grittner, Thomas Munro)
Transition tables are accessible from triggers written in server-side languages.
Allow restrictive row-level security policies (Stephen Frost)
Previously all security policies were permissive, meaning that any matching policy allowed access. A restrictive policy must match for access to be granted. These policy types can be combined.
When creating a foreign-key constraint, check for REFERENCES
permission on only the referenced table (Tom Lane)
Previously REFERENCES
permission on the referencing table was also required. This appears to have stemmed from a misreading of the SQL standard. Since creating a foreign key (or any other type of) constraint requires ownership privilege on the constrained table, additionally requiring REFERENCES
permission seems rather pointless.
Allow default permissions on schemas (Matheus Oliveira)
This is done using the ALTER DEFAULT PRIVILEGES
command.
Add CREATE SEQUENCE AS
command to create a sequence matching an integer data type (Peter Eisentraut)
This simplifies the creation of sequences matching the range of base columns.
Allow COPY
on views with view
FROM source
INSTEAD INSERT
triggers (Haribabu Kommi)
The triggers are fed the data rows read by COPY
.
Allow the specification of a function name without arguments in DDL commands, if it is unique (Peter Eisentraut)
For example, allow DROP FUNCTION
on a function name without arguments if there is only one function with that name. This behavior is required by the SQL standard.
Allow multiple functions, operators, and aggregates to be dropped with a single DROP
command (Peter Eisentraut)
Support IF NOT EXISTS
in CREATE SERVER
, CREATE USER MAPPING
, and CREATE COLLATION
(Anastasia Lubennikova, Peter Eisentraut)
Make VACUUM VERBOSE
report the number of skipped frozen pages and oldest xmin (Masahiko Sawada, Simon Riggs)
This information is also included in log_autovacuum_min_duration output.
Improve speed of VACUUM
's removal of trailing empty heap pages (Claudio Freire, Ãlvaro Herrera)
Add full text search support for JSON
and JSONB
(Dmitry Dolgov)
The functions ts_headline()
and to_tsvector()
can now be used on these data types.
Add support for EUI-64 MAC addresses, as a new data type macaddr8
(Haribabu Kommi)
This complements the existing support for EUI-48 MAC addresses (type macaddr
).
Add identity columns for assigning a numeric value to columns on insert (Peter Eisentraut)
These are similar to SERIAL
columns, but are SQL standard compliant.
Allow ENUM
values to be renamed (Dagfinn Ilmari Mannsåker)
This uses the syntax ALTER TYPE ... RENAME VALUE
.
Properly treat array pseudotypes (anyarray
) as arrays in to_json()
and to_jsonb()
(Andrew Dunstan)
Previously columns declared as anyarray
(particularly those in the pg_stats
view) were converted to JSON
strings rather than arrays.
Add operators for multiplication and division of money
values with int8
values (Peter Eisentraut)
Previously such cases would result in converting the int8
values to float8
and then using the money
-and-float8
operators. The new behavior avoids possible precision loss. But note that division of money
by int8
now truncates the quotient, like other integer-division cases, while the previous behavior would have rounded.
Check for overflow in the money
type's input function (Peter Eisentraut)
Add simplified regexp_match()
function (Emre Hasegeli)
This is similar to regexp_matches()
, but it only returns results from the first match so it does not need to return a set, making it easier to use for simple cases.
Add a version of jsonb
's delete operator that takes an array of keys to delete (Magnus Hagander)
Make json_populate_record()
and related functions process JSON arrays and objects recursively (Nikita Glukhov)
With this change, array-type fields in the destination SQL type are properly converted from JSON arrays, and composite-type fields are properly converted from JSON objects. Previously, such cases would fail because the text representation of the JSON value would be fed to array_in()
or record_in()
, and its syntax would not match what those input functions expect.
Add function txid_current_if_assigned()
to return the current transaction ID or NULL
if no transaction ID has been assigned (Craig Ringer)
This is different from txid_current()
, which always returns a transaction ID, assigning one if necessary. Unlike that function, this function can be run on standby servers.
Add function txid_status()
to check if a transaction was committed (Craig Ringer)
This is useful for checking after an abrupt disconnection whether your previous transaction committed and you just didn't receive the acknowledgment.
Allow make_date()
to interpret negative years as BC years (Ãlvaro Herrera)
Make to_timestamp()
and to_date()
reject out-of-range input fields (Artur Zakirov)
For example, previously to_date('2009-06-40','YYYY-MM-DD')
was accepted and returned 2009-07-10
. It will now generate an error.
Allow PL/Python's cursor()
and execute()
functions to be called as methods of their plan-object arguments (Peter Eisentraut)
This allows a more object-oriented programming style.
Allow PL/pgSQL's GET DIAGNOSTICS
statement to retrieve values into array elements (Tom Lane)
Previously, a syntactic restriction prevented the target variable from being an array element.
Allow PL/Tcl functions to return composite types and sets (Karl Lehenbauer)
Add a subtransaction command to PL/Tcl (Victor Wagner)
This allows PL/Tcl queries to fail without aborting the entire function.
Add server parameters pltcl.start_proc and pltclu.start_proc, to allow initialization functions to be called on PL/Tcl startup (Tom Lane)
Allow specification of multiple host names or addresses in libpq connection strings and URIs (Robert Haas, Heikki Linnakangas)
libpq will connect to the first responsive server in the list.
Allow libpq connection strings and URIs to request a read/write host, that is a master server rather than a standby server (Victor Wagner, Mithun Cy)
This is useful when multiple host names are specified. It is controlled by libpq connection parameter target_session_attrs
.
Allow the password file name to be specified as a libpq connection parameter (Julian Markwort)
Previously this could only be specified via an environment variable.
Add function PQencryptPasswordConn()
to allow creation of more types of encrypted passwords on the client side (Michael Paquier, Heikki Linnakangas)
Previously only MD5
-encrypted passwords could be created using PQencryptPassword()
. This new function can also create SCRAM-SHA-256
-encrypted passwords.
Change ecpg preprocessor version from 4.12 to 10 (Tom Lane)
Henceforth the ecpg version will match the PostgreSQL distribution version number.
Add conditional branch support to psql (Corey Huinker)
This feature adds psql meta-commands \if
, \elif
, \else
, and \endif
. This is primarily helpful for scripting.
Add psql \gx
meta-command to execute (\g
) a query in expanded mode (\x
) (Christoph Berg)
Expand psql variable references in backtick-executed strings (Tom Lane)
This is particularly useful in the new psql conditional branch commands.
Prevent psql's special variables from being set to invalid values (Daniel Vérité, Tom Lane)
Previously, setting one of psql's special variables to an invalid value silently resulted in the default behavior. \set
on a special variable now fails if the proposed new value is invalid. As a special exception, \set
with an empty or omitted new value, on a boolean-valued special variable, still has the effect of setting the variable to on
; but now it actually acquires that value rather than an empty string. \unset
on a special variable now explicitly sets the variable to its default value, which is also the value it acquires at startup. In sum, a control variable now always has a displayable value that reflects what psql is actually doing.
Add variables showing server version and psql version (Fabien Coelho)
Improve psql's \d
(display relation) and \dD
(display domain) commands to show collation, nullable, and default properties in separate columns (Peter Eisentraut)
Previously they were shown in a single “Modifiers†column.
Make the various \d
commands handle no-matching-object cases more consistently (Daniel Gustafsson)
They now all print the message about that to stderr, not stdout, and the message wording is more consistent.
Improve psql's tab completion (Jeff Janes, Ian Barwick, Andreas Karlsson, Sehrope Sarkuni, Thomas Munro, Kevin Grittner, Dagfinn Ilmari Mannsåker)
Add pgbench option --log-prefix
to control the log file prefix (Masahiko Sawada)
Allow pgbench's meta-commands to span multiple lines (Fabien Coelho)
A meta-command can now be continued onto the next line by writing backslash-return.
Remove restriction on placement of -M
option relative to other command line options (Tom Lane)
Add pg_receivewal option -Z
/--compress
to specify compression (Michael Paquier)
Add pg_recvlogical option --endpos
to specify the ending position (Craig Ringer)
This complements the existing --startpos
option.
Rename initdb options --noclean
and --nosync
to be spelled --no-clean
and --no-sync
(Vik Fearing, Peter Eisentraut)
The old spellings are still supported.
Allow pg_restore to exclude schemas (Michael Banck)
This adds a new -N
/--exclude-schema
option.
Add --no-blobs
option to pg_dump (Guillaume Lelarge)
This suppresses dumping of large objects.
Add pg_dumpall option --no-role-passwords
to omit role passwords (Robins Tharakan, Simon Riggs)
This allows use of pg_dumpall by non-superusers; without this option, it fails due to inability to read passwords.
Support using synchronized snapshots when dumping from a standby server (Petr Jelinek)
Issue fsync()
on the output files generated by pg_dump and pg_dumpall (Michael Paquier)
This provides more security that the output is safely stored on disk before the program exits. This can be disabled with the new --no-sync
option.
Allow pg_basebackup to stream write-ahead log in tar mode (Magnus Hagander)
The WAL will be stored in a separate tar file from the base backup.
Make pg_basebackup use temporary replication slots (Magnus Hagander)
Temporary replication slots will be used by default when pg_basebackup uses WAL streaming with default options.
Be more careful about fsync'ing in all required places in pg_basebackup and pg_receivewal (Michael Paquier)
Add pg_basebackup option --no-sync
to disable fsync (Michael Paquier)
Improve pg_basebackup's handling of which directories to skip (David Steele)
Add wait option for pg_ctl's promote operation (Peter Eisentraut)
Add long options for pg_ctl wait (--wait
) and no-wait (--no-wait
) (Vik Fearing)
Add long option for pg_ctl server options (--options
) (Peter Eisentraut)
Make pg_ctl start --wait
detect server-ready by watching postmaster.pid
, not by attempting connections (Tom Lane)
The postmaster has been changed to report its ready-for-connections status in postmaster.pid
, and pg_ctl now examines that file to detect whether startup is complete. This is more efficient and reliable than the old method, and it eliminates postmaster log entries about rejected connection attempts during startup.
Reduce pg_ctl's reaction time when waiting for postmaster start/stop (Tom Lane)
pg_ctl now probes ten times per second when waiting for a postmaster state change, rather than once per second.
Ensure that pg_ctl exits with nonzero status if an operation being waited for does not complete within the timeout (Peter Eisentraut)
The start
and promote
operations now return exit status 1, not 0, in such cases. The stop
operation has always done that.
Change to two-part release version numbering (Peter Eisentraut, Tom Lane)
Release numbers will now have two parts (e.g., 10.1
) rather than three (e.g., 9.6.3
). Major versions will now increase just the first number, and minor releases will increase just the second number. Release branches will be referred to by single numbers (e.g., 10
rather than 9.6
). This change is intended to reduce user confusion about what is a major or minor release of PostgreSQL.
Improve behavior of pgindent (Piotr Stefaniak, Tom Lane)
We have switched to a new version of pg_bsd_indent based on recent improvements made by the FreeBSD project. This fixes numerous small bugs that led to odd C code formatting decisions. Most notably, lines within parentheses (such as in a multi-line function call) are now uniformly indented to match the opening paren, even if that would result in code extending past the right margin.
Allow the ICU library to optionally be used for collation support (Peter Eisentraut)
The ICU library has versioning that allows detection of collation changes between versions. It is enabled via configure option --with-icu
. The default still uses the operating system's native collation library.
Automatically mark all PG_FUNCTION_INFO_V1
functions as DLLEXPORT
-ed on Windows (Laurenz Albe)
If third-party code is using extern
function declarations, they should also add DLLEXPORT
markers to those declarations.
Remove SPI functions SPI_push()
, SPI_pop()
, SPI_push_conditional()
, SPI_pop_conditional()
, and SPI_restore_connection()
as unnecessary (Tom Lane)
Their functionality now happens automatically. There are now no-op macros by these names so that external modules don't need to be updated immediately, but eventually such calls should be removed.
A side effect of this change is that SPI_palloc()
and allied functions now require an active SPI connection; they do not degenerate to simple palloc()
if there is none. That previous behavior was not very useful and posed risks of unexpected memory leaks.
Allow shared memory to be dynamically allocated (Thomas Munro, Robert Haas)
Add slab-like memory allocator for efficient fixed-size allocations (Tomas Vondra)
Use POSIX semaphores rather than SysV semaphores on Linux and FreeBSD (Tom Lane)
This avoids platform-specific limits on SysV semaphore usage.
Improve support for 64-bit atomics (Andres Freund)
Enable 64-bit atomic operations on ARM64 (Roman Shaposhnik)
Switch to using clock_gettime()
, if available, for duration measurements (Tom Lane)
gettimeofday()
is still used if clock_gettime()
is not available.
Add more robust random number generators to be used for cryptographically secure uses (Magnus Hagander, Michael Paquier, Heikki Linnakangas)
If no strong random number generator can be found, configure will fail unless the --disable-strong-random
option is used. However, with this option, pgcrypto functions requiring a strong random number generator will be disabled.
Allow WaitLatchOrSocket()
to wait for socket connection on Windows (Andres Freund)
tupconvert.c
functions no longer convert tuples just to embed a different composite-type OID in them (Ashutosh Bapat, Tom Lane)
The majority of callers don't care about the composite-type OID; but if the result tuple is to be used as a composite Datum, steps should be taken to make sure the correct OID is inserted in it.
Remove SCO and Unixware ports (Tom Lane)
Overhaul documentation build process (Alexander Lakhin)
Use XSLT to build the PostgreSQL documentation (Peter Eisentraut)
Previously Jade, DSSSL, and JadeTex were used.
Build HTML documentation using XSLT stylesheets by default (Peter Eisentraut)
Allow file_fdw to read from program output as well as files (Corey Huinker, Adam Gomaa)
In postgres_fdw, push aggregate functions to the remote server, when possible (Jeevan Chalke, Ashutosh Bapat)
This reduces the amount of data that must be passed from the remote server, and offloads aggregate computation from the requesting server.
In postgres_fdw, push joins to the remote server in more cases (David Rowley, Ashutosh Bapat, Etsuro Fujita)
Properly support OID
columns in postgres_fdw tables (Etsuro Fujita)
Previously OID
columns always returned zeros.
Allow btree_gist and btree_gin to index enum types (Andrew Dunstan)
This allows enums to be used in exclusion constraints.
Add indexing support to btree_gist for the UUID
data type (Paul Jungwirth)
Add amcheck which can check the validity of B-tree indexes (Peter Geoghegan)
Show ignored constants as $N
rather than ?
in pg_stat_statements (Lukas Fittl)
Improve cube's handling of zero-dimensional cubes (Tom Lane)
This also improves handling of infinite
and NaN
values.
Allow pg_buffercache to run with fewer locks (Ivan Kartyshov)
This makes it less disruptive when run on production systems.
Add pgstattuple function pgstathashindex()
to view hash index statistics (Ashutosh Sharma)
Use GRANT
permissions to control pgstattuple function usage (Stephen Frost)
This allows DBAs to allow non-superusers to run these functions.
Reduce locking when pgstattuple examines hash indexes (Amit Kapila)
Add pageinspect function page_checksum()
to show a page's checksum (Tomas Vondra)
Add pageinspect function bt_page_items()
to print page items from a page image (Tomas Vondra)
Add hash index support to pageinspect (Jesper Pedersen, Ashutosh Sharma)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2021-11-11
This release contains a variety of fixes from 9.6.23. For information about new features in the 9.6 major release, see Version 9.6.0.
This is expected to be the last PostgreSQL release in the 9.6.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.6.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 9.6.21, see Version 9.6.21.
(9.6.24) Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23214 or CVE-2021-23214)
(9.6.24) Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable toCVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. CVE-2021-23222 or CVE-2021-23222)
(9.6.24) Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Ãlvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
(9.6.24) Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
(9.6.24) Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
(9.6.24) Fix float4 and float8 hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8 is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
(9.6.24) Prevent data loss during crash recovery of CREATE TABLESPACE, when wal_level = minimal (Noah Misch)
If the server crashed between CREATE TABLESPACE and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY into a just-created table). Such optimizations are applied only when wal_level is minimal, which is not the default in v10 and later.
(9.6.24) Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1 is of type numeric(18,3), the parser used to simply discard a cast like f1::numeric, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric, not numeric(18,3). This is important for correctly resolving the type of larger constructs, such as recursive UNIONs.
(9.6.24) Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
(9.6.24) Avoid regular expression errors with capturing parentheses inside {0} (Tom Lane)
Regular expressions like (.){0}...\1 drew "invalid backreference number". Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
(9.6.24) Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
(9.6.24) Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
(9.6.24) Fix incorrect results from AT TIME ZONE applied to a time with time zone value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
(9.6.24) Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
(9.6.24) Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
(9.6.24) Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
(9.6.24) Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
(9.6.24) Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
(9.6.24) Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
(9.6.24) Avoid trying to lock the OLD and NEW pseudo-relations in a rule that uses SELECT FOR UPDATE (Masahiko Sawada, Tom Lane)
(9.6.24) Fix parser's processing of aggregate FILTER clauses (Tom Lane)
If the FILTER expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
(9.6.24) Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Ãlvaro Herrera)
(9.6.24) Prevent "snapshot reference leak" warning when lo_export()
or a related function fails (Heikki Linnakangas)
(9.6.24) Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
(9.6.24) Recalculate relevant wait intervals if recovery_min_apply_delay is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
(9.6.24) Fix ecpg to recover correctly after malloc()
failure while establishing a connection (Michael Paquier)
(9.6.24) Allow EXIT out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN, this usage should be valid, but it was rejected.
(9.6.24) Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH bytes in most cases.
(9.6.24) Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
(9.6.24) Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type()
(Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
(9.6.24) Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
(9.6.24) Fix failure of contrib/btree_gin indexes on "char" (not char(n)) columns, when an indexscan using the < or <= operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
(9.6.24) Change contrib/pg_stat_statements to read its "query texts" file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
(9.6.24) Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
(9.6.24) Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
(9.6.24) Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
(9.6.24) Make pg_regexec()
robust against an out-of-range search_start parameter (Tom Lane)
Return REG_NOMATCH, instead of possibly crashing, when search_start is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
(9.6.24) Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
(9.6.24) Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
(9.6.24) Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-08-12
This release contains a variety of fixes from 9.6.22. For information about new features in the 9.6 major release, see Version 9.6.0.
The PostgreSQL community will stop releasing updates for the 9.6.X release series in November 2021. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.21, see Version 9.6.21.
(9.6.23) Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issueCVE-2021-3449 or CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
(9.6.23) Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE (Tom Lane)
This should be disallowed, just as FOR UPDATE with a plain GROUP BY is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
(9.6.23) Reject cases where a query in WITH rewrites to just NOTIFY (Tom Lane)
Such cases previously crashed.
(9.6.23) In numeric multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
(9.6.23) Fix corner-case errors and loss of precision when raising numeric values to very large powers (Dean Rasheed)
(9.6.23) Fix division-by-zero failure in to_char()
with EEEE format and a numeric input value less than 10^(-1001) (Dean Rasheed)
(9.6.23) Fix pg_size_pretty(bigint)
to round negative values consistently with the way it rounds positive ones (and consistently with the numeric version) (Dean Rasheed, David Rowley)
(9.6.23) Make pg_filenode_relation(0, 0) return NULL rather than failing (Justin Pryzby)
(9.6.23) Make ALTER EXTENSION lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP to occur concurrently with DROP EXTENSION, leading to a crash or corrupt catalog entries.
(9.6.23) Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY (Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv and newdata.
(9.6.23) Fix PREPARE TRANSACTION to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION.
(9.6.23) Fix misbehavior of DROP OWNED BY when the target role is listed more than once in an RLS policy (Tom Lane)
(9.6.23) Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY (Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY.
(9.6.23) Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
(9.6.23) Avoid corrupting the plan cache entry when CREATE DOMAIN or ALTER DOMAIN appears in a cached plan (Tom Lane)
(9.6.23) Make pg_settings.pending_restart show as true when the pertinent entry in postgresql.conf has been removed (Ãlvaro Herrera)
pending_restart correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
(9.6.23) Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
(9.6.23) Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
(9.6.23) Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
(9.6.23) Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
(9.6.23) Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
(9.6.23) Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE (Tom Lane)
(9.6.23) Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
(9.6.23) Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
(9.6.23) Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
(9.6.23) Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Ãlvaro Herrera)
(9.6.23) Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO clause specified STRICT, even though it didn't (Tom Lane)
(9.6.23) Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
(9.6.23) In ecpg, allow the numeric value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
(9.6.23) In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent ofCVE-2006-2313 or CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
(9.6.23) Avoid "invalid creation date in header" warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
(9.6.23) Make pg_upgrade carry forward the old installation's oldestXID value (Bertrand Drouvot)
Previously, the new installation's oldestXID was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age could suffer unwanted forced shutdowns soon after an upgrade.
(9.6.23) Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE commands needed to bring extensions up to the versions that are considered default in the new installation.
(9.6.23) In contrib/postgres_fdw, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
(9.6.23) In contrib/pgcrypto, avoid symbol name conflicts with OpenSSL (Tom Lane)
Operations using SHA224 hashing could show failures under valgrind checking. It appears that this is only a stomp of alignment-padding bytes and so has no real consequences, but let's fix it to be sure.
(9.6.23) Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's "dry-run" mode. Remove memory leaks in isolationtester itself.
(9.6.23) Reduce overhead of cache-clobber testing (Tom Lane)
(9.6.23) Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
(9.6.23) Make printf("%s", NULL) print (null) instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
(9.6.23) Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED record (Simon Riggs)
(9.6.23) Clarify error messages referring to "non-negative" values (Bharath Rupireddy)
(9.6.23) Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r library (Adrian Ho, Tom Lane)
If there is no libldap_r library, we now silently assume that libldap is thread-safe.
(9.6.23) Add new make targets world-bin and install-world-bin (Andrew Dunstan)
These are the same as world and install-world respectively, except that they do not build or install the documentation.
(9.6.23) Fix make rule for TAP tests (prove_installcheck) to work in PGXS usage (Andrew Dunstan)
(9.6.23) Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
(9.6.23) Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
(9.6.23) In MSVC builds, include --with-pgport in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
Release date: 2021-05-13
This release contains a variety of fixes from 9.6.21. For information about new features in the 9.6 major release, see Version 9.6.0.
The PostgreSQL community will stop releasing updates for the 9.6.X release series in November 2021. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.21, see Version 9.6.21.
(9.6.22) Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. CVE-2021-32027 or CVE-2021-32027)
(9.6.22) Fix mishandling of "junk" columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane)
If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. CVE-2021-32028 or CVE-2021-32028)
(9.6.22) Allow ALTER ROLE/DATABASE ... SET to set the role, session_authorization, and temp_buffers parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
(9.6.22) Fix bug with coercing the result of a COLLATE expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
(9.6.22) Disallow calling window functions and procedures via the "fast path" wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
(9.6.22) Extend pg_identify_object_as_address()
to support event triggers (Joel Jacobson)
(9.6.22) Fix to_char()
's handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
(9.6.22) Fix use of uninitialized value while parsing an \{m,n\} quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like an {m,n}? quantifier would do in full regular expressions.
(9.6.22) Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN selectivity value, causing assertion failures or strange planner behavior.
(9.6.22) Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to "could not open file" errors.
(9.6.22) Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
(9.6.22) Ensure we default to wal_sync_method = fdatasync on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
(9.6.22) Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
(9.6.22) Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
(9.6.22) Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
(9.6.22) Fix psql to restore the previous behavior of \connect service=something (Tom Lane)
A previous bug fix caused environment variables (such as PGPORT) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
(9.6.22) Fix race condition in detection of file modification by psql's \e and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
(9.6.22) Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
(9.6.22) Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
(9.6.22) Fix pg_waldump to count XACT records correctly when generating per-record statistics (Kyotaro Horiguchi)
(9.6.22) Fix contrib/amcheck to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY and HEAP_KEYS_UPDATED both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE.
(9.6.22) Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
(9.6.22) Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
Release date: 2021-02-11
This release contains a variety of fixes from 9.6.20. For information about new features in the 9.6 major release, see Version 9.6.0.
The PostgreSQL community will stop releasing updates for the 9.6.X release series in November 2021. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.6.X.
However, see the first changelog item below, which describes cases in which reindexing indexes after the upgrade may be advisable.
Also, if you are upgrading from a version earlier than 9.6.16, see Version 9.6.16.
(9.6.21,9.5.25) Fix CREATE INDEX CONCURRENTLY to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
(9.6.21,9.5.25) Avoid incorrect results when WHERE CURRENT OF is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
(9.6.21,9.5.25) Fix crash when WHERE CURRENT OF is applied to a cursor whose plan contains a custom scan node (David Geier)
(9.6.21,9.5.25) Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to "failed to build any N-way joins" planner errors.
(9.6.21,9.5.25) Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
(9.6.21,9.5.25) Fix ALTER DEFAULT PRIVILEGES to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to "tuple already updated by self" errors or unique-constraint violations.
(9.6.21,9.5.25) Flush ACL-related caches when pg_authid changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT.
(9.6.21,9.5.25) Prevent misprocessing of ambiguous CREATE TABLE LIKE clauses (Tom Lane)
A LIKE clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE target.
(9.6.21,9.5.25) Rearrange order of operations in CREATE TABLE LIKE so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE depends on an index that's coming from the LIKE clause.
(9.6.21,9.5.25) Disallow converting an inheritance child table to a view (Tom Lane)
(9.6.21,9.5.25) Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
(9.6.21,9.5.25) Fix handling of backslash-escaped multibyte characters in COPY FROM (Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
(9.6.21,9.5.25) Avoid preallocating executor hash tables in EXPLAIN without ANALYZE (Alexey Bashtanov)
(9.6.21,9.5.25) Fix recently-introduced race conditions in LISTEN/NOTIFY queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
The queue tail pointer could become set to a value that's not equal to the queue position of any backend, resulting in effective disabling of the queue truncation logic. Continued use of NOTIFY then led to queue-fill warnings, and eventually to inability to send any more notifies until the server is restarted.
(9.6.21,9.5.25) Allow the jsonb concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
(9.6.21,9.5.25) Fix use of uninitialized value while parsing a * quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *? quantifier would do in full regular expressions.
(9.6.21) Fix numeric power()
for the case where the exponent is exactly INT_MIN (-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
(9.6.21,9.5.25) Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later "apparent wraparound" or "could not access status of transaction" errors.
(9.6.21,9.5.25) Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
(9.6.21,9.5.25) Fix walsender to accept additional commands after terminating replication (Jeff Davis)
(9.6.21) Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
(9.6.21) Fix portability problem in parsing of recovery_target_xid values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul()
, causing misbehavior on platforms where long is 32 bits (such as Windows).
(9.6.21,9.5.25) Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM option (Tom Lane)
(9.6.21,9.5.25) In psql, re-allow including a password in a connection_string argument of a \connect command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
(9.6.21,9.5.25) Fix assorted bugs in psql's \help command (Kyotaro Horiguchi, Tom Lane)
\help with two argument words failed to find a command description using only the first word, for example \help reset all should show the help for RESET but did not. Also, \help often failed to invoke the pager when it should. It also leaked memory.
(9.6.21) Fix pg_dump to handle WITH GRANT OPTION in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
(9.6.21,9.5.25) In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
(9.6.21,9.5.25) Report the correct database name in connection failure error messages from some client programs (Ãlvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
(9.6.21,9.5.25) Fix memory leak in contrib/auto_explain (Japin Li)
Memory consumed while producing the EXPLAIN output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements enabled.
(9.6.21,9.5.25) In contrib/postgres_fdw, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
(9.6.21,9.5.25) In contrib/pgcrypto, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
(9.6.21,9.5.25) In contrib/pg_trgm's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
(9.6.21,9.5.25) Fix miscalculation of timeouts in contrib/pg_prewarm and contrib/postgres_fdw (Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
(9.6.21,9.5.25) Improve configure's heuristics for selecting PG_SYSROOT on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
(9.6.21,9.5.25) While building on macOS, specify -isysroot in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
(9.6.21,9.5.25) Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 9.6.19. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.16, see Version 9.6.16.
(9.6.20,9.5.24) Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the "security restricted operation" sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. CVE-2020-25695 or CVE-2020-25695)
(9.6.20,9.5.24) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d parameter of pg_dump and pg_restore, or the --maintenance-db parameter of the other programs mentioned, can be a "connection string" containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. CVE-2020-25694 or CVE-2020-25694)
(9.6.20,9.5.24) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. CVE-2020-25694 or CVE-2020-25694)
(9.6.20,9.5.24) Prevent psql's \gset command from modifying specially-treated variables (Noah Misch)
\gset without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. CVE-2020-25696 or CVE-2020-25696)
(9.6.20,9.5.24) Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch)
This rare problem would manifest in later "apparent wraparound" or "could not access status of transaction" errors.
(9.6.20,9.5.24) Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
(9.6.20,9.5.24) Fix ALTER ROLE for users with the BYPASSRLS attribute (Tom Lane, Stephen Frost)
The BYPASSRLS attribute is only allowed to be changed by superusers, but other ALTER ROLE operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
(9.6.20,9.5.24) Fix handling of expressions in CREATE TABLE LIKE with inheritance (Tom Lane)
If a CREATE TABLE command uses both LIKE and traditional inheritance, column references in CHECK constraints and expression indexes that came from a LIKE parent table tended to get mis-numbered, resulting in wrong answers and/or bizarre error messages. The same could happen in GENERATED expressions, in branches that have that feature.
(9.6.20,9.5.24) Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit "BC" marker to cancel out and produce AD.
(9.6.20,9.5.24) Ensure that standby servers will archive WAL timeline history files when archive_mode is set to always (Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
(9.6.20) During "smart" shutdown, don't terminate background processes until all client (foreground) sessions are done (Tom Lane)
The previous behavior broke parallel query processing, since the postmaster would terminate parallel workers and refuse to launch any new ones. It also caused autovacuum to cease functioning, which could have dire long-term effects if the surviving client sessions make a lot of data changes.
(9.6.20) Avoid recursive consumption of stack space while processing signals in the postmaster (Tom Lane)
Heavy use of parallel processing has been observed to cause postmaster crashes due to too many concurrent signals requesting creation of a parallel worker process.
(9.6.20,9.5.24) Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane)
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
(9.6.20,9.5.24) Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane)
A "constant" subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
(9.6.20,9.5.24) Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane)
(9.6.20,9.5.24) While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Ãlvaro Herrera)
This oversight could lead to "failed to find parent tuple for heap-only tuple" errors.
(9.6.20,9.5.24) Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like "missing chunk number 0 for toast value NNN". (If you are faced with such an error from an existing index, REINDEX should be enough to fix it.)
(9.6.20,9.5.24) Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Ãlvaro Herrera)
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
(9.6.20,9.5.24) Fix rare "lost saved point in index" errors in scans of multicolumn GIN indexes (Tom Lane)
(9.6.20,9.5.24) Fix use-after-free hazard when an event trigger monitors an ALTER TABLE operation (Jehan-Guillaume de Rorthais)
(9.6.20,9.5.24) Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes)
(9.6.20,9.5.24) Avoid lockup when a parallel worker reports a very long error message (Vignesh C)
(9.6.20,9.5.24) Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
(9.6.20,9.5.24) Fix relation cache memory leaks with RLS policies (Tom Lane)
(9.6.20,9.5.24) Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
(9.6.20,9.5.24) Make libpq support arbitrary-length lines in .pgpass files (Tom Lane)
This is mostly useful to allow using very long security tokens as passwords.
(9.6.20,9.5.24) In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
(9.6.20,9.5.24) Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
(9.6.20,9.5.24) On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
(9.6.20,9.5.24) Ensure that pg_dump collects per-column information about extension configuration tables (FabrÃzio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts, or underspecified (though usually correct) COPY commands when using COPY to reload the tables' data.
(9.6.20,9.5.24) Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
(9.6.20,9.5.24) Fix potential memory leak in contrib/pgcrypto (Michael Paquier)
(9.6.20,9.5.24) Add check for an unlikely failure case in contrib/pgcrypto (Daniel Gustafsson)
(9.6.20,9.5.24) Use return not exit() in configure's test programs (Peter Eisentraut)
This avoids failures with pickier compilers.
(9.6.20,9.5.24) Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
(9.6.20,9.5.24) Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from "fat" to "slim". That's just cosmetic for our purposes, as we continue to select the "fat" mode in pre-v13 branches. This change also ensures that strftime()
does not change errno unless it fails.
Release date: 2020-08-13
This release contains a variety of fixes from 9.6.18. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.16, see Version 9.6.16.
(9.6.19,9.5.23) Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described inCVE-2018-1058 or CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. CVE-2020-14350 or CVE-2020-14350)
(9.6.19,9.5.23) In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Ãlvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues.
(9.6.19) Fix slow execution of ts_headline()
(Tom Lane)
The phrase-search fix added in our previous set of minor releases could cause ts_headline()
to take unreasonable amounts of time for long documents; to make matters worse, the query was not cancellable within the troublesome loop.
(9.6.19,9.5.23) Ensure the repeat()
function can be interrupted by query cancel (Joe Conway)
(9.6.19) Fix mis-handling of NaN inputs during parallel aggregation on numeric-type columns (Tom Lane)
If some partial aggregation workers found only NaNs while others found only non-NaNs, the results were combined incorrectly, possibly leading to the wrong overall result (i.e., not NaN when it should be).
(9.6.19,9.5.23) Undo double-quoting of index names in EXPLAIN's non-text output formats (Tom Lane, Euler Taveira)
(9.6.19,9.5.23) Fix timing of constraint revalidation in ALTER TABLE (David Rowley)
If ALTER TABLE needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK constraints, it sometimes did things in the wrong order, leading to odd errors such as "could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytes".
(9.6.19,9.5.23) Cope with LATERAL references in restriction clauses attached to an un-flattened sub-SELECT in the FROM clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution.
(9.6.19,9.5.23) Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY.
(9.6.19,9.5.23) Improve error handling in the server's buffile module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate.
(9.6.19,9.5.23) Fix conflict-checking anomalies in SERIALIZABLE isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error.
(9.6.19,9.5.23) Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints is on.
(9.6.19,9.5.23) Fix failure of some code paths to acquire the correct lock before modifying pg_control (Nathan Bossart, Fujii Masao)
This oversight could allow pg_control to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control update.
(9.6.19,9.5.23) Fix errors in currtid()
and currtid2()
(Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as "could not open file" when applied to a relation having no storage.
(9.6.19,9.5.23) Avoid calling elog()
or palloc()
while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock.
(9.6.19,9.5.23) Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Ãlvaro Herrera)
Some code paths could produce silly reports like "could not write file: Success".
(9.6.19,9.5.23) Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to "tuple concurrently updated" errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur.
(9.6.19,9.5.23) Ensure that pg_upgrade runs with vacuum_defer_cleanup_age set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade.
(9.6.19,9.5.23) Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume.
(9.6.19,9.5.23) Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat()
.
(9.6.19,9.5.23) Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage.
(9.6.19,9.5.23) Fix failure to initialize local state correctly in contrib/dblink (Joe Conway)
With the right combination of circumstances, this could lead to dblink_close()
issuing an unexpected remote COMMIT.
(9.6.19,9.5.23) Fix contrib/pgcrypto's misuse of deflate()
(Tom Lane)
The pgp_sym_encrypt
functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation.
(9.6.19,9.5.23) Fix corner case in decompression logic in contrib/pgcrypto's pgp_sym_decrypt
functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data.
(9.6.19,9.5.23) Use POSIX-standard strsignal()
in place of the BSD-ish sys_siglist[] (Tom Lane)
This avoids build failures with very recent versions of glibc.
(9.6.19,9.5.23) Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José SantamarÃa Flecha, Davinder Singh, Amit Kapila)
(9.6.19,9.5.23) Avoid possible failure of our MSVC install script when there is a file named configure several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure to identify the top level of the source tree.
Release date: 2020-05-14
This release contains a variety of fixes from 9.6.17. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.16, see Version 9.6.16.
(9.6.18,9.5.22) Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby)
Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
(9.6.18,9.5.22) Preserve the replica identity properties of indexes rewritten by ALTER TABLE (Quan Zongliang, Peter Eisentraut)
(9.6.18,9.5.22) Lock objects sooner during DROP OWNED BY (Ãlvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same objects.
(9.6.18,9.5.22) Fix error-case processing for CREATE ROLE ... IN ROLE (Andrew Gierth)
Some error cases would be reported as "unexpected node type" or the like, instead of the intended message.
(9.6.18) Fix full text search to handle NOT above a phrase search correctly (Tom Lane)
Queries such as !(foo<->bar) failed to find matching rows when implemented as a GiST or GIN index search.
(9.6.18) Fix full text search for cases where a phrase search includes an item with both prefix matching and a weight restriction (Tom Lane)
(9.6.18) Fix ts_headline()
to make better headline selections when working with phrase queries (Tom Lane)
(9.6.18,9.5.22) Fix bugs in gin_fuzzy_search_limit processing (Adé Heyward, Tom Lane)
A small value of gin_fuzzy_search_limit could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
(9.6.18,9.5.22) Allow input of type circle to accept the format "(x,y),r" as the documentation says it does (David Zhang)
(9.6.18,9.5.22) Make the get_bit()
and set_bit()
functions cope with bytea strings longer than 256MB (Movead Li)
Since the bit number argument is only int4, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea. We'll widen the argument to int8 in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea.
(9.6.18,9.5.22) Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir()
, pg_timezone_names()
, pg_tablespace_databases()
, and allied functions (Justin Pryzby)
(9.6.18,9.5.22) Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray output when given only an anyrange input (Tom Lane)
(9.6.18,9.5.22) Avoid unlikely crash when REINDEX is terminated by a session-shutdown signal (Tom Lane)
(9.6.18,9.5.22) Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN (Konstantin Knizhnik, Tom Lane, Thomas Munro)
(9.6.18,9.5.22) Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE (Tatsuhito Kasahara)
(9.6.18,9.5.22) Avoid possibly showing "waiting" twice in a process's PS status (Masahiko Sawada)
(9.6.18,9.5.22) Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais)
WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
(9.6.18,9.5.22) Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi)
This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
(9.6.18,9.5.22) Remove bogus "subtransaction logged without previous top-level txn record" error check in logical decoding (Arseny Sher, Amit Kapila)
This condition is legitimately reachable in various scenarios, so remove the check.
(9.6.18,9.5.22) Ensure that a replication slot's io_in_progress_lock is released in failure code paths (Pavan Deolasee)
This could result in a walsender later becoming stuck waiting for the lock.
(9.6.18) Fix race conditions in synchronous standby management (Tom Lane)
During a change in the synchronous_standby_names setting, there was a window in which wrong decisions could be made about whether it is OK to release transactions that are waiting for synchronous commit. Another hazard for similarly wrong decisions existed if a walsender process exited and was immediately replaced by another.
(9.6.18,9.5.22) Ensure nextXid can't go backwards on a standby server (Eka Palamadai)
This race condition could allow incorrect hot standby feedback messages to be sent back to the primary server, potentially allowing VACUUM to run too soon on the primary.
(9.6.18,9.5.22) Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
(9.6.18,9.5.22) Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
(9.6.18,9.5.22) Fix memory leak in libpq when using sslmode=verify-full (Roman Peshkurov)
Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
(9.6.18,9.5.22) Fix ecpg to treat an argument of just "-" as meaning "read from stdin" on all platforms (Tom Lane)
(9.6.18) Add pg_dump support for ALTER ... DEPENDS ON EXTENSION (Ãlvaro Herrera)
pg_dump previously ignored dependencies added this way, causing them to be forgotten during dump/restore or pg_upgrade.
(9.6.18,9.5.22) Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
(9.6.18,9.5.22) In pg_dump, postpone restore of event triggers till the end (FabrÃzio de Royes Mello, Hamid Akhtar, Tom Lane)
This minimizes the risk that an event trigger could interfere with the restoration of other objects.
(9.6.18,9.5.22) Fix quoting of --encoding, --lc-ctype and --lc-collate values in createdb utility (Michael Paquier)
(9.6.18,9.5.22) contrib/lo's lo_manage()
function crashed if called directly rather than as a trigger (Tom Lane)
(9.6.18,9.5.22) In contrib/ltree, protect against overflow of ltree and lquery length fields (Nikita Glukhov)
(9.6.18,9.5.22) Fix cache reference leak in contrib/sepgsql (Michael Luo)
(9.6.18,9.5.22) Avoid failures when dealing with Unix-style locale names on Windows (Juan José SantamarÃa Flecha)
(9.6.18,9.5.22) In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
(9.6.18,9.5.22) In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
(9.6.18,9.5.22) In MSVC builds, use -Wno-deprecated with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan)
(9.6.18,9.5.22) Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai.
The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link.
Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.
Release date: 2020-02-13
This release contains a variety of fixes from 9.6.16. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.16, see Version 9.6.16.
(9.6.17) Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION (Ãlvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). CVE-2020-1720 or CVE-2020-1720)
(9.6.17,9.5.21,9.4.26) Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
(9.6.17,9.5.21,9.4.26) Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
(9.6.17) Prevent premature shutdown of a Gather or GatherMerge plan node that is underneath a Limit node (Amit Kapila)
This avoids failure if such a plan node needs to be scanned more than once, as for instance if it is on the inside of a nestloop.
(9.6.17,9.5.21,9.4.26) Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
(9.6.17,9.5.21,9.4.26) Ignore the CONCURRENTLY option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT action. There is no benefit in using CONCURRENTLY for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
(9.6.17,9.5.21,9.4.26) Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS (Tom Lane)
(9.6.17,9.5.21) Fix possible crash in BRIN index operations with box, range and inet data types (Heikki Linnakangas)
(9.6.17,9.5.21,9.4.26) Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
(9.6.17,9.5.21,9.4.26) Fix possible crash with a SubPlan (sub-SELECT) within a multi-row VALUES list (Tom Lane)
(9.6.17,9.5.21,9.4.26) Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
(9.6.17,9.5.21,9.4.26) Improve error reporting in to_date()
and to_timestamp()
(Tom Lane, Ãlvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
(9.6.17,9.5.21,9.4.26) Fix off-by-one result for EXTRACT (ISOYEAR FROM timestamp) for BC dates (Tom Lane)
(9.6.17,9.5.21,9.4.26) Avoid stack overflow in information_schema views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
(9.6.17,9.5.21,9.4.26) Improve performance of hash joins with very large inner relations (Thomas Munro)
(9.6.17,9.5.21,9.4.26) Fix edge-case crashes and misestimations in selectivity calculations for the <@ and @> range operators (Michael Paquier, Andrey Borodin, Tom Lane)
(9.6.17,9.5.21,9.4.26) Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
(9.6.17,9.5.21,9.4.26) Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
(9.6.17,9.5.21,9.4.26) Fix error reporting for index expressions of prohibited types (Amit Langote)
(9.6.17,9.5.21,9.4.26) Fix dumping of views that contain only a VALUES list to handle cases where a view output column has been renamed (Tom Lane)
(9.6.17) Transmit incoming NOTIFY messages to the client before sending ReadyForQuery, rather than after (Tom Lane)
This change ensures that, with libpq and other client libraries that act similarly to it, any notifications received during a transaction will be available by the time the client thinks the transaction is complete. This probably makes no difference in practical applications (which would need to cope with asynchronous notifications in any case); but it makes it easier to build test cases with reproducible behavior.
(9.6.17,9.5.21,9.4.26) Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
(9.6.17,9.5.21,9.4.26) Fix incorrect handling of %b and %B format codes in ecpg's PGTYPEStimestamp_fmt_asc()
function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
(9.6.17,9.5.21,9.4.26) Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
(9.6.17,9.5.21,9.4.26) Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
(9.6.17,9.5.21,9.4.26) In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
(9.6.17,9.5.21,9.4.26) Apply more thorough syntax checking to createuser's --connection-limit option (Ãlvaro Herrera)
(9.6.17) Avoid crash in postgres_fdw when trying to send a command like UPDATE remote_tab SET (x,y) = (SELECT ...) to the remote server (Tom Lane)
(9.6.17,9.5.21,9.4.26) In contrib/dict_int, reject maxlen settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
(9.6.17,9.5.21,9.4.26) Disallow NULL category values in contrib/tablefunc's crosstab()
function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
(9.6.17,9.4.26) Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT, to allow extensions to access them on Windows (Pascal Legrand)
This applies to idle_in_transaction_session_timeout, lock_timeout, statement_timeout, track_activities, track_counts, and track_functions.
(9.6.17,9.5.21,9.4.26) Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY, and perhaps other misbehavior.
(9.6.17,9.5.21,9.4.26) On Windows, retry a few times after an ERROR_ACCESS_DENIED file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
Release date: 2019-11-14
This release contains a variety of fixes from 9.6.15. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you use the contrib/intarray extension with a GiST index, and you rely on indexed searches for the <@ operator, see the entry below about that.
Also, if you are upgrading from a version earlier than 9.6.9, see Version 9.6.9.
(9.6.16) Fix failure of ALTER TABLE SET with a custom relation option (Michael Paquier)
(9.6.16,9.5.20) Disallow changing a multiply-inherited column's type if not all parent tables were changed (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
(9.6.16,9.5.20,9.4.25) Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM failing until the old transaction terminates.
(9.6.16,9.5.20,9.4.25) Ensure that offset expressions in WINDOW clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
(9.6.16,9.5.20,9.4.25) Fix handling of whole-row variables in WITH CHECK OPTION expressions and row-level-security policy expressions (Andres Freund)
Previously, such usage might result in bogus errors about row type mismatches.
(9.6.16,9.5.20) Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
(9.6.16,9.5.20,9.4.25) Prevent possible double-free if a BEFORE UPDATE trigger returns the old tuple as-is, and it is not the last such trigger (Thomas Munro)
(9.6.16,9.5.20) Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
(9.6.16,9.5.20,9.4.25) In serializable mode, ensure that row-level predicate locks are acquired on the correct version of the row (Thomas Munro, Heikki Linnakangas)
If the visible version of the row is HOT-updated, the lock might be taken on its now-dead predecessor, resulting in subtle failures to guarantee serialization.
(9.6.16,9.5.20,9.4.25) Ensure that fsync()
is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes "bad file descriptor" or similar errors.
(9.6.16,9.5.20,9.4.25) Allow encoding conversion to succeed on longer strings than before (Ãlvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
(9.6.16) Avoid creating unnecessarily-bulky tuple stores for window functions (Andrew Gierth)
In some cases the tuple storage would include all columns of the source table(s), not just the ones that are needed by the query.
(9.6.16,9.5.20,9.4.25) Allow repalloc()
to give back space when a large chunk is reduced in size (Tom Lane)
(9.6.16,9.5.20) Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
(9.6.16,9.5.20,9.4.25) Avoid failure in archive recovery if recovery_min_apply_delay is enabled (Fujii Masao)
recovery_min_apply_delay is not typically used in this configuration, but it should work.
(9.6.16,9.5.20,9.4.25) Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Ãlvaro Herrera)
(9.6.16,9.5.20,9.4.25) Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription.last_msg_send_time usually reading as NULL.
(9.6.16,9.5.20,9.4.25) In logical decoding, ensure that sub-transactions are correctly accounted for when reconstructing a snapshot (Masahiko Sawada)
This error leads to assertion failures; it's unclear whether any bad effects exist in production builds.
(9.6.16,9.5.20,9.4.25) Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
(9.6.16,9.5.20,9.4.25) Fix ALTER SYSTEM to cope with duplicate entries in postgresql.auto.conf (Ian Barwick)
ALTER SYSTEM itself will not generate such a state, but external tools that modify postgresql.auto.conf could do so. Duplicate entries for the target variable will now be removed, and then the new setting (if any) will be appended at the end.
(9.6.16,9.5.20) Reject include directives with empty file names in configuration files, and report include-file recursion more clearly (Ian Barwick, Tom Lane)
(9.6.16,9.5.20,9.4.25) Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
(9.6.16,9.5.20,9.4.25) Fix some cases where an incomplete date specification is not detected in time with time zone input (Alexander Lakhin)
If a time zone with a time-varying UTC offset is specified, then a date must be as well, so that the offset can be resolved. Depending on the syntax used, this check was not enforced in some cases, allowing bogus output to be produced.
(9.6.16,9.5.20,9.4.25) Fix misbehavior of bitshiftright()
(Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright()
in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
(9.6.16,9.5.20,9.4.25) Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
(9.6.16) Avoid crashes if ispell text search dictionaries contain wrong affix data (Arthur Zakirov)
(9.6.16,9.5.20,9.4.25) Fix incorrect compression logic for GIN posting lists (Heikki Linnakangas)
A GIN posting list item can require 7 bytes if the distance between adjacent indexed TIDs exceeds 16TB. One step in the logic was out of sync with that, and might try to write the value into a 6-byte buffer. In principle this could cause a stack overrun, but on most architectures it's likely that the next byte would be unused alignment padding, making the bug harmless. In any case the bug would be very difficult to hit.
(9.6.16,9.5.20,9.4.25) Fix handling of infinity, NaN, and NULL values in KNN-GiST (Alexander Korotkov)
The query's output order could be wrong (different from a plain sort's result) if some distances computed for non-null column values are infinity or NaN.
(9.6.16,9.5.20,9.4.25) Fix handling of searches for NULL in KNN-SP-GiST (Nikita Glukhov)
(9.6.16,9.5.20,9.4.25) On Windows, recognize additional spellings of the "Norwegian (Bokmål)" locale name (Tom Lane)
(9.6.16,9.5.20,9.4.25) Avoid compile failure if an ECPG client includes ecpglib.h while having ENABLE_NLS defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext()
should not be visible to client code.
(9.6.16,9.5.20,9.4.25) In psql, resynchronize internal state about the server after an unexpected connection loss and successful reconnection (Peter Billen, Tom Lane)
Ordinarily this is unnecessary since the state would be the same anyway. But it can matter in corner cases, such as where the connection might lead to one of several servers. This change causes psql to re-issue any interactive messages that it would have issued at startup, for example about whether SSL is in use.
(9.6.16,9.5.20,9.4.25) Avoid platform-specific null pointer dereference in psql (Quentin Rameau)
(9.6.16,9.5.20,9.4.25) Fix pg_dump's handling of circular dependencies in views (Tom Lane)
In some cases a view may depend on an object that pg_dump needs to dump later than the view; the most common example is that a query using GROUP BY on a primary-key column may be semantically invalid without the primary key. This is now handled by emitting a dummy CREATE VIEW command that just establishes the view's column names and types, and then later emitting CREATE OR REPLACE VIEW with the full view definition. Previously, the dummy definition was actually a CREATE TABLE command, and this was automagically converted to a view by a later CREATE RULE command. The new approach has been used successfully in PostgreSQL version 10 and later. We are back-patching it into older releases now because of reports that the previous method causes bogus error messages about the view's replica identity status. This change also avoids problems when trying to use the --clean option during a restore involving such a view.
(9.6.16,9.5.20,9.4.25) In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
(9.6.16,9.5.20,9.4.25) Fix pg_dump to work again with pre-8.3 source servers (Tom Lane)
A previous fix caused pg_dump to always try to query pg_opfamily, but that catalog doesn't exist before version 8.3.
(9.6.16,9.5.20,9.4.25) In pg_restore, treat -f - as meaning "output to stdout" (Ãlvaro Herrera)
This synchronizes pg_restore's behavior with some other applications, and in particular makes pre-v12 branches act similarly to version 12's pg_restore, simplifying creation of dump/restore scripts that work across multiple PostgreSQL versions. Before this change, pg_restore interpreted such a switch as meaning "output to a file named -", but few people would want that.
(9.6.16,9.5.20,9.4.25) Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line (Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
(9.6.16,9.5.20,9.4.25) Detect file read errors during pg_basebackup (Jeevan Chalke)
(9.6.16,9.5.20) In pg_rewind with an online source cluster, disable timeouts, much as pg_dump does (Alexander Kukushkin)
(9.6.16,9.5.20,9.4.25) Fix failure in pg_waldump with the -s option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
(9.6.16,9.5.20) In pg_waldump, include the newitemoff field in btree page split records (Peter Geoghegan)
(9.6.16,9.5.20) In pg_waldump with the --bkp-details option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
(9.6.16,9.5.20) Fix small memory leak in pg_waldump (Andres Freund)
(9.6.16,9.5.20) Fix vacuumdb with a high --jobs option to handle running out of file descriptors better (Michael Paquier)
(9.6.16,9.5.20,9.4.25) Fix contrib/intarray's GiST opclasses to not fail for empty arrays with <@ (Tom Lane)
A clause like array_column <@ constant_array is considered indexable, but the index search may not find empty array values; of course, such entries should trivially match the search.
The only practical back-patchable fix for this requires making <@ index searches scan the whole index, which is what this patch does. This is unfortunate: it means that the query performance is likely worse than a plain sequential scan would be.
Applications whose performance is adversely impacted by this change have a couple of options. They could switch to a GIN index, which doesn't have this bug, or they could replace array_column <@ constant_array with array_column <@ constant_array AND array_column && constant_array. That will provide about the same performance as before, and it will find all non-empty subsets of the given constant array, which is all that could reliably be expected of the query before.
(9.6.16,9.5.20,9.4.25) Allow configure --with-python to succeed when only python3 or only python2 can be found (Peter Eisentraut, Tom Lane)
Search for python, then python3, then python2, so that configure can succeed in the increasingly-more-common situation where there is no executable named simply python. It's still possible to override this choice by setting the PYTHON environment variable.
(9.6.16,9.5.20,9.4.25) Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS to -O0.
(9.6.16,9.5.20,9.4.25) Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
(9.6.16,9.5.20) On PowerPC, avoid depending on the xlc compiler's __fetch_and_add()
function (Noah Misch)
xlc 13 and newer interpret this function in a way incompatible with our usage, resulting in an unusable build of PostgreSQL. Fix by using custom assembly code instead.
(9.6.16,9.5.20,9.4.25) On AIX, don't use the compiler option -qsrcmsg (Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
(9.6.16,9.5.20,9.4.25) Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
(9.6.16,9.5.20,9.4.25) Update time zone data files to tzdata release 2019c for DST law changes in Fiji and Norfolk Island, plus historical corrections for Alberta, Austria, Belgium, British Columbia, Cambodia, Hong Kong, Indiana (Perry County), Kaliningrad, Kentucky, Michigan, Norfolk Island, South Korea, and Turkey.
Release date: 2019-08-08
This release contains a variety of fixes from 9.6.14. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.9, see Version 9.6.9.
(9.6.15,9.5.19,9.4.24) Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)
We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked inCVE-2007-2138 or CVE-2007-2138. CVE-2019-10208 or CVE-2019-10208)
(9.6.15,9.5.19,9.4.24) Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command (Tom Lane)
This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.
(9.6.15) Don't optimize away GROUP BY columns when the table involved is an inheritance parent (David Rowley)
Normally, if a table's primary key column(s) are included in GROUP BY, it's safe to drop any other grouping columns, since the primary key columns are enough to make the groups unique. This rule does not work if the query is also reading inheritance child tables, though; the parent's uniqueness does not extend to the children.
(9.6.15,9.5.19) Avoid using unnecessary sort steps for some queries with GROUPING SETS (Andrew Gierth, Richard Guo)
(9.6.15,9.5.19,9.4.24) Fix mishandling of multi-column foreign keys when rebuilding a foreign key constraint (Tom Lane)
ALTER TABLE could make an incorrect decision about whether revalidation of a foreign key is necessary, if not all columns of the key are of the same type. It seems likely that the error would always have been in the conservative direction, that is revalidating unnecessarily.
(9.6.15) Avoid spurious deadlock errors when upgrading a tuple lock (Oleksii Kliukin)
When two or more transactions are waiting for a transaction T1 to release a tuple-level lock, and T1 upgrades its lock to a higher level, a spurious deadlock among the waiting transactions could be reported when T1 finishes.
(9.6.15) Fix failure to resolve deadlocks involving multiple parallel worker processes (Rui Hai Jiang)
It is not clear whether this bug is reachable with non-artificial queries, but if it did happen, the queries involved in an otherwise-resolvable deadlock would block until canceled.
(9.6.15,9.5.19,9.4.24) Prevent incorrect canonicalization of date ranges with infinity endpoints (Laurenz Albe)
It's incorrect to try to convert an open range to a closed one or vice versa by incrementing or decrementing the endpoint value, if the endpoint is infinite; so leave the range alone in such cases.
(9.6.15,9.5.19,9.4.24) Fix loss of fractional digits when converting very large money values to numeric (Tom Lane)
(9.6.15,9.5.19,9.4.24) Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6 (YunQiang Su)
(9.6.15,9.5.19,9.4.24) Make libpq ignore carriage return (\r) in connection service files (Tom Lane, Michael Paquier)
In some corner cases, service files containing Windows-style newlines could be mis-parsed, resulting in connection failures.
(9.6.15) In psql, avoid offering incorrect tab completion options after SET variable = (Tom Lane)
(9.6.15,9.5.19,9.4.24) Fix pg_dump to ensure that custom operator classes are dumped in the right order (Tom Lane)
If a user-defined opclass is the subtype opclass of a user-defined range type, related objects were dumped in the wrong order, producing an unrestorable dump. (The underlying failure to handle opclass dependencies might manifest in other cases too, but this is the only known case.)
(9.6.15,9.5.19,9.4.24) Fix contrib/passwordcheck to coexist with other users of check_password_hook (Michael Paquier)
(9.6.15,9.5.19,9.4.24) Fix contrib/sepgsql tests to work under recent SELinux releases (Mike Palmiotto)
(9.6.15) Improve stability of src/test/recovery regression tests (Michael Paquier)
(9.6.15,9.5.19,9.4.24) Reduce stderr output from pg_upgrade's test script (Tom Lane)
(9.6.15) Fix TAP tests to work with msys Perl, in cases where the build directory is on a non-root msys mount point (Noah Misch)
(9.6.15,9.5.19,9.4.24) Support building Postgres with Microsoft Visual Studio 2019 (Haribabu Kommi)
(9.6.15,9.5.19,9.4.24) In Visual Studio builds, honor WindowsSDKVersion environment variable, if that's set (Peifeng Qiu)
This fixes build failures in some configurations.
(9.6.15,9.5.19,9.4.24) Support OpenSSL 1.1.0 and newer in Visual Studio builds (Juan José SantamarÃa Flecha, Michael Paquier)
(9.6.15,9.5.19) Allow make options to be passed down to gmake when non-GNU make is invoked at the top level (Thomas Munro)
(9.6.15,9.5.19,9.4.24) Avoid choosing localtime or posixrules as TimeZone during initdb (Tom Lane)
In some cases initdb would choose one of these artificial zone names over the "real" zone name. Prefer any other match to the C library's timezone behavior over these two.
(9.6.15,9.5.19,9.4.24) Adjust pg_timezone_names view to show the Factory time zone if and only if it has a short abbreviation (Tom Lane)
Historically, IANA set up this artificial zone with an "abbreviation" like Local time zone must be set--see zic manual page. Modern versions of the tzdb database show -00 instead, but some platforms alter the data to show one or another of the historical phrases. Show this zone only if it uses the modern abbreviation.
(9.6.15,9.5.19,9.4.24) Sync our copy of the timezone library with IANA tzcode release 2019b (Tom Lane)
This adds support for zic's new -b slim option to reduce the size of the installed zone files. We are not currently using that, but may enable it in future.
(9.6.15,9.5.19,9.4.24) Update time zone data files to tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine.
Release date: 2019-06-20
This release contains a variety of fixes from 9.6.13. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.9, see Version 9.6.9.
(9.6.14,9.5.18,9.4.23) Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a partial exclusion constraint (Tom Lane)
(9.6.14,9.5.18) Fix failure of COMMENT command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)
(9.6.14) Fix faulty generation of merge-append plans (Tom Lane)
This mistake could lead to "could not find pathkey item to sort" errors.
(9.6.14,9.5.18,9.4.23) Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
(9.6.14,9.5.18,9.4.23) Fix misoptimization of {1,1} quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
(9.6.14,9.5.18) Avoid possible failures while initializing a new process's pg_stat_activity data (Tom Lane)
Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared pg_stat_activity data.
(9.6.14,9.5.18,9.4.23) Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
(9.6.14,9.5.18,9.4.23) Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like "cannot read pg_class without having selected a database".
(9.6.14,9.5.18) Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
(9.6.14,9.5.18,9.4.23) Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime is not a symlink to a zone data file, nor if the time zone is determined from the TZ environment variable.
Separately, prefer UTC over other spellings of that time zone, when neither TZ nor /etc/localtime provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT and UTC zone names equivalent: initdb was then preferring UCT, which almost nobody wants.
(9.6.14) Fix ordering of GRANT commands emitted by pg_dump and pg_dumpall for databases and tablespaces (Nathan Bossart, Michael Paquier)
If cascading grants had been issued, restore might fail due to the GRANT commands being given in an order that didn't respect their interdependencies.
(9.6.14,9.5.18,9.4.23) Fix misleading error reports from reindexdb (Julien Rouhaud)
(9.6.14,9.5.18) Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
(9.6.14) Fix contrib/auto_explain to not cause problems in parallel queries (Tom Lane)
Previously, a parallel worker might try to log its query even if the parent query were not being logged by auto_explain. This would work sometimes, but it's confusing, and in some cases it resulted in failures like "could not find key N in shm TOC".
Also, fix an off-by-one error that resulted in not necessarily logging every query even when the sampling rate is set to 1.0.
(9.6.14,9.5.18,9.4.23) In contrib/postgres_fdw, account for possible data modifications by local BEFORE ROW UPDATE triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE, the new value was not transmitted to the remote server.
(9.6.14,9.5.18,9.4.23) On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
(9.6.14,9.5.18,9.4.23) Make PL/pgSQL's header files C++-safe (George Tarasov)
Release date: 2019-05-09
This release contains a variety of fixes from 9.6.12. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.9, see Version 9.6.9.
(9.6.13,9.5.17) Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic (e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. InCVE-2017-7484 or CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. CVE-2019-10130 or CVE-2019-10130)
(9.6.13,9.5.17,9.4.22) Fix behavior for an UPDATE or DELETE on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a RETURNING clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
(9.6.13,9.5.17,9.4.22) Fix handling of explicit DEFAULT items in an INSERT ... VALUES command with multiple VALUES rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
(9.6.13,9.5.17,9.4.22) Fix CREATE VIEW to allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
(9.6.13,9.5.17) Add missing support for CREATE TABLE IF NOT EXISTS ... AS EXECUTE ... (Andreas Karlsson)
The combination of IF NOT EXISTS and EXECUTE should work, but the grammar omitted it.
(9.6.13,9.5.17) Ensure that sub-SELECTs appearing in row-level-security policy expressions are executed with the correct user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
(9.6.13,9.5.17,9.4.22) Accept XML documents as valid values of type xml when xmloption is set to content, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption that will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit SET xmloption = content while restoring data, ensuring that dump/restore works even if the prevailing setting is document.
(9.6.13,9.5.17,9.4.22) Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid file has been removed.
(9.6.13) Avoid counting parallel workers' transactions as separate transactions (Haribabu Kommi)
(9.6.13,9.5.17,9.4.22) Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
(9.6.13,9.5.17,9.4.22) Tolerate EINVAL and ENOSYS error results, where appropriate, for fsync
and sync_file_range
calls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means "operation not supported".
(9.6.13,9.5.17,9.4.22) Fix "failed to build any N-way joins" planner failures with lateral references leading out of FULL outer joins (Tom Lane)
(9.6.13,9.5.17,9.4.22) Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
(9.6.13) Speed up planning when there are many equality conditions and many potentially-relevant foreign key constraints (David Rowley)
(9.6.13,9.5.17,9.4.22) Avoid O (N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
(9.6.13,9.5.17,9.4.22) Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to "dsa_area could not attach to segment" or "cannot unpin a segment that is not pinned" errors.
(9.6.13,9.5.17,9.4.22) Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
(9.6.13,9.5.17) Fix possible crash when pg_identify_object_as_address()
is given invalid input (Ãlvaro Herrera)
(9.6.13,9.5.17,9.4.22) Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
(9.6.13,9.5.17,9.4.22) Fix handling of lc_time settings that imply an encoding different from the database's encoding (Juan José SantamarÃa Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
(9.6.13,9.5.17) Fix incorrect operator_precedence_warning checks involving unary minus operators (Rikard Falkeborn)
(9.6.13,9.5.17,9.4.22) Disallow NaN as a value for floating-point server parameters (Tom Lane)
(9.6.13,9.5.17,9.4.22) Rearrange REINDEX processing to avoid assertion failures when reindexing individual indexes of pg_class (Andres Freund, Tom Lane)
(9.6.13,9.5.17,9.4.22) Fix planner assertion failure for parameterized dummy paths (Tom Lane)
(9.6.13,9.5.17,9.4.22) Insert correct test function in the result of SnapBuildInitialSnapshot()
(Antonin Houska)
No core code cares about this, but some extensions do.
(9.6.13,9.5.17,9.4.22) Fix intermittent "could not reattach to shared memory" session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
(9.6.13,9.5.17,9.4.22) Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
(9.6.13,9.5.17,9.4.22) Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of SET variable = DEFAULT (but not SET variable TO DEFAULT) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a DROP TYPE or DROP DOMAIN command that listed multiple type names, only the first type name was actually processed.
(9.6.13,9.5.17) Sync ecpg's syntax for CREATE TABLE AS with the server's (Daisuke Higuchi)
(9.6.13,9.5.17,9.4.22) Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
(9.6.13,9.5.17,9.4.22) Avoid crash in contrib/vacuumlo if an lo_unlink()
call failed (Tom Lane)
(9.6.13,9.5.17,9.4.22) Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca zone, and adds support for zic's new -r option.
(9.6.13,9.5.17,9.4.22) Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT is now a backward-compatibility link to Etc/UTC, instead of being a separate zone that generates the abbreviation UCT, which nowadays is typically a typo. PostgreSQL will still accept UCT as an input zone abbreviation, but it won't output it.
Release date: 2019-02-14
This release contains a variety of fixes from 9.6.11. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.9, see Version 9.6.9.
(9.6.12,9.5.16,9.4.21) By default, panic instead of retrying after fsync()
failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync()
failure. If we reissue the fsync()
request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.
(9.6.12,9.5.16,9.4.21) Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
(9.6.12,9.5.16,9.4.21) Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
(9.6.12,9.5.16,9.4.21) Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
(9.6.12,9.5.16,9.4.21) Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
(9.6.12,9.5.16,9.4.21) Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
(9.6.12,9.5.16,9.4.21) Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
(9.6.12,9.5.16,9.4.21) Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
(9.6.12,9.5.16) Make the archiver prioritize WAL history files over WAL data files while choosing which file to archive next (David Steele)
(9.6.12,9.5.16) Fix possible crash in UPDATE with a multiple SET clause using a sub-SELECT as source (Tom Lane)
(9.6.12,9.5.16,9.4.21) Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
(9.6.12,9.5.16,9.4.21) Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
(9.6.12,9.5.16,9.4.21) Check whether the comparison function underlying LEAST()
or GREATEST()
is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
(9.6.12) Fix incorrect planning of queries involving nested loops both above and below a Gather plan node (Tom Lane)
If both levels of nestloop needed to pass the same variable into their right-hand sides, an incorrect plan would be generated.
(9.6.12,9.5.16,9.4.21) Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
(9.6.12,9.5.16,9.4.21) Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
(9.6.12,9.5.16,9.4.21) Avoid O (N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
(9.6.12,9.5.16,9.4.21) Improve ANALYZE's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE's start time.
(9.6.12,9.5.16,9.4.21) Make TRUNCATE ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE into line with the behavior of other commands. Previously, such cases usually ended in failure.
(9.6.12,9.5.16) Fix TRUNCATE to update the statistics counters for the right table (Tom Lane)
If the truncated table had a TOAST table, that table's counters were reset instead.
(9.6.12) Process ALTER TABLE ONLY ADD COLUMN IF NOT EXISTS correctly (Greg Stark)
(9.6.12,9.5.16,9.4.21) Allow UNLISTEN in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
(9.6.12,9.5.16,9.4.21) Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
(9.6.12) Ensure relation caches are updated properly after adding or removing foreign key constraints (Ãlvaro Herrera)
This oversight could result in existing sessions failing to enforce a newly-created constraint, or continuing to enforce a dropped one.
(9.6.12,9.5.16,9.4.21) Ensure relation caches are updated properly after renaming constraints (Amit Langote)
(9.6.12,9.5.16,9.4.21) Make autovacuum more aggressive about removing leftover temporary tables, and also remove leftover temporary tables during DISCARD TEMP (Ãlvaro Herrera)
This helps ensure that remnants from a crashed session are cleaned up more promptly.
(9.6.12) Fix replay of GiST index micro-vacuum operations so that concurrent hot-standby queries do not see inconsistent state (Alexander Korotkov)
(9.6.12,9.5.16,9.4.21) Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
(9.6.12,9.5.16,9.4.21) Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
(9.6.12) When making a PAM authentication request, don't set the PAM_RHOST variable if the connection is via a Unix socket (Thomas Munro)
Previously that variable would be set to [local], which is at best unhelpful, since it's supposed to be a host name.
(9.6.12,9.5.16,9.4.21) Disallow setting client_min_messages higher than ERROR (Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL or PANIC, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR instead. Version 12 and later will reject those alternatives altogether.
(9.6.12,9.5.16,9.4.21) Fix ecpglib to use uselocale()
or _configthreadlocale()
in preference to setlocale()
(Michael Meskes, Tom Lane)
Since setlocale()
is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
(9.6.12,9.5.16,9.4.21) Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
(9.6.12,9.5.16) Fix psql's \g target meta-command to work with COPY TO STDOUT (Daniel Vérité)
Previously, the target option was ignored, so that the copy data always went to the current query output target.
(9.6.12,9.5.16,9.4.21) Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
(9.6.12,9.5.16,9.4.21) Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about "archive items not in correct section order"; less harmlessly, selective-restore options depending on those labels, such as --section, might misbehave.
(9.6.12,9.5.16,9.4.21) Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
(9.6.12,9.5.16,9.4.21) Fix contrib/hstore to calculate correct hash values for empty hstore values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
(9.6.12,9.5.16,9.4.21) Avoid crashes and excessive runtime with large inputs to contrib/intarray's gist__int_ops index support (Andrew Gierth)
(9.6.12,9.5.16,9.4.21) Support new Makefile variables PG_CFLAGS, PG_CXXFLAGS, and PG_LDFLAGS in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
(9.6.12,9.5.16,9.4.21) Fix Perl-coded build scripts to not assume "." is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
(9.6.12,9.5.16,9.4.21) Fix server command-line option parsing problems on OpenBSD (Tom Lane)
(9.6.12) Relocate call of set_rel_pathlist_hook so that extensions can use it to supply partial paths for parallel queries (KaiGai Kohei)
This is not expected to affect existing use-cases.
(9.6.12,9.5.16,9.4.21) Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.
Release date: 2018-11-08
This release contains a variety of fixes from 9.6.10. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.9, see Version 9.6.9.
(9.6.11,9.5.15,9.4.20) Fix corner-case failures in has_foo_privilege()
family of functions (Tom Lane)
Return NULL rather than throwing an error when an invalid object OID is provided. Some of these functions got that right already, but not all. has_column_privilege()
was additionally capable of crashing on some platforms.
(9.6.11,9.5.15,9.4.20) Avoid O (N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
(9.6.11,9.5.15) Fix parsing of standard multi-character operators that are immediately followed by a comment or + or - (Andrew Gierth)
This oversight could lead to parse errors, or to incorrect assignment of precedence.
(9.6.11,9.5.15,9.4.20) Avoid O (N^3) slowdown in lexer for long strings of + or - characters (Andrew Gierth)
(9.6.11,9.5.15,9.4.20) Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
(9.6.11,9.5.15,9.4.20) Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ... after rewinding the referenced cursor (Tom Lane)
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
(9.6.11,9.5.15,9.4.20) Fix EvalPlanQual
to handle conditionally-executed InitPlans properly (Andrew Gierth, Tom Lane)
This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT inside a CASE construct.
(9.6.11,9.5.15,9.4.20) Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well as contrib/ltree and contrib/pg_trgm.
(9.6.11) Disallow pushing sub-SELECTs containing window functions, LIMIT, or OFFSET to parallel workers (Amit Kapila)
Such cases could result in inconsistent behavior due to different workers getting different answers, as a result of indeterminacy due to row-ordering variations.
(9.6.11,9.5.15,9.4.20) Ensure that sequences owned by a foreign table are processed by ALTER OWNER on the table (Peter Eisentraut)
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
(9.6.11,9.5.15) Ensure that the server will process already-received NOTIFY and SIGTERM interrupts before waiting for client input (Jeff Janes, Tom Lane)
(9.6.11,9.5.15,9.4.20) Fix over-allocation of space for array_out()
's result string (Keiichi Hirobe)
(9.6.11,9.5.15,9.4.20) Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
(9.6.11,9.5.15,9.4.20) Ensure that ApplyLogicalMappingFile()
closes the mapping file when done with it (Tomas Vondra)
Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.
(9.6.11,9.5.15) Fix logical decoding to handle cases where a mapped catalog table is repeatedly rewritten, e.g., by VACUUM FULL (Andres Freund)
(9.6.11,9.5.15,9.4.20) Prevent starting the server with wal_level set to too low a value to support an existing replication slot (Andres Freund)
(9.6.11,9.5.15,9.4.20) Avoid crash if a utility command causes infinite recursion (Tom Lane)
(9.6.11,9.5.15,9.4.20) When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
(9.6.11,9.5.15) Fix event triggers to handle nested ALTER TABLE commands (Michael Paquier, Ãlvaro Herrera)
(9.6.11,9.5.15) Propagate parent process's transaction and statement start timestamps to parallel workers (Konstantin Knizhnik)
This prevents misbehavior of functions such as transaction_timestamp()
when executed in a worker.
(9.6.11) Fix transfer of expanded datums to parallel workers so that alignment is preserved, preventing crashes on alignment-picky platforms (Tom Lane, Amit Kapila)
(9.6.11,9.5.15) Fix WAL file recycling logic to work correctly on standby servers (Michael Paquier)
Depending on the setting of archive_mode, a standby might fail to remove some WAL files that could be removed.
(9.6.11,9.5.15) Fix handling of commit-timestamp tracking during recovery (Masahiko Sawada, Michael Paquier)
If commit timestamp tracking has been turned on or off, recovery might fail due to trying to fetch the commit timestamp for a transaction that did not record it.
(9.6.11,9.5.15,9.4.20) Randomize the random()
seed in bootstrap and standalone backends, and in initdb (Noah Misch)
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
(9.6.11,9.5.15,9.4.20) Allow DSM allocation to be interrupted (Chris Travers)
(9.6.11) Avoid failure in a parallel worker when loading an extension that tries to access system caches within its init function (Thomas Munro)
We don't consider that to be good extension coding practice, but it mostly worked before parallel query, so continue to support it for now.
(9.6.11,9.5.15) Properly handle turning full_page_writes on dynamically (Kyotaro Horiguchi)
(9.6.11) Fix possible crash due to double free()
during SP-GiST rescan (Andrew Gierth)
(9.6.11,9.5.15,9.4.20) Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)
(9.6.11,9.5.15,9.4.20) Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)
(9.6.11,9.5.15,9.4.20) Fix unexpected timeouts when using wal_sender_timeout on a slow server (Noah Misch)
(9.6.11,9.5.15,9.4.20) Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
(9.6.11,9.5.15) Ensure background workers are stopped properly when the postmaster receives a fast-shutdown request before completing database startup (Alexander Kukushkin)
(9.6.11) Update the free space map during WAL replay of page all-visible/frozen flag changes (Ãlvaro Herrera)
Previously we were not careful about this, reasoning that the FSM is not critical data anyway. However, if it's sufficiently out of date, that can result in significant performance degradation after a standby has been promoted to primary. The FSM will eventually be healed by updates, but we'd like it to be good sooner, so work harder at maintaining it during WAL replay.
(9.6.11) Avoid premature release of parallel-query resources when query end or tuple count limit is reached (Amit Kapila)
It's only okay to shut down the executor at this point if the caller cannot demand backwards scan afterwards.
(9.6.11,9.5.15,9.4.20) Don't run atexit callbacks when servicing SIGQUIT (Heikki Linnakangas)
(9.6.11,9.5.15,9.4.20) Don't record foreign-server user mappings as members of extensions (Tom Lane)
If CREATE USER MAPPING is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.
(9.6.11,9.5.15,9.4.20) Make syslogger more robust against failures in opening CSV log files (Tom Lane)
(9.6.11,9.5.15) Fix psql, as well as documentation examples, to call PQconsumeInput()
before each PQnotifies()
call (Tom Lane)
This fixes cases in which psql would not report receipt of a NOTIFY message until after the next command.
(9.6.11,9.5.15,9.4.20) Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
(9.6.11,9.5.15,9.4.20) Ensure that pg_restore will schema-qualify the table name when emitting DISABLE/ENABLE TRIGGER commands (Tom Lane)
This avoids failures due to the new policy of running restores with restrictive search path.
(9.6.11,9.5.15,9.4.20) Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
(9.6.11,9.5.15,9.4.20) Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
(9.6.11,9.5.15,9.4.20) Enforce type cube's dimension limit in all contrib/cube functions (Andrey Borodin)
Previously, some cube-related functions could construct values that would be rejected by cube_in()
, leading to dump/reload failures.
(9.6.11) In contrib/postgres_fdw, don't try to ship a variable-free ORDER BY clause to the remote server (Andrew Gierth)
(9.6.11,9.5.15,9.4.20) Fix contrib/unaccent's unaccent()
function to use the unaccent text search dictionary that is in the same schema as the function (Tom Lane)
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
(9.6.11,9.5.15,9.4.20) Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add an -isysroot switch to CPPFLAGS; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT variable in the arguments of configure or make.
It is now recommended that Perl-related extensions write $(perl_includespec) rather than -I$(perl_archlibexp)/CORE in their compiler flags. The latter continues to work on most platforms, but not recent macOS.
Also, it should no longer be necessary to specify --with-tclconfig manually to get PL/Tcl to build on recent macOS releases.
(9.6.11,9.5.15,9.4.20) Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
(9.6.11,9.5.15) On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)
To do this safely, pg_regress now gives up any such privileges at startup.
(9.6.11,9.5.15,9.4.20) Allow btree comparison functions to return INT_MIN (Tom Lane)
Up to now, we've forbidden datatype-specific comparison functions from returning INT_MIN, which allows callers to invert the sort order just by negating the comparison result. However, this was never safe for comparison functions that directly return the result of memcmp()
, strcmp()
, etc, as POSIX doesn't place any such restriction on those functions. At least some recent versions of memcmp()
can return INT_MIN, causing incorrect sort ordering. Hence, we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT() macro if they wish to invert the sort order.
(9.6.11,9.5.15,9.4.20) Fix recursion hazard in shared-invalidation message processing (Tom Lane)
This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL.
This change adds a new result code for LockAcquire
, which might possibly affect external callers of that function, though only very unusual usage patterns would have an issue with it. The API of LockAcquireExtended
is also changed.
(9.6.11,9.5.15,9.4.20) Save and restore SPI's global variables during SPI_connect()
and SPI_finish()
(Chapman Flack, Tom Lane)
This prevents possible interference when one SPI-using function calls another.
(9.6.11,9.5.15,9.4.20) Avoid using potentially-under-aligned page buffers (Tom Lane)
Invent new union types PGAlignedBlock and PGAlignedXLogBlock, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.
(9.6.11,9.5.15,9.4.20) Make src/port/snprintf.c follow the C99 standard's definition of snprintf()
's result value (Tom Lane)
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
(9.6.11,9.5.15,9.4.20) When building on i386 with the clang compiler, require -msse2 to be used (Andres Freund)
This avoids problems with missed floating point overflow checks.
(9.6.11,9.5.15,9.4.20) Fix configure's detection of the result type of strerror_r()
(Tom Lane)
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
(9.6.11,9.5.15,9.4.20) Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
Release date: 2018-08-09
This release contains a variety of fixes from 9.6.9. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.9, see Version 9.6.9.
(9.6.10,9.5.14,9.4.19) Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. CVE-2018-10915 or CVE-2018-10915)
(9.6.10,9.5.14) Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just SELECT * FROM ... (Dean Rasheed, Amit Langote)
Erroneous expansion of an updatable view could lead to crashes or "attribute ... has the wrong type" errors, if the view's SELECT list doesn't match one-to-one with the underlying table's columns. Furthermore, this bug could be leveraged to allow updates of columns that an attacking user lacks UPDATE privilege for, if that user has INSERT and UPDATE privileges for some other column(s) of the table. Any user could also use it for disclosure of server memory. CVE-2018-10925 or CVE-2018-10925)
(9.6.10,9.5.14,9.4.19) Ensure that updates to the relfrozenxid and relminmxid values for "nailed" system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.
(9.6.10,9.5.14,9.4.19) Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Ãlvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
(9.6.10,9.5.14,9.4.19) Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
(9.6.10,9.5.14) During WAL replay, guard against corrupted record lengths exceeding 1GB (Michael Paquier)
Treat such a case as corrupt data. Previously, the code would try to allocate space and get a hard error, making recovery impossible.
(9.6.10,9.5.14) When ending recovery, delay writing the timeline history file as long as possible (Heikki Linnakangas)
This avoids some situations where a failure during recovery cleanup (such as a problem with a two-phase state file) led to inconsistent timeline state on-disk.
(9.6.10,9.5.14,9.4.19) Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
(9.6.10,9.5.14,9.4.19) Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
(9.6.10,9.5.14,9.4.19) Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)
The code previously mis-detected whether or not it had caught up with the upstream server.
(9.6.10,9.5.14,9.4.19) Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Ãlvaro Herrera)
(9.6.10,9.5.14,9.4.19) Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
(9.6.10,9.5.14,9.4.19) Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)
This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).
(9.6.10,9.5.14,9.4.19) Ensure that VACUUM will respond to signals within btree page deletion loops (Andres Freund)
Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.
(9.6.10,9.5.14,9.4.19) Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
(9.6.10) Fix planner to avoid "ORDER/GROUP BY expression not found in targetlist" errors in some queries with set-returning functions (Tom Lane)
(9.6.10,9.5.14,9.4.19) Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)
(9.6.10) Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers (Amit Kapila, Robert Haas)
(9.6.10,9.5.14,9.4.19) Fix failure to schema-qualify some object names in getObjectDescription
output (Kyotaro Horiguchi, Tom Lane)
Names of collations, conversions, and text search objects were not schema-qualified when they should be.
(9.6.10) Fix CREATE AGGREGATE type checking so that parallelism support functions can be attached to variadic aggregates (Alexey Bashtanov)
(9.6.10,9.5.14,9.4.19) Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
(9.6.10,9.5.14,9.4.19) Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free
call for a given chunk of memory is not made from the same DLL that malloc
'ed the memory. The pgtypes library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free()
function that just wraps free
, allowing applications to follow this rule.
(9.6.10,9.5.14,9.4.19) Fix ecpg's support for long long variables on Windows, as well as other platforms that declare strtoll
/strtoull
nonstandardly or not at all (Dang Minh Huong, Tom Lane)
(9.6.10,9.5.14,9.4.19) Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.
(9.6.10,9.5.14,9.4.19) Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)
(9.6.10,9.5.14,9.4.19) Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
(9.6.10,9.5.14,9.4.19) Fix pg_dump's failure to dump REPLICA IDENTITY properties for constraint indexes (Tom Lane)
Manually created unique indexes were properly marked, but not those created by declaring UNIQUE or PRIMARY KEY constraints.
(9.6.10,9.5.14,9.4.19) Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
(9.6.10,9.5.14) Fix contrib/hstore_plperl to look through Perl scalar references, and to not crash if it doesn't find a hash reference where it expects one (Tom Lane)
(9.6.10,9.5.14,9.4.19) Fix crash in contrib/ltree's lca()
function when the input array is empty (Pierre Ducroquet)
(9.6.10,9.5.14,9.4.19) Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
(9.6.10,9.5.14,9.4.19) Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
(9.6.10,9.5.14,9.4.19) Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of "daylight savings" in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.
Release date: 2018-05-10
This release contains a variety of fixes from 9.6.8. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you use the adminpack extension, you should update it as per the first changelog entry below.
Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs.
Also, if you are upgrading from a version earlier than 9.6.8, see Version 9.6.8.
(9.6.9) Remove public execute privilege from contrib/adminpack's pg_logfile_rotate()
function (Stephen Frost)
pg_logfile_rotate()
is a deprecated wrapper for the core function pg_rotate_logfile()
. When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate()
should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue.
After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed. CVE-2018-1115 or CVE-2018-1115)
(9.6.9,9.5.13,9.4.18) Fix incorrect volatility markings on a few built-in functions (Thomas Munro, Tom Lane)
The functions query_to_xml
, cursor_to_xml
, cursor_to_xmlschema
, query_to_xmlschema
, and query_to_xml_and_xmlschema
should be marked volatile because they execute user-supplied queries that might contain volatile operations. They were not, leading to a risk of incorrect query optimization. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard, but in case of trouble, it can be fixed by manually updating these functions' pg_proc entries, for example ALTER FUNCTION pg_catalog.query_to_xml(text, boolean, boolean, text) VOLATILE. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data.
(9.6.9) Fix incorrect parallel-safety markings on a few built-in functions (Thomas Munro, Tom Lane)
The functions brin_summarize_new_values
, gin_clean_pending_list
, cursor_to_xml
, cursor_to_xmlschema
, ts_rewrite
, ts_stat
, and binary_upgrade_create_empty_extension
should be marked parallel-unsafe; some because they perform database modifications directly, and others because they execute user-supplied queries that might do so. They were marked parallel-restricted instead, leading to a risk of unexpected query errors. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard unless force_parallel_mode is turned on. In case of trouble, it can be fixed by manually updating these functions' pg_proc entries, for example ALTER FUNCTION pg_catalog.brin_summarize_new_values(regclass) PARALLEL UNSAFE. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data.
(9.6.9,9.5.13,9.4.18) Avoid re-using TOAST value OIDs that match dead-but-not-yet-vacuumed TOAST entries (Pavan Deolasee)
Once the OID counter has wrapped around, it's possible to assign a TOAST value whose OID matches a previously deleted entry in the same TOAST table. If that entry were not yet vacuumed away, this resulted in "unexpected chunk number 0 (expected 1) for toast value nnnnn" errors, which would persist until the dead entry was removed by VACUUM. Fix by not selecting such OIDs when creating a new TOAST entry.
(9.6.9,9.5.13,9.4.18) Change ANALYZE's algorithm for updating pg_class.reltuples (David Gould)
Previously, pages not actually scanned by ANALYZE were assumed to retain their old tuple density. In a large table where ANALYZE samples only a small fraction of the pages, this meant that the overall tuple density estimate could not change very much, so that reltuples would change nearly proportionally to changes in the table's physical size (relpages) regardless of what was actually happening in the table. This has been observed to result in reltuples becoming so much larger than reality as to effectively shut off autovacuuming. To fix, assume that ANALYZE's sample is a statistically unbiased sample of the table (as it should be), and just extrapolate the density observed within those pages to the whole table.
(9.6.9,9.5.13,9.4.18) Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY commands that are run under SERIALIZABLE or REPEATABLE READ transaction isolation (Tom Lane)
(9.6.9,9.5.13,9.4.18) Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY (Thomas Munro)
(9.6.9,9.5.13,9.4.18) Fix UPDATE/DELETE ... WHERE CURRENT OF to not fail when the referenced cursor uses an index-only-scan plan (Yugo Nagata, Tom Lane)
(9.6.9,9.5.13,9.4.18) Fix incorrect planning of join clauses pushed into parameterized paths (Andrew Gierth, Tom Lane)
This error could result in misclassifying a condition as a "join filter" for an outer join when it should be a plain "filter" condition, leading to incorrect join output.
(9.6.9,9.5.13) Fix possibly incorrect generation of an index-only-scan plan when the same table column appears in multiple index columns, and only some of those index columns use operator classes that can return the column value (Kyotaro Horiguchi)
(9.6.9,9.5.13,9.4.18) Fix misoptimization of CHECK constraints having provably-NULL subclauses of top-level AND/OR conditions (Tom Lane, Dean Rasheed)
This could, for example, allow constraint exclusion to exclude a child table that should not be excluded from a query.
(9.6.9,9.5.13) Fix executor crash due to double free in some GROUPING SET usages (Peter Geoghegan)
(9.6.9,9.5.13) Avoid crash if a table rewrite event trigger is added concurrently with a command that could call such a trigger (Ãlvaro Herrera, Andrew Gierth, Tom Lane)
(9.6.9,9.5.13,9.4.18) Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction (Stas Kelvich)
(9.6.9,9.5.13,9.4.18) Fix query-lifespan memory leakage in repeatedly executed hash joins (Tom Lane)
(9.6.9) Fix possible leak or double free of visibility map buffer pins (Amit Kapila)
(9.6.9) Avoid spuriously marking pages as all-visible (Dan Wood, Pavan Deolasee, Ãlvaro Herrera)
This could happen if some tuples were locked (but not deleted). While queries would still function correctly, vacuum would normally ignore such pages, with the long-term effect that the tuples were never frozen. In recent releases this would eventually result in errors such as "found multixact nnnnn from before relminmxid nnnnn".
(9.6.9,9.5.13,9.4.18) Fix overly strict sanity check in heap_prepare_freeze_tuple
(Ãlvaro Herrera)
This could result in incorrect "cannot freeze committed xmax" failures in databases that have been pg_upgrade'd from 9.2 or earlier.
(9.6.9,9.5.13,9.4.18) Prevent dangling-pointer dereference when a C-coded before-update row trigger returns the "old" tuple (Rushabh Lathia)
(9.6.9,9.5.13,9.4.18) Reduce locking during autovacuum worker scheduling (Jeff Janes)
The previous behavior caused drastic loss of potential worker concurrency in databases with many tables.
(9.6.9,9.5.13,9.4.18) Ensure client hostname is copied while copying pg_stat_activity data to local memory (Edmund Horner)
Previously the supposedly-local snapshot contained a pointer into shared memory, allowing the client hostname column to change unexpectedly if any existing session disconnected.
(9.6.9,9.5.13,9.4.18) Fix incorrect processing of multiple compound affixes in ispell dictionaries (Arthur Zakirov)
(9.6.9,9.5.13,9.4.18) Fix collation-aware searches (that is, indexscans using inequality operators) in SP-GiST indexes on text columns (Tom Lane)
Such searches would return the wrong set of rows in most non-C locales.
(9.6.9) Prevent query-lifespan memory leakage with SP-GiST operator classes that use traversal values (Anton Dignös)
(9.6.9,9.5.13,9.4.18) Count the number of index tuples correctly during initial build of an SP-GiST index (Tomas Vondra)
Previously, the tuple count was reported to be the same as that of the underlying table, which is wrong if the index is partial.
(9.6.9,9.5.13,9.4.18) Count the number of index tuples correctly during vacuuming of a GiST index (Andrey Borodin)
Previously it reported the estimated number of heap tuples, which might be inaccurate, and is certainly wrong if the index is partial.
(9.6.9,9.5.13,9.4.18) Fix a corner case where a streaming standby gets stuck at a WAL continuation record (Kyotaro Horiguchi)
(9.6.9,9.5.13,9.4.18) In logical decoding, avoid possible double processing of WAL data when a walsender restarts (Craig Ringer)
(9.6.9,9.5.13,9.4.18) Allow scalarltsel
and scalargtsel
to be used on non-core datatypes (Tomas Vondra)
(9.6.9,9.5.13,9.4.18) Reduce libpq's memory consumption when a server error is reported after a large amount of query output has been collected (Tom Lane)
Discard the previous output before, not after, processing the error message. On some platforms, notably Linux, this can make a difference in the application's subsequent memory footprint.
(9.6.9,9.5.13,9.4.18) Fix double-free crashes in ecpg (Patrick Krecker, Jeevan Ladhe)
(9.6.9,9.5.13,9.4.18) Fix ecpg to handle long long int variables correctly in MSVC builds (Michael Meskes, Andrew Gierth)
(9.6.9,9.5.13,9.4.18) Fix mis-quoting of values for list-valued GUC variables in dumps (Michael Paquier, Tom Lane)
The local_preload_libraries, session_preload_libraries, shared_preload_libraries, and temp_tablespaces variables were not correctly quoted in pg_dump output. This would cause problems if settings for these variables appeared in CREATE FUNCTION ... SET or ALTER DATABASE/ROLE ... SET clauses.
(9.6.9,9.5.13,9.4.18) Fix pg_recvlogical to not fail against pre-v10 PostgreSQL servers (Michael Paquier)
A previous fix caused pg_recvlogical to issue a command regardless of server version, but it should only be issued to v10 and later servers.
(9.6.9,9.5.13) Ensure that pg_rewind deletes files on the target server if they are deleted from the source server during the run (Takayuki Tsunakawa)
Failure to do this could result in data inconsistency on the target, particularly if the file in question is a WAL segment.
(9.6.9,9.5.13) Fix pg_rewind to handle tables in non-default tablespaces correctly (Takayuki Tsunakawa)
(9.6.9,9.5.13,9.4.18) Fix overflow handling in PL/pgSQL integer FOR loops (Tom Lane)
The previous coding failed to detect overflow of the loop variable on some non-gcc compilers, leading to an infinite loop.
(9.6.9,9.5.13,9.4.18) Adjust PL/Python regression tests to pass under Python 3.7 (Peter Eisentraut)
(9.6.9,9.5.13,9.4.18) Support testing PL/Python and related modules when building with Python 3 and MSVC (Andrew Dunstan)
(9.6.9) Fix errors in initial build of contrib/bloom indexes (Tomas Vondra, Tom Lane)
Fix possible omission of the table's last tuple from the index. Count the number of index tuples correctly, in case it is a partial index.
(9.6.9,9.5.13,9.4.18) Rename internal b64_encode
and b64_decode
functions to avoid conflict with Solaris 11.4 built-in functions (Rainer Orth)
(9.6.9,9.5.13,9.4.18) Sync our copy of the timezone library with IANA tzcode release 2018e (Tom Lane)
This fixes the zic timezone data compiler to cope with negative daylight-savings offsets. While the PostgreSQL project will not immediately ship such timezone data, zic might be used with timezone data obtained directly from IANA, so it seems prudent to update zic now.
(9.6.9,9.5.13,9.4.18) Update time zone data files to tzdata release 2018d for DST law changes in Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.
Release date: 2018-03-01
This release contains a variety of fixes from 9.6.7. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 9.6.7, see Version 9.6.7.
(9.6.8) Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. Relevant documentation appears in Section 5.8.6 (for database administrators and users), Section 32.1 (for application authors), Section 36.15.5 (for extension authors), and CREATE FUNCTION (for authors of SECURITY DEFINER functions). CVE-2018-1058 or CVE-2018-1058)
(9.6.8,9.5.12,9.4.17) Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly executed by these programs — for example, user-provided functions in index expressions — the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. CVE-2018-1058 or CVE-2018-1058)
(9.6.8,9.5.12,9.4.17) Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
If a CTE (WITH clause reference) is used in an InitPlan or SubPlan, and the query requires a recheck due to trying to update or lock a concurrently-updated row, incorrect results could be obtained.
(9.6.8,9.5.12,9.4.17) Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to "left and right pathkeys do not match in mergejoin" or "outer pathkeys do not match mergeclauses" planner errors in corner cases.
(9.6.8,9.5.12,9.4.17) Repair pg_upgrade's failure to preserve relfrozenxid for materialized views (Tom Lane, Andres Freund)
This oversight could lead to data corruption in materialized views after an upgrade, manifesting as "could not access status of transaction" or "found xmin from before relfrozenxid" errors. The problem would be more likely to occur in seldom-refreshed materialized views, or ones that were maintained only with REFRESH MATERIALIZED VIEW CONCURRENTLY.
If such corruption is observed, it can be repaired by refreshing the materialized view (without CONCURRENTLY).
(9.6.8,9.5.12,9.4.17) Fix incorrect reporting of PL/Python function names in error CONTEXT stacks (Tom Lane)
An error occurring within a nested PL/Python function call (that is, one reached via a SPI query from another PL/Python function) would result in a stack trace showing the inner function's name twice, rather than the expected results. Also, an error in a nested PL/Python DO block could result in a null pointer dereference crash on some platforms.
(9.6.8,9.5.12,9.4.17) Allow contrib/auto_explain's log_min_duration setting to range up to INT_MAX, or about 24 days instead of 35 minutes (Tom Lane)
(9.6.8) Mark assorted GUC variables as PGDLLIMPORT, to ease porting extension modules to Windows (Metin Doslu)
Release date: 2018-02-08
This release contains a variety of fixes from 9.6.6. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you use contrib/cube's ~> operator, see the entry below about that.
Also, if you are upgrading from a version earlier than 9.6.6, see Version 9.6.6.
(9.6.7,9.5.11,9.4.16) Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)
pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. CVE-2018-1053 or CVE-2018-1053)
(9.6.7,9.5.11,9.4.16) Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Ãlvaro Herrera)
In some cases VACUUM would fail to remove such tuples even though they are now dead, leading to assorted data corruption scenarios.
(9.6.7) Ensure that vacuum will always clean up the pending-insertions list of a GIN index (Masahiko Sawada)
This is necessary to ensure that dead index entries get removed. The old code got it backwards, allowing vacuum to skip the cleanup if some other process were running cleanup concurrently, thus risking invalid entries being left behind in the index.
(9.6.7,9.5.11,9.4.16) Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)
These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.
(9.6.7,9.5.11) Fix incorrect query results from cases involving flattening of subqueries whose outputs are used in GROUPING SETS (Heikki Linnakangas)
(9.6.7,9.5.11,9.4.16) Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT (Tom Lane)
(9.6.7,9.5.11,9.4.16) Fix spurious deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY (Jeff Janes)
(9.6.7,9.5.11) Fix failures when an inheritance tree contains foreign child tables (Etsuro Fujita)
A mix of regular and foreign tables in an inheritance tree resulted in creation of incorrect plans for UPDATE and DELETE queries. This led to visible failures in some cases, notably when there are row-level triggers on a foreign child table.
(9.6.7,9.5.11,9.4.16) Repair failure with correlated sub-SELECT inside VALUES inside a LATERAL subquery (Tom Lane)
(9.6.7,9.5.11,9.4.16) Fix "could not devise a query plan for the given query" planner failure for some cases involving nested UNION ALL inside a lateral subquery (Tom Lane)
(9.6.7,9.5.11,9.4.16) Fix logical decoding to correctly clean up disk files for crashed transactions (Atsushi Torikoshi)
Logical decoding may spill WAL records to disk for transactions generating many WAL records. Normally these files are cleaned up after the transaction's commit or abort record arrives; but if no such record is ever seen, the removal code misbehaved.
(9.6.7,9.5.11,9.4.16) Fix walsender timeout failure and failure to respond to interrupts when processing a large transaction (Petr Jelinek)
(9.6.7,9.5.11,9.4.16) Fix has_sequence_privilege()
to support WITH GRANT OPTION tests, as other privilege-testing functions do (Joe Conway)
(9.6.7,9.5.11,9.4.16) In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)
We always store XML strings in the database encoding, so allowing libxml to act on a declaration of another encoding gave wrong results. In encodings other than UTF8, we don't promise to support non-ASCII XML data anyway, so retain the previous behavior for bug compatibility. This change affects only xpath()
and related functions; other XML code paths already acted this way.
(9.6.7,9.5.11,9.4.16) Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)
Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.
(9.6.7,9.5.11,9.4.16) Cope with failure to start a parallel worker process (Amit Kapila, Robert Haas)
Parallel query previously tended to hang indefinitely if a worker could not be started, as the result of fork() failure or other low-probability problems.
(9.6.7) Fix collection of EXPLAIN statistics from parallel workers (Amit Kapila, Thomas Munro)
(9.6.7,9.5.11) Avoid unsafe alignment assumptions when working with __int128 (Tom Lane)
Typically, compilers assume that __int128 variables are aligned on 16-byte boundaries, but our memory allocation infrastructure isn't prepared to guarantee that, and increasing the setting of MAXALIGN seems infeasible for multiple reasons. Adjust the code to allow use of __int128 only when we can tell the compiler to assume lesser alignment. The only known symptom of this problem so far is crashes in some parallel aggregation queries.
(9.6.7,9.5.11,9.4.16) Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION/INTERSECT/EXCEPT) (Tom Lane)
(9.6.7,9.5.11,9.4.16) Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf (Thomas Munro)
(9.6.7,9.5.11,9.4.16) Fix sample INSTR()
functions in the PL/pgSQL documentation (Yugo Nagata, Tom Lane)
These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.
The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.
(9.6.7,9.5.11,9.4.16) Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)
The "tag" portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.
Note that this change has user-visible results in the output of pg_restore --list.
(9.6.7,9.5.11) Rename pg_rewind's copy_file_range
function to avoid conflict with new Linux system call of that name (Andres Freund)
This change prevents build failures with newer glibc versions.
(9.6.7,9.5.11,9.4.16) In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)
(9.6.7) Change the behavior of contrib/cube's cube ~> int operator to make it compatible with KNN search (Alexander Korotkov)
The meaning of the second argument (the dimension selector) has been changed to make it predictable which value is selected even when dealing with cubes of varying dimensionalities.
This is an incompatible change, but since the point of the operator was to be used in KNN searches, it seems rather useless as-is. After installing this update, any expression indexes or materialized views using this operator will need to be reindexed/refreshed.
(9.6.7,9.5.11,9.4.16) Avoid triggering a libc assertion in contrib/hstore, due to use of memcpy()
with equal source and destination pointers (Tomas Vondra)
(9.6.7) Fix incorrect display of tuples' null bitmaps in contrib/pageinspect (Maksim Milyutin)
(9.6.7) In contrib/postgres_fdw, avoid "outer pathkeys do not match mergeclauses" planner error when constructing a plan involving a remote join (Robert Haas)
(9.6.7,9.5.11,9.4.16) Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)
The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.
(9.6.7,9.5.11,9.4.16) Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)
(9.6.7,9.5.11,9.4.16) Support linking to MinGW-built versions of libperl (Noah Misch)
This allows building PL/Perl with some common Perl distributions for Windows.
(9.6.7,9.5.11,9.4.16) Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T (Noah Misch)
Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.
(9.6.7,9.5.11,9.4.16) On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)
This may allow collection of a core dump for some early-startup failures that did not produce a dump before.
(9.6.7,9.5.11,9.4.16) On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)
(9.6.7,9.5.11,9.4.16) Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)
(9.6.7,9.5.11,9.4.16,9.3.21) Add support for spinlocks on Motorola 88K (David Carlier)
(9.6.7,9.5.11,9.4.16) Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for America/Los_Angeles anyway).
Release date: 2017-11-09
This release contains a variety of fixes from 9.6.5. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you use BRIN indexes, see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 9.6.4, see Version 9.6.4.
(9.6.6,9.5.10) Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (Dean Rasheed)
The update path of INSERT ... ON CONFLICT DO UPDATE requires SELECT permission on the columns of the arbiter index, but it failed to check for that in the case of an arbiter specified by constraint name. In addition, for a table with row level security enabled, it failed to check updated rows against the table's SELECT policies (regardless of how the arbiter index was specified). CVE-2017-15099 or CVE-2017-15099)
(9.6.6,9.5.10,9.4.15) Fix crash due to rowtype mismatch in json{b}_populate_recordset()
(Michael Paquier, Tom Lane)
These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. CVE-2017-15098 or CVE-2017-15098)
(9.6.6,9.5.10,9.4.15) Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. CVE-2017-12172 or CVE-2017-12172)
(9.6.6,9.5.10) Fix BRIN index summarization to handle concurrent table extension correctly (Ãlvaro Herrera)
Previously, a race condition allowed some table rows to be omitted from the index. It may be necessary to reindex existing BRIN indexes to recover from past occurrences of this problem.
(9.6.6,9.5.10) Fix possible failures during concurrent updates of a BRIN index (Tom Lane)
These race conditions could result in errors like "invalid index offnum" or "inconsistent range map".
(9.6.6,9.5.10,9.4.15) Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)
(9.6.6) Fix incorrect query results when multiple GROUPING SETS columns contain the same simple variable (Tom Lane)
(9.6.6) Fix incorrect parallelization decisions for nested queries (Amit Kapila, Kuntal Ghosh)
(9.6.6) Fix parallel query handling to not fail when a recently-used role is dropped (Amit Kapila)
(9.6.6,9.5.10,9.4.15) Fix json_build_array()
, json_build_object()
, and their jsonb equivalents to handle explicit VARIADIC arguments correctly (Michael Paquier)
(9.6.6,9.5.10,9.4.15) Properly reject attempts to convert infinite float values to type numeric (Tom Lane, KaiGai Kohei)
Previously the behavior was platform-dependent.
(9.6.6,9.5.10,9.4.15) Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
(9.6.6,9.5.10,9.4.15) Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.
(9.6.6,9.5.10,9.4.15) Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
(9.6.6,9.5.10) Correctly ignore RelabelType expression nodes when determining relation distinctness (David Rowley)
This allows the intended optimization to occur when a subquery has a result column of type varchar.
(9.6.6) Prevent sharing transition states between ordered-set aggregates (David Rowley)
This causes a crash with the built-in ordered-set aggregates, and probably with user-written ones as well. v11 and later will include provisions for dealing with such cases safely, but in released branches, just disable the optimization.
(9.6.6) Prevent idle_in_transaction_session_timeout from being ignored when a statement_timeout occurred earlier (Lukas Fittl)
(9.6.6,9.5.10,9.4.15) Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
(9.6.6,9.5.10,9.4.15) Avoid SIGBUS crash on Linux when a DSM memory request exceeds the space available in tmpfs (Thomas Munro)
(9.6.6) Reduce the frequency of data flush requests during bulk file copies to avoid performance problems on macOS, particularly with its new APFS file system (Tom Lane)
(9.6.6,9.5.10,9.4.15) Prevent low-probability crash in processing of nested trigger firings (Tom Lane)
(9.6.6,9.5.10,9.4.15) Allow COPY's FREEZE option to work when the transaction isolation level is REPEATABLE READ or higher (Noah Misch)
This case was unintentionally broken by a previous bug fix.
(9.6.6,9.5.10,9.4.15) Correctly restore the umask setting when file creation fails in COPY or lo_export()
(Peter Eisentraut)
(9.6.6,9.5.10,9.4.15) Give a better error message for duplicate column names in ANALYZE (Nathan Bossart)
(9.6.6) Add missing cases in GetCommandLogLevel()
, preventing errors when certain SQL commands are used while log_statement is set to ddl (Michael Paquier)
(9.6.6,9.5.10,9.4.15) Fix mis-parsing of the last line in a non-newline-terminated pg_hba.conf file (Tom Lane)
(9.6.6) Fix AggGetAggref()
to return the correct Aggref nodes to aggregate final functions whose transition calculations have been merged (Tom Lane)
(9.6.6) Fix pg_dump to ensure that it emits GRANT commands in a valid order (Stephen Frost)
(9.6.6,9.5.10) Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing (Michael Paquier)
This is particularly helpful on Windows.
(9.6.6,9.5.10,9.4.15) Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.
(9.6.6,9.5.10,9.4.15) Fix libpq to guard against integer overflow in the row count of a PGresult (Michael Paquier)
(9.6.6,9.5.10,9.4.15) Fix ecpg's handling of out-of-scope cursor declarations with pointer or array variables (Michael Meskes)
(9.6.6,9.5.10,9.4.15) In ecpglib, correctly handle backslashes in string literals depending on whether standard_conforming_strings is set (Tsunakawa Takayuki)
(9.6.6,9.5.10,9.4.15) Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
(9.6.6) Fix ecpg's regression tests to work reliably on Windows (Christian Ullrich, Michael Meskes)
(9.6.6,9.5.10) Fix missing temp-install prerequisites for check-like Make targets (Noah Misch)
Some non-default test procedures that are meant to work like make check failed to ensure that the temporary installation was up to date.
(9.6.6,9.5.10,9.4.15) Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane)
This fixes various issues; the only one likely to be user-visible is that the default DST rules for a POSIX-style zone name, if no posixrules file exists in the timezone data directory, now match current US law rather than what it was a dozen years ago.
(9.6.6,9.5.10,9.4.15) Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
Release date: 2017-08-31
This release contains a small number of fixes from 9.6.4. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.4, see Version 9.6.4.
(9.6.5,9.5.9,9.4.14) Show foreign tables in information_schema.table_privileges view (Peter Eisentraut)
All other relevant information_schema views include foreign tables, but this one ignored them.
Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:
SET search_path TO information_schema; CREATE OR REPLACE VIEW table_privileges AS SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor, CAST(grantee.rolname AS sql_identifier) AS grantee, CAST(current_database() AS sql_identifier) AS table_catalog, CAST(nc.nspname AS sql_identifier) AS table_schema, CAST(c.relname AS sql_identifier) AS table_name, CAST(c.prtype AS character_data) AS privilege_type, CAST( CASE WHEN -- object owner always has grant options pg_has_role(grantee.oid, c.relowner, 'USAGE') OR c.grantable THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable, CAST (CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy FROM ( SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable), pg_namespace nc, pg_authid u_grantor, ( SELECT oid, rolname FROM pg_authid UNION ALL SELECT 0::oid, 'PUBLIC' ) AS grantee (oid, rolname) WHERE c.relnamespace = nc.oid AND c.relkind IN ('r', 'v', 'f') AND c.grantee = grantee.oid AND c.grantor = u_grantor.oid AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER') AND (pg_has_role(u_grantor.oid, 'USAGE') OR pg_has_role(grantee.oid, 'USAGE') OR grantee.rolname = 'PUBLIC');
This must be repeated in each database to be fixed, including template0.
(9.6.5,9.5.9,9.4.14) Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction (Tom Lane)
This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about "cannot drop active portal".
(9.6.5,9.5.9,9.4.14) Remove assertion that could trigger during a fatal exit (Tom Lane)
(9.6.5,9.5.9,9.4.14) Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)
Certain ALTER commands that change the definition of a composite type or domain type are supposed to fail if there are any stored values of that type in the database, because they lack the infrastructure needed to update or check such values. Previously, these checks could miss relevant values that are wrapped inside range types or sub-domains, possibly allowing the database to become inconsistent.
(9.6.5) Prevent crash when passing fixed-length pass-by-reference data types to parallel worker processes (Tom Lane)
(9.6.5,9.5.9,9.4.14) Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore (FabrÃzio de Royes Mello)
(9.6.5,9.5.9,9.4.14) Change ecpg's parser to allow RETURNING clauses without attached C variables (Michael Meskes)
This allows ecpg programs to contain SQL constructs that use RETURNING internally (for example, inside a CTE) rather than using it to define values to be returned to the client.
(9.6.5) Change ecpg's parser to recognize backslash continuation of C preprocessor command lines (Michael Meskes)
(9.6.5,9.5.9,9.4.14) Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)
This fix avoids possible crashes of PL/Perl due to inconsistent assumptions about the width of time_t values. A side-effect that may be visible to extension developers is that _USE_32BIT_TIME_T is no longer defined globally in PostgreSQL Windows builds. This is not expected to cause problems, because type time_t is not used in any PostgreSQL API definitions.
(9.6.5,9.5.9) Fix make check to behave correctly when invoked via a non-GNU make program (Thomas Munro)
Release date: 2017-08-10
This release contains a variety of fixes from 9.6.3. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.6.3, see Version 9.6.3.
(9.6.4,9.5.8,9.4.13) Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)
The fix forCVE-2017-7486 or CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. CVE-2017-7547 or CVE-2017-7547)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog; CREATE OR REPLACE VIEW pg_user_mappings AS SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser, CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename, CASE WHEN (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role (S.srvowner, 'USAGE') OR has_server_privilege (S.oid, 'USAGE'))) OR (U.umuser = 0 AND pg_has_role (S.srvowner, 'USAGE')) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) THEN U.umoptions ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.
(9.6.4,9.5.8,9.4.13) Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. CVE-2017-7546 or CVE-2017-7546)
(9.6.4,9.5.8,9.4.13) Make lo_put()
check for UPDATE privilege on the target large object (Tom Lane, Michael Paquier)
lo_put()
should surely require the same permissions as lowrite()
, but the check was missing, allowing any user to change the data in a large object. CVE-2017-7548 or CVE-2017-7548)
(9.6.4,9.5.8) Correct the documentation about the process for upgrading standby servers with pg_upgrade (Bruce Momjian)
The previous documentation instructed users to start/stop the primary server after running pg_upgrade but before syncing the standby servers. This sequence is unsafe.
(9.6.4,9.5.8,9.4.13) Fix concurrent locking of tuple update chains (Ãlvaro Herrera)
If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.
(9.6.4,9.5.8,9.4.13) Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)
(9.6.4,9.5.8,9.4.13) Avoid integer overflow and ensuing crash when sorting more than one billion tuples in-memory (Sergey Koposov)
(9.6.4,9.5.8,9.4.13) On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)
This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.
(9.6.4,9.5.8,9.4.13) Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)
(9.6.4,9.5.8,9.4.13) Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)
(9.6.4,9.5.8,9.4.13) Prevent sending SSL session tickets to clients (Tom Lane)
This fix prevents reconnection failures with ticket-aware client-side SSL code.
(9.6.4,9.5.8,9.4.13) Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)
(9.6.4,9.5.8,9.4.13) Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)
Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.
(9.6.4,9.5.8,9.4.13) Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)
This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.
(9.6.4,9.5.8,9.4.13) Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund)
(9.6.4,9.5.8,9.4.13) Fix walsender to exit promptly when client requests shutdown (Tom Lane)
(9.6.4,9.5.8,9.4.13) Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)
(9.6.4,9.5.8,9.4.13) Prevent walsender-triggered panics during shutdown checkpoints (Andres Freund, Michael Paquier)
(9.6.4,9.5.8,9.4.13) Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)
(9.6.4,9.5.8,9.4.13) Fix leakage of small subtransactions spilled to disk during logical decoding (Andres Freund)
This resulted in temporary files consuming excessive disk space.
(9.6.4,9.5.8,9.4.13) Reduce the work needed to build snapshots during creation of logical-decoding slots (Andres Freund, Petr Jelinek)
The previous algorithm was infeasibly expensive on a server with a lot of open transactions.
(9.6.4,9.5.8,9.4.13) Fix race condition that could indefinitely delay creation of logical-decoding slots (Andres Freund, Petr Jelinek)
(9.6.4,9.5.8,9.4.13) Reduce overhead in processing syscache invalidation events (Tom Lane)
This is particularly helpful for logical decoding, which triggers frequent cache invalidation.
(9.6.4) Remove incorrect heuristic used in some cases to estimate join selectivity based on the presence of foreign-key constraints (David Rowley)
In some cases where a multi-column foreign key constraint existed but did not exactly match a query's join structure, the planner used an estimation heuristic that turns out not to work well at all. Revert such cases to the way they were estimated before 9.6.
(9.6.4,9.5.8,9.4.13) Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane)
(9.6.4,9.5.8,9.4.13) Allow window functions to be used in sub-SELECTs that are within the arguments of an aggregate function (Tom Lane)
(9.6.4) Ensure that a view's CHECK OPTIONS clause is enforced properly when the underlying table is a foreign table (Etsuro Fujita)
Previously, the update might get pushed entirely to the foreign server, but the need to verify the view conditions was missed if so.
(9.6.4,9.5.8,9.4.13) Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing)
Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations.
(9.6.4,9.5.8) Fix dangling pointer in ALTER TABLE when there is a comment on a constraint belonging to the table (David Rowley)
Re-applying the comment to the reconstructed constraint could fail with a weird error message, or even crash.
(9.6.4,9.5.8,9.4.13) Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut)
(9.6.4) Allow a foreign table's CHECK constraints to be initially NOT VALID (Amit Langote)
CREATE TABLE silently drops NOT VALID specifiers for CHECK constraints, reasoning that the table must be empty so the constraint can be validated immediately. But this is wrong for CREATE FOREIGN TABLE, where there's no reason to suppose that the underlying table is empty, and even if it is it's no business of ours to decide that the constraint can be treated as valid going forward. Skip this "optimization" for foreign tables.
(9.6.4,9.5.8,9.4.13) Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas)
CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind.
(9.6.4) Allow parallelism in the query plan when COPY copies from a query's result (Andres Freund)
(9.6.4,9.5.8,9.4.13) Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)
(9.6.4,9.5.8,9.4.13) Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane)
(9.6.4,9.5.8,9.4.13) Tighten checks for whitespace in functions that parse identifiers, such as regprocedurein()
(Tom Lane)
Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.
(9.6.4,9.5.8,9.4.13) Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane)
This avoids portability problems, typically manifesting as a "handshake" mismatch during library load, when working with recent Perl versions.
(9.6.4,9.5.8,9.4.13) In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)
Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.
(9.6.4,9.5.8,9.4.13) In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro)
This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.
(9.6.4,9.5.8,9.4.13) Fix pg_dump and pg_restore to emit REFRESH MATERIALIZED VIEW commands last (Tom Lane)
This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.
(9.6.4,9.5.8,9.4.13) Improve pg_dump/pg_restore's reporting of error conditions originating in zlib (Vladimir Kunschikov, Ãlvaro Herrera)
(9.6.4,9.5.8,9.4.13) Fix pg_dump with the --clean option to drop event triggers as expected (Tom Lane)
It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.
(9.6.4) Fix pg_dump with the --clean option to not fail when the public schema doesn't exist (Stephen Frost)
(9.6.4,9.5.8,9.4.13) Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)
(9.6.4,9.5.8,9.4.13) Fix pg_dump output to stdout on Windows (Kuntal Ghosh)
A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.6.4,9.5.8,9.4.13) Fix pg_get_ruledef()
to print correct output for the ON SELECT rule of a view whose columns have been renamed (Tom Lane)
In some corner cases, pg_dump relies on pg_get_ruledef()
to dump views, so that this error could result in dump/reload failures.
(9.6.4,9.5.8,9.4.13) Fix dumping of outer joins with empty constraints, such as the result of a NATURAL LEFT JOIN with no common columns (Tom Lane)
(9.6.4,9.5.8,9.4.13) Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane)
(9.6.4,9.5.8,9.4.13) Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)
A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.6.4,9.5.8) Fix pg_rewind to correctly handle files exceeding 2GB (Kuntal Ghosh, Michael Paquier)
Ordinarily such files won't appear in PostgreSQL data directories, but they could be present in some cases.
(9.6.4,9.5.8,9.4.13) Fix pg_upgrade to ensure that the ending WAL record does not have wal_level = minimum (Bruce Momjian)
This condition could prevent upgraded standby servers from reconnecting.
(9.6.4,9.5.8) Fix pg_xlogdump's computation of WAL record length (Andres Freund)
(9.6.4,9.5.8,9.4.13) In postgres_fdw, re-establish connections to remote servers after ALTER SERVER or ALTER USER MAPPING commands (Kyotaro Horiguchi)
This ensures that option changes affecting connection parameters will be applied promptly.
(9.6.4,9.5.8,9.4.13) In postgres_fdw, allow cancellation of remote transaction control commands (Robert Haas, Rafia Sabih)
This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.
(9.6.4,9.5.8,9.4.13) Increase MAX_SYSCACHE_CALLBACKS to provide more room for extensions (Tom Lane)
(9.6.4,9.5.8,9.4.13) Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane)
This supports larger extension libraries on platforms where it makes a difference.
(9.6.4,9.5.8,9.4.13) In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan)
(9.6.4,9.5.8,9.4.13) In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)
This fixes a former need to move things around in standard Windows installations of libxml2.
(9.6.4,9.5.8,9.4.13) In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch)
(9.6.4,9.5.8,9.4.13) In MSVC builds, honor PROVE_FLAGS settings on vcregress.pl's command line (Andrew Dunstan)
Release date: 2017-05-11
This release contains a variety of fixes from 9.6.2. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are using third-party replication tools that depend on "logical decoding", see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 9.6.2, see Version 9.6.2.
(9.6.3) Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. CVE-2017-7486 or CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry forCVE-2017-7547 or CVE-2017-7547, in Version 9.6.4.
(9.6.3,9.5.7,9.4.12) Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. CVE-2017-7484 or CVE-2017-7484)
(9.6.3,9.5.7,9.4.12) Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Processing of this environment variable was unintentionally dropped in PostgreSQL 9.3, but its documentation remained. This creates a security hazard, since users might be relying on the environment variable to force SSL-encrypted connections, but that would no longer be guaranteed. Restore handling of the variable, but give it lower priority than PGSSLMODE, to avoid breaking configurations that work correctly with post-9.3 code. CVE-2017-7485 or CVE-2017-7485)
(9.6.3,9.5.7,9.4.12) Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)
The initial snapshot created for a logical decoding replication slot was potentially incorrect. This could cause third-party tools that use logical decoding to copy incomplete/inconsistent initial data. This was more likely to happen if the source server was busy at the time of slot creation, or if another logical slot already existed.
If you are using a replication tool that depends on logical decoding, and it should have copied a nonempty data set at the start of replication, it is advisable to recreate the replica after installing this update, or to verify its contents against the source server.
(9.6.3,9.5.7,9.4.12) Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
(9.6.3,9.5.7,9.4.12) Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)
In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.
(9.6.3,9.5.7,9.4.12) Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)
(9.6.3,9.5.7) Fix possible crash when rescanning a nearest-neighbor index-only scan on a GiST index (Tom Lane)
(9.6.3) Prevent delays in postmaster's launching of multiple parallel worker processes (Tom Lane)
There could be a significant delay (up to tens of seconds) before satisfying a query's request for more than one worker process, or when multiple queries requested workers simultaneously. On most platforms this required unlucky timing, but on some it was the typical case.
(9.6.3,9.5.7,9.4.12) Fix postmaster's handling of fork()
failure for a background worker process (Tom Lane)
Previously, the postmaster updated portions of its state as though the process had been launched successfully, resulting in subsequent confusion.
(9.6.3) Fix possible "no relation entry for relid 0" error when planning nested set operations (Tom Lane)
(9.6.3) Fix assorted minor issues in planning of parallel queries (Robert Haas)
(9.6.3,9.5.7) Avoid applying "physical targetlist" optimization to custom scans (Dmitry Ivanov, Tom Lane)
This optimization supposed that retrieving all columns of a tuple is inexpensive, which is true for ordinary Postgres tuples; but it might not be the case for a custom scan provider.
(9.6.3,9.5.7) Use the correct sub-expression when applying a FOR ALL row-level-security policy (Stephen Frost)
In some cases the WITH CHECK restriction would be applied when the USING restriction is more appropriate.
(9.6.3,9.5.7,9.4.12) Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.
(9.6.3,9.5.7,9.4.12) Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)
The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.
(9.6.3,9.5.7,9.4.12) Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)
This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.
(9.6.3,9.5.7) Avoid dangling pointer in COPY ... TO when row-level security is active for the source table (Tom Lane)
Usually this had no ill effects, but sometimes it would cause unexpected errors or crashes.
(9.6.3,9.5.7) Avoid accessing an already-closed relcache entry in CLUSTER and VACUUM FULL (Tom Lane)
With some bad luck, this could lead to indexes on the target relation getting rebuilt with the wrong persistence setting.
(9.6.3,9.5.7,9.4.12) Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.
(9.6.3,9.5.7,9.4.12) Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
(9.6.3) Fix incorrect support for certain box operators in SP-GiST (Nikita Glukhov)
SP-GiST index scans using the operators &< &> &<| and |&> would yield incorrect answers.
(9.6.3,9.5.7,9.4.12) Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom Lane)
The comparison operators for type interval could yield wrong answers for intervals larger than about 296000 years. Indexes on columns containing such large values should be reindexed, since they may be corrupt.
(9.6.3,9.5.7,9.4.12) Fix cursor_to_xml()
to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping <table> element.
(9.6.3,9.5.7,9.4.12) Fix roundoff problems in float8_timestamptz()
and make_interval()
(Tom Lane)
These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.
(9.6.3,9.5.7) Fix pg_get_object_address()
to handle members of operator families correctly (Ãlvaro Herrera)
(9.6.3) Fix cancelling of pg_stop_backup()
when attempting to stop a non-exclusive backup (Michael Paquier, David Steele)
If pg_stop_backup()
was cancelled while waiting for a non-exclusive backup to end, related state was left inconsistent; a new exclusive backup could not be started, and there were other minor problems.
(9.6.3,9.5.7,9.4.12) Improve performance of pg_timezone_names view (Tom Lane, David Rowley)
(9.6.3,9.5.7,9.4.12) Reduce memory management overhead for contexts containing many large blocks (Tom Lane)
(9.6.3,9.5.7,9.4.12) Fix sloppy handling of corner-case errors from lseek()
and close()
(Tom Lane)
Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.
(9.6.3,9.5.7,9.4.12) Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
(9.6.3,9.5.7,9.4.12) Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)
(9.6.3,9.5.7,9.4.12) Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
(9.6.3) Fix pgbench to handle the combination of --connect and --rate options correctly (Fabien Coelho)
(9.6.3) Fix pgbench to honor the long-form option spelling --builtin, as per its documentation (Tom Lane)
(9.6.3) Fix pg_dump/pg_restore to correctly handle privileges for the public schema when using --clean option (Stephen Frost)
Other schemas start out with no privileges granted, but public does not; this requires special-case treatment when it is dropped and restored due to the --clean option.
(9.6.3,9.5.7,9.4.12) In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
(9.6.3) Fix typo in pg_dump's query for initial privileges of a procedural language (Peter Eisentraut)
This resulted in pg_dump always believing that the language had no initial privileges. Since that's true for most procedural languages, ill effects from this bug are probably rare.
(9.6.3,9.5.7,9.4.12) Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.
(9.6.3,9.5.7,9.4.12) Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
(9.6.3,9.5.7,9.4.12) Improve error handling in contrib/adminpack's pg_file_write()
function (Noah Misch)
Notably, it failed to detect errors reported by fclose()
.
(9.6.3,9.5.7,9.4.12) In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)
(9.6.3,9.5.7,9.4.12) Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)
In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.
(9.6.3) In contrib/postgres_fdw, allow join conditions that contain shippable extension-provided functions to be pushed to the remote server (David Rowley, Ashutosh Bapat)
(9.6.3,9.5.7,9.4.12,9.3.17,9.2.21) Support Tcl 8.6 in MSVC builds (Ãlvaro Herrera)
(9.6.3,9.5.7,9.4.12) Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
(9.6.3,9.5.7,9.4.12) Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
(9.6.3,9.5.7,9.4.12) Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.
Release date: 2017-02-09
This release contains a variety of fixes from 9.6.1. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted indexes.
Also, if you are upgrading from a version earlier than 9.6.1, see Version 9.6.1.
(9.6.2,9.5.6,9.4.11) Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)
If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.
(9.6.2,9.5.6,9.4.11) Ensure that the special snapshot used for catalog scans is not invalidated by premature data pruning (Tom Lane)
Backends failed to account for this snapshot when advertising their oldest xmin, potentially allowing concurrent vacuuming operations to remove data that was still needed. This led to transient failures along the lines of "cache lookup failed for relation 1255".
(9.6.2,9.5.6) Fix incorrect WAL logging for BRIN indexes (Kuntal Ghosh)
The WAL record emitted for a BRIN "revmap" page when moving an index tuple to a different page was incorrect. Replay would make the related portion of the index useless, forcing it to be recomputed.
(9.6.2,9.5.6,9.4.11) Unconditionally WAL-log creation of the "init fork" for an unlogged table (Michael Paquier)
Previously, this was skipped when wal_level = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash.
(9.6.2,9.5.6,9.4.11) If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)
(9.6.2,9.5.6,9.4.11) Ensure that hot standby feedback works correctly when it's enabled at standby server start (Ants Aasma, Craig Ringer)
(9.6.2,9.5.6,9.4.11) Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)
(9.6.2,9.5.6,9.4.11) Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)
This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.
(9.6.2) Disallow setting the num_sync field to zero in synchronous_standby_names (Fujii Masao)
The correct way to disable synchronous standby is to set the whole value to an empty string.
(9.6.2) Don't count background worker processes against a user's connection limit (David Rowley)
(9.6.2,9.5.6,9.4.11) Fix check for when an extension member object can be dropped (Tom Lane)
Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.
(9.6.2) Fix tracking of initial privileges for extension member objects so that it works correctly with ALTER EXTENSION ... ADD/DROP (Stephen Frost)
An object's current privileges at the time it is added to the extension will now be considered its default privileges; only later changes in its privileges will be dumped by subsequent pg_dump runs.
(9.6.2,9.5.6,9.4.11) Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier)
Previously, non-default settings of default_tablespace could result in broken indexes.
(9.6.2,9.5.6,9.4.11) Fix incorrect updating of trigger function properties when changing a foreign-key constraint's deferrability properties with ALTER TABLE ... ALTER CONSTRAINT (Tom Lane)
This led to odd failures during subsequent exercise of the foreign key, as the triggers were fired at the wrong times.
(9.6.2,9.5.6,9.4.11) Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)
This avoids "could not find trigger NNN" or "relation NNN has no triggers" errors.
(9.6.2,9.5.6) Fix ALTER TABLE ... SET DATA TYPE ... USING when child table has different column ordering than the parent (Ãlvaro Herrera)
Failure to adjust the column numbering in the USING expression led to errors, typically "attribute N has wrong type".
(9.6.2,9.5.6,9.4.11) Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote)
The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.
(9.6.2) Ensure that CREATE TABLE ... LIKE ... WITH OIDS creates a table with OIDs, whether or not the LIKE-referenced table(s) have OIDs (Tom Lane)
(9.6.2,9.5.6,9.4.11) Fix CREATE OR REPLACE VIEW to update the view query before attempting to apply the new view options (Dean Rasheed)
Previously the command would fail if the new options were inconsistent with the old view definition.
(9.6.2,9.5.6,9.4.11) Report correct object identity during ALTER TEXT SEARCH CONFIGURATION (Artur Zakirov)
The wrong catalog OID was reported to extensions such as logical decoding.
(9.6.2,9.5.6) Fix commit timestamp mechanism to not fail when queried about the special XIDs FrozenTransactionId and BootstrapTransactionId (Craig Ringer)
(9.6.2,9.5.6) Fix incorrect use of view reloptions as regular table reloptions (Tom Lane)
The symptom was spurious "ON CONFLICT is not supported on table ... used as a catalog table" errors when the target of INSERT ... ON CONFLICT is a view with cascade option.
(9.6.2,9.5.6) Fix incorrect "target lists can have at most N entries" complaint when using ON CONFLICT with wide tables (Tom Lane)
(9.6.2) Fix spurious "query provides a value for a dropped column" errors during INSERT or UPDATE on a table with a dropped column (Tom Lane)
(9.6.2,9.5.6,9.4.11) Prevent multicolumn expansion of foo.* in an UPDATE source expression (Tom Lane)
This led to "UPDATE target count mismatch --- internal error". Now the syntax is understood as a whole-row variable, as it would be in other contexts.
(9.6.2,9.5.6,9.4.11) Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane)
This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit.
(9.6.2,9.5.6,9.4.11) Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)
Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"...").
(9.6.2) Fix execution of DISTINCT and ordered aggregates when multiple such aggregates are able to share the same transition state (Heikki Linnakangas)
(9.6.2) Fix implementation of phrase search operators in tsquery (Tom Lane)
Remove incorrect, and inconsistently-applied, rewrite rules that tried to transform away AND/OR/NOT operators appearing below a PHRASE operator; instead upgrade the execution engine to handle such cases correctly. This fixes assorted strange behavior and possible crashes for text search queries containing such combinations. Also fix nested PHRASE operators to work sanely in combinations other than simple left-deep trees, correct the behavior when removing stopwords from a phrase search clause, and make sure that index searches behave consistently with simple sequential-scan application of such queries.
(9.6.2,9.5.6,9.4.11) Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan)
Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.
(9.6.2,9.5.6,9.4.11) Prevent crash when ts_rewrite()
replaces a non-top-level subtree with an empty query (Artur Zakirov)
(9.6.2,9.5.6,9.4.11) Fix performance problems in ts_rewrite()
(Tom Lane)
(9.6.2,9.5.6,9.4.11) Fix ts_rewrite()
's handling of nested NOT operators (Tom Lane)
(9.6.2,9.5.6) Improve speed of user-defined aggregates that use array_append()
as transition function (Tom Lane)
(9.6.2,9.5.6,9.4.11) Fix array_fill()
to handle empty arrays properly (Tom Lane)
(9.6.2,9.5.6) Fix possible crash in array_position()
or array_positions()
when processing arrays of records (Junseok Yang)
(9.6.2,9.5.6,9.4.11) Fix one-byte buffer overrun in quote_literal_cstr()
(Heikki Linnakangas)
The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.
(9.6.2,9.5.6,9.4.11) Prevent multiple calls of pg_start_backup()
and pg_stop_backup()
from running concurrently (Michael Paquier)
This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.
(9.6.2,9.5.6) Disable transform that attempted to remove no-op AT TIME ZONE conversions (Tom Lane)
This resulted in wrong answers when the simplified expression was used in an index condition.
(9.6.2,9.5.6,9.4.11) Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane)
In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field.
(9.6.2) Fix crash if the number of workers available to a parallel query decreases during a rescan (Andreas Seltenreich)
(9.6.2,9.5.6) Fix bugs in transmitting GUC parameter values to parallel workers (Michael Paquier, Tom Lane)
(9.6.2) Allow statements prepared with PREPARE to be given parallel plans (Amit Kapila, Tobias Bussmann)
(9.6.2) Fix incorrect generation of parallel plans for semi-joins (Tom Lane)
(9.6.2) Fix planner's cardinality estimates for parallel joins (Robert Haas)
Ensure that these estimates reflect the number of rows predicted to be seen by each worker, rather than the total.
(9.6.2) Fix planner to avoid trying to parallelize plan nodes containing initplans or subplans (Tom Lane, Amit Kapila)
(9.6.2,9.5.6,9.4.11) Ensure that cached plans are invalidated by changes in foreign-table options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)
(9.6.2) Fix the plan generated for sorted partial aggregation with a constant GROUP BY clause (Tom Lane)
(9.6.2) Fix "could not find plan for CTE" planner error when dealing with a UNION ALL containing CTE references (Tom Lane)
(9.6.2) Fix mishandling of initplans when forcibly adding a Material node to a subplan (Tom Lane)
The typical consequence of this mistake was a "plan should not reference subplan's variable" error.
(9.6.2) Fix foreign-key-based join selectivity estimation for semi-joins and anti-joins, as well as inheritance cases (Tom Lane)
The new code for taking the existence of a foreign key relationship into account did the wrong thing in these cases, making the estimates worse not better than the pre-9.6 code.
(9.6.2) Fix pg_dump to emit the data of a sequence that is marked as an extension configuration table (Michael Paquier)
(9.6.2) Fix mishandling of ALTER DEFAULT PRIVILEGES ... REVOKE in pg_dump (Stephen Frost)
pg_dump missed issuing the required REVOKE commands in cases where ALTER DEFAULT PRIVILEGES had been used to reduce privileges to less than they would normally be.
(9.6.2,9.5.6,9.4.11) Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)
(9.6.2,9.5.6,9.4.11) Fix pg_restore with --create --if-exists to behave more sanely if an archive contains unrecognized DROP commands (Tom Lane)
This doesn't fix any live bug, but it may improve the behavior in future if pg_restore is used with an archive generated by a later pg_dump version.
(9.6.2,9.5.6,9.4.11) Fix pg_basebackup's rate limiting in the presence of slow I/O (Antonin Houska)
If disk I/O was transiently much slower than the specified rate limit, the calculation overflowed, effectively disabling the rate limit for the rest of the run.
(9.6.2,9.5.6,9.4.11) Fix pg_basebackup's handling of symlinked pg_stat_tmp and pg_replslot subdirectories (Magnus Hagander, Michael Paquier)
(9.6.2,9.5.6,9.4.11) Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)
(9.6.2) Improve initdb to insert the correct platform-specific default values for the xxx_flush_after parameters into postgresql.conf (Fabien Coelho, Tom Lane)
This is a cleaner way of documenting the default values than was used previously.
(9.6.2,9.5.6) Fix possible mishandling of expanded arrays in domain check constraints and CASE execution (Tom Lane)
It was possible for a PL/pgSQL function invoked in these contexts to modify or even delete an array value that needs to be preserved for additional operations.
(9.6.2,9.5.6) Fix nested uses of PL/pgSQL functions in contexts such as domain check constraints evaluated during assignment to a PL/pgSQL variable (Tom Lane)
(9.6.2,9.5.6,9.4.11) Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)
This avoids failures if the objects are used after a Python garbage collection cycle has occurred.
(9.6.2,9.5.6,9.4.11) Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane)
This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that.
(9.6.2,9.5.6,9.4.11) Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing)
This change simplifies use of the same password file across Unix and Windows machines.
(9.6.2,9.5.6,9.4.11) Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)
(9.6.2) Fix incorrect error reporting for duplicate data in psql's \crosstabview (Tom Lane)
psql sometimes quoted the wrong row and/or column values when complaining about multiple entries for the same crosstab cell.
(9.6.2,9.5.6,9.4.11) Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost)
(9.6.2) Fix psql's tab completion for ALTER TABLE t ALTER c DROP ... (Kyotaro Horiguchi)
(9.6.2,9.5.6,9.4.11) In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning "no pager" (Tom Lane)
Previously, such a setting caused output intended for the pager to vanish entirely.
(9.6.2,9.5.6,9.4.11) Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway)
(9.6.2,9.5.6,9.4.11) Teach contrib/dblink to ignore irrelevant server options when it uses a contrib/postgres_fdw foreign server as the source of connection options (Corey Huinker)
Previously, if the foreign server object had options that were not also libpq connection options, an error occurred.
(9.6.2,9.5.6) Fix portability problems in contrib/pageinspect's functions for GIN indexes (Peter Eisentraut, Tom Lane)
(9.6.2) Fix possible miss of socket read events while waiting on Windows (Amit Kapila)
This error was harmless for most uses, but it is known to cause hangs when trying to use the pldebugger extension.
(9.6.2,9.5.6,9.4.11) On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)
(9.6.2,9.5.6,9.4.11) Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)
This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.
(9.6.2,9.5.6,9.4.11) Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.
Release date: 2016-10-27
This release contains a variety of fixes from 9.6.0. For information about new features in the 9.6 major release, see Version 9.6.0.
A dump/restore is not required for those running 9.6.X.
However, if your installation has been affected by the bugs described in the first two changelog entries below, then after updating you may need to take action to repair corrupted free space maps and/or visibility maps.
(9.6.1,9.5.5,9.4.10) Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)
It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like "could not read block XXX: read only 0 of 8192 bytes". Checksum failures in the visibility map are also possible, if checksumming is enabled.
Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.
(9.6.1) Fix possible data corruption when pg_upgrade rewrites a relation visibility map into 9.6 format (Tom Lane)
On big-endian machines, bytes of the new visibility map were written in the wrong order, leading to a completely incorrect map. On Windows, the old map was read using text mode, leading to incorrect results if the map happened to contain consecutive bytes that matched a carriage return/line feed sequence. The latter error would almost always lead to a pg_upgrade failure due to the map file appearing to be the wrong length.
If you are using a big-endian machine (many non-Intel architectures are big-endian) and have used pg_upgrade to upgrade from a pre-9.6 release, you should assume that all visibility maps are incorrect and need to be regenerated. It is sufficient to truncate each relation's visibility map with contrib/pg_visibility's pg_truncate_visibility_map()
function. For more information see https://wiki.postgresql.org/wiki/Visibility_Map_Problems.
(9.6.1,9.5.5) Don't throw serialization errors for self-conflicting insertions in INSERT ... ON CONFLICT (Thomas Munro, Peter Geoghegan)
(9.6.1) Fix use-after-free hazard in execution of aggregate functions using DISTINCT (Peter Geoghegan)
This could lead to a crash or incorrect query results.
(9.6.1) Fix incorrect handling of polymorphic aggregates used as window functions (Tom Lane)
The aggregate's transition function was told that its first argument and result were of the aggregate's output type, rather than the state type. This led to errors or crashes with polymorphic transition functions.
(9.6.1,9.5.5) Fix COPY with a column name list from a table that has row-level security enabled (Adam Brightwell)
(9.6.1,9.5.5,9.4.10) Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)
Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>.
(9.6.1,9.5.5) Fix statistics update for TRUNCATE in a prepared transaction (Stas Kelvich)
(9.6.1,9.5.5,9.4.10) Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)
Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint.
(9.6.1,9.5.5) Show a sensible value in pg_settings.unit for min_wal_size and max_wal_size (Tom Lane)
(9.6.1) Fix replacement of array elements in jsonb_set()
(Tom Lane)
If the target is an existing JSON array element, it got deleted instead of being replaced with a new value.
(9.6.1,9.5.5,9.4.10) Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
(9.6.1,9.5.5) Preserve commit timestamps across server restart (Julien Rouhaud, Craig Ringer)
With track_commit_timestamp turned on, old commit timestamps became inaccessible after a clean server restart.
(9.6.1,9.5.5,9.4.10) Fix logical WAL decoding to work properly when a subtransaction's WAL output is large enough to spill to disk (Andres Freund)
(9.6.1) Fix dangling-pointer problem in logical WAL decoding (Stas Kelvich)
(9.6.1,9.5.5,9.4.10) Round shared-memory allocation request to a multiple of the actual huge page size when attempting to use huge pages on Linux (Tom Lane)
This avoids possible failures during munmap()
on systems with atypical default huge page sizes. Except in crash-recovery cases, there were no ill effects other than a log message.
(9.6.1,9.5.5,9.4.10) Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.
(9.6.1,9.5.5,9.4.10) Avoid corner-case memory leak in libpq (Tom Lane)
The reported problem involved leaking an error report during PQreset()
, but there might be related cases.
(9.6.1,9.5.5) In pg_upgrade, check library loadability in name order (Tom Lane)
This is a workaround to deal with cross-extension dependencies from language transform modules to their base language and data type modules.
(9.6.1) Fix pg_upgrade to work correctly for extensions containing index access methods (Tom Lane)
To allow this, the server has been extended to support ALTER EXTENSION ADD/DROP ACCESS METHOD. That functionality should have been included in the original patch to support dynamic creation of access methods, but it was overlooked.
(9.6.1) Improve error reporting in pg_upgrade's file copying/linking/rewriting steps (Tom Lane, Ãlvaro Herrera)
(9.6.1) Fix pg_dump to work against pre-7.4 servers (Amit Langote, Tom Lane)
(9.6.1,9.5.5) Disallow specifying both --source-server and --source-target options to pg_rewind (Michael Banck)
(9.6.1,9.5.5) Make pg_rewind turn off synchronous_commit in its session on the source server (Michael Banck, Michael Paquier)
This allows pg_rewind to work even when the source server is using synchronous replication that is not working for some reason.
(9.6.1,9.5.5,9.4.10) In pg_xlogdump, retry opening new WAL segments when using --follow option (Magnus Hagander)
This allows for a possible delay in the server's creation of the next segment.
(9.6.1) Fix contrib/pg_visibility to report the correct TID for a corrupt tuple that has been the subject of a rolled-back update (Tom Lane)
(9.6.1) Fix makefile dependencies so that parallel make of PL/Python by itself will succeed reliably (Pavel Raiskup)
(9.6.1,9.5.5,9.4.10) Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.
Release date: 2016-09-29
Major enhancements in PostgreSQL 9.6 include:
(9.6.0) Parallel execution of sequential scans, joins and aggregates
(9.6.0) Avoid scanning pages unnecessarily during vacuum freeze operations
(9.6.0) Synchronous replication now allows multiple standby servers for increased reliability
(9.6.0) Full-text search can now search for phrases (multiple adjacent words)
(9.6.0) postgres_fdw now supports remote joins, sorts, UPDATEs, and DELETEs
(9.6.0) Substantial performance improvements, especially in the area of scalability on multi-CPU-socket servers
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.6 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
(9.6.0) Improve the pg_stat_activity view's information about what a process is waiting for (Amit Kapila, Ildus Kurbangaliev)
Historically a process has only been shown as waiting if it was waiting for a heavyweight lock. Now waits for lightweight locks and buffer pins are also shown in pg_stat_activity. Also, the type of lock being waited for is now visible. These changes replace the waiting column with wait_event_type and wait_event.
(9.6.0) In to_char()
, do not count a minus sign (when needed) as part of the field width for time-related fields (Bruce Momjian)
For example, to_char('-4 years'::interval, 'YY') now returns -04, rather than -4.
(9.6.0) Make extract()
behave more reasonably with infinite inputs (Vitaly Burovoy)
Historically the extract()
function just returned zero given an infinite timestamp, regardless of the given field name. Make it return infinity or -infinity as appropriate when the requested field is one that is monotonically increasing (e.g, year, epoch), or NULL when it is not (e.g., day, hour). Also, throw the expected error for bad field names.
(9.6.0) Remove PL/pgSQL's "feature" that suppressed the innermost line of CONTEXT for messages emitted by RAISE commands (Pavel Stehule)
This ancient backwards-compatibility hack was agreed to have outlived its usefulness.
(9.6.0) Fix the default text search parser to allow leading digits in email and host tokens (Artur Zakirov)
In most cases this will result in few changes in the parsing of text. But if you have data where such addresses occur frequently, it may be worth rebuilding dependent tsvector columns and indexes so that addresses of this form will be found properly by text searches.
(9.6.0) Extend contrib/unaccent's standard unaccent.rules file to handle all diacritics known to Unicode, and to expand ligatures correctly (Thomas Munro, Léonard Benedetti)
The previous version neglected to convert some less-common letters with diacritic marks. Also, ligatures are now expanded into separate letters. Installations that use this rules file may wish to rebuild tsvector columns and indexes that depend on the result.
(9.6.0) Remove the long-deprecated CREATEUSER/NOCREATEUSER options from CREATE ROLE and allied commands (Tom Lane)
CREATEUSER actually meant SUPERUSER, for ancient backwards-compatibility reasons. This has been a constant source of confusion for people who (reasonably) expect it to mean CREATEROLE. It has been deprecated for ten years now, so fix the problem by removing it.
(9.6.0) Treat role names beginning with pg_ as reserved (Stephen Frost)
User creation of such role names is now disallowed. This prevents conflicts with built-in roles created by initdb.
(9.6.0) Change a column name in the information_schema.routines view from result_cast_character_set_name to result_cast_char_set_name (Clément Prévost)
The SQL:2011 standard specifies the longer name, but that appears to be a mistake, because adjacent column names use the shorter style, as do other information_schema views.
(9.6.0) psql's -c option no longer implies --no-psqlrc (Pavel Stehule, Catalin Iacob)
Write --no-psqlrc (or its abbreviation -X) explicitly to obtain the old behavior. Scripts so modified will still work with old versions of psql.
(9.6.0) Improve pg_restore's -t option to match all types of relations, not only plain tables (Craig Ringer)
(9.6.0) Change the display format used for NextXID in pg_controldata and related places (Joe Conway, Bruce Momjian)
Display epoch-and-transaction-ID values in the format number:number. The previous format number/number was confusingly similar to that used for LSNs.
(9.6.0) Update extension functions to be marked parallel-safe where appropriate (Andreas Karlsson)
Many of the standard extensions have been updated to allow their functions to be executed within parallel query worker processes. These changes will not take effect in databases pg_upgrade'd from prior versions unless you apply ALTER EXTENSION UPDATE to each such extension (in each database of a cluster).
Below you will find a detailed account of the changes between PostgreSQL 9.6 and the previous major release.
(9.6.0) Parallel queries (Robert Haas, Amit Kapila, David Rowley, many others)
With 9.6, PostgreSQL introduces initial support for parallel execution of large queries. Only strictly read-only queries where the driving table is accessed via a sequential scan can be parallelized. Hash joins and nested loops can be performed in parallel, as can aggregation (for supported aggregates). Much remains to be done, but this is already a useful set of features.
Parallel query execution is not (yet) enabled by default. To allow it, set the new configuration parameter max_parallel_workers_per_gather to a value larger than zero. Additional control over use of parallelism is available through other new configuration parameters force_parallel_mode, parallel_setup_cost, parallel_tuple_cost, and min_parallel_relation_size.
(9.6.0) Provide infrastructure for marking the parallel-safety status of functions (Robert Haas, Amit Kapila)
(9.6.0) Allow GIN index builds to make effective use of maintenance_work_mem settings larger than 1 GB (Robert Abraham, Teodor Sigaev)
(9.6.0) Add pages deleted from a GIN index's pending list to the free space map immediately (Jeff Janes, Teodor Sigaev)
This reduces bloat if the table is not vacuumed often.
(9.6.0) Add gin_clean_pending_list()
function to allow manual invocation of pending-list cleanup for a GIN index (Jeff Janes)
Formerly, such cleanup happened only as a byproduct of vacuuming or analyzing the parent table.
(9.6.0) Improve handling of dead index tuples in GiST indexes (Anastasia Lubennikova)
Dead index tuples are now marked as such when an index scan notices that the corresponding heap tuple is dead. When inserting tuples, marked-dead tuples will be removed if needed to make space on the page.
(9.6.0) Add an SP-GiST operator class for type box (Alexander Lebedev)
(9.6.0) Improve sorting performance by using quicksort, not replacement selection sort, when performing external sort steps (Peter Geoghegan)
The new approach makes better use of the CPU cache for typical cache sizes and data volumes. Where necessary, the behavior can be adjusted via the new configuration parameter replacement_sort_tuples.
(9.6.0) Speed up text sorts where the same string occurs multiple times (Peter Geoghegan)
(9.6.0) Speed up sorting of uuid, bytea, and char(n) fields by using "abbreviated" keys (Peter Geoghegan)
Support for abbreviated keys has also been added to the non-default operator classes text_pattern_ops, varchar_pattern_ops, and bpchar_pattern_ops. Processing of ordered-set aggregates can also now exploit abbreviated keys.
(9.6.0) Speed up CREATE INDEX CONCURRENTLY by treating TIDs as 64-bit integers during sorting (Peter Geoghegan)
(9.6.0) Reduce contention for the ProcArrayLock (Amit Kapila, Robert Haas)
(9.6.0) Improve performance by moving buffer content locks into the buffer descriptors (Andres Freund, Simon Riggs)
(9.6.0) Replace shared-buffer header spinlocks with atomic operations to improve scalability (Alexander Korotkov, Andres Freund)
(9.6.0) Use atomic operations, rather than a spinlock, to protect an LWLock's wait queue (Andres Freund)
(9.6.0) Partition the shared hash table freelist to reduce contention on multi-CPU-socket servers (Aleksander Alekseev)
(9.6.0,9.5.6,9.4.11) Reduce interlocking on standby servers during the replay of btree index vacuuming operations (Simon Riggs)
This change avoids substantial replication delays that sometimes occurred while replaying such operations.
(9.6.0) Improve ANALYZE's estimates for columns with many nulls (Tomas Vondra, Alex Shulgin)
Previously ANALYZE tended to underestimate the number of non-NULL distinct values in a column with many NULLs, and was also inaccurate in computing the most-common values.
(9.6.0) Improve planner's estimate of the number of distinct values in a query result (Tomas Vondra)
(9.6.0) Use foreign key relationships to infer selectivity for join predicates (Tomas Vondra, David Rowley)
If a table t has a foreign key restriction, say (a,b) REFERENCES r (x,y), then a WHERE condition such as t.a = r.x AND t.b = r.y cannot select more than one r row per t row. The planner formerly considered these AND conditions to be independent and would often drastically misestimate selectivity as a result. Now it compares the WHERE conditions to applicable foreign key constraints and produces better estimates.
(9.6.0) Avoid re-vacuuming pages containing only frozen tuples (Masahiko Sawada, Robert Haas, Andres Freund)
Formerly, anti-wraparound vacuum had to visit every page of a table, even pages where there was nothing to do. Now, pages containing only already-frozen tuples are identified in the table's visibility map, and can be skipped by vacuum even when doing transaction wraparound prevention. This should greatly reduce the cost of maintaining large tables containing mostly-unchanging data.
If necessary, vacuum can be forced to process all-frozen pages using the new DISABLE_PAGE_SKIPPING option. Normally this should never be needed, but it might help in recovering from visibility-map corruption.
(9.6.0) Avoid useless heap-truncation attempts during VACUUM (Jeff Janes, Tom Lane)
This change avoids taking an exclusive table lock in some cases where no truncation is possible. The main benefit comes from avoiding unnecessary query cancellations on standby servers.
(9.6.0) Allow old MVCC snapshots to be invalidated after a configurable timeout (Kevin Grittner)
Normally, deleted tuples cannot be physically removed by vacuuming until the last transaction that could "see" them is gone. A transaction that stays open for a long time can thus cause considerable table bloat because space cannot be recycled. This feature allows setting a time-based limit, via the new configuration parameter old_snapshot_threshold, on how long an MVCC snapshot is guaranteed to be valid. After that, dead tuples are candidates for removal. A transaction using an outdated snapshot will get an error if it attempts to read a page that potentially could have contained such data.
(9.6.0) Ignore GROUP BY columns that are functionally dependent on other columns (David Rowley)
If a GROUP BY clause includes all columns of a non-deferred primary key, as well as other columns of the same table, those other columns are redundant and can be dropped from the grouping. This saves computation in many common cases.
(9.6.0) Allow use of an index-only scan on a partial index when the index's WHERE clause references columns that are not indexed (Tomas Vondra, Kyotaro Horiguchi)
For example, an index defined by CREATE INDEX tidx_partial ON t(b) WHERE a > 0 can now be used for an index-only scan by a query that specifies WHERE a > 0 and does not otherwise use a. Previously this was disallowed because a is not listed as an index column.
(9.6.0) Perform checkpoint writes in sorted order (Fabien Coelho, Andres Freund)
Previously, checkpoints wrote out dirty pages in whatever order they happen to appear in shared buffers, which usually is nearly random. That performs poorly, especially on rotating media. This change causes checkpoint-driven writes to be done in order by file and block number, and to be balanced across tablespaces.
(9.6.0) Where feasible, trigger kernel writeback after a configurable number of writes, to prevent accumulation of dirty data in kernel disk buffers (Fabien Coelho, Andres Freund)
PostgreSQL writes data to the kernel's disk cache, from where it will be flushed to physical storage in due time. Many operating systems are not smart about managing this and allow large amounts of dirty data to accumulate before deciding to flush it all at once, causing long delays for new I/O requests until the flushing finishes. This change attempts to alleviate this problem by explicitly requesting data flushes after a configurable interval.
On Linux, sync_file_range()
is used for this purpose, and the feature is on by default on Linux because that function has few downsides. This flushing capability is also available on other platforms if they have msync()
or posix_fadvise()
, but those interfaces have some undesirable side-effects so the feature is disabled by default on non-Linux platforms.
The new configuration parameters backend_flush_after, bgwriter_flush_after, checkpoint_flush_after, and wal_writer_flush_after control this behavior.
(9.6.0) Improve aggregate-function performance by sharing calculations across multiple aggregates if they have the same arguments and transition functions (David Rowley)
For example, SELECT AVG(x), VARIANCE(x) FROM tab can use a single per-row computation for both aggregates.
(9.6.0) Speed up visibility tests for recently-created tuples by checking the current transaction's snapshot, not pg_clog, to decide if the source transaction should be considered committed (Jeff Janes, Tom Lane)
(9.6.0) Allow tuple hint bits to be set sooner than before (Andres Freund)
(9.6.0) Improve performance of short-lived prepared transactions (Stas Kelvich, Simon Riggs, Pavan Deolasee)
Two-phase commit information is now written only to WAL during PREPARE TRANSACTION, and will be read back from WAL during COMMIT PREPARED if that happens soon thereafter. A separate state file is created only if the pending transaction does not get committed or aborted by the time of the next checkpoint.
(9.6.0) Improve performance of memory context destruction (Jan Wieck)
(9.6.0) Improve performance of resource owners with many tracked objects (Aleksander Alekseev)
(9.6.0) Improve speed of the output functions for timestamp, time, and date data types (David Rowley, Andres Freund)
(9.6.0) Avoid some unnecessary cancellations of hot-standby queries during replay of actions that take AccessExclusive locks (Jeff Janes)
(9.6.0) Extend relations multiple blocks at a time when there is contention for the relation's extension lock (Dilip Kumar)
This improves scalability by decreasing contention.
(9.6.0) Increase the number of clog buffers for better scalability (Amit Kapila, Andres Freund)
(9.6.0) Speed up expression evaluation in PL/pgSQL by keeping ParamListInfo entries for simple variables valid at all times (Tom Lane)
(9.6.0) Avoid reducing the SO_SNDBUF setting below its default on recent Windows versions (Chen Huajun)
(9.6.0) Disable update_process_title by default on Windows (Takayuki Tsunakawa)
The overhead of updating the process title is much larger on Windows than most other platforms, and it is also less useful to do it since most Windows users do not have tools that can display process titles.
(9.6.0) Add pg_stat_progress_vacuum system view to provide progress reporting for VACUUM operations (Amit Langote, Robert Haas, Vinayak Pokale, Rahila Syed)
(9.6.0) Add pg_control_system()
, pg_control_checkpoint()
, pg_control_recovery()
, and pg_control_init()
functions to expose fields of pg_control to SQL (Joe Conway, Michael Paquier)
(9.6.0) Add pg_config system view (Joe Conway)
This view exposes the same information available from the pg_config command-line utility, namely assorted compile-time configuration information for PostgreSQL.
(9.6.0) Add a confirmed_flush_lsn column to the pg_replication_slots system view (Marko Tiikkaja)
(9.6.0) Add pg_stat_wal_receiver system view to provide information about the state of a hot-standby server's WAL receiver process (Michael Paquier)
(9.6.0) Add pg_blocking_pids()
function to reliably identify which sessions block which others (Tom Lane)
This function returns an array of the process IDs of any sessions that are blocking the session with the given process ID. Historically users have obtained such information using a self-join on the pg_locks view. However, it is unreasonably tedious to do it that way with any modicum of correctness, and the addition of parallel queries has made the old approach entirely impractical, since locks might be held or awaited by child worker processes rather than the session's main process.
(9.6.0) Add function pg_current_xlog_flush_location()
to expose the current transaction log flush location (Tomas Vondra)
(9.6.0) Add function pg_notification_queue_usage()
to report how full the NOTIFY queue is (Brendan Jurd)
(9.6.0) Limit the verbosity of memory context statistics dumps (Tom Lane)
The memory usage dump that is output to the postmaster log during an out-of-memory failure now summarizes statistics when there are a large number of memory contexts, rather than possibly generating a very large report. There is also a "grand total" summary line now.
(9.6.0) Add a BSD authentication method to allow use of the BSD Authentication service for PostgreSQL client authentication (Marisa Emerson)
BSD Authentication is currently only available on OpenBSD.
(9.6.0) When using PAM authentication, provide the client IP address or host name to PAM modules via the PAM_RHOST item (Grzegorz Sampolski)
(9.6.0) Provide detail in the postmaster log for more types of password authentication failure (Tom Lane)
All ordinarily-reachable password authentication failure cases should now provide specific DETAIL fields in the log.
(9.6.0) Support RADIUS passwords up to 128 characters long (Marko Tiikkaja)
(9.6.0) Add new SSPI authentication parameters compat_realm and upn_username to control whether NetBIOS or Kerberos realm names and user names are used during SSPI authentication (Christian Ullrich)
(9.6.0) Allow sessions to be terminated automatically if they are in idle-in-transaction state for too long (Vik Fearing)
This behavior is controlled by the new configuration parameter idle_in_transaction_session_timeout. It can be useful to prevent forgotten transactions from holding locks or preventing vacuum cleanup for too long.
(9.6.0) Raise the maximum allowed value of checkpoint_timeout to 24 hours (Simon Riggs)
(9.6.0) Allow effective_io_concurrency to be set per-tablespace to support cases where different tablespaces have different I/O characteristics (Julien Rouhaud)
(9.6.0) Add log_line_prefix option %n to print the current time in Unix epoch form, with milliseconds (Tomas Vondra, Jeff Davis)
(9.6.0) Add syslog_sequence_numbers and syslog_split_messages configuration parameters to provide more control over the message format when logging to syslog (Peter Eisentraut)
(9.6.0) Merge the archive and hot_standby values of the wal_level configuration parameter into a single new value replica (Peter Eisentraut)
Making a distinction between these settings is no longer useful, and merging them is a step towards a planned future simplification of replication setup. The old names are still accepted but are converted to replica internally.
(9.6.0) Add configure option --with-systemd to enable calling sd_notify()
at server start and stop (Peter Eisentraut)
This allows the use of systemd service units of type notify, which greatly simplifies the management of PostgreSQL under systemd.
(9.6.0) Allow the server's SSL key file to have group read access if it is owned by root (Christoph Berg)
Formerly, we insisted the key file be owned by the user running the PostgreSQL server, but that is inconvenient on some systems (such as Debian) that are configured to manage certificates centrally. Therefore, allow the case where the key file is owned by root and has group read access. It is up to the operating system administrator to ensure that the group does not include any untrusted users.
(9.6.0) Force backends to exit if the postmaster dies (Rajeev Rastogi, Robert Haas)
Under normal circumstances the postmaster should always outlive its child processes. If for some reason the postmaster dies, force backend sessions to exit with an error. Formerly, existing backends would continue to run until their clients disconnect, but that is unsafe and inefficient. It also prevents a new postmaster from being started until the last old backend has exited. Backends will detect postmaster death when waiting for client I/O, so the exit will not be instantaneous, but it should happen no later than the end of the current query.
(9.6.0,9.5.6,9.4.11) Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)
When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction.
(9.6.0) Ensure that invalidation messages are recorded in WAL even when issued by a transaction that has no XID assigned (Andres Freund)
This fixes some corner cases in which transactions on standby servers failed to notice changes, such as new indexes.
(9.6.0) Prevent multiple processes from trying to clean a GIN index's pending list concurrently (Teodor Sigaev, Jeff Janes)
This had been intentionally allowed, but it causes race conditions that can result in vacuum missing index entries it needs to delete.
(9.6.0) Allow synchronous replication to support multiple simultaneous synchronous standby servers, not just one (Masahiko Sawada, Beena Emerson, Michael Paquier, Fujii Masao, Kyotaro Horiguchi)
The number of standby servers that must acknowledge a commit before it is considered complete is now configurable as part of the synchronous_standby_names parameter.
(9.6.0) Add new setting remote_apply for configuration parameter synchronous_commit (Thomas Munro)
In this mode, the master waits for the transaction to be applied on the standby server, not just written to disk. That means that you can count on a transaction started on the standby to see all commits previously acknowledged by the master.
(9.6.0) Add a feature to the replication protocol, and a corresponding option to pg_create_physical_replication_slot()
, to allow reserving WAL immediately when creating a replication slot (Gurjeet Singh, Michael Paquier)
This allows the creation of a replication slot to guarantee that all the WAL needed for a base backup will be available.
(9.6.0) Add a --slot option to pg_basebackup (Peter Eisentraut)
This lets pg_basebackup use a replication slot defined for WAL streaming. After the base backup completes, selecting the same slot for regular streaming replication allows seamless startup of the new standby server.
(9.6.0) Extend pg_start_backup()
and pg_stop_backup()
to support non-exclusive backups (Magnus Hagander)
(9.6.0) Allow functions that return sets of tuples to return simple NULLs (Andrew Gierth, Tom Lane)
In the context of SELECT FROM function(...), a function that returned a set of composite values was previously not allowed to return a plain NULL value as part of the set. Now that is allowed and interpreted as a row of NULLs. This avoids corner-case errors with, for example, unnesting an array of composite values.
(9.6.0) Fully support array subscripts and field selections in the target column list of an INSERT with multiple VALUES rows (Tom Lane)
Previously, such cases failed if the same target column was mentioned more than once, e.g., INSERT INTO tab (x[1], x[2]) VALUES (...).
(9.6.0) When appropriate, postpone evaluation of SELECT output expressions until after an ORDER BY sort (Konstantin Knizhnik)
This change ensures that volatile or expensive functions in the output list are executed in the order suggested by ORDER BY, and that they are not evaluated more times than required when there is a LIMIT clause. Previously, these properties held if the ordering was performed by an index scan or pre-merge-join sort, but not if it was performed by a top-level sort.
(9.6.0) Widen counters recording the number of tuples processed to 64 bits (Andreas Scherbaum)
This change allows command tags, e.g., SELECT, to correctly report tuple counts larger than 4 billion. This also applies to PL/pgSQL's GET DIAGNOSTICS ... ROW_COUNT command.
(9.6.0) Avoid doing encoding conversions by converting through the MULE_INTERNAL encoding (Tom Lane)
Previously, many conversions for Cyrillic and Central European single-byte encodings were done by converting to a related MULE_INTERNAL coding scheme and then to the destination encoding. Aside from being inefficient, this meant that when the conversion encountered an untranslatable character, the error message would confusingly complain about failure to convert to or from MULE_INTERNAL, rather than the user-visible encoding.
(9.6.0) Consider performing joins of foreign tables remotely only when the tables will be accessed under the same role ID (Shigeru Hanada, Ashutosh Bapat, Etsuro Fujita)
Previously, the foreign join pushdown infrastructure left the question of security entirely up to individual foreign data wrappers, but that made it too easy for an FDW to inadvertently create subtle security holes. So, make it the core code's job to determine which role ID will access each table, and do not attempt join pushdown unless the role is the same for all relevant relations.
(9.6.0) Allow COPY to copy the output of an INSERT/UPDATE/DELETE ... RETURNING query (Marko Tiikkaja)
Previously, an intermediate CTE had to be written to get this result.
(9.6.0) Introduce ALTER object DEPENDS ON EXTENSION (Abhijit Menon-Sen)
This command allows a database object to be marked as depending on an extension, so that it will be dropped automatically if the extension is dropped (without needing CASCADE). However, the object is not part of the extension, and thus will be dumped separately by pg_dump.
(9.6.0) Make ALTER object SET SCHEMA do nothing when the object is already in the requested schema, rather than throwing an error as it historically has for most object types (Marti Raudsepp)
(9.6.0) Add options to ALTER OPERATOR to allow changing the selectivity functions associated with an existing operator (Yury Zhuravlev)
(9.6.0) Add an IF NOT EXISTS option to ALTER TABLE ADD COLUMN (FabrÃzio de Royes Mello)
(9.6.0) Reduce the lock strength needed by ALTER TABLE when setting fillfactor and autovacuum-related relation options (FabrÃzio de Royes Mello, Simon Riggs)
(9.6.0) Introduce CREATE ACCESS METHOD to allow extensions to create index access methods (Alexander Korotkov, Petr JelÃnek)
(9.6.0) Add a CASCADE option to CREATE EXTENSION to automatically create any extensions the requested one depends on (Petr JelÃnek)
(9.6.0) Make CREATE TABLE ... LIKE include an OID column if any source table has one (Bruce Momjian)
(9.6.0) If a CHECK constraint is declared NOT VALID in a table creation command, automatically mark it as valid (Amit Langote, Amul Sul)
This is safe because the table has no existing rows. This matches the longstanding behavior of FOREIGN KEY constraints.
(9.6.0) Fix DROP OPERATOR to clear pg_operator.oprcom and pg_operator.oprnegate links to the dropped operator (Roma Sokolov)
Formerly such links were left as-is, which could pose a problem in the somewhat unlikely event that the dropped operator's OID was reused for another operator.
(9.6.0) Do not show the same subplan twice in EXPLAIN output (Tom Lane)
In certain cases, typically involving SubPlan nodes in index conditions, EXPLAIN would print data for the same subplan twice.
(9.6.0) Disallow creation of indexes on system columns, except for OID columns (David Rowley)
Such indexes were never considered supported, and would very possibly misbehave since the system might change the system-column fields of a tuple without updating indexes. However, previously there were no error checks to prevent them from being created.
(9.6.0) Use the privilege system to manage access to sensitive functions (Stephen Frost)
Formerly, many security-sensitive functions contained hard-wired checks that would throw an error if they were called by a non-superuser. This forced the use of superuser roles for some relatively pedestrian tasks. The hard-wired error checks are now gone in favor of making initdb revoke the default public EXECUTE privilege on these functions. This allows installations to choose to grant usage of such functions to trusted roles that do not need all superuser privileges.
(9.6.0) Create some built-in roles that can be used to grant access to what were previously superuser-only functions (Stephen Frost)
Currently the only such role is pg_signal_backend, but more are expected to be added in future.
(9.6.0) Improve full-text search to support searching for phrases, that is, lexemes appearing adjacent to each other in a specific order, or with a specified distance between them (Teodor Sigaev, Oleg Bartunov, Dmitry Ivanov)
A phrase-search query can be specified in tsquery input using the new operators <-> and <N>. The former means that the lexemes before and after it must appear adjacent to each other in that order. The latter means they must be exactly N lexemes apart.
(9.6.0) Allow omitting one or both boundaries in an array slice specifier, e.g., array_col[3:] (Yury Zhuravlev)
Omitted boundaries are taken as the upper or lower limit of the corresponding array subscript. This allows simpler specification for many common use-cases.
(9.6.0) Be more careful about out-of-range dates and timestamps (Vitaly Burovoy)
This change prevents unexpected out-of-range errors for timestamp with time zone values very close to the implementation limits. Previously, the "same" value might be accepted or not depending on the timezone setting, meaning that a dump and reload could fail on a value that had been accepted when presented. Now the limits are enforced according to the equivalent UTC time, not local time, so as to be independent of timezone.
Also, PostgreSQL is now more careful to detect overflow in operations that compute new date or timestamp values, such as date + integer.
(9.6.0) For geometric data types, make sure infinity and NaN component values are treated consistently during input and output (Tom Lane)
Such values will now always print the same as they would in a simple float8 column, and be accepted the same way on input. Previously the behavior was platform-dependent.
(9.6.0) Upgrade the ispell dictionary type to handle modern Hunspell files and support more languages (Artur Zakirov)
(9.6.0) Implement look-behind constraints in regular expressions (Tom Lane)
A look-behind constraint is like a lookahead constraint in that it consumes no text; but it checks for existence (or nonexistence) of a match ending at the current point in the string, rather than one starting at the current point. Similar features exist in many other regular-expression engines.
(9.6.0) In regular expressions, if an apparent three-digit octal escape \nnn would exceed 377 (255 decimal), assume it is a two-digit octal escape instead (Tom Lane)
This makes the behavior match current Tcl releases.
(9.6.0) Add transaction ID operators xid <> xid and xid <> int4, for consistency with the corresponding equality operators (Michael Paquier)
(9.6.0) Add jsonb_insert()
function to insert a new element into a jsonb array, or a not-previously-existing key into a jsonb object (Dmitry Dolgov)
(9.6.0) Improve the accuracy of the ln()
, log()
, exp()
, and pow()
functions for type numeric (Dean Rasheed)
(9.6.0) Add a scale(numeric)
function to extract the display scale of a numeric value (Marko Tiikkaja)
(9.6.0) Add trigonometric functions that work in degrees (Dean Rasheed)
For example, sind()
measures its argument in degrees, whereas sin()
measures in radians. These functions go to some lengths to deliver exact results for values where an exact result can be expected, for instance sind(30) = 0.5.
(9.6.0) Ensure that trigonometric functions handle infinity and NaN inputs per the POSIX standard (Dean Rasheed)
The POSIX standard says that these functions should return NaN for NaN input, and should throw an error for out-of-range inputs including infinity. Previously our behavior varied across platforms.
(9.6.0) Make to_timestamp(float8)
convert float infinity to timestamp infinity (Vitaly Burovoy)
Formerly it just failed on an infinite input.
(9.6.0) Add new functions for tsvector data (Stas Kelvich)
The new functions are ts_delete()
, ts_filter()
, unnest()
, tsvector_to_array()
, array_to_tsvector()
, and a variant of setweight()
that sets the weight only for specified lexeme(s).
(9.6.0) Allow ts_stat()
and tsvector_update_trigger()
to operate on values that are of types binary-compatible with the expected argument type, not just exactly that type; for example allow citext where text is expected (Teodor Sigaev)
(9.6.0) Add variadic functions num_nulls()
and num_nonnulls()
that count the number of their arguments that are null or non-null (Marko Tiikkaja)
An example usage is CHECK(num_nonnulls(a,b,c) = 1) which asserts that exactly one of a,b,c is not NULL. These functions can also be used to count the number of null or nonnull elements in an array.
(9.6.0) Add function parse_ident()
to split a qualified, possibly quoted SQL identifier into its parts (Pavel Stehule)
(9.6.0) In to_number()
, interpret a V format code as dividing by 10 to the power of the number of digits following V (Bruce Momjian)
This makes it operate in an inverse fashion to to_char()
.
(9.6.0) Make the to_reg*()
functions accept type text not cstring (Petr Korobeinikov)
This avoids the need to write an explicit cast in most cases where the argument is not a simple literal constant.
(9.6.0) Add pg_size_bytes()
function to convert human-readable size strings to numbers (Pavel Stehule, Vitaly Burovoy, Dean Rasheed)
This function converts strings like those produced by pg_size_pretty()
into bytes. An example usage is SELECT oid::regclass FROM pg_class WHERE pg_total_relation_size(oid) > pg_size_bytes('10 GB').
(9.6.0) In pg_size_pretty()
, format negative numbers similarly to positive ones (Adrian Vondendriesch)
Previously, negative numbers were never abbreviated, just printed in bytes.
(9.6.0) Add an optional missing_ok argument to the current_setting()
function (David Christensen)
This allows avoiding an error for an unrecognized parameter name, instead returning a NULL.
(9.6.0) Change various catalog-inspection functions to return NULL for invalid input (Michael Paquier)
pg_get_viewdef()
now returns NULL if given an invalid view OID, and several similar functions likewise return NULL for bad input. Previously, such cases usually led to "cache lookup failed" errors, which are not meant to occur in user-facing cases.
(9.6.0) Fix pg_replication_origin_xact_reset()
to not have any arguments (Fujii Masao)
The documentation said that it has no arguments, and the C code did not expect any arguments, but the entry in pg_proc mistakenly specified two arguments.
(9.6.0) In PL/pgSQL, detect mismatched CONTINUE and EXIT statements while compiling a function, rather than at execution time (Jim Nasby)
(9.6.0) Extend PL/Python's error-reporting and message-reporting functions to allow specifying additional message fields besides the primary error message (Pavel Stehule)
(9.6.0) Allow PL/Python functions to call themselves recursively via SPI, and fix the behavior when multiple set-returning PL/Python functions are called within one query (Alexey Grishchenko, Tom Lane)
(9.6.0) Fix session-lifespan memory leaks in PL/Python (Heikki Linnakangas, Haribabu Kommi, Tom Lane)
(9.6.0) Modernize PL/Tcl to use Tcl's "object" APIs instead of simple strings (Jim Nasby, Karl Lehenbauer)
This can improve performance substantially in some cases. Note that PL/Tcl now requires Tcl 8.4 or later.
(9.6.0) In PL/Tcl, make database-reported errors return additional information in Tcl's errorCode global variable (Jim Nasby, Tom Lane)
This feature follows the Tcl convention for returning auxiliary data about an error.
(9.6.0) Fix PL/Tcl to perform encoding conversion between the database encoding and UTF-8, which is what Tcl expects (Tom Lane)
Previously, strings were passed through without conversion, leading to misbehavior with non-ASCII characters when the database encoding was not UTF-8.
(9.6.0) Add a nonlocalized version of the severity field in error and notice messages (Tom Lane)
This change allows client code to determine severity of an error or notice without having to worry about localized variants of the severity strings.
(9.6.0) Introduce a feature in libpq whereby the CONTEXT field of messages can be suppressed, either always or only for non-error messages (Pavel Stehule)
The default behavior of PQerrorMessage()
is now to print CONTEXT only for errors. The new function PQsetErrorContextVisibility()
can be used to adjust this.
(9.6.0) Add support in libpq for regenerating an error message with a different verbosity level (Alex Shulgin)
This is done with the new function PQresultVerboseErrorMessage()
. This supports psql's new \errverbose feature, and may be useful for other clients as well.
(9.6.0) Improve libpq's PQhost()
function to return useful data for default Unix-socket connections (Tom Lane)
Previously it would return NULL if no explicit host specification had been given; now it returns the default socket directory path.
(9.6.0) Fix ecpg's lexer to handle line breaks within comments starting on preprocessor directive lines (Michael Meskes)
(9.6.0) Add a --strict-names option to pg_dump and pg_restore (Pavel Stehule)
This option causes the program to complain if there is no match for a -t or -n option, rather than silently doing nothing.
(9.6.0) In pg_dump, dump locally-made changes of privilege assignments for system objects (Stephen Frost)
While it has always been possible for a superuser to change the privilege assignments for built-in or extension-created objects, such changes were formerly lost in a dump and reload. Now, pg_dump recognizes and dumps such changes. (This works only when dumping from a 9.6 or later server, however.)
(9.6.0) Allow pg_dump to dump non-extension-owned objects that are within an extension-owned schema (MartÃn Marqués)
Previously such objects were ignored because they were mistakenly assumed to belong to the extension owning their schema.
(9.6.0) In pg_dump output, include the table name in object tags for object types that are only uniquely named per-table (for example, triggers) (Peter Eisentraut)
(9.6.0) Support multiple -c and -f command-line options (Pavel Stehule, Catalin Iacob)
The specified operations are carried out in the order in which the options are given, and then psql terminates.
(9.6.0) Add a \crosstabview command that prints the results of a query in a cross-tabulated display (Daniel Vérité)
In the crosstab display, data values from one query result column are placed in a grid whose column and row headers come from other query result columns.
(9.6.0) Add an \errverbose command that shows the last server error at full verbosity (Alex Shulgin)
This is useful after getting an unexpected error — you no longer need to adjust the VERBOSITY variable and recreate the failure in order to see error fields that are not shown by default.
(9.6.0) Add \ev and \sv commands for editing and showing view definitions (Petr Korobeinikov)
These are parallel to the existing \ef and \sf commands for functions.
(9.6.0) Add a \gexec command that executes a query and re-submits the result(s) as new queries (Corey Huinker)
(9.6.0) Allow \pset C string to set the table title, for consistency with \C string (Bruce Momjian)
(9.6.0) In \pset expanded auto mode, do not use expanded format for query results with only one column (Andreas Karlsson, Robert Haas)
(9.6.0) Improve the headers output by the \watch command (Michael Paquier, Tom Lane)
Include the \pset title string if one has been set, and shorten the prefabricated part of the header to be timestamp (every Ns). Also, the timestamp format now obeys psql's locale environment.
(9.6.0) Improve tab-completion logic to consider the entire input query, not only the current line (Tom Lane)
Previously, breaking a command into multiple lines defeated any tab completion rules that needed to see words on earlier lines.
(9.6.0) Numerous minor improvements in tab-completion behavior (Peter Eisentraut, Vik Fearing, Kevin Grittner, Kyotaro Horiguchi, Jeff Janes, Andreas Karlsson, Fujii Masao, Thomas Munro, Masahiko Sawada, Pavel Stehule)
(9.6.0) Add a PROMPT option %p to insert the process ID of the connected backend (Julien Rouhaud)
(9.6.0) Introduce a feature whereby the CONTEXT field of messages can be suppressed, either always or only for non-error messages (Pavel Stehule)
Printing CONTEXT only for errors is now the default behavior. This can be changed by setting the special variable SHOW_CONTEXT.
(9.6.0) Make \df+ show function access privileges and parallel-safety attributes (Michael Paquier)
(9.6.0) SQL commands in pgbench scripts are now ended by semicolons, not newlines (Kyotaro Horiguchi, Tom Lane)
This change allows SQL commands in scripts to span multiple lines. Existing custom scripts will need to be modified to add a semicolon at the end of each line that does not have one already. (Doing so does not break the script for use with older versions of pgbench.)
(9.6.0) Support floating-point arithmetic, as well as some built-in functions, in expressions in backslash commands (Fabien Coelho)
(9.6.0) Replace \setrandom with built-in functions (Fabien Coelho)
The new built-in functions include random()
, random_exponential()
, and random_gaussian()
, which perform the same work as \setrandom, but are easier to use since they can be embedded in larger expressions. Since these additions have made \setrandom obsolete, remove it.
(9.6.0) Allow invocation of multiple copies of the built-in scripts, not only custom scripts (Fabien Coelho)
This is done with the new -b switch, which works similarly to -f for custom scripts.
(9.6.0) Allow changing the selection probabilities (weights) for scripts (Fabien Coelho)
When multiple scripts are specified, each pgbench transaction randomly chooses one to execute. Formerly this was always done with uniform probability, but now different selection probabilities can be specified for different scripts.
(9.6.0) Collect statistics for each script in a multi-script run (Fabien Coelho)
This feature adds an intermediate level of detail to existing global and per-command statistics printouts.
(9.6.0) Add a --progress-timestamp option to report progress with Unix epoch timestamps, instead of time since the run started (Fabien Coelho)
(9.6.0) Allow the number of client connections (-c) to not be an exact multiple of the number of threads (-j) (Fabien Coelho)
(9.6.0) When the -T option is used, stop promptly at the end of the specified time (Fabien Coelho)
Previously, specifying a low transaction rate could cause pgbench to wait significantly longer than specified.
(9.6.0) Improve error reporting during initdb's post-bootstrap phase (Tom Lane)
Previously, an error here led to reporting the entire input file as the "failing query"; now just the current query is reported. To get the desired behavior, queries in initdb's input files must be separated by blank lines.
(9.6.0) Speed up initdb by using just one standalone-backend session for all the post-bootstrap steps (Tom Lane)
(9.6.0) Improve pg_rewind so that it can work when the target timeline changes (Alexander Korotkov)
This allows, for example, rewinding a promoted standby back to some state of the old master's timeline.
(9.6.0) Remove obsolete heap_formtuple
/heap_modifytuple
/heap_deformtuple
functions (Peter Geoghegan)
(9.6.0) Add macros to make AllocSetContextCreate()
calls simpler and safer (Tom Lane)
Writing out the individual sizing parameters for a memory context is now deprecated in favor of using one of the new macros ALLOCSET_DEFAULT_SIZES, ALLOCSET_SMALL_SIZES, or ALLOCSET_START_SMALL_SIZES. Existing code continues to work, however.
(9.6.0) Unconditionally use static inline functions in header files (Andres Freund)
This may result in warnings and/or wasted code space with very old compilers, but the notational improvement seems worth it.
(9.6.0) Improve TAP testing infrastructure (Michael Paquier, Craig Ringer, Ãlvaro Herrera, Stephen Frost)
Notably, it is now possible to test recovery scenarios using this infrastructure.
(9.6.0) Make trace_lwlocks identify individual locks by name (Robert Haas)
(9.6.0) Improve psql's tab-completion code infrastructure (Thomas Munro, Michael Paquier)
Tab-completion rules are now considerably easier to write, and more compact.
(9.6.0) Nail the pg_shseclabel system catalog into cache, so that it is available for access during connection authentication (Adam Brightwell)
The core code does not use this catalog for authentication, but extensions might wish to consult it.
(9.6.0) Restructure index access method API to hide most of it at the C level (Alexander Korotkov, Andrew Gierth)
This change modernizes the index AM API to look more like the designs we have adopted for foreign data wrappers and tablesample handlers. This simplifies the C code and makes it much more practical to define index access methods in installable extensions. A consequence is that most of the columns of the pg_am system catalog have disappeared. New inspection functions have been added to allow SQL queries to determine index AM properties that used to be discoverable from pg_am.
(9.6.0) Add pg_init_privs system catalog to hold original privileges of initdb-created and extension-created objects (Stephen Frost)
This infrastructure allows pg_dump to dump changes that an installation may have made in privileges attached to system objects. Formerly, such changes would be lost in a dump and reload, but now they are preserved.
(9.6.0) Change the way that extensions allocate custom LWLocks (Amit Kapila, Robert Haas)
The RequestAddinLWLocks()
function is removed, and replaced by RequestNamedLWLockTranche()
. This allows better identification of custom LWLocks, and is less error-prone.
(9.6.0) Improve the isolation tester to allow multiple sessions to wait concurrently, allowing testing of deadlock scenarios (Robert Haas)
(9.6.0) Introduce extensible node types (KaiGai Kohei)
This change allows FDWs or custom scan providers to store data in a plan tree in a more convenient format than was previously possible.
(9.6.0) Make the planner deal with post-scan/join query steps by generating and comparing Paths, replacing a lot of ad-hoc logic (Tom Lane)
This change provides only marginal user-visible improvements today, but it enables future work on a lot of upper-planner improvements that were impractical to tackle using the old code structure.
(9.6.0) Support partial aggregation (David Rowley, Simon Riggs)
This change allows the computation of an aggregate function to be split into separate parts, for example so that parallel worker processes can cooperate on computing an aggregate. In future it might allow aggregation across local and remote data to occur partially on the remote end.
(9.6.0) Add a generic command progress reporting facility (Vinayak Pokale, Rahila Syed, Amit Langote, Robert Haas)
(9.6.0) Separate out psql's flex lexer to make it usable by other client programs (Tom Lane, Kyotaro Horiguchi)
This eliminates code duplication for programs that need to be able to parse SQL commands well enough to identify command boundaries. Doing that in full generality is more painful than one could wish, and up to now only psql has really gotten it right among our supported client programs.
A new source-code subdirectory src/fe_utils/ has been created to hold this and other code that is shared across our client programs. Formerly such sharing was accomplished by symbolic linking or copying source files at build time, which was ugly and required duplicate compilation.
(9.6.0) Introduce WaitEventSet API to allow efficient waiting for event sets that usually do not change from one wait to the next (Andres Freund, Amit Kapila)
(9.6.0) Add a generic interface for writing WAL records (Alexander Korotkov, Petr JelÃnek, Markus Nullmeier)
This change allows extensions to write WAL records for changes to pages using a standard layout. The problem of needing to replay WAL without access to the extension is solved by having generic replay code. This allows extensions to implement, for example, index access methods and have WAL support for them.
(9.6.0) Support generic WAL messages for logical decoding (Petr JelÃnek, Andres Freund)
This feature allows extensions to insert data into the WAL stream that can be read by logical-decoding plugins, but is not connected to physical data restoration.
(9.6.0) Allow SP-GiST operator classes to store an arbitrary "traversal value" while descending the index (Alexander Lebedev, Teodor Sigaev)
This is somewhat like the "reconstructed value", but it could be any arbitrary chunk of data, not necessarily of the same data type as the indexed column.
(9.6.0) Introduce a LOG_SERVER_ONLY message level for ereport()
(David Steele)
This level acts like LOG except that the message is never sent to the client. It is meant for use in auditing and similar applications.
(9.6.0) Provide a Makefile target to build all generated headers (Michael Paquier, Tom Lane)
submake-generated-headers can now be invoked to ensure that generated backend header files are up-to-date. This is useful in subdirectories that might be built "standalone".
(9.6.0) Support OpenSSL 1.1.0 (Andreas Karlsson, Heikki Linnakangas)
(9.6.0) Add configuration parameter auto_explain.sample_rate to allow contrib/auto_explain to capture just a configurable fraction of all queries (Craig Ringer, Julien Rouhaud)
This allows reduction of overhead for heavy query traffic, while still getting useful information on average.
(9.6.0) Add contrib/bloom module that implements an index access method based on Bloom filtering (Teodor Sigaev, Alexander Korotkov)
This is primarily a proof-of-concept for non-core index access methods, but it could be useful in its own right for queries that search many columns.
(9.6.0) In contrib/cube, introduce distance operators for cubes, and support kNN-style searches in GiST indexes on cube columns (Stas Kelvich)
(9.6.0) Make contrib/hstore's hstore_to_jsonb_loose()
and hstore_to_json_loose()
functions agree on what is a number (Tom Lane)
Previously, hstore_to_jsonb_loose()
would convert numeric-looking strings to JSON numbers, rather than strings, even if they did not exactly match the JSON syntax specification for numbers. This was inconsistent with hstore_to_json_loose()
, so tighten the test to match the JSON syntax.
(9.6.0) Add selectivity estimation functions for contrib/intarray operators to improve plans for queries using those operators (Yury Zhuravlev, Alexander Korotkov)
(9.6.0) Make contrib/pageinspect's heap_page_items()
function show the raw data in each tuple, and add new functions tuple_data_split()
and heap_page_item_attrs()
for inspection of individual tuple fields (Nikolay Shaplov)
(9.6.0) Add an optional S2K iteration count parameter to contrib/pgcrypto's pgp_sym_encrypt()
function (Jeff Janes)
(9.6.0) Add support for "word similarity" to contrib/pg_trgm (Alexander Korotkov, Artur Zakirov)
These functions and operators measure the similarity between one string and the most similar single word of another string.
(9.6.0) Add configuration parameter pg_trgm.similarity_threshold for contrib/pg_trgm's similarity threshold (Artur Zakirov)
This threshold has always been configurable, but formerly it was controlled by special-purpose functions set_limit()
and show_limit()
. Those are now deprecated.
(9.6.0) Improve contrib/pg_trgm's GIN operator class to speed up index searches in which both common and rare keys appear (Jeff Janes)
(9.6.0) Improve performance of similarity searches in contrib/pg_trgm GIN indexes (Christophe Fornaroli)
(9.6.0) Add contrib/pg_visibility module to allow examining table visibility maps (Robert Haas)
(9.6.0) Add ssl_extension_info()
function to contrib/sslinfo, to print information about SSL extensions present in the X509 certificate used for the current connection (Dmitry Voronin)
(9.6.0) Allow extension-provided operators and functions to be sent for remote execution, if the extension is whitelisted in the foreign server's options (Paul Ramsey)
Users can enable this feature when the extension is known to exist in a compatible version in the remote database. It allows more efficient execution of queries involving extension operators.
(9.6.0) Consider performing sorts on the remote server (Ashutosh Bapat)
(9.6.0) Consider performing joins on the remote server (Shigeru Hanada, Ashutosh Bapat)
(9.6.0) When feasible, perform UPDATE or DELETE entirely on the remote server (Etsuro Fujita)
Formerly, remote updates involved sending a SELECT FOR UPDATE command and then updating or deleting the selected rows one-by-one. While that is still necessary if the operation requires any local processing, it can now be done remotely if all elements of the query are safe to send to the remote server.
(9.6.0) Allow the fetch size to be set as a server or table option (Corey Huinker)
Formerly, postgres_fdw always fetched 100 rows at a time from remote queries; now that behavior is configurable.
(9.6.0) Use a single foreign-server connection for local user IDs that all map to the same remote user (Ashutosh Bapat)
(9.6.0) Transmit query cancellation requests to the remote server (Michael Paquier, Etsuro Fujita)
Previously, a local query cancellation request did not cause an already-sent remote query to terminate early.
Release date: 2021-02-11
This release contains a variety of fixes from 9.5.24. For information about new features in the 9.5 major release, see Version 9.5.0.
This is expected to be the last PostgreSQL release in the 9.5.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.5.X.
However, see the first changelog item below, which describes cases in which reindexing indexes after the upgrade may be advisable.
Also, if you are upgrading from a version earlier than 9.5.20, see Version 9.5.20.
(9.5.25,9.6.21) Fix CREATE INDEX CONCURRENTLY to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
(9.5.25,9.6.21) Avoid incorrect results when WHERE CURRENT OF is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
(9.5.25,9.6.21) Fix crash when WHERE CURRENT OF is applied to a cursor whose plan contains a custom scan node (David Geier)
(9.5.25,9.6.21) Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to "failed to build any N-way joins" planner errors.
(9.5.25,9.6.21) Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
(9.5.25,9.6.21) Fix ALTER DEFAULT PRIVILEGES to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to "tuple already updated by self" errors or unique-constraint violations.
(9.5.25,9.6.21) Flush ACL-related caches when pg_authid changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT.
(9.5.25,9.6.21) Prevent misprocessing of ambiguous CREATE TABLE LIKE clauses (Tom Lane)
A LIKE clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE target.
(9.5.25,9.6.21) Rearrange order of operations in CREATE TABLE LIKE so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE depends on an index that's coming from the LIKE clause.
(9.5.25,9.6.21) Disallow converting an inheritance child table to a view (Tom Lane)
(9.5.25,9.6.21) Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
(9.5.25,9.6.21) Fix handling of backslash-escaped multibyte characters in COPY FROM (Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
(9.5.25,9.6.21) Avoid preallocating executor hash tables in EXPLAIN without ANALYZE (Alexey Bashtanov)
(9.5.25,9.6.21) Fix recently-introduced race conditions in LISTEN/NOTIFY queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
The queue tail pointer could become set to a value that's not equal to the queue position of any backend, resulting in effective disabling of the queue truncation logic. Continued use of NOTIFY then led to queue-fill warnings, and eventually to inability to send any more notifies until the server is restarted.
(9.5.25,9.6.21) Allow the jsonb concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
(9.5.25,9.6.21) Fix use of uninitialized value while parsing a * quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *? quantifier would do in full regular expressions.
(9.5.25,9.6.21) Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later "apparent wraparound" or "could not access status of transaction" errors.
(9.5.25,9.6.21) Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
(9.5.25,9.6.21) Fix walsender to accept additional commands after terminating replication (Jeff Davis)
(9.5.25,9.6.21) Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM option (Tom Lane)
(9.5.25,9.6.21) In psql, re-allow including a password in a connection_string argument of a \connect command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
(9.5.25,9.6.21) Fix assorted bugs in psql's \help command (Kyotaro Horiguchi, Tom Lane)
\help with two argument words failed to find a command description using only the first word, for example \help reset all should show the help for RESET but did not. Also, \help often failed to invoke the pager when it should. It also leaked memory.
(9.5.25,9.6.21) In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
(9.5.25,9.6.21) Report the correct database name in connection failure error messages from some client programs (Ãlvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
(9.5.25,9.6.21) Fix memory leak in contrib/auto_explain (Japin Li)
Memory consumed while producing the EXPLAIN output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements enabled.
(9.5.25,9.6.21) In contrib/postgres_fdw, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
(9.5.25,9.6.21) In contrib/pgcrypto, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
(9.5.25,9.6.21) In contrib/pg_trgm's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
(9.5.25,9.6.21) Fix miscalculation of timeouts in contrib/pg_prewarm and contrib/postgres_fdw (Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
(9.5.25,9.6.21) Improve configure's heuristics for selecting PG_SYSROOT on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
(9.5.25,9.6.21) While building on macOS, specify -isysroot in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
(9.5.25,9.6.21) Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 9.5.23. For information about new features in the 9.5 major release, see Version 9.5.0.
The PostgreSQL community will stop releasing updates for the 9.5.X release series in February 2021. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.20, see Version 9.5.20.
(9.5.24,9.6.20) Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the "security restricted operation" sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. CVE-2020-25695 or CVE-2020-25695)
(9.5.24,9.6.20) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d parameter of pg_dump and pg_restore, or the --maintenance-db parameter of the other programs mentioned, can be a "connection string" containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. CVE-2020-25694 or CVE-2020-25694)
(9.5.24,9.6.20) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. CVE-2020-25694 or CVE-2020-25694)
(9.5.24,9.6.20) Prevent psql's \gset command from modifying specially-treated variables (Noah Misch)
\gset without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. CVE-2020-25696 or CVE-2020-25696)
(9.5.24,9.6.20) Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch)
This rare problem would manifest in later "apparent wraparound" or "could not access status of transaction" errors.
(9.5.24,9.6.20) Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
(9.5.24,9.6.20) Fix ALTER ROLE for users with the BYPASSRLS attribute (Tom Lane, Stephen Frost)
The BYPASSRLS attribute is only allowed to be changed by superusers, but other ALTER ROLE operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
(9.5.24,9.6.20) Fix handling of expressions in CREATE TABLE LIKE with inheritance (Tom Lane)
If a CREATE TABLE command uses both LIKE and traditional inheritance, column references in CHECK constraints and expression indexes that came from a LIKE parent table tended to get mis-numbered, resulting in wrong answers and/or bizarre error messages. The same could happen in GENERATED expressions, in branches that have that feature.
(9.5.24,9.6.20) Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit "BC" marker to cancel out and produce AD.
(9.5.24,9.6.20) Ensure that standby servers will archive WAL timeline history files when archive_mode is set to always (Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
(9.5.24,9.6.20) Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane)
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
(9.5.24,9.6.20) Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane)
A "constant" subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
(9.5.24,9.6.20) Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane)
(9.5.24,9.6.20) While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Ãlvaro Herrera)
This oversight could lead to "failed to find parent tuple for heap-only tuple" errors.
(9.5.24,9.6.20) Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like "missing chunk number 0 for toast value NNN". (If you are faced with such an error from an existing index, REINDEX should be enough to fix it.)
(9.5.24,9.6.20) Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Ãlvaro Herrera)
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
(9.5.24,9.6.20) Fix rare "lost saved point in index" errors in scans of multicolumn GIN indexes (Tom Lane)
(9.5.24,9.6.20) Fix use-after-free hazard when an event trigger monitors an ALTER TABLE operation (Jehan-Guillaume de Rorthais)
(9.5.24,9.6.20) Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes)
(9.5.24,9.6.20) Avoid lockup when a parallel worker reports a very long error message (Vignesh C)
(9.5.24,9.6.20) Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
(9.5.24,9.6.20) Fix relation cache memory leaks with RLS policies (Tom Lane)
(9.5.24,9.6.20) Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
(9.5.24,9.6.20) Make libpq support arbitrary-length lines in .pgpass files (Tom Lane)
This is mostly useful to allow using very long security tokens as passwords.
(9.5.24,9.6.20) In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
(9.5.24,9.6.20) Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
(9.5.24,9.6.20) On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
(9.5.24,9.6.20) Ensure that pg_dump collects per-column information about extension configuration tables (FabrÃzio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts, or underspecified (though usually correct) COPY commands when using COPY to reload the tables' data.
(9.5.24,9.6.20) Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
(9.5.24,9.6.20) Fix potential memory leak in contrib/pgcrypto (Michael Paquier)
(9.5.24,9.6.20) Add check for an unlikely failure case in contrib/pgcrypto (Daniel Gustafsson)
(9.5.24,9.6.20) Use return not exit() in configure's test programs (Peter Eisentraut)
This avoids failures with pickier compilers.
(9.5.24,9.6.20) Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
(9.5.24,9.6.20) Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from "fat" to "slim". That's just cosmetic for our purposes, as we continue to select the "fat" mode in pre-v13 branches. This change also ensures that strftime()
does not change errno unless it fails.
Release date: 2020-08-13
This release contains a variety of fixes from 9.5.22. For information about new features in the 9.5 major release, see Version 9.5.0.
The PostgreSQL community will stop releasing updates for the 9.5.X release series in February 2021. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.20, see Version 9.5.20.
(9.5.23,9.6.19) Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described inCVE-2018-1058 or CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. CVE-2020-14350 or CVE-2020-14350)
(9.5.23,9.6.19) In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Ãlvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues.
(9.5.23,9.6.19) Ensure the repeat()
function can be interrupted by query cancel (Joe Conway)
(9.5.23,9.6.19) Undo double-quoting of index names in EXPLAIN's non-text output formats (Tom Lane, Euler Taveira)
(9.5.23,9.6.19) Fix timing of constraint revalidation in ALTER TABLE (David Rowley)
If ALTER TABLE needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK constraints, it sometimes did things in the wrong order, leading to odd errors such as "could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytes".
(9.5.23,9.6.19) Cope with LATERAL references in restriction clauses attached to an un-flattened sub-SELECT in the FROM clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution.
(9.5.23,9.6.19) Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY.
(9.5.23,9.6.19) Improve error handling in the server's buffile module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate.
(9.5.23,9.6.19) Fix conflict-checking anomalies in SERIALIZABLE isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error.
(9.5.23,9.6.19) Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints is on.
(9.5.23,9.6.19) Fix failure of some code paths to acquire the correct lock before modifying pg_control (Nathan Bossart, Fujii Masao)
This oversight could allow pg_control to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control update.
(9.5.23,9.6.19) Fix errors in currtid()
and currtid2()
(Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as "could not open file" when applied to a relation having no storage.
(9.5.23,9.6.19) Avoid calling elog()
or palloc()
while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock.
(9.5.23,9.6.19) Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Ãlvaro Herrera)
Some code paths could produce silly reports like "could not write file: Success".
(9.5.23,9.6.19) Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to "tuple concurrently updated" errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur.
(9.5.23,9.6.19) Ensure that pg_upgrade runs with vacuum_defer_cleanup_age set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade.
(9.5.23,9.6.19) Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume.
(9.5.23,9.6.19) Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat()
.
(9.5.23,9.6.19) Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage.
(9.5.23,9.6.19) Fix failure to initialize local state correctly in contrib/dblink (Joe Conway)
With the right combination of circumstances, this could lead to dblink_close()
issuing an unexpected remote COMMIT.
(9.5.23,9.6.19) Fix contrib/pgcrypto's misuse of deflate()
(Tom Lane)
The pgp_sym_encrypt
functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation.
(9.5.23,9.6.19) Fix corner case in decompression logic in contrib/pgcrypto's pgp_sym_decrypt
functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data.
(9.5.23,9.6.19) Use POSIX-standard strsignal()
in place of the BSD-ish sys_siglist[] (Tom Lane)
This avoids build failures with very recent versions of glibc.
(9.5.23,9.6.19) Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José SantamarÃa Flecha, Davinder Singh, Amit Kapila)
(9.5.23,9.6.19) Avoid possible failure of our MSVC install script when there is a file named configure several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure to identify the top level of the source tree.
Release date: 2020-05-14
This release contains a variety of fixes from 9.5.21. For information about new features in the 9.5 major release, see Version 9.5.0.
The PostgreSQL community will stop releasing updates for the 9.5.X release series in February 2021. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.20, see Version 9.5.20.
(9.5.22,9.6.18) Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby)
Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
(9.5.22,9.6.18) Preserve the replica identity properties of indexes rewritten by ALTER TABLE (Quan Zongliang, Peter Eisentraut)
(9.5.22,9.6.18) Lock objects sooner during DROP OWNED BY (Ãlvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same objects.
(9.5.22,9.6.18) Fix error-case processing for CREATE ROLE ... IN ROLE (Andrew Gierth)
Some error cases would be reported as "unexpected node type" or the like, instead of the intended message.
(9.5.22,9.6.18) Fix bugs in gin_fuzzy_search_limit processing (Adé Heyward, Tom Lane)
A small value of gin_fuzzy_search_limit could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
(9.5.22,9.6.18) Allow input of type circle to accept the format "(x,y),r" as the documentation says it does (David Zhang)
(9.5.22,9.6.18) Make the get_bit()
and set_bit()
functions cope with bytea strings longer than 256MB (Movead Li)
Since the bit number argument is only int4, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea. We'll widen the argument to int8 in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea.
(9.5.22,9.6.18) Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir()
, pg_timezone_names()
, pg_tablespace_databases()
, and allied functions (Justin Pryzby)
(9.5.22,9.6.18) Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray output when given only an anyrange input (Tom Lane)
(9.5.22,9.6.18) Avoid unlikely crash when REINDEX is terminated by a session-shutdown signal (Tom Lane)
(9.5.22,9.6.18) Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN (Konstantin Knizhnik, Tom Lane, Thomas Munro)
(9.5.22,9.6.18) Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE (Tatsuhito Kasahara)
(9.5.22,9.6.18) Avoid possibly showing "waiting" twice in a process's PS status (Masahiko Sawada)
(9.5.22,9.6.18) Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais)
WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
(9.5.22,9.6.18) Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi)
This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
(9.5.22,9.6.18) Remove bogus "subtransaction logged without previous top-level txn record" error check in logical decoding (Arseny Sher, Amit Kapila)
This condition is legitimately reachable in various scenarios, so remove the check.
(9.5.22,9.6.18) Ensure that a replication slot's io_in_progress_lock is released in failure code paths (Pavan Deolasee)
This could result in a walsender later becoming stuck waiting for the lock.
(9.5.22,9.6.18) Ensure nextXid can't go backwards on a standby server (Eka Palamadai)
This race condition could allow incorrect hot standby feedback messages to be sent back to the primary server, potentially allowing VACUUM to run too soon on the primary.
(9.5.22,9.6.18) Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
(9.5.22,9.6.18) Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
(9.5.22,9.6.18) Fix memory leak in libpq when using sslmode=verify-full (Roman Peshkurov)
Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
(9.5.22,9.6.18) Fix ecpg to treat an argument of just "-" as meaning "read from stdin" on all platforms (Tom Lane)
(9.5.22,9.6.18) Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
(9.5.22,9.6.18) In pg_dump, postpone restore of event triggers till the end (FabrÃzio de Royes Mello, Hamid Akhtar, Tom Lane)
This minimizes the risk that an event trigger could interfere with the restoration of other objects.
(9.5.22,9.6.18) Fix quoting of --encoding, --lc-ctype and --lc-collate values in createdb utility (Michael Paquier)
(9.5.22,9.6.18) contrib/lo's lo_manage()
function crashed if called directly rather than as a trigger (Tom Lane)
(9.5.22,9.6.18) In contrib/ltree, protect against overflow of ltree and lquery length fields (Nikita Glukhov)
(9.5.22,9.6.18) Fix cache reference leak in contrib/sepgsql (Michael Luo)
(9.5.22,9.6.18) Avoid failures when dealing with Unix-style locale names on Windows (Juan José SantamarÃa Flecha)
(9.5.22,9.6.18) In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
(9.5.22,9.6.18) In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
(9.5.22,9.6.18) In MSVC builds, use -Wno-deprecated with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan)
(9.5.22,9.6.18) Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai.
The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link.
Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.
Release date: 2020-02-13
This release contains a variety of fixes from 9.5.20. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.20, see Version 9.5.20.
(9.5.21,9.6.17,9.4.26) Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
(9.5.21,9.6.17,9.4.26) Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
(9.5.21,9.6.17,9.4.26) Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
(9.5.21,9.6.17,9.4.26) Ignore the CONCURRENTLY option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT action. There is no benefit in using CONCURRENTLY for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
(9.5.21,9.6.17,9.4.26) Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS (Tom Lane)
(9.5.21,9.6.17) Fix possible crash in BRIN index operations with box, range and inet data types (Heikki Linnakangas)
(9.5.21,9.6.17,9.4.26) Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
(9.5.21,9.6.17,9.4.26) Fix possible crash with a SubPlan (sub-SELECT) within a multi-row VALUES list (Tom Lane)
(9.5.21,9.6.17,9.4.26) Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
(9.5.21,9.6.17,9.4.26) Improve error reporting in to_date()
and to_timestamp()
(Tom Lane, Ãlvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
(9.5.21,9.6.17,9.4.26) Fix off-by-one result for EXTRACT (ISOYEAR FROM timestamp) for BC dates (Tom Lane)
(9.5.21,9.6.17,9.4.26) Avoid stack overflow in information_schema views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
(9.5.21,9.6.17,9.4.26) Improve performance of hash joins with very large inner relations (Thomas Munro)
(9.5.21,9.6.17,9.4.26) Fix edge-case crashes and misestimations in selectivity calculations for the <@ and @> range operators (Michael Paquier, Andrey Borodin, Tom Lane)
(9.5.21,9.6.17,9.4.26) Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
(9.5.21,9.6.17,9.4.26) Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
(9.5.21,9.6.17,9.4.26) Fix error reporting for index expressions of prohibited types (Amit Langote)
(9.5.21,9.6.17,9.4.26) Fix dumping of views that contain only a VALUES list to handle cases where a view output column has been renamed (Tom Lane)
(9.5.21,9.6.17,9.4.26) Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
(9.5.21,9.6.17,9.4.26) Fix incorrect handling of %b and %B format codes in ecpg's PGTYPEStimestamp_fmt_asc()
function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
(9.5.21,9.6.17,9.4.26) Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
(9.5.21,9.6.17,9.4.26) Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
(9.5.21,9.6.17,9.4.26) In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
(9.5.21,9.6.17,9.4.26) Apply more thorough syntax checking to createuser's --connection-limit option (Ãlvaro Herrera)
(9.5.21,9.6.17,9.4.26) In contrib/dict_int, reject maxlen settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
(9.5.21,9.6.17,9.4.26) Disallow NULL category values in contrib/tablefunc's crosstab()
function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
(9.5.21) Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT, to allow extensions to access them on Windows (Pascal Legrand)
This applies to lock_timeout, statement_timeout, track_activities, track_counts, and track_functions.
(9.5.21,9.6.17,9.4.26) Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY, and perhaps other misbehavior.
(9.5.21,9.6.17,9.4.26) On Windows, retry a few times after an ERROR_ACCESS_DENIED file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
Release date: 2019-11-14
This release contains a variety of fixes from 9.5.19. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you use the contrib/intarray extension with a GiST index, and you rely on indexed searches for the <@ operator, see the entry below about that.
Also, if you are upgrading from a version earlier than 9.5.13, see Version 9.5.13.
(9.5.20,9.6.16) Disallow changing a multiply-inherited column's type if not all parent tables were changed (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
(9.5.20,9.6.16,9.4.25) Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM failing until the old transaction terminates.
(9.5.20,9.6.16,9.4.25) Ensure that offset expressions in WINDOW clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
(9.5.20,9.6.16,9.4.25) Fix handling of whole-row variables in WITH CHECK OPTION expressions and row-level-security policy expressions (Andres Freund)
Previously, such usage might result in bogus errors about row type mismatches.
(9.5.20,9.6.16) Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
(9.5.20,9.6.16,9.4.25) Prevent possible double-free if a BEFORE UPDATE trigger returns the old tuple as-is, and it is not the last such trigger (Thomas Munro)
(9.5.20,9.6.16) Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
(9.5.20,9.6.16,9.4.25) In serializable mode, ensure that row-level predicate locks are acquired on the correct version of the row (Thomas Munro, Heikki Linnakangas)
If the visible version of the row is HOT-updated, the lock might be taken on its now-dead predecessor, resulting in subtle failures to guarantee serialization.
(9.5.20,9.6.16,9.4.25) Ensure that fsync()
is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes "bad file descriptor" or similar errors.
(9.5.20,9.6.16,9.4.25) Allow encoding conversion to succeed on longer strings than before (Ãlvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
(9.5.20,9.6.16,9.4.25) Allow repalloc()
to give back space when a large chunk is reduced in size (Tom Lane)
(9.5.20,9.6.16) Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
(9.5.20,9.6.16,9.4.25) Avoid failure in archive recovery if recovery_min_apply_delay is enabled (Fujii Masao)
recovery_min_apply_delay is not typically used in this configuration, but it should work.
(9.5.20,9.6.16,9.4.25) Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Ãlvaro Herrera)
(9.5.20,9.6.16,9.4.25) Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription.last_msg_send_time usually reading as NULL.
(9.5.20,9.6.16,9.4.25) In logical decoding, ensure that sub-transactions are correctly accounted for when reconstructing a snapshot (Masahiko Sawada)
This error leads to assertion failures; it's unclear whether any bad effects exist in production builds.
(9.5.20,9.6.16,9.4.25) Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
(9.5.20,9.6.16,9.4.25) Fix ALTER SYSTEM to cope with duplicate entries in postgresql.auto.conf (Ian Barwick)
ALTER SYSTEM itself will not generate such a state, but external tools that modify postgresql.auto.conf could do so. Duplicate entries for the target variable will now be removed, and then the new setting (if any) will be appended at the end.
(9.5.20,9.6.16) Reject include directives with empty file names in configuration files, and report include-file recursion more clearly (Ian Barwick, Tom Lane)
(9.5.20,9.6.16,9.4.25) Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
(9.5.20,9.6.16,9.4.25) Fix some cases where an incomplete date specification is not detected in time with time zone input (Alexander Lakhin)
If a time zone with a time-varying UTC offset is specified, then a date must be as well, so that the offset can be resolved. Depending on the syntax used, this check was not enforced in some cases, allowing bogus output to be produced.
(9.5.20,9.6.16,9.4.25) Fix misbehavior of bitshiftright()
(Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright()
in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
(9.5.20,9.6.16,9.4.25) Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
(9.5.20,9.6.16,9.4.25) Fix incorrect compression logic for GIN posting lists (Heikki Linnakangas)
A GIN posting list item can require 7 bytes if the distance between adjacent indexed TIDs exceeds 16TB. One step in the logic was out of sync with that, and might try to write the value into a 6-byte buffer. In principle this could cause a stack overrun, but on most architectures it's likely that the next byte would be unused alignment padding, making the bug harmless. In any case the bug would be very difficult to hit.
(9.5.20,9.6.16,9.4.25) Fix handling of infinity, NaN, and NULL values in KNN-GiST (Alexander Korotkov)
The query's output order could be wrong (different from a plain sort's result) if some distances computed for non-null column values are infinity or NaN.
(9.5.20,9.6.16,9.4.25) Fix handling of searches for NULL in KNN-SP-GiST (Nikita Glukhov)
(9.5.20,9.6.16,9.4.25) On Windows, recognize additional spellings of the "Norwegian (Bokmål)" locale name (Tom Lane)
(9.5.20,9.6.16,9.4.25) Avoid compile failure if an ECPG client includes ecpglib.h while having ENABLE_NLS defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext()
should not be visible to client code.
(9.5.20,9.6.16,9.4.25) In psql, resynchronize internal state about the server after an unexpected connection loss and successful reconnection (Peter Billen, Tom Lane)
Ordinarily this is unnecessary since the state would be the same anyway. But it can matter in corner cases, such as where the connection might lead to one of several servers. This change causes psql to re-issue any interactive messages that it would have issued at startup, for example about whether SSL is in use.
(9.5.20,9.6.16,9.4.25) Avoid platform-specific null pointer dereference in psql (Quentin Rameau)
(9.5.20,9.6.16,9.4.25) Fix pg_dump's handling of circular dependencies in views (Tom Lane)
In some cases a view may depend on an object that pg_dump needs to dump later than the view; the most common example is that a query using GROUP BY on a primary-key column may be semantically invalid without the primary key. This is now handled by emitting a dummy CREATE VIEW command that just establishes the view's column names and types, and then later emitting CREATE OR REPLACE VIEW with the full view definition. Previously, the dummy definition was actually a CREATE TABLE command, and this was automagically converted to a view by a later CREATE RULE command. The new approach has been used successfully in PostgreSQL version 10 and later. We are back-patching it into older releases now because of reports that the previous method causes bogus error messages about the view's replica identity status. This change also avoids problems when trying to use the --clean option during a restore involving such a view.
(9.5.20,9.6.16,9.4.25) In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
(9.5.20,9.6.16,9.4.25) Fix pg_dump to work again with pre-8.3 source servers (Tom Lane)
A previous fix caused pg_dump to always try to query pg_opfamily, but that catalog doesn't exist before version 8.3.
(9.5.20,9.6.16,9.4.25) In pg_restore, treat -f - as meaning "output to stdout" (Ãlvaro Herrera)
This synchronizes pg_restore's behavior with some other applications, and in particular makes pre-v12 branches act similarly to version 12's pg_restore, simplifying creation of dump/restore scripts that work across multiple PostgreSQL versions. Before this change, pg_restore interpreted such a switch as meaning "output to a file named -", but few people would want that.
(9.5.20,9.6.16,9.4.25) Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line (Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
(9.5.20,9.6.16,9.4.25) Detect file read errors during pg_basebackup (Jeevan Chalke)
(9.5.20,9.6.16) In pg_rewind with an online source cluster, disable timeouts, much as pg_dump does (Alexander Kukushkin)
(9.5.20,9.6.16,9.4.25) Fix failure in pg_waldump with the -s option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
(9.5.20,9.6.16) In pg_waldump, include the newitemoff field in btree page split records (Peter Geoghegan)
(9.5.20,9.6.16) In pg_waldump with the --bkp-details option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
(9.5.20,9.6.16) Fix small memory leak in pg_waldump (Andres Freund)
(9.5.20,9.6.16) Fix vacuumdb with a high --jobs option to handle running out of file descriptors better (Michael Paquier)
(9.5.20,9.6.16,9.4.25) Fix contrib/intarray's GiST opclasses to not fail for empty arrays with <@ (Tom Lane)
A clause like array_column <@ constant_array is considered indexable, but the index search may not find empty array values; of course, such entries should trivially match the search.
The only practical back-patchable fix for this requires making <@ index searches scan the whole index, which is what this patch does. This is unfortunate: it means that the query performance is likely worse than a plain sequential scan would be.
Applications whose performance is adversely impacted by this change have a couple of options. They could switch to a GIN index, which doesn't have this bug, or they could replace array_column <@ constant_array with array_column <@ constant_array AND array_column && constant_array. That will provide about the same performance as before, and it will find all non-empty subsets of the given constant array, which is all that could reliably be expected of the query before.
(9.5.20,9.6.16,9.4.25) Allow configure --with-python to succeed when only python3 or only python2 can be found (Peter Eisentraut, Tom Lane)
Search for python, then python3, then python2, so that configure can succeed in the increasingly-more-common situation where there is no executable named simply python. It's still possible to override this choice by setting the PYTHON environment variable.
(9.5.20,9.6.16,9.4.25) Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS to -O0.
(9.5.20,9.6.16,9.4.25) Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
(9.5.20,9.6.16) On PowerPC, avoid depending on the xlc compiler's __fetch_and_add()
function (Noah Misch)
xlc 13 and newer interpret this function in a way incompatible with our usage, resulting in an unusable build of PostgreSQL. Fix by using custom assembly code instead.
(9.5.20,9.6.16,9.4.25) On AIX, don't use the compiler option -qsrcmsg (Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
(9.5.20,9.6.16,9.4.25) Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
(9.5.20,9.6.16,9.4.25) Update time zone data files to tzdata release 2019c for DST law changes in Fiji and Norfolk Island, plus historical corrections for Alberta, Austria, Belgium, British Columbia, Cambodia, Hong Kong, Indiana (Perry County), Kaliningrad, Kentucky, Michigan, Norfolk Island, South Korea, and Turkey.
Release date: 2019-08-08
This release contains a variety of fixes from 9.5.18. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.13, see Version 9.5.13.
(9.5.19,9.6.15,9.4.24) Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)
We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked inCVE-2007-2138 or CVE-2007-2138. CVE-2019-10208 or CVE-2019-10208)
(9.5.19,9.6.15,9.4.24) Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command (Tom Lane)
This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.
(9.5.19,9.6.15) Avoid using unnecessary sort steps for some queries with GROUPING SETS (Andrew Gierth, Richard Guo)
(9.5.19,9.6.15,9.4.24) Fix mishandling of multi-column foreign keys when rebuilding a foreign key constraint (Tom Lane)
ALTER TABLE could make an incorrect decision about whether revalidation of a foreign key is necessary, if not all columns of the key are of the same type. It seems likely that the error would always have been in the conservative direction, that is revalidating unnecessarily.
(9.5.19,9.6.15,9.4.24) Prevent incorrect canonicalization of date ranges with infinity endpoints (Laurenz Albe)
It's incorrect to try to convert an open range to a closed one or vice versa by incrementing or decrementing the endpoint value, if the endpoint is infinite; so leave the range alone in such cases.
(9.5.19,9.6.15,9.4.24) Fix loss of fractional digits when converting very large money values to numeric (Tom Lane)
(9.5.19,9.6.15,9.4.24) Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6 (YunQiang Su)
(9.5.19,9.6.15,9.4.24) Make libpq ignore carriage return (\r) in connection service files (Tom Lane, Michael Paquier)
In some corner cases, service files containing Windows-style newlines could be mis-parsed, resulting in connection failures.
(9.5.19,9.6.15,9.4.24) Fix pg_dump to ensure that custom operator classes are dumped in the right order (Tom Lane)
If a user-defined opclass is the subtype opclass of a user-defined range type, related objects were dumped in the wrong order, producing an unrestorable dump. (The underlying failure to handle opclass dependencies might manifest in other cases too, but this is the only known case.)
(9.5.19,9.6.15,9.4.24) Fix contrib/passwordcheck to coexist with other users of check_password_hook (Michael Paquier)
(9.5.19,9.6.15,9.4.24) Fix contrib/sepgsql tests to work under recent SELinux releases (Mike Palmiotto)
(9.5.19,9.6.15,9.4.24) Reduce stderr output from pg_upgrade's test script (Tom Lane)
(9.5.19,9.6.15,9.4.24) Support building Postgres with Microsoft Visual Studio 2019 (Haribabu Kommi)
(9.5.19,9.6.15,9.4.24) In Visual Studio builds, honor WindowsSDKVersion environment variable, if that's set (Peifeng Qiu)
This fixes build failures in some configurations.
(9.5.19,9.6.15,9.4.24) Support OpenSSL 1.1.0 and newer in Visual Studio builds (Juan José SantamarÃa Flecha, Michael Paquier)
(9.5.19,9.6.15) Allow make options to be passed down to gmake when non-GNU make is invoked at the top level (Thomas Munro)
(9.5.19,9.6.15,9.4.24) Avoid choosing localtime or posixrules as TimeZone during initdb (Tom Lane)
In some cases initdb would choose one of these artificial zone names over the "real" zone name. Prefer any other match to the C library's timezone behavior over these two.
(9.5.19,9.6.15,9.4.24) Adjust pg_timezone_names view to show the Factory time zone if and only if it has a short abbreviation (Tom Lane)
Historically, IANA set up this artificial zone with an "abbreviation" like Local time zone must be set--see zic manual page. Modern versions of the tzdb database show -00 instead, but some platforms alter the data to show one or another of the historical phrases. Show this zone only if it uses the modern abbreviation.
(9.5.19,9.6.15,9.4.24) Sync our copy of the timezone library with IANA tzcode release 2019b (Tom Lane)
This adds support for zic's new -b slim option to reduce the size of the installed zone files. We are not currently using that, but may enable it in future.
(9.5.19,9.6.15,9.4.24) Update time zone data files to tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine.
Release date: 2019-06-20
This release contains a variety of fixes from 9.5.17. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.13, see Version 9.5.13.
(9.5.18,9.6.14,9.4.23) Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a partial exclusion constraint (Tom Lane)
(9.5.18,9.6.14) Fix failure of COMMENT command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)
(9.5.18,9.6.14,9.4.23) Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
(9.5.18,9.6.14,9.4.23) Fix misoptimization of {1,1} quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
(9.5.18,9.6.14) Avoid possible failures while initializing a new process's pg_stat_activity data (Tom Lane)
Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared pg_stat_activity data.
(9.5.18,9.6.14,9.4.23) Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
(9.5.18,9.6.14,9.4.23) Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like "cannot read pg_class without having selected a database".
(9.5.18,9.6.14) Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
(9.5.18,9.6.14,9.4.23) Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime is not a symlink to a zone data file, nor if the time zone is determined from the TZ environment variable.
Separately, prefer UTC over other spellings of that time zone, when neither TZ nor /etc/localtime provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT and UTC zone names equivalent: initdb was then preferring UCT, which almost nobody wants.
(9.5.18,9.6.14,9.4.23) Fix misleading error reports from reindexdb (Julien Rouhaud)
(9.5.18,9.6.14) Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
(9.5.18,9.6.14,9.4.23) In contrib/postgres_fdw, account for possible data modifications by local BEFORE ROW UPDATE triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE, the new value was not transmitted to the remote server.
(9.5.18,9.6.14,9.4.23) On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
(9.5.18,9.6.14,9.4.23) Make PL/pgSQL's header files C++-safe (George Tarasov)
Release date: 2019-05-09
This release contains a variety of fixes from 9.5.16. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.13, see Version 9.5.13.
(9.5.17,9.6.13) Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic (e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. InCVE-2017-7484 or CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. CVE-2019-10130 or CVE-2019-10130)
(9.5.17,9.6.13,9.4.22) Fix behavior for an UPDATE or DELETE on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a RETURNING clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
(9.5.17,9.6.13,9.4.22) Fix handling of explicit DEFAULT items in an INSERT ... VALUES command with multiple VALUES rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
(9.5.17,9.6.13,9.4.22) Fix CREATE VIEW to allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
(9.5.17,9.6.13) Add missing support for CREATE TABLE IF NOT EXISTS ... AS EXECUTE ... (Andreas Karlsson)
The combination of IF NOT EXISTS and EXECUTE should work, but the grammar omitted it.
(9.5.17,9.6.13) Ensure that sub-SELECTs appearing in row-level-security policy expressions are executed with the correct user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
(9.5.17,9.6.13,9.4.22) Accept XML documents as valid values of type xml when xmloption is set to content, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption that will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit SET xmloption = content while restoring data, ensuring that dump/restore works even if the prevailing setting is document.
(9.5.17,9.6.13,9.4.22) Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid file has been removed.
(9.5.17,9.6.13,9.4.22) Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
(9.5.17,9.6.13,9.4.22) Tolerate EINVAL and ENOSYS error results, where appropriate, for fsync
and sync_file_range
calls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means "operation not supported".
(9.5.17,9.6.13,9.4.22) Fix "failed to build any N-way joins" planner failures with lateral references leading out of FULL outer joins (Tom Lane)
(9.5.17,9.6.13,9.4.22) Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
(9.5.17,9.6.13,9.4.22) Avoid O (N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
(9.5.17,9.6.13,9.4.22) Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to "dsa_area could not attach to segment" or "cannot unpin a segment that is not pinned" errors.
(9.5.17,9.6.13,9.4.22) Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
(9.5.17,9.6.13) Fix possible crash when pg_identify_object_as_address()
is given invalid input (Ãlvaro Herrera)
(9.5.17,9.6.13,9.4.22) Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
(9.5.17,9.6.13,9.4.22) Fix handling of lc_time settings that imply an encoding different from the database's encoding (Juan José SantamarÃa Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
(9.5.17,9.6.13) Fix incorrect operator_precedence_warning checks involving unary minus operators (Rikard Falkeborn)
(9.5.17,9.6.13,9.4.22) Disallow NaN as a value for floating-point server parameters (Tom Lane)
(9.5.17,9.6.13,9.4.22) Rearrange REINDEX processing to avoid assertion failures when reindexing individual indexes of pg_class (Andres Freund, Tom Lane)
(9.5.17,9.6.13,9.4.22) Fix planner assertion failure for parameterized dummy paths (Tom Lane)
(9.5.17,9.6.13,9.4.22) Insert correct test function in the result of SnapBuildInitialSnapshot()
(Antonin Houska)
No core code cares about this, but some extensions do.
(9.5.17,9.6.13,9.4.22) Fix intermittent "could not reattach to shared memory" session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
(9.5.17,9.6.13,9.4.22) Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
(9.5.17,9.6.13,9.4.22) Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of SET variable = DEFAULT (but not SET variable TO DEFAULT) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a DROP TYPE or DROP DOMAIN command that listed multiple type names, only the first type name was actually processed.
(9.5.17,9.6.13) Sync ecpg's syntax for CREATE TABLE AS with the server's (Daisuke Higuchi)
(9.5.17,9.6.13,9.4.22) Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
(9.5.17,9.6.13,9.4.22) Avoid crash in contrib/vacuumlo if an lo_unlink()
call failed (Tom Lane)
(9.5.17,9.6.13,9.4.22) Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca zone, and adds support for zic's new -r option.
(9.5.17,9.6.13,9.4.22) Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT is now a backward-compatibility link to Etc/UTC, instead of being a separate zone that generates the abbreviation UCT, which nowadays is typically a typo. PostgreSQL will still accept UCT as an input zone abbreviation, but it won't output it.
Release date: 2019-02-14
This release contains a variety of fixes from 9.5.15. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.13, see Version 9.5.13.
(9.5.16,9.6.12,9.4.21) By default, panic instead of retrying after fsync()
failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync()
failure. If we reissue the fsync()
request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.
(9.5.16,9.6.12,9.4.21) Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
(9.5.16,9.6.12,9.4.21) Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
(9.5.16,9.6.12,9.4.21) Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
(9.5.16,9.6.12,9.4.21) Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
(9.5.16,9.6.12,9.4.21) Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
(9.5.16,9.6.12,9.4.21) Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
(9.5.16,9.6.12,9.4.21) Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
(9.5.16,9.6.12) Make the archiver prioritize WAL history files over WAL data files while choosing which file to archive next (David Steele)
(9.5.16,9.6.12) Fix possible crash in UPDATE with a multiple SET clause using a sub-SELECT as source (Tom Lane)
(9.5.16,9.6.12,9.4.21) Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
(9.5.16,9.6.12,9.4.21) Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
(9.5.16,9.6.12,9.4.21) Check whether the comparison function underlying LEAST()
or GREATEST()
is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
(9.5.16,9.6.12,9.4.21) Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
(9.5.16,9.6.12,9.4.21) Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
(9.5.16,9.6.12,9.4.21) Avoid O (N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
(9.5.16,9.6.12,9.4.21) Improve ANALYZE's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE's start time.
(9.5.16,9.6.12,9.4.21) Make TRUNCATE ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE into line with the behavior of other commands. Previously, such cases usually ended in failure.
(9.5.16,9.6.12) Fix TRUNCATE to update the statistics counters for the right table (Tom Lane)
If the truncated table had a TOAST table, that table's counters were reset instead.
(9.5.16,9.6.12,9.4.21) Allow UNLISTEN in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
(9.5.16,9.6.12,9.4.21) Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
(9.5.16,9.6.12,9.4.21) Ensure relation caches are updated properly after renaming constraints (Amit Langote)
(9.5.16,9.6.12,9.4.21) Make autovacuum more aggressive about removing leftover temporary tables, and also remove leftover temporary tables during DISCARD TEMP (Ãlvaro Herrera)
This helps ensure that remnants from a crashed session are cleaned up more promptly.
(9.5.16,9.6.12,9.4.21) Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
(9.5.16,9.6.12,9.4.21) Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
(9.5.16,9.6.12,9.4.21) Disallow setting client_min_messages higher than ERROR (Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL or PANIC, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR instead. Version 12 and later will reject those alternatives altogether.
(9.5.16,9.6.12,9.4.21) Fix ecpglib to use uselocale()
or _configthreadlocale()
in preference to setlocale()
(Michael Meskes, Tom Lane)
Since setlocale()
is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
(9.5.16,9.6.12,9.4.21) Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
(9.5.16,9.6.12) Fix psql's \g target meta-command to work with COPY TO STDOUT (Daniel Vérité)
Previously, the target option was ignored, so that the copy data always went to the current query output target.
(9.5.16,9.6.12,9.4.21) Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
(9.5.16,9.6.12,9.4.21) Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about "archive items not in correct section order"; less harmlessly, selective-restore options depending on those labels, such as --section, might misbehave.
(9.5.16,9.6.12,9.4.21) Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
(9.5.16,9.6.12,9.4.21) Fix contrib/hstore to calculate correct hash values for empty hstore values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
(9.5.16,9.6.12,9.4.21) Avoid crashes and excessive runtime with large inputs to contrib/intarray's gist__int_ops index support (Andrew Gierth)
(9.5.16,9.4.21) Adjust configure's selection of threading-related compiler flags and libraries to match what later PostgreSQL releases do (Tom Lane)
The coding previously used in the 9.4 and 9.5 branches fails outright on some newer platforms, so sync it with what 9.6 and later have been doing.
(9.5.16,9.6.12,9.4.21) Support new Makefile variables PG_CFLAGS, PG_CXXFLAGS, and PG_LDFLAGS in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
(9.5.16,9.6.12,9.4.21) Fix Perl-coded build scripts to not assume "." is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
(9.5.16,9.6.12,9.4.21) Fix server command-line option parsing problems on OpenBSD (Tom Lane)
(9.5.16,9.6.12,9.4.21) Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.
Release date: 2018-11-08
This release contains a variety of fixes from 9.5.14. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.13, see Version 9.5.13.
(9.5.15,9.6.11,9.4.20) Fix corner-case failures in has_foo_privilege()
family of functions (Tom Lane)
Return NULL rather than throwing an error when an invalid object OID is provided. Some of these functions got that right already, but not all. has_column_privilege()
was additionally capable of crashing on some platforms.
(9.5.15,9.6.11,9.4.20) Avoid O (N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
(9.5.15,9.6.11) Fix parsing of standard multi-character operators that are immediately followed by a comment or + or - (Andrew Gierth)
This oversight could lead to parse errors, or to incorrect assignment of precedence.
(9.5.15,9.6.11,9.4.20) Avoid O (N^3) slowdown in lexer for long strings of + or - characters (Andrew Gierth)
(9.5.15,9.6.11,9.4.20) Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
(9.5.15,9.6.11,9.4.20) Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ... after rewinding the referenced cursor (Tom Lane)
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
(9.5.15,9.6.11,9.4.20) Fix EvalPlanQual
to handle conditionally-executed InitPlans properly (Andrew Gierth, Tom Lane)
This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT inside a CASE construct.
(9.5.15,9.6.11,9.4.20) Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well as contrib/ltree and contrib/pg_trgm.
(9.5.15,9.6.11,9.4.20) Ensure that sequences owned by a foreign table are processed by ALTER OWNER on the table (Peter Eisentraut)
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
(9.5.15,9.6.11) Ensure that the server will process already-received NOTIFY and SIGTERM interrupts before waiting for client input (Jeff Janes, Tom Lane)
(9.5.15,9.6.11,9.4.20) Fix over-allocation of space for array_out()
's result string (Keiichi Hirobe)
(9.5.15,9.6.11,9.4.20) Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
(9.5.15,9.6.11,9.4.20) Ensure that ApplyLogicalMappingFile()
closes the mapping file when done with it (Tomas Vondra)
Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.
(9.5.15,9.6.11) Fix logical decoding to handle cases where a mapped catalog table is repeatedly rewritten, e.g., by VACUUM FULL (Andres Freund)
(9.5.15,9.6.11,9.4.20) Prevent starting the server with wal_level set to too low a value to support an existing replication slot (Andres Freund)
(9.5.15,9.6.11,9.4.20) Avoid crash if a utility command causes infinite recursion (Tom Lane)
(9.5.15,9.6.11,9.4.20) When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
(9.5.15,9.6.11) Fix event triggers to handle nested ALTER TABLE commands (Michael Paquier, Ãlvaro Herrera)
(9.5.15,9.6.11) Propagate parent process's transaction and statement start timestamps to parallel workers (Konstantin Knizhnik)
This prevents misbehavior of functions such as transaction_timestamp()
when executed in a worker.
(9.5.15,9.6.11) Fix WAL file recycling logic to work correctly on standby servers (Michael Paquier)
Depending on the setting of archive_mode, a standby might fail to remove some WAL files that could be removed.
(9.5.15,9.6.11) Fix handling of commit-timestamp tracking during recovery (Masahiko Sawada, Michael Paquier)
If commit timestamp tracking has been turned on or off, recovery might fail due to trying to fetch the commit timestamp for a transaction that did not record it.
(9.5.15,9.6.11,9.4.20) Randomize the random()
seed in bootstrap and standalone backends, and in initdb (Noah Misch)
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
(9.5.15,9.6.11,9.4.20) Allow DSM allocation to be interrupted (Chris Travers)
(9.5.15,9.6.11) Properly handle turning full_page_writes on dynamically (Kyotaro Horiguchi)
(9.5.15,9.6.11,9.4.20) Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)
(9.5.15,9.6.11,9.4.20) Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)
(9.5.15,9.6.11,9.4.20) Fix unexpected timeouts when using wal_sender_timeout on a slow server (Noah Misch)
(9.5.15,9.6.11,9.4.20) Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
(9.5.15,9.6.11) Ensure background workers are stopped properly when the postmaster receives a fast-shutdown request before completing database startup (Alexander Kukushkin)
(9.5.15,9.6.11,9.4.20) Don't run atexit callbacks when servicing SIGQUIT (Heikki Linnakangas)
(9.5.15,9.6.11,9.4.20) Don't record foreign-server user mappings as members of extensions (Tom Lane)
If CREATE USER MAPPING is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.
(9.5.15,9.6.11,9.4.20) Make syslogger more robust against failures in opening CSV log files (Tom Lane)
(9.5.15,9.6.11) Fix psql, as well as documentation examples, to call PQconsumeInput()
before each PQnotifies()
call (Tom Lane)
This fixes cases in which psql would not report receipt of a NOTIFY message until after the next command.
(9.5.15,9.6.11,9.4.20) Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
(9.5.15,9.6.11,9.4.20) Ensure that pg_restore will schema-qualify the table name when emitting DISABLE/ENABLE TRIGGER commands (Tom Lane)
This avoids failures due to the new policy of running restores with restrictive search path.
(9.5.15,9.6.11,9.4.20) Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
(9.5.15,9.6.11,9.4.20) Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
(9.5.15,9.6.11,9.4.20) Enforce type cube's dimension limit in all contrib/cube functions (Andrey Borodin)
Previously, some cube-related functions could construct values that would be rejected by cube_in()
, leading to dump/reload failures.
(9.5.15,9.6.11,9.4.20) Fix contrib/unaccent's unaccent()
function to use the unaccent text search dictionary that is in the same schema as the function (Tom Lane)
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
(9.5.15,9.6.11,9.4.20) Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add an -isysroot switch to CPPFLAGS; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT variable in the arguments of configure or make.
It is now recommended that Perl-related extensions write $(perl_includespec) rather than -I$(perl_archlibexp)/CORE in their compiler flags. The latter continues to work on most platforms, but not recent macOS.
Also, it should no longer be necessary to specify --with-tclconfig manually to get PL/Tcl to build on recent macOS releases.
(9.5.15,9.6.11,9.4.20) Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
(9.5.15,9.6.11) On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)
To do this safely, pg_regress now gives up any such privileges at startup.
(9.5.15,9.4.20) Support building on Windows with Visual Studio 2015 or Visual Studio 2017 (Michael Paquier, Haribabu Kommi)
(9.5.15,9.6.11,9.4.20) Allow btree comparison functions to return INT_MIN (Tom Lane)
Up to now, we've forbidden datatype-specific comparison functions from returning INT_MIN, which allows callers to invert the sort order just by negating the comparison result. However, this was never safe for comparison functions that directly return the result of memcmp()
, strcmp()
, etc, as POSIX doesn't place any such restriction on those functions. At least some recent versions of memcmp()
can return INT_MIN, causing incorrect sort ordering. Hence, we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT() macro if they wish to invert the sort order.
(9.5.15,9.6.11,9.4.20) Fix recursion hazard in shared-invalidation message processing (Tom Lane)
This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL.
This change adds a new result code for LockAcquire
, which might possibly affect external callers of that function, though only very unusual usage patterns would have an issue with it. The API of LockAcquireExtended
is also changed.
(9.5.15,9.6.11,9.4.20) Save and restore SPI's global variables during SPI_connect()
and SPI_finish()
(Chapman Flack, Tom Lane)
This prevents possible interference when one SPI-using function calls another.
(9.5.15,9.4.20) Provide ALLOCSET_DEFAULT_SIZES and sibling macros in back branches (Tom Lane)
These macros have existed since 9.6, but there were requests to add them to older branches to allow extensions to rely on them without branch-specific coding.
(9.5.15,9.6.11,9.4.20) Avoid using potentially-under-aligned page buffers (Tom Lane)
Invent new union types PGAlignedBlock and PGAlignedXLogBlock, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.
(9.5.15,9.6.11,9.4.20) Make src/port/snprintf.c follow the C99 standard's definition of snprintf()
's result value (Tom Lane)
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
(9.5.15,9.6.11,9.4.20) When building on i386 with the clang compiler, require -msse2 to be used (Andres Freund)
This avoids problems with missed floating point overflow checks.
(9.5.15,9.6.11,9.4.20) Fix configure's detection of the result type of strerror_r()
(Tom Lane)
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
(9.5.15,9.6.11,9.4.20) Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
Release date: 2018-08-09
This release contains a variety of fixes from 9.5.13. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.13, see Version 9.5.13.
(9.5.14,9.6.10,9.4.19) Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. CVE-2018-10915 or CVE-2018-10915)
(9.5.14,9.6.10) Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just SELECT * FROM ... (Dean Rasheed, Amit Langote)
Erroneous expansion of an updatable view could lead to crashes or "attribute ... has the wrong type" errors, if the view's SELECT list doesn't match one-to-one with the underlying table's columns. Furthermore, this bug could be leveraged to allow updates of columns that an attacking user lacks UPDATE privilege for, if that user has INSERT and UPDATE privileges for some other column(s) of the table. Any user could also use it for disclosure of server memory. CVE-2018-10925 or CVE-2018-10925)
(9.5.14,9.6.10,9.4.19) Ensure that updates to the relfrozenxid and relminmxid values for "nailed" system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.
(9.5.14,9.6.10,9.4.19) Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Ãlvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
(9.5.14,9.6.10,9.4.19) Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
(9.5.14,9.6.10) During WAL replay, guard against corrupted record lengths exceeding 1GB (Michael Paquier)
Treat such a case as corrupt data. Previously, the code would try to allocate space and get a hard error, making recovery impossible.
(9.5.14,9.6.10) When ending recovery, delay writing the timeline history file as long as possible (Heikki Linnakangas)
This avoids some situations where a failure during recovery cleanup (such as a problem with a two-phase state file) led to inconsistent timeline state on-disk.
(9.5.14,9.6.10,9.4.19) Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
(9.5.14,9.6.10,9.4.19) Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
(9.5.14,9.6.10,9.4.19) Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)
The code previously mis-detected whether or not it had caught up with the upstream server.
(9.5.14,9.6.10,9.4.19) Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Ãlvaro Herrera)
(9.5.14,9.6.10,9.4.19) Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
(9.5.14,9.6.10,9.4.19) Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)
This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).
(9.5.14,9.6.10,9.4.19) Ensure that VACUUM will respond to signals within btree page deletion loops (Andres Freund)
Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.
(9.5.14,9.6.10,9.4.19) Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
(9.5.14,9.6.10,9.4.19) Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)
(9.5.14,9.6.10,9.4.19) Fix failure to schema-qualify some object names in getObjectDescription
output (Kyotaro Horiguchi, Tom Lane)
Names of collations, conversions, and text search objects were not schema-qualified when they should be.
(9.5.14,9.6.10,9.4.19) Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
(9.5.14,9.6.10,9.4.19) Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free
call for a given chunk of memory is not made from the same DLL that malloc
'ed the memory. The pgtypes library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free()
function that just wraps free
, allowing applications to follow this rule.
(9.5.14,9.6.10,9.4.19) Fix ecpg's support for long long variables on Windows, as well as other platforms that declare strtoll
/strtoull
nonstandardly or not at all (Dang Minh Huong, Tom Lane)
(9.5.14,9.6.10,9.4.19) Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.
(9.5.14,9.6.10,9.4.19) Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)
(9.5.14,9.6.10,9.4.19) Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
(9.5.14,9.6.10,9.4.19) Fix pg_dump's failure to dump REPLICA IDENTITY properties for constraint indexes (Tom Lane)
Manually created unique indexes were properly marked, but not those created by declaring UNIQUE or PRIMARY KEY constraints.
(9.5.14,9.6.10,9.4.19) Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
(9.5.14,9.6.10) Fix contrib/hstore_plperl to look through Perl scalar references, and to not crash if it doesn't find a hash reference where it expects one (Tom Lane)
(9.5.14,9.6.10,9.4.19) Fix crash in contrib/ltree's lca()
function when the input array is empty (Pierre Ducroquet)
(9.5.14,9.6.10,9.4.19) Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
(9.5.14,9.6.10,9.4.19) Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
(9.5.14,9.6.10,9.4.19) Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of "daylight savings" in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.
Release date: 2018-05-10
This release contains a variety of fixes from 9.5.12. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if the function marking mistakes mentioned in the first changelog entry below affect you, you will want to take steps to correct your database catalogs.
Also, if you are upgrading from a version earlier than 9.5.12, see Version 9.5.12.
(9.5.13,9.6.9,9.4.18) Fix incorrect volatility markings on a few built-in functions (Thomas Munro, Tom Lane)
The functions query_to_xml
, cursor_to_xml
, cursor_to_xmlschema
, query_to_xmlschema
, and query_to_xml_and_xmlschema
should be marked volatile because they execute user-supplied queries that might contain volatile operations. They were not, leading to a risk of incorrect query optimization. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard, but in case of trouble, it can be fixed by manually updating these functions' pg_proc entries, for example ALTER FUNCTION pg_catalog.query_to_xml(text, boolean, boolean, text) VOLATILE. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data.
(9.5.13,9.6.9,9.4.18) Avoid re-using TOAST value OIDs that match dead-but-not-yet-vacuumed TOAST entries (Pavan Deolasee)
Once the OID counter has wrapped around, it's possible to assign a TOAST value whose OID matches a previously deleted entry in the same TOAST table. If that entry were not yet vacuumed away, this resulted in "unexpected chunk number 0 (expected 1) for toast value nnnnn" errors, which would persist until the dead entry was removed by VACUUM. Fix by not selecting such OIDs when creating a new TOAST entry.
(9.5.13,9.6.9,9.4.18) Change ANALYZE's algorithm for updating pg_class.reltuples (David Gould)
Previously, pages not actually scanned by ANALYZE were assumed to retain their old tuple density. In a large table where ANALYZE samples only a small fraction of the pages, this meant that the overall tuple density estimate could not change very much, so that reltuples would change nearly proportionally to changes in the table's physical size (relpages) regardless of what was actually happening in the table. This has been observed to result in reltuples becoming so much larger than reality as to effectively shut off autovacuuming. To fix, assume that ANALYZE's sample is a statistically unbiased sample of the table (as it should be), and just extrapolate the density observed within those pages to the whole table.
(9.5.13,9.6.9,9.4.18) Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY commands that are run under SERIALIZABLE or REPEATABLE READ transaction isolation (Tom Lane)
(9.5.13,9.6.9,9.4.18) Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY (Thomas Munro)
(9.5.13,9.6.9,9.4.18) Fix UPDATE/DELETE ... WHERE CURRENT OF to not fail when the referenced cursor uses an index-only-scan plan (Yugo Nagata, Tom Lane)
(9.5.13,9.6.9,9.4.18) Fix incorrect planning of join clauses pushed into parameterized paths (Andrew Gierth, Tom Lane)
This error could result in misclassifying a condition as a "join filter" for an outer join when it should be a plain "filter" condition, leading to incorrect join output.
(9.5.13,9.6.9) Fix possibly incorrect generation of an index-only-scan plan when the same table column appears in multiple index columns, and only some of those index columns use operator classes that can return the column value (Kyotaro Horiguchi)
(9.5.13,9.6.9,9.4.18) Fix misoptimization of CHECK constraints having provably-NULL subclauses of top-level AND/OR conditions (Tom Lane, Dean Rasheed)
This could, for example, allow constraint exclusion to exclude a child table that should not be excluded from a query.
(9.5.13,9.6.9) Fix executor crash due to double free in some GROUPING SET usages (Peter Geoghegan)
(9.5.13,9.6.9) Avoid crash if a table rewrite event trigger is added concurrently with a command that could call such a trigger (Ãlvaro Herrera, Andrew Gierth, Tom Lane)
(9.5.13,9.6.9,9.4.18) Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction (Stas Kelvich)
(9.5.13,9.6.9,9.4.18) Fix query-lifespan memory leakage in repeatedly executed hash joins (Tom Lane)
(9.5.13,9.6.9,9.4.18) Fix overly strict sanity check in heap_prepare_freeze_tuple
(Ãlvaro Herrera)
This could result in incorrect "cannot freeze committed xmax" failures in databases that have been pg_upgrade'd from 9.2 or earlier.
(9.5.13,9.6.9,9.4.18) Prevent dangling-pointer dereference when a C-coded before-update row trigger returns the "old" tuple (Rushabh Lathia)
(9.5.13,9.6.9,9.4.18) Reduce locking during autovacuum worker scheduling (Jeff Janes)
The previous behavior caused drastic loss of potential worker concurrency in databases with many tables.
(9.5.13,9.6.9,9.4.18) Ensure client hostname is copied while copying pg_stat_activity data to local memory (Edmund Horner)
Previously the supposedly-local snapshot contained a pointer into shared memory, allowing the client hostname column to change unexpectedly if any existing session disconnected.
(9.5.13,9.6.9,9.4.18) Fix incorrect processing of multiple compound affixes in ispell dictionaries (Arthur Zakirov)
(9.5.13,9.6.9,9.4.18) Fix collation-aware searches (that is, indexscans using inequality operators) in SP-GiST indexes on text columns (Tom Lane)
Such searches would return the wrong set of rows in most non-C locales.
(9.5.13,9.6.9,9.4.18) Count the number of index tuples correctly during initial build of an SP-GiST index (Tomas Vondra)
Previously, the tuple count was reported to be the same as that of the underlying table, which is wrong if the index is partial.
(9.5.13,9.6.9,9.4.18) Count the number of index tuples correctly during vacuuming of a GiST index (Andrey Borodin)
Previously it reported the estimated number of heap tuples, which might be inaccurate, and is certainly wrong if the index is partial.
(9.5.13,9.6.9,9.4.18) Fix a corner case where a streaming standby gets stuck at a WAL continuation record (Kyotaro Horiguchi)
(9.5.13,9.6.9,9.4.18) In logical decoding, avoid possible double processing of WAL data when a walsender restarts (Craig Ringer)
(9.5.13,9.6.9,9.4.18) Allow scalarltsel
and scalargtsel
to be used on non-core datatypes (Tomas Vondra)
(9.5.13,9.6.9,9.4.18) Reduce libpq's memory consumption when a server error is reported after a large amount of query output has been collected (Tom Lane)
Discard the previous output before, not after, processing the error message. On some platforms, notably Linux, this can make a difference in the application's subsequent memory footprint.
(9.5.13,9.6.9,9.4.18) Fix double-free crashes in ecpg (Patrick Krecker, Jeevan Ladhe)
(9.5.13,9.6.9,9.4.18) Fix ecpg to handle long long int variables correctly in MSVC builds (Michael Meskes, Andrew Gierth)
(9.5.13,9.6.9,9.4.18) Fix mis-quoting of values for list-valued GUC variables in dumps (Michael Paquier, Tom Lane)
The local_preload_libraries, session_preload_libraries, shared_preload_libraries, and temp_tablespaces variables were not correctly quoted in pg_dump output. This would cause problems if settings for these variables appeared in CREATE FUNCTION ... SET or ALTER DATABASE/ROLE ... SET clauses.
(9.5.13,9.6.9,9.4.18) Fix pg_recvlogical to not fail against pre-v10 PostgreSQL servers (Michael Paquier)
A previous fix caused pg_recvlogical to issue a command regardless of server version, but it should only be issued to v10 and later servers.
(9.5.13,9.6.9) Ensure that pg_rewind deletes files on the target server if they are deleted from the source server during the run (Takayuki Tsunakawa)
Failure to do this could result in data inconsistency on the target, particularly if the file in question is a WAL segment.
(9.5.13,9.6.9) Fix pg_rewind to handle tables in non-default tablespaces correctly (Takayuki Tsunakawa)
(9.5.13,9.6.9,9.4.18) Fix overflow handling in PL/pgSQL integer FOR loops (Tom Lane)
The previous coding failed to detect overflow of the loop variable on some non-gcc compilers, leading to an infinite loop.
(9.5.13,9.6.9,9.4.18) Adjust PL/Python regression tests to pass under Python 3.7 (Peter Eisentraut)
(9.5.13,9.6.9,9.4.18) Support testing PL/Python and related modules when building with Python 3 and MSVC (Andrew Dunstan)
(9.5.13) Support building with Microsoft Visual Studio 2015 (Michael Paquier)
Various fixes needed for VS2015 compatibility were previously back-patched into the 9.5 branch, but this one was missed.
(9.5.13,9.6.9,9.4.18) Rename internal b64_encode
and b64_decode
functions to avoid conflict with Solaris 11.4 built-in functions (Rainer Orth)
(9.5.13,9.6.9,9.4.18) Sync our copy of the timezone library with IANA tzcode release 2018e (Tom Lane)
This fixes the zic timezone data compiler to cope with negative daylight-savings offsets. While the PostgreSQL project will not immediately ship such timezone data, zic might be used with timezone data obtained directly from IANA, so it seems prudent to update zic now.
(9.5.13,9.6.9,9.4.18) Update time zone data files to tzdata release 2018d for DST law changes in Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.
Release date: 2018-03-01
This release contains a variety of fixes from 9.5.11. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 9.5.10, see Version 9.5.10.
(9.5.12) Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. Relevant documentation appears in Section 5.8.6 (for database administrators and users), Section 31.1 (for application authors), Section 35.15.5 (for extension authors), and CREATE FUNCTION (for authors of SECURITY DEFINER functions). CVE-2018-1058 or CVE-2018-1058)
(9.5.12,9.6.8,9.4.17) Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly executed by these programs — for example, user-provided functions in index expressions — the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. CVE-2018-1058 or CVE-2018-1058)
(9.5.12,9.6.8,9.4.17) Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
If a CTE (WITH clause reference) is used in an InitPlan or SubPlan, and the query requires a recheck due to trying to update or lock a concurrently-updated row, incorrect results could be obtained.
(9.5.12,9.6.8,9.4.17) Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to "left and right pathkeys do not match in mergejoin" or "outer pathkeys do not match mergeclauses" planner errors in corner cases.
(9.5.12,9.6.8,9.4.17) Repair pg_upgrade's failure to preserve relfrozenxid for materialized views (Tom Lane, Andres Freund)
This oversight could lead to data corruption in materialized views after an upgrade, manifesting as "could not access status of transaction" or "found xmin from before relfrozenxid" errors. The problem would be more likely to occur in seldom-refreshed materialized views, or ones that were maintained only with REFRESH MATERIALIZED VIEW CONCURRENTLY.
If such corruption is observed, it can be repaired by refreshing the materialized view (without CONCURRENTLY).
(9.5.12,9.6.8,9.4.17) Fix incorrect reporting of PL/Python function names in error CONTEXT stacks (Tom Lane)
An error occurring within a nested PL/Python function call (that is, one reached via a SPI query from another PL/Python function) would result in a stack trace showing the inner function's name twice, rather than the expected results. Also, an error in a nested PL/Python DO block could result in a null pointer dereference crash on some platforms.
(9.5.12,9.6.8,9.4.17) Allow contrib/auto_explain's log_min_duration setting to range up to INT_MAX, or about 24 days instead of 35 minutes (Tom Lane)
Release date: 2018-02-08
This release contains a variety of fixes from 9.5.10. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.10, see Version 9.5.10.
(9.5.11,9.6.7,9.4.16) Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)
pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. CVE-2018-1053 or CVE-2018-1053)
(9.5.11,9.6.7,9.4.16) Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Ãlvaro Herrera)
In some cases VACUUM would fail to remove such tuples even though they are now dead, leading to assorted data corruption scenarios.
(9.5.11,9.6.7,9.4.16) Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)
These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.
(9.5.11,9.6.7) Fix incorrect query results from cases involving flattening of subqueries whose outputs are used in GROUPING SETS (Heikki Linnakangas)
(9.5.11,9.6.7,9.4.16) Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT (Tom Lane)
(9.5.11,9.6.7,9.4.16) Fix spurious deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY (Jeff Janes)
(9.5.11,9.6.7) Fix failures when an inheritance tree contains foreign child tables (Etsuro Fujita)
A mix of regular and foreign tables in an inheritance tree resulted in creation of incorrect plans for UPDATE and DELETE queries. This led to visible failures in some cases, notably when there are row-level triggers on a foreign child table.
(9.5.11,9.6.7,9.4.16) Repair failure with correlated sub-SELECT inside VALUES inside a LATERAL subquery (Tom Lane)
(9.5.11,9.6.7,9.4.16) Fix "could not devise a query plan for the given query" planner failure for some cases involving nested UNION ALL inside a lateral subquery (Tom Lane)
(9.5.11,9.6.7,9.4.16) Fix logical decoding to correctly clean up disk files for crashed transactions (Atsushi Torikoshi)
Logical decoding may spill WAL records to disk for transactions generating many WAL records. Normally these files are cleaned up after the transaction's commit or abort record arrives; but if no such record is ever seen, the removal code misbehaved.
(9.5.11,9.6.7,9.4.16) Fix walsender timeout failure and failure to respond to interrupts when processing a large transaction (Petr Jelinek)
(9.5.11,9.6.7,9.4.16) Fix has_sequence_privilege()
to support WITH GRANT OPTION tests, as other privilege-testing functions do (Joe Conway)
(9.5.11,9.6.7,9.4.16) In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)
We always store XML strings in the database encoding, so allowing libxml to act on a declaration of another encoding gave wrong results. In encodings other than UTF8, we don't promise to support non-ASCII XML data anyway, so retain the previous behavior for bug compatibility. This change affects only xpath()
and related functions; other XML code paths already acted this way.
(9.5.11,9.6.7,9.4.16) Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)
Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.
(9.5.11,9.6.7,9.4.16) Cope with failure to start a parallel worker process (Amit Kapila, Robert Haas)
Parallel query previously tended to hang indefinitely if a worker could not be started, as the result of fork() failure or other low-probability problems.
(9.5.11,9.6.7) Avoid unsafe alignment assumptions when working with __int128 (Tom Lane)
Typically, compilers assume that __int128 variables are aligned on 16-byte boundaries, but our memory allocation infrastructure isn't prepared to guarantee that, and increasing the setting of MAXALIGN seems infeasible for multiple reasons. Adjust the code to allow use of __int128 only when we can tell the compiler to assume lesser alignment. The only known symptom of this problem so far is crashes in some parallel aggregation queries.
(9.5.11,9.6.7,9.4.16) Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION/INTERSECT/EXCEPT) (Tom Lane)
(9.5.11,9.6.7,9.4.16) Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf (Thomas Munro)
(9.5.11,9.6.7,9.4.16) Fix sample INSTR()
functions in the PL/pgSQL documentation (Yugo Nagata, Tom Lane)
These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.
The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.
(9.5.11,9.6.7,9.4.16) Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)
The "tag" portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.
Note that this change has user-visible results in the output of pg_restore --list.
(9.5.11,9.6.7) Rename pg_rewind's copy_file_range
function to avoid conflict with new Linux system call of that name (Andres Freund)
This change prevents build failures with newer glibc versions.
(9.5.11,9.6.7,9.4.16) In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)
(9.5.11,9.6.7,9.4.16) Avoid triggering a libc assertion in contrib/hstore, due to use of memcpy()
with equal source and destination pointers (Tomas Vondra)
(9.5.11,9.6.7,9.4.16) Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)
The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.
(9.5.11,9.6.7,9.4.16) Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)
(9.5.11,9.6.7,9.4.16) Support linking to MinGW-built versions of libperl (Noah Misch)
This allows building PL/Perl with some common Perl distributions for Windows.
(9.5.11,9.6.7,9.4.16) Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T (Noah Misch)
Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.
(9.5.11,9.6.7,9.4.16) On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)
This may allow collection of a core dump for some early-startup failures that did not produce a dump before.
(9.5.11,9.6.7,9.4.16) On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)
(9.5.11,9.6.7,9.4.16) Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)
(9.5.11,9.6.7,9.4.16,9.3.21) Add support for spinlocks on Motorola 88K (David Carlier)
(9.5.11,9.6.7,9.4.16) Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for America/Los_Angeles anyway).
Release date: 2017-11-09
This release contains a variety of fixes from 9.5.9. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you use BRIN indexes, see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 9.5.8, see Version 9.5.8.
(9.5.10,9.6.6) Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (Dean Rasheed)
The update path of INSERT ... ON CONFLICT DO UPDATE requires SELECT permission on the columns of the arbiter index, but it failed to check for that in the case of an arbiter specified by constraint name. In addition, for a table with row level security enabled, it failed to check updated rows against the table's SELECT policies (regardless of how the arbiter index was specified). CVE-2017-15099 or CVE-2017-15099)
(9.5.10,9.6.6,9.4.15) Fix crash due to rowtype mismatch in json{b}_populate_recordset()
(Michael Paquier, Tom Lane)
These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. CVE-2017-15098 or CVE-2017-15098)
(9.5.10,9.6.6,9.4.15) Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. CVE-2017-12172 or CVE-2017-12172)
(9.5.10,9.6.6) Fix BRIN index summarization to handle concurrent table extension correctly (Ãlvaro Herrera)
Previously, a race condition allowed some table rows to be omitted from the index. It may be necessary to reindex existing BRIN indexes to recover from past occurrences of this problem.
(9.5.10,9.6.6) Fix possible failures during concurrent updates of a BRIN index (Tom Lane)
These race conditions could result in errors like "invalid index offnum" or "inconsistent range map".
(9.5.10,9.6.6,9.4.15) Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)
(9.5.10,9.6.6,9.4.15) Fix json_build_array()
, json_build_object()
, and their jsonb equivalents to handle explicit VARIADIC arguments correctly (Michael Paquier)
(9.5.10,9.6.6,9.4.15) Properly reject attempts to convert infinite float values to type numeric (Tom Lane, KaiGai Kohei)
Previously the behavior was platform-dependent.
(9.5.10,9.6.6,9.4.15) Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
(9.5.10,9.6.6,9.4.15) Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.
(9.5.10,9.6.6,9.4.15) Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
(9.5.10,9.6.6) Correctly ignore RelabelType expression nodes when determining relation distinctness (David Rowley)
This allows the intended optimization to occur when a subquery has a result column of type varchar.
(9.5.10,9.6.6,9.4.15) Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
(9.5.10,9.6.6,9.4.15) Avoid SIGBUS crash on Linux when a DSM memory request exceeds the space available in tmpfs (Thomas Munro)
(9.5.10,9.6.6,9.4.15) Prevent low-probability crash in processing of nested trigger firings (Tom Lane)
(9.5.10,9.6.6,9.4.15) Allow COPY's FREEZE option to work when the transaction isolation level is REPEATABLE READ or higher (Noah Misch)
This case was unintentionally broken by a previous bug fix.
(9.5.10,9.6.6,9.4.15) Correctly restore the umask setting when file creation fails in COPY or lo_export()
(Peter Eisentraut)
(9.5.10,9.6.6,9.4.15) Give a better error message for duplicate column names in ANALYZE (Nathan Bossart)
(9.5.10,9.6.6,9.4.15) Fix mis-parsing of the last line in a non-newline-terminated pg_hba.conf file (Tom Lane)
(9.5.10,9.6.6) Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing (Michael Paquier)
This is particularly helpful on Windows.
(9.5.10,9.6.6,9.4.15) Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.
(9.5.10,9.6.6,9.4.15) Fix libpq to guard against integer overflow in the row count of a PGresult (Michael Paquier)
(9.5.10,9.6.6,9.4.15) Fix ecpg's handling of out-of-scope cursor declarations with pointer or array variables (Michael Meskes)
(9.5.10,9.6.6,9.4.15) In ecpglib, correctly handle backslashes in string literals depending on whether standard_conforming_strings is set (Tsunakawa Takayuki)
(9.5.10,9.6.6,9.4.15) Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
(9.5.10,9.6.6) Fix missing temp-install prerequisites for check-like Make targets (Noah Misch)
Some non-default test procedures that are meant to work like make check failed to ensure that the temporary installation was up to date.
(9.5.10,9.6.6,9.4.15) Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane)
This fixes various issues; the only one likely to be user-visible is that the default DST rules for a POSIX-style zone name, if no posixrules file exists in the timezone data directory, now match current US law rather than what it was a dozen years ago.
(9.5.10,9.6.6,9.4.15) Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
Release date: 2017-08-31
This release contains a small number of fixes from 9.5.8. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.8, see Version 9.5.8.
(9.5.9,9.6.5,9.4.14) Show foreign tables in information_schema.table_privileges view (Peter Eisentraut)
All other relevant information_schema views include foreign tables, but this one ignored them.
Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:
SET search_path TO information_schema; CREATE OR REPLACE VIEW table_privileges AS SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor, CAST(grantee.rolname AS sql_identifier) AS grantee, CAST(current_database() AS sql_identifier) AS table_catalog, CAST(nc.nspname AS sql_identifier) AS table_schema, CAST(c.relname AS sql_identifier) AS table_name, CAST(c.prtype AS character_data) AS privilege_type, CAST( CASE WHEN -- object owner always has grant options pg_has_role(grantee.oid, c.relowner, 'USAGE') OR c.grantable THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable, CAST (CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy FROM ( SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable), pg_namespace nc, pg_authid u_grantor, ( SELECT oid, rolname FROM pg_authid UNION ALL SELECT 0::oid, 'PUBLIC' ) AS grantee (oid, rolname) WHERE c.relnamespace = nc.oid AND c.relkind IN ('r', 'v', 'f') AND c.grantee = grantee.oid AND c.grantor = u_grantor.oid AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER') AND (pg_has_role(u_grantor.oid, 'USAGE') OR pg_has_role(grantee.oid, 'USAGE') OR grantee.rolname = 'PUBLIC');
This must be repeated in each database to be fixed, including template0.
(9.5.9,9.6.5,9.4.14) Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction (Tom Lane)
This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about "cannot drop active portal".
(9.5.9,9.6.5,9.4.14) Remove assertion that could trigger during a fatal exit (Tom Lane)
(9.5.9,9.6.5,9.4.14) Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)
Certain ALTER commands that change the definition of a composite type or domain type are supposed to fail if there are any stored values of that type in the database, because they lack the infrastructure needed to update or check such values. Previously, these checks could miss relevant values that are wrapped inside range types or sub-domains, possibly allowing the database to become inconsistent.
(9.5.9,9.6.5,9.4.14) Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore (FabrÃzio de Royes Mello)
(9.5.9,9.6.5,9.4.14) Change ecpg's parser to allow RETURNING clauses without attached C variables (Michael Meskes)
This allows ecpg programs to contain SQL constructs that use RETURNING internally (for example, inside a CTE) rather than using it to define values to be returned to the client.
(9.5.9,9.6.5,9.4.14) Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)
This fix avoids possible crashes of PL/Perl due to inconsistent assumptions about the width of time_t values. A side-effect that may be visible to extension developers is that _USE_32BIT_TIME_T is no longer defined globally in PostgreSQL Windows builds. This is not expected to cause problems, because type time_t is not used in any PostgreSQL API definitions.
(9.5.9,9.6.5) Fix make check to behave correctly when invoked via a non-GNU make program (Thomas Munro)
Release date: 2017-08-10
This release contains a variety of fixes from 9.5.7. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.5.7, see Version 9.5.7.
(9.5.8,9.6.4,9.4.13) Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)
The fix forCVE-2017-7486 or CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. CVE-2017-7547 or CVE-2017-7547)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog; CREATE OR REPLACE VIEW pg_user_mappings AS SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser, CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename, CASE WHEN (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role (S.srvowner, 'USAGE') OR has_server_privilege (S.oid, 'USAGE'))) OR (U.umuser = 0 AND pg_has_role (S.srvowner, 'USAGE')) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) THEN U.umoptions ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.
(9.5.8,9.6.4,9.4.13) Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. CVE-2017-7546 or CVE-2017-7546)
(9.5.8,9.6.4,9.4.13) Make lo_put()
check for UPDATE privilege on the target large object (Tom Lane, Michael Paquier)
lo_put()
should surely require the same permissions as lowrite()
, but the check was missing, allowing any user to change the data in a large object. CVE-2017-7548 or CVE-2017-7548)
(9.5.8,9.6.4) Correct the documentation about the process for upgrading standby servers with pg_upgrade (Bruce Momjian)
The previous documentation instructed users to start/stop the primary server after running pg_upgrade but before syncing the standby servers. This sequence is unsafe.
(9.5.8,9.6.4,9.4.13) Fix concurrent locking of tuple update chains (Ãlvaro Herrera)
If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.
(9.5.8,9.6.4,9.4.13) Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)
(9.5.8,9.6.4,9.4.13) Avoid integer overflow and ensuing crash when sorting more than one billion tuples in-memory (Sergey Koposov)
(9.5.8,9.6.4,9.4.13) On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)
This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.
(9.5.8,9.6.4,9.4.13) Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)
(9.5.8,9.6.4,9.4.13) Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)
(9.5.8,9.6.4,9.4.13) Prevent sending SSL session tickets to clients (Tom Lane)
This fix prevents reconnection failures with ticket-aware client-side SSL code.
(9.5.8,9.6.4,9.4.13) Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)
(9.5.8,9.6.4,9.4.13) Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)
Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.
(9.5.8,9.6.4,9.4.13) Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)
This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.
(9.5.8,9.6.4,9.4.13) Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund)
(9.5.8,9.6.4,9.4.13) Fix walsender to exit promptly when client requests shutdown (Tom Lane)
(9.5.8,9.6.4,9.4.13) Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)
(9.5.8,9.6.4,9.4.13) Prevent walsender-triggered panics during shutdown checkpoints (Andres Freund, Michael Paquier)
(9.5.8,9.6.4,9.4.13) Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)
(9.5.8,9.6.4,9.4.13) Fix leakage of small subtransactions spilled to disk during logical decoding (Andres Freund)
This resulted in temporary files consuming excessive disk space.
(9.5.8,9.6.4,9.4.13) Reduce the work needed to build snapshots during creation of logical-decoding slots (Andres Freund, Petr Jelinek)
The previous algorithm was infeasibly expensive on a server with a lot of open transactions.
(9.5.8,9.6.4,9.4.13) Fix race condition that could indefinitely delay creation of logical-decoding slots (Andres Freund, Petr Jelinek)
(9.5.8,9.6.4,9.4.13) Reduce overhead in processing syscache invalidation events (Tom Lane)
This is particularly helpful for logical decoding, which triggers frequent cache invalidation.
(9.5.8,9.6.4,9.4.13) Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane)
(9.5.8,9.6.4,9.4.13) Allow window functions to be used in sub-SELECTs that are within the arguments of an aggregate function (Tom Lane)
(9.5.8,9.6.4,9.4.13) Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing)
Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations.
(9.5.8,9.6.4) Fix dangling pointer in ALTER TABLE when there is a comment on a constraint belonging to the table (David Rowley)
Re-applying the comment to the reconstructed constraint could fail with a weird error message, or even crash.
(9.5.8,9.6.4,9.4.13) Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut)
(9.5.8,9.6.4,9.4.13) Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas)
CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind.
(9.5.8,9.6.4,9.4.13) Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)
(9.5.8,9.6.4,9.4.13) Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane)
(9.5.8,9.6.4,9.4.13) Tighten checks for whitespace in functions that parse identifiers, such as regprocedurein()
(Tom Lane)
Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.
(9.5.8,9.6.4,9.4.13) Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane)
This avoids portability problems, typically manifesting as a "handshake" mismatch during library load, when working with recent Perl versions.
(9.5.8,9.6.4,9.4.13) In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)
Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.
(9.5.8,9.6.4,9.4.13) In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro)
This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.
(9.5.8,9.6.4,9.4.13) Fix pg_dump and pg_restore to emit REFRESH MATERIALIZED VIEW commands last (Tom Lane)
This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.
(9.5.8,9.6.4,9.4.13) Improve pg_dump/pg_restore's reporting of error conditions originating in zlib (Vladimir Kunschikov, Ãlvaro Herrera)
(9.5.8,9.6.4,9.4.13) Fix pg_dump with the --clean option to drop event triggers as expected (Tom Lane)
It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.
(9.5.8,9.6.4,9.4.13) Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)
(9.5.8,9.6.4,9.4.13) Fix pg_dump output to stdout on Windows (Kuntal Ghosh)
A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.5.8,9.6.4,9.4.13) Fix pg_get_ruledef()
to print correct output for the ON SELECT rule of a view whose columns have been renamed (Tom Lane)
In some corner cases, pg_dump relies on pg_get_ruledef()
to dump views, so that this error could result in dump/reload failures.
(9.5.8,9.6.4,9.4.13) Fix dumping of outer joins with empty constraints, such as the result of a NATURAL LEFT JOIN with no common columns (Tom Lane)
(9.5.8,9.6.4,9.4.13) Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane)
(9.5.8,9.6.4,9.4.13) Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)
A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.5.8,9.6.4) Fix pg_rewind to correctly handle files exceeding 2GB (Kuntal Ghosh, Michael Paquier)
Ordinarily such files won't appear in PostgreSQL data directories, but they could be present in some cases.
(9.5.8,9.6.4,9.4.13) Fix pg_upgrade to ensure that the ending WAL record does not have wal_level = minimum (Bruce Momjian)
This condition could prevent upgraded standby servers from reconnecting.
(9.5.8,9.6.4) Fix pg_xlogdump's computation of WAL record length (Andres Freund)
(9.5.8,9.6.4,9.4.13) In postgres_fdw, re-establish connections to remote servers after ALTER SERVER or ALTER USER MAPPING commands (Kyotaro Horiguchi)
This ensures that option changes affecting connection parameters will be applied promptly.
(9.5.8,9.6.4,9.4.13) In postgres_fdw, allow cancellation of remote transaction control commands (Robert Haas, Rafia Sabih)
This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.
(9.5.8,9.6.4,9.4.13) Increase MAX_SYSCACHE_CALLBACKS to provide more room for extensions (Tom Lane)
(9.5.8,9.6.4,9.4.13) Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane)
This supports larger extension libraries on platforms where it makes a difference.
(9.5.8,9.4.13) Fix unescaped-braces issue in our build scripts for Microsoft MSVC, to avoid a warning or error from recent Perl versions (Andrew Dunstan)
(9.5.8,9.6.4,9.4.13) In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan)
(9.5.8,9.6.4,9.4.13) In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)
This fixes a former need to move things around in standard Windows installations of libxml2.
(9.5.8,9.6.4,9.4.13) In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch)
(9.5.8,9.6.4,9.4.13) In MSVC builds, honor PROVE_FLAGS settings on vcregress.pl's command line (Andrew Dunstan)
Release date: 2017-05-11
This release contains a variety of fixes from 9.5.6. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are using third-party replication tools that depend on "logical decoding", see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 9.5.6, see Version 9.5.6.
(9.5.7) Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. CVE-2017-7486 or CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry forCVE-2017-7547 or CVE-2017-7547, in Version 9.5.8.
(9.5.7,9.6.3,9.4.12) Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. CVE-2017-7484 or CVE-2017-7484)
(9.5.7,9.6.3,9.4.12) Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Processing of this environment variable was unintentionally dropped in PostgreSQL 9.3, but its documentation remained. This creates a security hazard, since users might be relying on the environment variable to force SSL-encrypted connections, but that would no longer be guaranteed. Restore handling of the variable, but give it lower priority than PGSSLMODE, to avoid breaking configurations that work correctly with post-9.3 code. CVE-2017-7485 or CVE-2017-7485)
(9.5.7,9.6.3,9.4.12) Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)
The initial snapshot created for a logical decoding replication slot was potentially incorrect. This could cause third-party tools that use logical decoding to copy incomplete/inconsistent initial data. This was more likely to happen if the source server was busy at the time of slot creation, or if another logical slot already existed.
If you are using a replication tool that depends on logical decoding, and it should have copied a nonempty data set at the start of replication, it is advisable to recreate the replica after installing this update, or to verify its contents against the source server.
(9.5.7,9.6.3,9.4.12) Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
(9.5.7,9.6.3,9.4.12) Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)
In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.
(9.5.7,9.6.3,9.4.12) Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)
(9.5.7,9.6.3) Fix possible crash when rescanning a nearest-neighbor index-only scan on a GiST index (Tom Lane)
(9.5.7,9.6.3,9.4.12) Fix postmaster's handling of fork()
failure for a background worker process (Tom Lane)
Previously, the postmaster updated portions of its state as though the process had been launched successfully, resulting in subsequent confusion.
(9.5.7) Fix crash or wrong answers when a GROUPING SETS column's data type is hashable but not sortable (Pavan Deolasee)
(9.5.7,9.6.3) Avoid applying "physical targetlist" optimization to custom scans (Dmitry Ivanov, Tom Lane)
This optimization supposed that retrieving all columns of a tuple is inexpensive, which is true for ordinary Postgres tuples; but it might not be the case for a custom scan provider.
(9.5.7,9.6.3) Use the correct sub-expression when applying a FOR ALL row-level-security policy (Stephen Frost)
In some cases the WITH CHECK restriction would be applied when the USING restriction is more appropriate.
(9.5.7,9.6.3,9.4.12) Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.
(9.5.7,9.6.3,9.4.12) Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)
The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.
(9.5.7,9.6.3,9.4.12) Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)
This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.
(9.5.7,9.6.3) Avoid dangling pointer in COPY ... TO when row-level security is active for the source table (Tom Lane)
Usually this had no ill effects, but sometimes it would cause unexpected errors or crashes.
(9.5.7,9.6.3) Avoid accessing an already-closed relcache entry in CLUSTER and VACUUM FULL (Tom Lane)
With some bad luck, this could lead to indexes on the target relation getting rebuilt with the wrong persistence setting.
(9.5.7,9.6.3,9.4.12) Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.
(9.5.7,9.6.3,9.4.12) Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
(9.5.7,9.6.3,9.4.12) Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom Lane)
The comparison operators for type interval could yield wrong answers for intervals larger than about 296000 years. Indexes on columns containing such large values should be reindexed, since they may be corrupt.
(9.5.7,9.6.3,9.4.12) Fix cursor_to_xml()
to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping <table> element.
(9.5.7,9.6.3,9.4.12) Fix roundoff problems in float8_timestamptz()
and make_interval()
(Tom Lane)
These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.
(9.5.7,9.6.3) Fix pg_get_object_address()
to handle members of operator families correctly (Ãlvaro Herrera)
(9.5.7,9.6.3,9.4.12) Improve performance of pg_timezone_names view (Tom Lane, David Rowley)
(9.5.7,9.6.3,9.4.12) Reduce memory management overhead for contexts containing many large blocks (Tom Lane)
(9.5.7,9.6.3,9.4.12) Fix sloppy handling of corner-case errors from lseek()
and close()
(Tom Lane)
Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.
(9.5.7,9.6.3,9.4.12) Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
(9.5.7,9.6.3,9.4.12) Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)
(9.5.7,9.6.3,9.4.12) Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
(9.5.7,9.6.3,9.4.12) In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
(9.5.7,9.6.3,9.4.12) Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.
(9.5.7,9.6.3,9.4.12) Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
(9.5.7,9.6.3,9.4.12) Improve error handling in contrib/adminpack's pg_file_write()
function (Noah Misch)
Notably, it failed to detect errors reported by fclose()
.
(9.5.7,9.6.3,9.4.12) In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)
(9.5.7,9.6.3,9.4.12) Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)
In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.
(9.5.7,9.4.12) In contrib/postgres_fdw, transmit query cancellation requests to the remote server (Michael Paquier, Etsuro Fujita)
Previously, a local query cancellation request did not cause an already-sent remote query to terminate early. This is a back-patch of work originally done for 9.6.
(9.5.7,9.6.3,9.4.12,9.3.17,9.2.21) Support Tcl 8.6 in MSVC builds (Ãlvaro Herrera)
(9.5.7,9.6.3,9.4.12) Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
(9.5.7,9.6.3,9.4.12) Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
(9.5.7,9.6.3,9.4.12) Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.
Release date: 2017-02-09
This release contains a variety of fixes from 9.5.5. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted indexes.
Also, if you are upgrading from a version earlier than 9.5.5, see Version 9.5.5.
(9.5.6,9.6.2,9.4.11) Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)
If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.
(9.5.6,9.6.2,9.4.11) Ensure that the special snapshot used for catalog scans is not invalidated by premature data pruning (Tom Lane)
Backends failed to account for this snapshot when advertising their oldest xmin, potentially allowing concurrent vacuuming operations to remove data that was still needed. This led to transient failures along the lines of "cache lookup failed for relation 1255".
(9.5.6,9.6.2) Fix incorrect WAL logging for BRIN indexes (Kuntal Ghosh)
The WAL record emitted for a BRIN "revmap" page when moving an index tuple to a different page was incorrect. Replay would make the related portion of the index useless, forcing it to be recomputed.
(9.5.6,9.6.2,9.4.11) Unconditionally WAL-log creation of the "init fork" for an unlogged table (Michael Paquier)
Previously, this was skipped when wal_level = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash.
(9.5.6,9.6.0,9.4.11) Reduce interlocking on standby servers during the replay of btree index vacuuming operations (Simon Riggs)
This change avoids substantial replication delays that sometimes occurred while replaying such operations.
(9.5.6,9.6.2,9.4.11) If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)
(9.5.6,9.6.2,9.4.11) Ensure that hot standby feedback works correctly when it's enabled at standby server start (Ants Aasma, Craig Ringer)
(9.5.6,9.6.2,9.4.11) Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)
(9.5.6,9.6.2,9.4.11) Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)
This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.
(9.5.6,9.6.2,9.4.11) Fix check for when an extension member object can be dropped (Tom Lane)
Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.
(9.5.6,9.6.2,9.4.11) Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier)
Previously, non-default settings of default_tablespace could result in broken indexes.
(9.5.6,9.6.2,9.4.11) Fix incorrect updating of trigger function properties when changing a foreign-key constraint's deferrability properties with ALTER TABLE ... ALTER CONSTRAINT (Tom Lane)
This led to odd failures during subsequent exercise of the foreign key, as the triggers were fired at the wrong times.
(9.5.6,9.6.2,9.4.11) Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)
This avoids "could not find trigger NNN" or "relation NNN has no triggers" errors.
(9.5.6,9.6.2) Fix ALTER TABLE ... SET DATA TYPE ... USING when child table has different column ordering than the parent (Ãlvaro Herrera)
Failure to adjust the column numbering in the USING expression led to errors, typically "attribute N has wrong type".
(9.5.6,9.6.2,9.4.11) Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote)
The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.
(9.5.6,9.6.2,9.4.11) Fix CREATE OR REPLACE VIEW to update the view query before attempting to apply the new view options (Dean Rasheed)
Previously the command would fail if the new options were inconsistent with the old view definition.
(9.5.6,9.6.2,9.4.11) Report correct object identity during ALTER TEXT SEARCH CONFIGURATION (Artur Zakirov)
The wrong catalog OID was reported to extensions such as logical decoding.
(9.5.6,9.6.2) Fix commit timestamp mechanism to not fail when queried about the special XIDs FrozenTransactionId and BootstrapTransactionId (Craig Ringer)
(9.5.6,9.6.0,9.4.11) Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)
When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction.
(9.5.6,9.6.2) Fix incorrect use of view reloptions as regular table reloptions (Tom Lane)
The symptom was spurious "ON CONFLICT is not supported on table ... used as a catalog table" errors when the target of INSERT ... ON CONFLICT is a view with cascade option.
(9.5.6,9.6.2) Fix incorrect "target lists can have at most N entries" complaint when using ON CONFLICT with wide tables (Tom Lane)
(9.5.6,9.6.2,9.4.11) Prevent multicolumn expansion of foo.* in an UPDATE source expression (Tom Lane)
This led to "UPDATE target count mismatch --- internal error". Now the syntax is understood as a whole-row variable, as it would be in other contexts.
(9.5.6,9.6.2,9.4.11) Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane)
This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit.
(9.5.6,9.6.2,9.4.11) Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)
Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"...").
(9.5.6,9.6.2,9.4.11) Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan)
Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.
(9.5.6,9.6.2,9.4.11) Prevent crash when ts_rewrite()
replaces a non-top-level subtree with an empty query (Artur Zakirov)
(9.5.6,9.6.2,9.4.11) Fix performance problems in ts_rewrite()
(Tom Lane)
(9.5.6,9.6.2,9.4.11) Fix ts_rewrite()
's handling of nested NOT operators (Tom Lane)
(9.5.6,9.6.2) Improve speed of user-defined aggregates that use array_append()
as transition function (Tom Lane)
(9.5.6,9.6.2,9.4.11) Fix array_fill()
to handle empty arrays properly (Tom Lane)
(9.5.6,9.6.2) Fix possible crash in array_position()
or array_positions()
when processing arrays of records (Junseok Yang)
(9.5.6,9.6.2,9.4.11) Fix one-byte buffer overrun in quote_literal_cstr()
(Heikki Linnakangas)
The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.
(9.5.6,9.6.2,9.4.11) Prevent multiple calls of pg_start_backup()
and pg_stop_backup()
from running concurrently (Michael Paquier)
This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.
(9.5.6,9.6.2) Disable transform that attempted to remove no-op AT TIME ZONE conversions (Tom Lane)
This resulted in wrong answers when the simplified expression was used in an index condition.
(9.5.6,9.6.2,9.4.11) Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane)
In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field.
(9.5.6,9.6.2) Fix bugs in transmitting GUC parameter values to parallel workers (Michael Paquier, Tom Lane)
(9.5.6,9.6.2,9.4.11) Ensure that cached plans are invalidated by changes in foreign-table options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)
(9.5.6,9.6.2,9.4.11) Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)
(9.5.6,9.6.2,9.4.11) Fix pg_restore with --create --if-exists to behave more sanely if an archive contains unrecognized DROP commands (Tom Lane)
This doesn't fix any live bug, but it may improve the behavior in future if pg_restore is used with an archive generated by a later pg_dump version.
(9.5.6,9.6.2,9.4.11) Fix pg_basebackup's rate limiting in the presence of slow I/O (Antonin Houska)
If disk I/O was transiently much slower than the specified rate limit, the calculation overflowed, effectively disabling the rate limit for the rest of the run.
(9.5.6,9.6.2,9.4.11) Fix pg_basebackup's handling of symlinked pg_stat_tmp and pg_replslot subdirectories (Magnus Hagander, Michael Paquier)
(9.5.6,9.6.2,9.4.11) Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)
(9.5.6,9.6.2) Fix possible mishandling of expanded arrays in domain check constraints and CASE execution (Tom Lane)
It was possible for a PL/pgSQL function invoked in these contexts to modify or even delete an array value that needs to be preserved for additional operations.
(9.5.6,9.6.2) Fix nested uses of PL/pgSQL functions in contexts such as domain check constraints evaluated during assignment to a PL/pgSQL variable (Tom Lane)
(9.5.6,9.6.2,9.4.11) Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)
This avoids failures if the objects are used after a Python garbage collection cycle has occurred.
(9.5.6,9.6.2,9.4.11) Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane)
This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that.
(9.5.6,9.6.2,9.4.11) Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing)
This change simplifies use of the same password file across Unix and Windows machines.
(9.5.6,9.6.2,9.4.11) Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)
(9.5.6,9.6.2,9.4.11) Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost)
(9.5.6,9.6.2,9.4.11) In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning "no pager" (Tom Lane)
Previously, such a setting caused output intended for the pager to vanish entirely.
(9.5.6,9.6.2,9.4.11) Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway)
(9.5.6,9.6.2,9.4.11) Teach contrib/dblink to ignore irrelevant server options when it uses a contrib/postgres_fdw foreign server as the source of connection options (Corey Huinker)
Previously, if the foreign server object had options that were not also libpq connection options, an error occurred.
(9.5.6,9.6.2) Fix portability problems in contrib/pageinspect's functions for GIN indexes (Peter Eisentraut, Tom Lane)
(9.5.6,9.6.2,9.4.11) On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)
(9.5.6,9.6.2,9.4.11) Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)
This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.
(9.5.6,9.6.2,9.4.11) Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.
Release date: 2016-10-27
This release contains a variety of fixes from 9.5.4. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted free space maps.
Also, if you are upgrading from a version earlier than 9.5.2, see Version 9.5.2.
(9.5.5,9.6.1,9.4.10) Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)
It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like "could not read block XXX: read only 0 of 8192 bytes". Checksum failures in the visibility map are also possible, if checksumming is enabled.
Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.
(9.5.5,9.4.10) Fix incorrect creation of GIN index WAL records on big-endian machines (Tom Lane)
The typical symptom was "unexpected GIN leaf action" errors during WAL replay.
(9.5.5,9.4.10) Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been updated by a subsequently-aborted transaction (Ãlvaro Herrera)
In 9.5 and later, the SELECT would sometimes fail to return such tuples at all. A failure has not been proven to occur in earlier releases, but might be possible with concurrent updates.
(9.5.5,9.4.10) Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)
The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated.
(9.5.5) Fix deletion of speculatively inserted TOAST tuples when backing out of INSERT ... ON CONFLICT (Oskari Saarenmaa)
In the race condition where two transactions try to insert conflicting tuples at about the same time, the loser would fail with an "attempted to delete invisible tuple" error if its insertion included any TOAST'ed fields.
(9.5.5,9.6.1) Don't throw serialization errors for self-conflicting insertions in INSERT ... ON CONFLICT (Thomas Munro, Peter Geoghegan)
(9.5.5,9.4.10) Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth)
The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not.
(9.5.5,9.4.10) Fix query-lifespan memory leak in a bulk UPDATE on a table with a PRIMARY KEY or REPLICA IDENTITY index (Tom Lane)
(9.5.5,9.6.1) Fix COPY with a column name list from a table that has row-level security enabled (Adam Brightwell)
(9.5.5,9.6.1,9.4.10) Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)
Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>.
(9.5.5,9.4.10) Suppress printing of zeroes for unmeasured times in EXPLAIN (Maksim Milyutin)
Certain option combinations resulted in printing zero values for times that actually aren't ever measured in that combination. Our general policy in EXPLAIN is not to print such fields at all, so do that consistently in all cases.
(9.5.5,9.6.1) Fix statistics update for TRUNCATE in a prepared transaction (Stas Kelvich)
(9.5.5,9.4.10) Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs)
The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value.
(9.5.5,9.6.1,9.4.10) Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)
Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint.
(9.5.5,9.6.1) Show a sensible value in pg_settings.unit for min_wal_size and max_wal_size (Tom Lane)
(9.5.5,9.4.10) Remove artificial restrictions on the values accepted by numeric_in()
and numeric_recv()
(Tom Lane)
We allow numeric values up to the limit of the storage format (more than 1e100000), so it seems fairly pointless that numeric_in()
rejected scientific-notation exponents above 1000. Likewise, it was silly for numeric_recv()
to reject more than 1000 digits in an input value.
(9.5.5,9.6.1,9.4.10) Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
(9.5.5,9.6.1) Preserve commit timestamps across server restart (Julien Rouhaud, Craig Ringer)
With track_commit_timestamp turned on, old commit timestamps became inaccessible after a clean server restart.
(9.5.5,9.6.1,9.4.10) Fix logical WAL decoding to work properly when a subtransaction's WAL output is large enough to spill to disk (Andres Freund)
(9.5.5) Fix possible sorting error when aborting use of abbreviated keys (Peter Geoghegan)
In the worst case, this could result in a corrupt btree index, which would need to be rebuilt using REINDEX. However, the situation is believed to be rare.
(9.5.5,9.4.10) Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund)
(9.5.5,9.4.10) Disallow starting a standalone backend with standby_mode turned on (Michael Paquier)
This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind.
(9.5.5,9.4.10) Properly initialize replication slot state when recycling a previously-used slot (Michael Paquier)
This failure to reset all of the fields of the slot could prevent VACUUM from removing dead tuples.
(9.5.5,9.6.1,9.4.10) Round shared-memory allocation request to a multiple of the actual huge page size when attempting to use huge pages on Linux (Tom Lane)
This avoids possible failures during munmap()
on systems with atypical default huge page sizes. Except in crash-recovery cases, there were no ill effects other than a log message.
(9.5.5,9.4.10) Use a more random value for the dynamic shared memory control segment's ID (Robert Haas, Tom Lane)
Previously, the same value would be chosen every time, because it was derived from random()
but srandom()
had not yet been called. While relatively harmless, this was not the intended behavior.
(9.5.5,9.4.10) On Windows, retry creation of the dynamic shared memory control segment after an access-denied error (Kyotaro Horiguchi, Amit Kapila)
Windows sometimes returns ERROR_ACCESS_DENIED rather than ERROR_ALREADY_EXISTS when there is an existing segment. This led to postmaster startup failure due to believing that the former was an unrecoverable error.
(9.5.5) Fix PL/pgSQL to not misbehave with parameters and local variables of type int2vector or oidvector (Tom Lane)
(9.5.5,9.6.1,9.4.10) Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.
(9.5.5,9.6.1,9.4.10) Avoid corner-case memory leak in libpq (Tom Lane)
The reported problem involved leaking an error report during PQreset()
, but there might be related cases.
(9.5.5,9.4.10) Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi)
(9.5.5,9.4.10) Fix pgbench's calculation of average latency (Fabien Coelho)
The calculation was incorrect when there were \sleep commands in the script, or when the test duration was specified in number of transactions rather than total time.
(9.5.5,9.6.1) In pg_upgrade, check library loadability in name order (Tom Lane)
This is a workaround to deal with cross-extension dependencies from language transform modules to their base language and data type modules.
(9.5.5,9.4.10) In pg_dump, never dump range constructor functions (Tom Lane)
This oversight led to pg_upgrade failures with extensions containing range types, due to duplicate creation of the constructor functions.
(9.5.5) In pg_dump with -C, suppress TABLESPACE clause of CREATE DATABASE if --no-tablespaces is specified (Tom Lane)
(9.5.5) Make pg_receivexlog work correctly with --synchronous without slots (Gabriele Bartolini)
(9.5.5,9.6.1) Disallow specifying both --source-server and --source-target options to pg_rewind (Michael Banck)
(9.5.5,9.6.1) Make pg_rewind turn off synchronous_commit in its session on the source server (Michael Banck, Michael Paquier)
This allows pg_rewind to work even when the source server is using synchronous replication that is not working for some reason.
(9.5.5,9.6.1,9.4.10) In pg_xlogdump, retry opening new WAL segments when using --follow option (Magnus Hagander)
This allows for a possible delay in the server's creation of the next segment.
(9.5.5,9.4.10) Fix pg_xlogdump to cope with a WAL file that begins with a continuation record spanning more than one page (Pavan Deolasee)
(9.5.5,9.4.10) Fix contrib/pg_buffercache to work when shared_buffers exceeds 256GB (KaiGai Kohei)
(9.5.5,9.4.10) Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson)
(9.5.5) Support OpenSSL 1.1.0 (Heikki Linnakangas)
(9.5.5,9.4.10) Install TAP test infrastructure so that it's available for extension testing (Craig Ringer)
When PostgreSQL has been configured with --enable-tap-tests, "make install" will now install the Perl support files for TAP testing where PGXS can find them. This allows non-core extensions to use $(prove_check) without extra tests.
(9.5.5,9.4.10) In MSVC builds, include pg_recvlogical in a client-only installation (MauMau)
(9.5.5,9.4.10) Update Windows time zone mapping to recognize some time zone names added in recent Windows versions (Michael Paquier)
(9.5.5,9.4.10) Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)
If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether.
(9.5.5,9.6.1,9.4.10) Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.
Release date: 2016-08-11
This release contains a variety of fixes from 9.5.3. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.2, see Version 9.5.2.
(9.5.4,9.4.9) Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)
A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. CVE-2016-5423 or CVE-2016-5423)
(9.5.4,9.4.9) Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)
Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.
Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.
Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.
pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.
These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. CVE-2016-5424 or CVE-2016-5424)
(9.5.4,9.4.9) Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)
The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW (NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW (NULL, ROW (NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.
(9.5.4) Fix "unrecognized node type" error for INSERT ... ON CONFLICT within a recursive CTE (a WITH item) (Peter Geoghegan)
(9.5.4) Fix INSERT ... ON CONFLICT to successfully match index expressions or index predicates that are simplified during the planner's expression preprocessing phase (Tom Lane)
(9.5.4) Correctly handle violations of exclusion constraints that apply to the target table of an INSERT ... ON CONFLICT command, but are not one of the selected arbiter indexes (Tom Lane)
Such a case should raise a normal constraint-violation error, but it got into an infinite loop instead.
(9.5.4) Fix INSERT ... ON CONFLICT to not fail if the target table has a unique index on OID (Tom Lane)
(9.5.4,9.4.9) Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)
(9.5.4,9.4.9) Prevent crash in close_ps()
(the point ## lseg operator) for NaN input coordinates (Tom Lane)
Make it return NULL instead of crashing.
(9.5.4,9.4.9) Avoid possible crash in pg_get_expr()
when inconsistent values are passed to it (Michael Paquier, Thomas Munro)
(9.5.4,9.4.9) Fix several one-byte buffer over-reads in to_number()
(Peter Eisentraut)
In several cases the to_number()
function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory.
(9.5.4,9.4.9) Do not run the planner on the query contained in CREATE MATERIALIZED VIEW or CREATE TABLE AS when WITH NO DATA is specified (Michael Paquier, Tom Lane)
This avoids some unnecessary failure conditions, for example if a stable function invoked by the materialized view depends on a table that doesn't exist yet.
(9.5.4,9.4.9) Avoid unsafe intermediate state during expensive paths through heap_update()
(Masahiko Sawada, Andres Freund)
Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.
(9.5.4,9.4.9) Fix hint bit update during WAL replay of row locking operations (Andres Freund)
The only known consequence of this problem is that row locks held by a prepared, but uncommitted, transaction might fail to be enforced after a crash and restart.
(9.5.4,9.4.9) Avoid unnecessary "could not serialize access" errors when acquiring FOR KEY SHARE row locks in serializable mode (Ãlvaro Herrera)
(9.5.4) Make sure "expanded" datums returned by a plan node are read-only (Tom Lane)
This avoids failures in some cases where the result of a lower plan node is referenced in multiple places in upper nodes. So far as core PostgreSQL is concerned, only array values returned by PL/pgSQL functions are at risk; but extensions might use expanded datums for other things.
(9.5.4,9.4.9) Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier)
(9.5.4) Prevent unintended waits for the receiver in WAL sender processes (Kyotaro Horiguchi)
(9.5.4,9.4.9) Fix possible loss of large subtransactions in logical decoding (Petru-Florin Mihancea)
(9.5.4,9.4.9) Fix failure of logical decoding when a subtransaction contains no actual changes (Marko Tiikkaja, Andrew Gierth)
(9.5.4,9.4.9) Ensure that backends see up-to-date statistics for shared catalogs (Tom Lane)
The statistics collector failed to update the statistics file for shared catalogs after a request from a regular backend. This problem was partially masked because the autovacuum launcher regularly makes requests that did cause such updates; however, it became obvious with autovacuum disabled.
(9.5.4,9.4.9) Avoid redundant writes of the statistics files when multiple backends request updates close together (Tom Lane, Tomas Vondra)
(9.5.4,9.4.9) Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)
Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.
(9.5.4,9.4.9) Prevent possible failure when vacuuming multixact IDs in an installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth, Ãlvaro Herrera)
The usual symptom of this bug is errors like "MultiXactId NNN has not been created yet -- apparent wraparound".
(9.5.4,9.4.9) When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)
If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.
(9.5.4,9.4.9) Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)
The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.
(9.5.4,9.4.9) Prevent autovacuum from starting multiple workers for the same shared catalog (Ãlvaro Herrera)
Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.
(9.5.4) Fix bug in b-tree mark/restore processing (Kevin Grittner)
This error could lead to incorrect join results or assertion failures in a merge join whose inner source node is a b-tree indexscan.
(9.5.4,9.4.9) Avoid duplicate buffer lock release when abandoning a b-tree index page deletion attempt (Tom Lane)
This mistake prevented VACUUM from completing in some cases involving corrupt b-tree indexes.
(9.5.4) Fix building of large (bigger than shared_buffers) hash indexes (Tom Lane)
The code path used for large indexes contained a bug causing incorrect hash values to be inserted into the index, so that subsequent index searches always failed, except for tuples inserted into the index after the initial build.
(9.5.4,9.4.9) Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane)
(9.5.4) Fix possible crash during a nearest-neighbor (ORDER BY distance) indexscan on a contrib/btree_gist index on an interval column (Peter Geoghegan)
(9.5.4) Fix "PANIC: failed to add BRIN tuple" error when attempting to update a BRIN index entry (Ãlvaro Herrera)
(9.5.4) Fix possible crash during background worker shutdown (Dmitry Ivanov)
(9.5.4) Fix PL/pgSQL's handling of the INTO clause within IMPORT FOREIGN SCHEMA commands (Tom Lane)
(9.5.4,9.4.9) Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)
(9.5.4,9.4.9) Teach libpq to correctly decode server version from future servers (Peter Eisentraut)
It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that PQserverVersion()
returns the correct value for such cases.
(9.5.4,9.4.9) Fix ecpg's code for unsigned long long array elements (Michael Meskes)
(9.5.4,9.4.9) In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane)
(9.5.4,9.4.9) Improve handling of SIGTERM/control-C in parallel pg_dump and pg_restore (Tom Lane)
Make sure that the worker processes will exit promptly, and also arrange to send query-cancel requests to the connected backends, in case they are doing something long-running such as a CREATE INDEX.
(9.5.4,9.4.9) Fix error reporting in parallel pg_dump and pg_restore (Tom Lane)
Previously, errors reported by pg_dump or pg_restore worker processes might never make it to the user's console, because the messages went through the master process, and there were various deadlock scenarios that would prevent the master process from passing on the messages. Instead, just print everything to stderr. In some cases this will result in duplicate messages (for instance, if all the workers report a server shutdown), but that seems better than no message.
(9.5.4,9.4.9) Ensure that parallel pg_dump or pg_restore on Windows will shut down properly after an error (Kyotaro Horiguchi)
Previously, it would report the error, but then just sit until manually stopped by the user.
(9.5.4) Make parallel pg_dump fail cleanly when run against a standby server (Magnus Hagander)
This usage is not supported unless --no-synchronized-snapshots is specified, but the error was not handled very well.
(9.5.4,9.4.9) Make pg_dump behave better when built without zlib support (Kyotaro Horiguchi)
It didn't work right for parallel dumps, and emitted some rather pointless warnings in other cases.
(9.5.4,9.4.9) Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)
(9.5.4,9.4.9) Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)
(9.5.4,9.4.9) Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)
(9.5.4,9.4.9) Be more predictable about reporting "statement timeout" versus "lock timeout" (Tom Lane)
On heavily loaded machines, the regression tests sometimes failed due to reporting "lock timeout" even though the statement timeout should have occurred first.
(9.5.4,9.4.9) Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)
Change some test data that triggered the unusual sorting rules of these locales.
(9.5.4,9.4.9) Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)
This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.
(9.5.4,9.4.9) Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.
Release date: 2016-05-12
This release contains a variety of fixes from 9.5.2. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.2, see Version 9.5.2.
(9.5.3,9.4.8) Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
(9.5.3,9.4.8) Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
(9.5.3,9.4.8) Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)
Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.
(9.5.3) Fix corner-case parser failures occurring when operator_precedence_warning is turned on (Tom Lane)
An example is that SELECT (ARRAY[])::text[] gave an error, though it worked without the parentheses.
(9.5.3,9.4.8) Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)
(9.5.3,9.4.8) Fix query-lifespan memory leak and potential index corruption hazard in GIN index insertion (Tom Lane)
The memory leak would typically not amount to much in simple queries, but it could be very substantial during a large GIN index build with high maintenance_work_mem.
(9.5.3,9.4.8) Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp()
(Tom Lane)
These could advance off the end of the input string, causing subsequent format codes to read garbage.
(9.5.3,9.4.8) Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
(9.5.3,9.4.8) Disallow newlines in ALTER SYSTEM parameter values (Tom Lane)
The configuration-file parser doesn't support embedded newlines in string literals, so we mustn't allow them in values to be inserted by ALTER SYSTEM.
(9.5.3,9.4.8) Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX to work properly if an index on OID is selected (David Rowley)
(9.5.3) Avoid possible misbehavior after failing to remove a tablespace symlink (Tom Lane)
(9.5.3,9.4.8) Fix crash in logical decoding on alignment-picky platforms (Tom Lane, Andres Freund)
The failure occurred only with a transaction large enough to spill to disk and a primary-key change within that transaction.
(9.5.3,9.4.8) Avoid repeated requests for feedback from receiver while shutting down walsender (Nick Cleaton)
(9.5.3,9.4.8) Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)
This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.
(9.5.3,9.4.8) Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)
In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
(9.5.3,9.4.8) Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane)
pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.
(9.5.3) Fix atomic operations for PPC when using IBM's XLC compiler (Noah Misch)
(9.5.3,9.4.8) Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)
(9.5.3,9.4.8) Rename internal function strtoi()
to strtoint()
to avoid conflict with a NetBSD library function (Thomas Munro)
(9.5.3,9.4.8) Fix reporting of errors from bind()
and listen()
system calls on Windows (Tom Lane)
(9.5.3,9.4.8) Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)
(9.5.3) Support building with Visual Studio 2015 (Michael Paquier, Petr JelÃnek)
Note that builds made with VS2015 will not run on Windows versions before Windows Vista.
(9.5.3,9.4.8) Fix putenv()
to work properly with Visual Studio 2013 (Michael Paquier)
(9.5.3,9.4.8) Avoid possibly-unsafe use of Windows' FormatMessage()
function (Christian Ullrich)
Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
(9.5.3,9.4.8) Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.
Release date: 2016-03-31
This release contains a variety of fixes from 9.5.1. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
However, you may need to REINDEX some indexes after applying the update, as per the first changelog entry below.
(9.5.2) Disable abbreviated keys for string sorting in non-C locales (Robert Haas)
PostgreSQL 9.5 introduced logic for speeding up comparisons of string data types by using the standard C library function strxfrm()
as a substitute for strcoll()
. It now emerges that most versions of glibc (Linux's implementation of the C library) have buggy implementations of strxfrm()
that, in some locales, can produce string comparison results that do not match strcoll()
. Until this problem can be better characterized, disable the optimization in all non-C locales. (C locale is safe since it uses neither strcoll()
nor strxfrm()
.)
Unfortunately, this problem affects not only sorting but also entry ordering in B-tree indexes, which means that B-tree indexes on text, varchar, or char columns may now be corrupt if they sort according to an affected locale and were built or modified under PostgreSQL 9.5.0 or 9.5.1. Users should REINDEX indexes that might be affected.
It is not possible at this time to give an exhaustive list of known-affected locales. C locale is known safe, and there is no evidence of trouble in English-based locales such as en_US, but some other popular locales such as de_DE are affected in most glibc versions.
(9.5.2) Maintain row-security status properly in cached plans (Stephen Frost)
In a session that performs queries as more than one role, the plan cache might incorrectly re-use a plan that was generated for another role ID, thus possibly applying the wrong set of policies when row-level security (RLS) is in use. CVE-2016-2193 or CVE-2016-2193)
(9.5.2) Add must-be-superuser checks to some new contrib/pageinspect functions (Andreas Seltenreich)
Most functions in the pageinspect extension that inspect bytea values disallow calls by non-superusers, but brin_page_type()
and brin_metapage_info()
failed to do so. Passing contrived bytea values to them might crash the server or disclose a few bytes of server memory. Add the missing permissions checks to prevent misuse. CVE-2016-3065 or CVE-2016-3065)
(9.5.2) Fix incorrect handling of indexed ROW() comparisons (Simon Riggs)
Flaws in a minor optimization introduced in 9.5 caused incorrect results if the ROW() comparison matches the index ordering partially but not exactly (for example, differing column order, or the index contains both ASC and DESC columns). Pending a better solution, the optimization has been removed.
(9.5.2,9.4.7) Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
(9.5.2,9.4.7) Avoid unlikely data-loss scenarios due to renaming files without adequate fsync()
calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)
(9.5.2) Fix incorrect behavior when rechecking a just-modified row in a query that does SELECT FOR UPDATE/SHARE and contains some relations that need not be locked (Tom Lane)
Rows from non-locked relations were incorrectly treated as containing all NULLs during the recheck, which could result in incorrectly deciding that the updated row no longer passes the WHERE condition, or in incorrectly outputting NULLs.
(9.5.2,9.4.7) Fix bug in json_to_record()
when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)
(9.5.2) Fix nonsense result from two-argument form of jsonb_object()
when called with empty arrays (Michael Paquier, Andrew Dunstan)
(9.5.2) Fix misbehavior in jsonb_set()
when converting a path array element into an integer for use as an array subscript (Michael Paquier)
(9.5.2,9.4.7) Fix misformatting of negative time zone offsets by to_char()
's OF format code (Thomas Munro, Tom Lane)
(9.5.2) Fix possible incorrect logging of waits done by INSERT ... ON CONFLICT (Peter Geoghegan)
Log messages would sometimes claim that the wait was due to an exclusion constraint although no such constraint was responsible.
(9.5.2,9.4.7) Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)
Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.
(9.5.2,9.4.7) Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
(9.5.2,9.4.7) Fix assorted bugs in logical decoding (Andres Freund)
Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of "subxact logged without previous toplevel record", and incorrect reporting of a transaction's commit time.
(9.5.2,9.4.7) Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)
(9.5.2) Fix memory leak in GIN index searches (Tom Lane)
(9.5.2,9.4.7) Fix corner-case crash due to trying to free localeconv()
output strings more than once (Tom Lane)
(9.5.2,9.4.7) Fix parsing of affix files for ispell dictionaries (Tom Lane)
The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
(9.5.2,9.4.7) Avoid use of sscanf()
to parse ispell dictionary files (Artur Zakirov)
This dodges a portability problem on FreeBSD-derived platforms (including macOS).
(9.5.2) Fix atomic-operations code used on PPC with IBM's xlc compiler (Noah Misch)
This error led to rare failures of concurrent operations on that platform.
(9.5.2,9.4.7) Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
(9.5.2,9.4.7) Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
(9.5.2,9.4.7) Fix psql's tab completion for SECURITY LABEL (Tom Lane)
Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
(9.5.2,9.4.7) Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
(9.5.2,9.4.7) Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
(9.5.2,9.4.7) Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
(9.5.2,9.4.7) In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)
Blind application of the script in such cases would result in loss of the new data directory.
(9.5.2,9.4.7) In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
(9.5.2,9.4.7) Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
(9.5.2,9.4.7) Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex()
function (Tom Lane)
(9.5.2,9.4.7) Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
(9.5.2,9.4.7) Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).
Release date: 2016-02-11
This release contains a variety of fixes from 9.5.0. For information about new features in the 9.5 major release, see Version 9.5.0.
A dump/restore is not required for those running 9.5.X.
(9.5.1,9.4.6) Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. CVE-2016-0773 or CVE-2016-0773)
(9.5.1) Fix an oversight that caused hash joins to miss joining to some tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)
(9.5.1) Avoid pushdown of HAVING clauses when grouping sets are used (Andrew Gierth)
(9.5.1) Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter Geoghegan)
(9.5.1,9.4.6) Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
(9.5.1,9.4.6) Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
(9.5.1,9.4.6) Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
(9.5.1,9.4.6) In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
(9.5.1,9.4.6) Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
(9.5.1) Fix improper quoting of domain constraint names in pg_dump (Elvis Pranskevichus)
(9.5.1,9.4.6) Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
(9.5.1,9.4.6) Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
(9.5.1) Suppress useless warning message when pg_receivexlog connects to a pre-9.4 server (Marco Nenciarini)
(9.5.1,9.4.6) Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
(9.5.1,9.4.6) Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
(9.5.1,9.4.6) Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
This change mitigates a PL/Java security bug CVE-2016-0766 or CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
(9.5.1,9.4.6) Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
(9.5.1,9.4.6) Fix hstore_to_json_loose()
's test for whether an hstore value can be converted to a JSON number (Tom Lane)
Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
(9.5.1,9.4.6) In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)
(9.5.1) Fix ill-advised restriction of NAMEDATALEN to be less than 256 (Robert Haas, Tom Lane)
(9.5.1,9.4.6) Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
This avoids possible bitwise differences in the produced executable files from one build to the next.
(9.5.1,9.4.6) Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
(9.5.1,9.4.6) Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.
Release date: 2016-01-07
Major enhancements in PostgreSQL 9.5 include:
(9.5.0) Allow INSERTs that would generate constraint conflicts to be turned into UPDATEs or ignored
(9.5.0) Add GROUP BY analysis features GROUPING SETS, CUBE and ROLLUP
(9.5.0) Add row-level security control
(9.5.0) Create mechanisms for tracking the progress of replication, including methods for identifying the origin of individual changes during logical replication
(9.5.0) Add Block Range Indexes (BRIN)
(9.5.0) Substantial performance improvements for sorting
(9.5.0) Substantial performance improvements for multi-CPU machines
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.5 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
(9.5.0) Adjust operator precedence to match the SQL standard (Tom Lane)
The precedence of <=, >= and <> has been reduced to match that of <, > and =. The precedence of IS tests (e.g., x IS NULL) has been reduced to be just below these six comparison operators. Also, multi-keyword operators beginning with NOT now have the precedence of their base operator (for example, NOT BETWEEN now has the same precedence as BETWEEN) whereas before they had inconsistent precedence, behaving like NOT with respect to their left operand but like their base operator with respect to their right operand. The new configuration parameter operator_precedence_warning can be enabled to warn about queries in which these precedence changes result in different parsing choices.
(9.5.0) Change pg_ctl's default shutdown mode from smart to fast (Bruce Momjian)
This means the default behavior will be to forcibly cancel existing database sessions, not simply wait for them to exit.
(9.5.0) Use assignment cast behavior for data type conversions in PL/pgSQL assignments, rather than converting to and from text (Tom Lane)
This change causes conversions of Booleans to strings to produce true or false, not t or f. Other type conversions may succeed in more cases than before; for example, assigning a numeric value 3.9 to an integer variable will now assign 4 rather than failing. If no assignment-grade cast is defined for the particular source and destination types, PL/pgSQL will fall back to its old I/O conversion behavior.
(9.5.0) Allow characters in server command-line options to be escaped with a backslash (Andres Freund)
Formerly, spaces in the options string always separated options, so there was no way to include a space in an option value. Including a backslash in an option value now requires writing \\.
(9.5.0) Change the default value of the GSSAPI include_realm parameter to 1, so that by default the realm is not removed from a GSS or SSPI principal name (Stephen Frost)
(9.5.0) Replace configuration parameter checkpoint_segments with min_wal_size and max_wal_size (Heikki Linnakangas)
If you previously adjusted checkpoint_segments, the following formula will give you an approximately equivalent setting:
max_wal_size = (3 * checkpoint_segments) * 16MB
Note that the default setting for max_wal_size is much higher than the default checkpoint_segments used to be, so adjusting it might no longer be necessary.
(9.5.0) Control the Linux OOM killer via new environment variables PG_OOM_ADJUST_FILE and PG_OOM_ADJUST_VALUE, instead of compile-time options LINUX_OOM_SCORE_ADJ and LINUX_OOM_ADJ (Gurjeet Singh)
(9.5.0) Decommission server configuration parameter ssl_renegotiation_limit, which was deprecated in earlier releases (Andres Freund)
While SSL renegotiation is a good idea in theory, it has caused enough bugs to be considered a net negative in practice, and it is due to be removed from future versions of the relevant standards. We have therefore removed support for it from PostgreSQL. The ssl_renegotiation_limit parameter still exists, but cannot be set to anything but zero (disabled). It's not documented anymore, either.
(9.5.0) Remove server configuration parameter autocommit, which was already deprecated and non-operational (Tom Lane)
(9.5.0) Remove the pg_authid catalog's rolcatupdate field, as it had no usefulness (Adam Brightwell)
(9.5.0) The pg_stat_replication system view's sent field is now NULL, not zero, when it has no valid value (Magnus Hagander)
(9.5.0) Allow json and jsonb array extraction operators to accept negative subscripts, which count from the end of JSON arrays (Peter Geoghegan, Andrew Dunstan)
Previously, these operators returned NULL for negative subscripts.
Below you will find a detailed account of the changes between PostgreSQL 9.5 and the previous major release.
(9.5.0) Add Block Range Indexes (BRIN) (Ãlvaro Herrera)
BRIN indexes store only summary data (such as minimum and maximum values) for ranges of heap blocks. They are therefore very compact and cheap to update; but if the data is naturally clustered, they can still provide substantial speedup of searches.
(9.5.0) Allow queries to perform accurate distance filtering of bounding-box-indexed objects (polygons, circles) using GiST indexes (Alexander Korotkov, Heikki Linnakangas)
Previously, to exploit such an index a subquery had to be used to select a large number of rows ordered by bounding-box distance, and the result then had to be filtered further with a more accurate distance calculation.
(9.5.0) Allow GiST indexes to perform index-only scans (Anastasia Lubennikova, Heikki Linnakangas, Andreas Karlsson)
(9.5.0) Add configuration parameter gin_pending_list_limit to control the size of GIN pending lists (Fujii Masao)
This value can also be set on a per-index basis as an index storage parameter. Previously the pending-list size was controlled by work_mem, which was awkward because appropriate values for work_mem are often much too large for this purpose.
(9.5.0) Issue a warning during the creation of hash indexes because they are not crash-safe (Bruce Momjian)
(9.5.0) Improve the speed of sorting of varchar, text, and numeric fields via "abbreviated" keys (Peter Geoghegan, Andrew Gierth, Robert Haas)
(9.5.0) Extend the infrastructure that allows sorting to be performed by inlined, non-SQL-callable comparison functions to cover CREATE INDEX, REINDEX, and CLUSTER (Peter Geoghegan)
(9.5.0) Improve performance of hash joins (Tomas Vondra, Robert Haas)
(9.5.0) Improve concurrency of shared buffer replacement (Robert Haas, Amit Kapila, Andres Freund)
(9.5.0) Reduce the number of page locks and pins during index scans (Kevin Grittner)
The primary benefit of this is to allow index vacuums to be blocked less often.
(9.5.0) Make per-backend tracking of buffer pins more memory-efficient (Andres Freund)
(9.5.0) Improve lock scalability (Andres Freund)
This particularly addresses scalability problems when running on systems with multiple CPU sockets.
(9.5.0) Allow the optimizer to remove unnecessary references to left-joined subqueries (David Rowley)
(9.5.0) Allow pushdown of query restrictions into subqueries with window functions, where appropriate (David Rowley)
(9.5.0) Allow a non-leakproof function to be pushed down into a security barrier view if the function does not receive any view output columns (Dean Rasheed)
(9.5.0) Teach the planner to use statistics obtained from an expression index on a boolean-returning function, when a matching function call appears in WHERE (Tom Lane)
(9.5.0) Make ANALYZE compute basic statistics (null fraction and average column width) even for columns whose data type lacks an equality function (Oleksandr Shulgin)
(9.5.0) Speed up CRC (cyclic redundancy check) computations and switch to CRC-32C (Abhijit Menon-Sen, Heikki Linnakangas)
(9.5.0) Improve bitmap index scan performance (Teodor Sigaev, Tom Lane)
(9.5.0) Speed up CREATE INDEX by avoiding unnecessary memory copies (Robert Haas)
(9.5.0) Increase the number of buffer mapping partitions (Amit Kapila, Andres Freund, Robert Haas)
This improves performance for highly concurrent workloads.
(9.5.0) Add per-table autovacuum logging control via new log_autovacuum_min_duration storage parameter (Michael Paquier)
(9.5.0) Add new configuration parameter cluster_name (Thomas Munro)
This string, typically set in postgresql.conf, allows clients to identify the cluster. This name also appears in the process title of all server processes, allowing for easier identification of processes belonging to the same cluster.
(9.5.0) Prevent non-superusers from changing log_disconnections on connection startup (Fujii Masao)
(9.5.0) Check "Subject Alternative Names" in SSL server certificates, if present (Alexey Klyukin)
When they are present, this replaces checks against the certificate's "Common Name".
(9.5.0) Add system view pg_stat_ssl to report SSL connection information (Magnus Hagander)
(9.5.0) Add libpq functions to return SSL information in an implementation-independent way (Heikki Linnakangas)
While PQgetssl()
can still be used to call OpenSSL functions, it is now considered deprecated because future versions of libpq might support other SSL implementations. When possible, use the new functions PQsslAttribute()
, PQsslAttributeNames()
, and PQsslInUse()
to obtain SSL information in an SSL-implementation-independent way.
(9.5.0) Make libpq honor any OpenSSL thread callbacks (Jan Urbanski)
Previously they were overwritten.
(9.5.0) Replace configuration parameter checkpoint_segments with min_wal_size and max_wal_size (Heikki Linnakangas)
This change allows the allocation of a large number of WAL files without keeping them after they are no longer needed. Therefore the default for max_wal_size has been set to 1GB, much larger than the old default for checkpoint_segments. Also note that standby servers perform restartpoints to try to limit their WAL space consumption to max_wal_size; previously they did not pay any attention to checkpoint_segments.
(9.5.0) Control the Linux OOM killer via new environment variables PG_OOM_ADJUST_FILE and PG_OOM_ADJUST_VALUE (Gurjeet Singh)
The previous OOM control infrastructure involved compile-time options LINUX_OOM_SCORE_ADJ and LINUX_OOM_ADJ, which are no longer supported. The new behavior is available in all builds.
(9.5.0) Allow recording of transaction commit time stamps when configuration parameter track_commit_timestamp is enabled (Ãlvaro Herrera, Petr JelÃnek)
Time stamp information can be accessed using functions pg_xact_commit_timestamp()
and pg_last_committed_xact()
.
(9.5.0) Allow local_preload_libraries to be set by ALTER ROLE SET (Peter Eisentraut, Kyotaro Horiguchi)
(9.5.0) Allow autovacuum workers to respond to configuration parameter changes during a run (Michael Paquier)
(9.5.0) Make configuration parameter debug_assertions read-only (Andres Freund)
This means that assertions can no longer be turned off if they were enabled at compile time, allowing for more efficient code optimization. This change also removes the postgres -A option.
(9.5.0) Allow setting effective_io_concurrency on systems where it has no effect (Peter Eisentraut)
(9.5.0) Add system view pg_file_settings to show the contents of the server's configuration files (Sawada Masahiko)
(9.5.0) Add pending_restart to the system view pg_settings to indicate a change has been made but will not take effect until a database restart (Peter Eisentraut)
(9.5.0) Allow ALTER SYSTEM values to be reset with ALTER SYSTEM RESET (Vik Fearing)
This command removes the specified setting from postgresql.auto.conf.
(9.5.0) Create mechanisms for tracking the progress of replication, including methods for identifying the origin of individual changes during logical replication (Andres Freund)
This is helpful when implementing replication solutions.
(9.5.0) Rework truncation of the multixact commit log to be properly WAL-logged (Andres Freund)
This makes things substantially simpler and more robust.
(9.5.0) Add recovery.conf parameter recovery_target_action to control post-recovery activity (Petr JelÃnek)
This replaces the old parameter pause_at_recovery_target.
(9.5.0) Add new archive_mode value always to allow standbys to always archive received WAL files (Fujii Masao)
(9.5.0) Add configuration parameter wal_retrieve_retry_interval to control WAL read retry after failure (Alexey Vasiliev, Michael Paquier)
This is particularly helpful for warm standbys.
(9.5.0) Allow compression of full-page images stored in WAL (Rahila Syed, Michael Paquier)
This feature reduces WAL volume, at the cost of more CPU time spent on WAL logging and WAL replay. It is controlled by a new configuration parameter wal_compression, which currently is off by default.
(9.5.0) Archive WAL files with suffix .partial during standby promotion (Heikki Linnakangas)
(9.5.0) Add configuration parameter log_replication_commands to log replication commands (Fujii Masao)
By default, replication commands, e.g., IDENTIFY_SYSTEM, are not logged, even when log_statement is set to all.
(9.5.0) Report the processes holding replication slots in pg_replication_slots (Craig Ringer)
The new output column is active_pid.
(9.5.0) Allow recovery.conf's primary_conninfo setting to use connection URIs, e.g., postgres:// (Alexander Shulgin)
(9.5.0) Allow INSERTs that would generate constraint conflicts to be turned into UPDATEs or ignored (Peter Geoghegan, Heikki Linnakangas, Andres Freund)
The syntax is INSERT ... ON CONFLICT DO NOTHING/UPDATE. This is the Postgres implementation of the popular UPSERT command.
(9.5.0) Add GROUP BY analysis features GROUPING SETS, CUBE and ROLLUP (Andrew Gierth, Atri Sharma)
(9.5.0) Allow setting multiple target columns in an UPDATE from the result of a single sub-SELECT (Tom Lane)
This is accomplished using the syntax UPDATE tab SET (col1, col2, ...) = (SELECT ...).
(9.5.0) Add SELECT option SKIP LOCKED to skip locked rows (Thomas Munro)
This does not throw an error for locked rows like NOWAIT does.
(9.5.0) Add SELECT option TABLESAMPLE to return a subset of a table (Petr JelÃnek)
This feature supports the SQL-standard table sampling methods. In addition, there are provisions for user-defined table sampling methods.
(9.5.0) Suggest possible matches for mistyped column names (Peter Geoghegan, Robert Haas)
(9.5.0) Add more details about sort ordering in EXPLAIN output (Marius Timmer, Lukas Kreft, Arne Scheffer)
Details include COLLATE, DESC, USING, and NULLS FIRST/LAST.
(9.5.0) Make VACUUM log the number of pages skipped due to pins (Jim Nasby)
(9.5.0) Make TRUNCATE properly update the pg_stat* tuple counters (Alexander Shulgin)
(9.5.0) Allow REINDEX to reindex an entire schema using the SCHEMA option (Sawada Masahiko)
(9.5.0) Add VERBOSE option to REINDEX (Sawada Masahiko)
(9.5.0) Prevent REINDEX DATABASE and SCHEMA from outputting object names, unless VERBOSE is used (Simon Riggs)
(9.5.0) Remove obsolete FORCE option from REINDEX (Fujii Masao)
(9.5.0) Add row-level security control (Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean Rasheed, Stephen Frost)
This feature allows row-by-row control over which users can add, modify, or even see rows in a table. This is controlled by new commands CREATE/ALTER/DROP POLICY and ALTER TABLE ... ENABLE/DISABLE ROW SECURITY.
(9.5.0) Allow changing of the WAL logging status of a table after creation with ALTER TABLE ... SET LOGGED / UNLOGGED (FabrÃzio de Royes Mello)
(9.5.0) Add IF NOT EXISTS clause to CREATE TABLE AS, CREATE INDEX, CREATE SEQUENCE, and CREATE MATERIALIZED VIEW (FabrÃzio de Royes Mello)
(9.5.0) Add support for IF EXISTS to ALTER TABLE ... RENAME CONSTRAINT (Bruce Momjian)
(9.5.0) Allow some DDL commands to accept CURRENT_USER or SESSION_USER, meaning the current user or session user, in place of a specific user name (Kyotaro Horiguchi, Ãlvaro Herrera)
This feature is now supported in ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and ALTER object OWNER TO commands.
(9.5.0) Support comments on domain constraints (Ãlvaro Herrera)
(9.5.0) Reduce lock levels of some create and alter trigger and foreign key commands (Simon Riggs, Andreas Karlsson)
(9.5.0) Allow LOCK TABLE ... ROW EXCLUSIVE MODE for those with INSERT privileges on the target table (Stephen Frost)
Previously this command required UPDATE, DELETE, or TRUNCATE privileges.
(9.5.0) Apply table and domain CHECK constraints in order by name (Tom Lane)
The previous ordering was indeterminate.
(9.5.0) Allow CREATE/ALTER DATABASE to manipulate datistemplate and datallowconn (Vik Fearing)
This allows these per-database settings to be changed without manually modifying the pg_database system catalog.
(9.5.0) Add support for IMPORT FOREIGN SCHEMA (Ronan Dunklau, Michael Paquier, Tom Lane)
This command allows automatic creation of local foreign tables that match the structure of existing tables on a remote server.
(9.5.0) Allow CHECK constraints to be placed on foreign tables (Shigeru Hanada, Etsuro Fujita)
Such constraints are assumed to be enforced on the remote server, and are not enforced locally. However, they are assumed to hold for purposes of query optimization, such as constraint exclusion.
(9.5.0) Allow foreign tables to participate in inheritance (Shigeru Hanada, Etsuro Fujita)
To let this work naturally, foreign tables are now allowed to have check constraints marked as not valid, and to set storage and OID characteristics, even though these operations are effectively no-ops for a foreign table.
(9.5.0) Allow foreign data wrappers and custom scans to implement join pushdown (KaiGai Kohei)
(9.5.0) Whenever a ddl_command_end event trigger is installed, capture details of DDL activity for it to inspect (Ãlvaro Herrera)
This information is available through a set-returning function pg_event_trigger_ddl_commands()
, or by inspection of C data structures if that function doesn't provide enough detail.
(9.5.0) Allow event triggers on table rewrites caused by ALTER TABLE (Dimitri Fontaine)
(9.5.0) Add event trigger support for database-level COMMENT, SECURITY LABEL, and GRANT/REVOKE (Ãlvaro Herrera)
(9.5.0) Add columns to the output of pg_event_trigger_dropped_objects
(Ãlvaro Herrera)
This allows simpler processing of delete operations.
(9.5.0) Allow the xml data type to accept empty or all-whitespace content values (Peter Eisentraut)
This is required by the SQL/XML specification.
(9.5.0) Allow macaddr input using the format xxxx-xxxx-xxxx (Herwin Weststrate)
(9.5.0) Disallow non-SQL-standard syntax for interval with both precision and field specifications (Bruce Momjian)
Per the standard, such type specifications should be written as, for example, INTERVAL MINUTE TO SECOND(2). PostgreSQL formerly allowed this to be written as INTERVAL(2) MINUTE TO SECOND, but it must now be written in the standard way.
(9.5.0) Add selectivity estimators for inet/cidr operators and improve estimators for text search functions (Emre Hasegeli, Tom Lane)
(9.5.0) Add data types regrole and regnamespace to simplify entering and pretty-printing the OID of a role or namespace (Kyotaro Horiguchi)
(9.5.0) Add jsonb functions jsonb_set()
and jsonb_pretty()
(Dmitry Dolgov, Andrew Dunstan, Petr JelÃnek)
(9.5.0) Add jsonb generator functions to_jsonb()
, jsonb_object()
, jsonb_build_object()
, jsonb_build_array()
, jsonb_agg()
, and jsonb_object_agg()
(Andrew Dunstan)
Equivalent functions already existed for type json.
(9.5.0) Reduce casting requirements to/from json and jsonb (Tom Lane)
(9.5.0) Allow text, text array, and integer values to be subtracted from jsonb documents (Dmitry Dolgov, Andrew Dunstan)
(9.5.0) Add jsonb || operator (Dmitry Dolgov, Andrew Dunstan)
(9.5.0) Add json_strip_nulls()
and jsonb_strip_nulls()
functions to remove JSON null values from documents (Andrew Dunstan)
(9.5.0) Add generate_series()
for numeric values (Plato Malugin)
(9.5.0) Allow array_agg()
and ARRAY()
to take arrays as inputs (Ali Akbar, Tom Lane)
(9.5.0) Add functions array_position()
and array_positions()
to return subscripts of array values (Pavel Stehule)
(9.5.0) Add a point-to-polygon distance operator <-> (Alexander Korotkov)
(9.5.0) Allow multibyte characters as escapes in SIMILAR TO and SUBSTRING (Jeff Davis)
Previously, only a single-byte character was allowed as an escape.
(9.5.0) Add a width_bucket()
variant that supports any sortable data type and non-uniform bucket widths (Petr JelÃnek)
(9.5.0) Add an optional missing_ok argument to pg_read_file()
and related functions (Michael Paquier, Heikki Linnakangas)
(9.5.0) Allow => to specify named parameters in function calls (Pavel Stehule)
Previously only := could be used. This requires removing the possibility for => to be a user-defined operator. Creation of user-defined => operators has been issuing warnings since PostgreSQL 9.0.
(9.5.0) Add POSIX-compliant rounding for platforms that use PostgreSQL-supplied rounding functions (Pedro Gimeno Fortea)
(9.5.0) Add function pg_get_object_address()
to return OIDs that uniquely identify an object, and function pg_identify_object_as_address()
to return object information based on OIDs (Ãlvaro Herrera)
(9.5.0) Loosen security checks for viewing queries in pg_stat_activity, executing pg_cancel_backend()
, and executing pg_terminate_backend()
(Stephen Frost)
Previously, only the specific role owning the target session could perform these operations; now membership in that role is sufficient.
(9.5.0) Add pg_stat_get_snapshot_timestamp()
to output the time stamp of the statistics snapshot (Matt Kelly)
This represents the last time the snapshot file was written to the file system.
(9.5.0) Add mxid_age()
to compute multi-xid age (Bruce Momjian)
(9.5.0) Add min()
/max()
aggregates for inet/cidr data types (Haribabu Kommi)
(9.5.0) Use 128-bit integers, where supported, as accumulators for some aggregate functions (Andreas Karlsson)
(9.5.0) Improve support for composite types in PL/Python (Ed Behn, Ronan Dunklau)
This allows PL/Python functions to return arrays of composite types.
(9.5.0) Reduce lossiness of PL/Python floating-point value conversions (Marko Kreen)
(9.5.0) Allow specification of conversion routines between SQL data types and data types of procedural languages (Peter Eisentraut)
This change adds new commands CREATE/DROP TRANSFORM. This also adds optional transformations between the hstore and ltree types to/from PL/Perl and PL/Python.
(9.5.0) Improve PL/pgSQL array performance (Tom Lane)
(9.5.0) Add an ASSERT statement in PL/pgSQL (Pavel Stehule)
(9.5.0) Allow more PL/pgSQL keywords to be used as identifiers (Tom Lane)
(9.5.0) Move pg_archivecleanup, pg_test_fsync, pg_test_timing, and pg_xlogdump from contrib to src/bin (Peter Eisentraut)
This should result in these programs being installed by default in most installations.
(9.5.0) Add pg_rewind, which allows re-synchronizing a master server after failback (Heikki Linnakangas)
(9.5.0) Allow pg_receivexlog to manage physical replication slots (Michael Paquier)
This is controlled via new --create-slot and --drop-slot options.
(9.5.0) Allow pg_receivexlog to synchronously flush WAL to storage using new --synchronous option (Furuya Osamu, Fujii Masao)
Without this, WAL files are fsync'ed only on close.
(9.5.0) Allow vacuumdb to vacuum in parallel using new --jobs option (Dilip Kumar)
(9.5.0) In vacuumdb, do not prompt for the same password repeatedly when multiple connections are necessary (Haribabu Kommi, Michael Paquier)
(9.5.0) Add --verbose option to reindexdb (Sawada Masahiko)
(9.5.0) Make pg_basebackup use a tablespace mapping file when using tar format, to support symbolic links and file paths of 100+ characters in length on MS Windows (Amit Kapila)
(9.5.0) Add pg_xlogdump option --stats to display summary statistics (Abhijit Menon-Sen)
(9.5.0) Allow psql to produce AsciiDoc output (Szymon Guz)
(9.5.0) Add an errors mode that displays only failed commands to psql's ECHO variable (Pavel Stehule)
This behavior can also be selected with psql's -b option.
(9.5.0) Provide separate column, header, and border linestyle control in psql's unicode linestyle (Pavel Stehule)
Single or double lines are supported; the default is single.
(9.5.0) Add new option %l in psql's PROMPT variables to display the current multiline statement line number (Sawada Masahiko)
(9.5.0) Add \pset option pager_min_lines to control pager invocation (Andrew Dunstan)
(9.5.0) Improve psql line counting used when deciding to invoke the pager (Andrew Dunstan)
(9.5.0) psql now fails if the file specified by an --output or --log-file switch cannot be written (Tom Lane, Daniel Vérité)
Previously, it effectively ignored the switch in such cases.
(9.5.0) Add psql tab completion when setting the search_path variable (Jeff Janes)
Currently only the first schema can be tab-completed.
(9.5.0) Improve psql's tab completion for triggers and rules (Andreas Karlsson)
(9.5.0) Add psql \? help sections variables and options (Pavel Stehule)
\? variables shows psql's special variables and \? options shows the command-line options. \? commands shows the meta-commands, which is the traditional output and remains the default. These help displays can also be obtained with the command-line option --help=section.
(9.5.0) Show tablespace size in psql's \db+ (FabrÃzio de Royes Mello)
(9.5.0) Show data type owners in psql's \dT+ (Magnus Hagander)
(9.5.0) Allow psql's \watch to output \timing information (Fujii Masao)
Also prevent --echo-hidden from echoing \watch queries, since that is generally unwanted.
(9.5.0) Make psql's \sf and \ef commands honor ECHO_HIDDEN (Andrew Dunstan)
(9.5.0) Improve psql tab completion for \set, \unset, and :variable names (Pavel Stehule)
(9.5.0) Allow tab completion of role names in psql \c commands (Ian Barwick)
(9.5.0) Allow pg_dump to share a snapshot taken by another session using --snapshot (Simon Riggs, Michael Paquier)
The remote snapshot must have been exported by pg_export_snapshot()
or logical replication slot creation. This can be used to share a consistent snapshot across multiple pg_dump processes.
(9.5.0) Support table sizes exceeding 8GB in tar archive format (Tom Lane)
The POSIX standard for tar format does not allow elements of a tar archive to exceed 8GB, but most modern implementations of tar support an extension that does allow it. Use the extension format when necessary, rather than failing.
(9.5.0) Make pg_dump always print the server and pg_dump versions (Jing Wang)
Previously, version information was only printed in --verbose mode.
(9.5.0) Remove the long-ignored -i/--ignore-version option from pg_dump, pg_dumpall, and pg_restore (Fujii Masao)
(9.5.0) Support multiple pg_ctl -o options, concatenating their values (Bruce Momjian)
(9.5.0) Allow control of pg_ctl's event source logging on MS Windows (MauMau)
This only controls pg_ctl, not the server, which has separate settings in postgresql.conf.
(9.5.0) If the server's listen address is set to a wildcard value (0.0.0.0 in IPv4 or :: in IPv6), connect via the loopback address rather than trying to use the wildcard address literally (Kondo Yuta)
This fix primarily affects Windows, since on other platforms pg_ctl will prefer to use a Unix-domain socket.
(9.5.0) Move pg_upgrade from contrib to src/bin (Peter Eisentraut)
In connection with this change, the functionality previously provided by the pg_upgrade_support module has been moved into the core server.
(9.5.0) Support multiple pg_upgrade -o/-O options, concatenating their values (Bruce Momjian)
(9.5.0) Improve database collation comparisons in pg_upgrade (Heikki Linnakangas)
(9.5.0) Remove support for upgrading from 8.3 clusters (Bruce Momjian)
(9.5.0) Move pgbench from contrib to src/bin (Peter Eisentraut)
(9.5.0) Fix calculation of TPS number "excluding connections establishing" (Tatsuo Ishii, Fabien Coelho)
The overhead for connection establishment was miscalculated whenever the number of pgbench threads was less than the number of client connections. Although this is clearly a bug, we won't back-patch it into pre-9.5 branches since it makes TPS numbers not comparable to previous results.
(9.5.0) Allow counting of pgbench transactions that take over a specified amount of time (Fabien Coelho)
This is controlled by a new --latency-limit option.
(9.5.0) Allow pgbench to generate Gaussian/exponential distributions using \setrandom (Kondo Mitsumasa, Fabien Coelho)
(9.5.0) Allow pgbench's \set command to handle arithmetic expressions containing more than one operator, and add % (modulo) to the set of operators it supports (Robert Haas, Fabien Coelho)
(9.5.0) Simplify WAL record format (Heikki Linnakangas)
This allows external tools to more easily track what blocks are modified.
(9.5.0) Improve the representation of transaction commit and abort WAL records (Andres Freund)
(9.5.0) Add atomic memory operations API (Andres Freund)
(9.5.0) Allow custom path and scan methods (KaiGai Kohei, Tom Lane)
This allows extensions greater control over the optimizer and executor.
(9.5.0) Allow foreign data wrappers to do post-filter locking (Etsuro Fujita)
(9.5.0) Foreign tables can now take part in INSERT ... ON CONFLICT DO NOTHING queries (Peter Geoghegan, Heikki Linnakangas, Andres Freund)
Foreign data wrappers must be modified to handle this. INSERT ... ON CONFLICT DO UPDATE is not supported on foreign tables.
(9.5.0) Improve hash_create()
's API for selecting simple-binary-key hash functions (Teodor Sigaev, Tom Lane)
(9.5.0) Improve parallel execution infrastructure (Robert Haas, Amit Kapila, Noah Misch, Rushabh Lathia, Jeevan Chalke)
(9.5.0) Remove Alpha (CPU) and Tru64 (OS) ports (Andres Freund)
(9.5.0) Remove swap-byte-based spinlock implementation for ARMv5 and earlier CPUs (Robert Haas)
ARMv5's weak memory ordering made this locking implementation unsafe. Spinlock support is still possible on newer gcc implementations with atomics support.
(9.5.0) Generate an error when excessively long (100+ character) file paths are written to tar files (Peter Eisentraut)
Tar does not support such overly-long paths.
(9.5.0) Change index operator class for columns pg_seclabel.provider and pg_shseclabel.provider to be text_pattern_ops (Tom Lane)
This avoids possible problems with these indexes when different databases of a cluster have different default collations.
(9.5.0) Change the spinlock primitives to function as compiler barriers (Robert Haas)
(9.5.0) Allow higher-precision time stamp resolution on Windows 8, Windows Server 2012, and later Windows systems (Craig Ringer)
(9.5.0) Install shared libraries to bin in MS Windows (Peter Eisentraut, Michael Paquier)
(9.5.0) Install src/test/modules together with contrib on MSVC builds (Michael Paquier)
(9.5.0) Allow configure's --with-extra-version option to be honored by the MSVC build (Michael Paquier)
(9.5.0) Pass PGFILEDESC into MSVC contrib builds (Michael Paquier)
(9.5.0) Add icons to all MSVC-built binaries and version information to all MS Windows binaries (Noah Misch)
MinGW already had such icons.
(9.5.0) Add optional-argument support to the internal getopt_long()
implementation (Michael Paquier, Andres Freund)
This is used by the MSVC build.
(9.5.0) Add statistics for minimum, maximum, mean, and standard deviation times to pg_stat_statements (Mitsumasa Kondo, Andrew Dunstan)
(9.5.0) Add pgcrypto function pgp_armor_headers()
to extract PGP armor headers (Marko Tiikkaja, Heikki Linnakangas)
(9.5.0) Allow empty replacement strings in unaccent (Mohammad Alhashash)
This is useful in languages where diacritic signs are represented as separate characters.
(9.5.0) Allow multicharacter source strings in unaccent (Tom Lane)
This could be useful in languages where diacritic signs are represented as separate characters. It also allows more complex unaccent dictionaries.
(9.5.0) Add contrib modules tsm_system_rows and tsm_system_time to allow additional table sampling methods (Petr JelÃnek)
(9.5.0) Add GIN index inspection functions to pageinspect (Heikki Linnakangas, Peter Geoghegan, Michael Paquier)
(9.5.0) Add information about buffer pins to pg_buffercache display (Andres Freund)
(9.5.0) Allow pgstattuple to report approximate answers with less overhead using pgstattuple_approx()
(Abhijit Menon-Sen)
(9.5.0) Move dummy_seclabel, test_shm_mq, test_parser, and worker_spi from contrib to src/test/modules (Ãlvaro Herrera)
These modules are only meant for server testing, so they do not need to be built or installed when packaging PostgreSQL.
Release date: 2020-02-13
This release contains a variety of fixes from 9.4.25. For information about new features in the 9.4 major release, see Version 9.4.0.
This is expected to be the last PostgreSQL release in the 9.4.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.25, see Version 9.4.25.
(9.4.26,9.6.17,9.5.21) Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
(9.4.26,9.6.17,9.5.21) Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
(9.4.26,9.6.17,9.5.21) Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
(9.4.26,9.6.17,9.5.21) Ignore the CONCURRENTLY option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT action. There is no benefit in using CONCURRENTLY for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
(9.4.26,9.6.17,9.5.21) Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS (Tom Lane)
(9.4.26,9.6.17,9.5.21) Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
(9.4.26,9.6.17,9.5.21) Fix possible crash with a SubPlan (sub-SELECT) within a multi-row VALUES list (Tom Lane)
(9.4.26,9.6.17,9.5.21) Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
(9.4.26,9.6.17,9.5.21) Improve error reporting in to_date()
and to_timestamp()
(Tom Lane, Ãlvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
(9.4.26,9.6.17,9.5.21) Fix off-by-one result for EXTRACT (ISOYEAR FROM timestamp) for BC dates (Tom Lane)
(9.4.26,9.6.17,9.5.21) Avoid stack overflow in information_schema views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
(9.4.26,9.6.17,9.5.21) Improve performance of hash joins with very large inner relations (Thomas Munro)
(9.4.26,9.6.17,9.5.21) Fix edge-case crashes and misestimations in selectivity calculations for the <@ and @> range operators (Michael Paquier, Andrey Borodin, Tom Lane)
(9.4.26,9.6.17,9.5.21) Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
(9.4.26,9.6.17,9.5.21) Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
(9.4.26,9.6.17,9.5.21) Fix error reporting for index expressions of prohibited types (Amit Langote)
(9.4.26,9.6.17,9.5.21) Fix dumping of views that contain only a VALUES list to handle cases where a view output column has been renamed (Tom Lane)
(9.4.26,9.6.17,9.5.21) Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
(9.4.26,9.6.17,9.5.21) Fix incorrect handling of %b and %B format codes in ecpg's PGTYPEStimestamp_fmt_asc()
function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
(9.4.26,9.6.17,9.5.21) Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
(9.4.26,9.6.17,9.5.21) Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
(9.4.26,9.6.17,9.5.21) In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
(9.4.26,9.6.17,9.5.21) Apply more thorough syntax checking to createuser's --connection-limit option (Ãlvaro Herrera)
(9.4.26,9.6.17,9.5.21) In contrib/dict_int, reject maxlen settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
(9.4.26,9.6.17,9.5.21) Disallow NULL category values in contrib/tablefunc's crosstab()
function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
(9.4.26,9.6.17) Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT, to allow extensions to access them on Windows (Pascal Legrand)
This applies to idle_in_transaction_session_timeout, lock_timeout, statement_timeout, track_activities, track_counts, and track_functions.
(9.4.26,9.6.17,9.5.21) Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY, and perhaps other misbehavior.
(9.4.26,9.6.17,9.5.21) On Windows, retry a few times after an ERROR_ACCESS_DENIED file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
Release date: 2019-11-14
This release contains a variety of fixes from 9.4.24. For information about new features in the 9.4 major release, see Version 9.4.0.
The PostgreSQL community will stop releasing updates for the 9.4.X release series in February 2020. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.4.X.
However, if you use the contrib/intarray extension with a GiST index, and you rely on indexed searches for the <@ operator, see the entry below about that.
Also, if you are upgrading from a version earlier than 9.4.18, see Version 9.4.18.
(9.4.25,9.6.16,9.5.20) Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM failing until the old transaction terminates.
(9.4.25,9.6.16,9.5.20) Ensure that offset expressions in WINDOW clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
(9.4.25,9.6.16,9.5.20) Fix handling of whole-row variables in WITH CHECK OPTION expressions and row-level-security policy expressions (Andres Freund)
Previously, such usage might result in bogus errors about row type mismatches.
(9.4.25,9.6.16,9.5.20) Prevent possible double-free if a BEFORE UPDATE trigger returns the old tuple as-is, and it is not the last such trigger (Thomas Munro)
(9.4.25,9.6.16,9.5.20) In serializable mode, ensure that row-level predicate locks are acquired on the correct version of the row (Thomas Munro, Heikki Linnakangas)
If the visible version of the row is HOT-updated, the lock might be taken on its now-dead predecessor, resulting in subtle failures to guarantee serialization.
(9.4.25,9.6.16,9.5.20) Ensure that fsync()
is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes "bad file descriptor" or similar errors.
(9.4.25,9.6.16,9.5.20) Allow encoding conversion to succeed on longer strings than before (Ãlvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
(9.4.25,9.6.16,9.5.20) Allow repalloc()
to give back space when a large chunk is reduced in size (Tom Lane)
(9.4.25,9.6.16,9.5.20) Avoid failure in archive recovery if recovery_min_apply_delay is enabled (Fujii Masao)
recovery_min_apply_delay is not typically used in this configuration, but it should work.
(9.4.25,9.6.16,9.5.20) Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Ãlvaro Herrera)
(9.4.25,9.6.16,9.5.20) Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription.last_msg_send_time usually reading as NULL.
(9.4.25,9.6.16,9.5.20) In logical decoding, ensure that sub-transactions are correctly accounted for when reconstructing a snapshot (Masahiko Sawada)
This error leads to assertion failures; it's unclear whether any bad effects exist in production builds.
(9.4.25,9.6.16,9.5.20) Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
(9.4.25,9.6.16,9.5.20) Fix ALTER SYSTEM to cope with duplicate entries in postgresql.auto.conf (Ian Barwick)
ALTER SYSTEM itself will not generate such a state, but external tools that modify postgresql.auto.conf could do so. Duplicate entries for the target variable will now be removed, and then the new setting (if any) will be appended at the end.
(9.4.25,9.6.16,9.5.20) Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
(9.4.25,9.6.16,9.5.20) Fix some cases where an incomplete date specification is not detected in time with time zone input (Alexander Lakhin)
If a time zone with a time-varying UTC offset is specified, then a date must be as well, so that the offset can be resolved. Depending on the syntax used, this check was not enforced in some cases, allowing bogus output to be produced.
(9.4.25,9.6.16,9.5.20) Fix misbehavior of bitshiftright()
(Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright()
in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
(9.4.25,9.6.16,9.5.20) Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
(9.4.25,9.6.16,9.5.20) Fix incorrect compression logic for GIN posting lists (Heikki Linnakangas)
A GIN posting list item can require 7 bytes if the distance between adjacent indexed TIDs exceeds 16TB. One step in the logic was out of sync with that, and might try to write the value into a 6-byte buffer. In principle this could cause a stack overrun, but on most architectures it's likely that the next byte would be unused alignment padding, making the bug harmless. In any case the bug would be very difficult to hit.
(9.4.25,9.6.16,9.5.20) Fix handling of infinity, NaN, and NULL values in KNN-GiST (Alexander Korotkov)
The query's output order could be wrong (different from a plain sort's result) if some distances computed for non-null column values are infinity or NaN.
(9.4.25,9.6.16,9.5.20) Fix handling of searches for NULL in KNN-SP-GiST (Nikita Glukhov)
(9.4.25,9.6.16,9.5.20) On Windows, recognize additional spellings of the "Norwegian (Bokmål)" locale name (Tom Lane)
(9.4.25,9.6.16,9.5.20) Avoid compile failure if an ECPG client includes ecpglib.h while having ENABLE_NLS defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext()
should not be visible to client code.
(9.4.25,9.6.16,9.5.20) In psql, resynchronize internal state about the server after an unexpected connection loss and successful reconnection (Peter Billen, Tom Lane)
Ordinarily this is unnecessary since the state would be the same anyway. But it can matter in corner cases, such as where the connection might lead to one of several servers. This change causes psql to re-issue any interactive messages that it would have issued at startup, for example about whether SSL is in use.
(9.4.25,9.6.16,9.5.20) Avoid platform-specific null pointer dereference in psql (Quentin Rameau)
(9.4.25,9.6.16,9.5.20) Fix pg_dump's handling of circular dependencies in views (Tom Lane)
In some cases a view may depend on an object that pg_dump needs to dump later than the view; the most common example is that a query using GROUP BY on a primary-key column may be semantically invalid without the primary key. This is now handled by emitting a dummy CREATE VIEW command that just establishes the view's column names and types, and then later emitting CREATE OR REPLACE VIEW with the full view definition. Previously, the dummy definition was actually a CREATE TABLE command, and this was automagically converted to a view by a later CREATE RULE command. The new approach has been used successfully in PostgreSQL version 10 and later. We are back-patching it into older releases now because of reports that the previous method causes bogus error messages about the view's replica identity status. This change also avoids problems when trying to use the --clean option during a restore involving such a view.
(9.4.25,9.6.16,9.5.20) In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
(9.4.25,9.6.16,9.5.20) Fix pg_dump to work again with pre-8.3 source servers (Tom Lane)
A previous fix caused pg_dump to always try to query pg_opfamily, but that catalog doesn't exist before version 8.3.
(9.4.25,9.6.16,9.5.20) In pg_restore, treat -f - as meaning "output to stdout" (Ãlvaro Herrera)
This synchronizes pg_restore's behavior with some other applications, and in particular makes pre-v12 branches act similarly to version 12's pg_restore, simplifying creation of dump/restore scripts that work across multiple PostgreSQL versions. Before this change, pg_restore interpreted such a switch as meaning "output to a file named -", but few people would want that.
(9.4.25,9.6.16,9.5.20) Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line (Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
(9.4.25,9.6.16,9.5.20) Detect file read errors during pg_basebackup (Jeevan Chalke)
(9.4.25,9.6.16,9.5.20) Fix failure in pg_waldump with the -s option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
(9.4.25,9.6.16,9.5.20) Fix contrib/intarray's GiST opclasses to not fail for empty arrays with <@ (Tom Lane)
A clause like array_column <@ constant_array is considered indexable, but the index search may not find empty array values; of course, such entries should trivially match the search.
The only practical back-patchable fix for this requires making <@ index searches scan the whole index, which is what this patch does. This is unfortunate: it means that the query performance is likely worse than a plain sequential scan would be.
Applications whose performance is adversely impacted by this change have a couple of options. They could switch to a GIN index, which doesn't have this bug, or they could replace array_column <@ constant_array with array_column <@ constant_array AND array_column && constant_array. That will provide about the same performance as before, and it will find all non-empty subsets of the given constant array, which is all that could reliably be expected of the query before.
(9.4.25,9.6.16,9.5.20) Allow configure --with-python to succeed when only python3 or only python2 can be found (Peter Eisentraut, Tom Lane)
Search for python, then python3, then python2, so that configure can succeed in the increasingly-more-common situation where there is no executable named simply python. It's still possible to override this choice by setting the PYTHON environment variable.
(9.4.25,9.6.16,9.5.20) Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS to -O0.
(9.4.25,9.6.16,9.5.20) Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
(9.4.25,9.6.16,9.5.20) On AIX, don't use the compiler option -qsrcmsg (Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
(9.4.25,9.6.16,9.5.20) Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
(9.4.25,9.6.16,9.5.20) Update time zone data files to tzdata release 2019c for DST law changes in Fiji and Norfolk Island, plus historical corrections for Alberta, Austria, Belgium, British Columbia, Cambodia, Hong Kong, Indiana (Perry County), Kaliningrad, Kentucky, Michigan, Norfolk Island, South Korea, and Turkey.
Release date: 2019-08-08
This release contains a variety of fixes from 9.4.23. For information about new features in the 9.4 major release, see Version 9.4.0.
The PostgreSQL community will stop releasing updates for the 9.4.X release series in February 2020. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.18, see Version 9.4.18.
(9.4.24,9.6.15,9.5.19) Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)
We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked inCVE-2007-2138 or CVE-2007-2138. CVE-2019-10208 or CVE-2019-10208)
(9.4.24,9.6.15,9.5.19) Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command (Tom Lane)
This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.
(9.4.24,9.6.15,9.5.19) Fix mishandling of multi-column foreign keys when rebuilding a foreign key constraint (Tom Lane)
ALTER TABLE could make an incorrect decision about whether revalidation of a foreign key is necessary, if not all columns of the key are of the same type. It seems likely that the error would always have been in the conservative direction, that is revalidating unnecessarily.
(9.4.24,9.6.15,9.5.19) Prevent incorrect canonicalization of date ranges with infinity endpoints (Laurenz Albe)
It's incorrect to try to convert an open range to a closed one or vice versa by incrementing or decrementing the endpoint value, if the endpoint is infinite; so leave the range alone in such cases.
(9.4.24,9.6.15,9.5.19) Fix loss of fractional digits when converting very large money values to numeric (Tom Lane)
(9.4.24,9.6.15,9.5.19) Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6 (YunQiang Su)
(9.4.24,9.6.15,9.5.19) Make libpq ignore carriage return (\r) in connection service files (Tom Lane, Michael Paquier)
In some corner cases, service files containing Windows-style newlines could be mis-parsed, resulting in connection failures.
(9.4.24,9.6.15,9.5.19) Fix pg_dump to ensure that custom operator classes are dumped in the right order (Tom Lane)
If a user-defined opclass is the subtype opclass of a user-defined range type, related objects were dumped in the wrong order, producing an unrestorable dump. (The underlying failure to handle opclass dependencies might manifest in other cases too, but this is the only known case.)
(9.4.24,9.6.15,9.5.19) Fix contrib/passwordcheck to coexist with other users of check_password_hook (Michael Paquier)
(9.4.24,9.6.15,9.5.19) Fix contrib/sepgsql tests to work under recent SELinux releases (Mike Palmiotto)
(9.4.24,9.6.15,9.5.19) Reduce stderr output from pg_upgrade's test script (Tom Lane)
(9.4.24,9.6.15,9.5.19) Support building Postgres with Microsoft Visual Studio 2019 (Haribabu Kommi)
(9.4.24,9.6.15,9.5.19) In Visual Studio builds, honor WindowsSDKVersion environment variable, if that's set (Peifeng Qiu)
This fixes build failures in some configurations.
(9.4.24,9.6.15,9.5.19) Support OpenSSL 1.1.0 and newer in Visual Studio builds (Juan José SantamarÃa Flecha, Michael Paquier)
(9.4.24,9.6.15,9.5.19) Avoid choosing localtime or posixrules as TimeZone during initdb (Tom Lane)
In some cases initdb would choose one of these artificial zone names over the "real" zone name. Prefer any other match to the C library's timezone behavior over these two.
(9.4.24,9.6.15,9.5.19) Adjust pg_timezone_names view to show the Factory time zone if and only if it has a short abbreviation (Tom Lane)
Historically, IANA set up this artificial zone with an "abbreviation" like Local time zone must be set--see zic manual page. Modern versions of the tzdb database show -00 instead, but some platforms alter the data to show one or another of the historical phrases. Show this zone only if it uses the modern abbreviation.
(9.4.24,9.6.15,9.5.19) Sync our copy of the timezone library with IANA tzcode release 2019b (Tom Lane)
This adds support for zic's new -b slim option to reduce the size of the installed zone files. We are not currently using that, but may enable it in future.
(9.4.24,9.6.15,9.5.19) Update time zone data files to tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine.
Release date: 2019-06-20
This release contains a variety of fixes from 9.4.22. For information about new features in the 9.4 major release, see Version 9.4.0.
The PostgreSQL community will stop releasing updates for the 9.4.X release series in February 2020. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.18, see Version 9.4.18.
(9.4.23,9.6.14,9.5.18) Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a partial exclusion constraint (Tom Lane)
(9.4.23,9.6.14,9.5.18) Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
(9.4.23,9.6.14,9.5.18) Fix misoptimization of {1,1} quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
(9.4.23,9.6.14,9.5.18) Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
(9.4.23,9.6.14,9.5.18) Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like "cannot read pg_class without having selected a database".
(9.4.23,9.6.14,9.5.18) Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime is not a symlink to a zone data file, nor if the time zone is determined from the TZ environment variable.
Separately, prefer UTC over other spellings of that time zone, when neither TZ nor /etc/localtime provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT and UTC zone names equivalent: initdb was then preferring UCT, which almost nobody wants.
(9.4.23,9.6.14,9.5.18) Fix misleading error reports from reindexdb (Julien Rouhaud)
(9.4.23,9.6.14,9.5.18) In contrib/postgres_fdw, account for possible data modifications by local BEFORE ROW UPDATE triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE, the new value was not transmitted to the remote server.
(9.4.23,9.6.14,9.5.18) On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
(9.4.23,9.6.14,9.5.18) Make PL/pgSQL's header files C++-safe (George Tarasov)
Release date: 2019-05-09
This release contains a variety of fixes from 9.4.21. For information about new features in the 9.4 major release, see Version 9.4.0.
The PostgreSQL community will stop releasing updates for the 9.4.X release series in February 2020. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.18, see Version 9.4.18.
(9.4.22,9.6.13,9.5.17) Fix behavior for an UPDATE or DELETE on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a RETURNING clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
(9.4.22,9.6.13,9.5.17) Fix handling of explicit DEFAULT items in an INSERT ... VALUES command with multiple VALUES rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
(9.4.22,9.6.13,9.5.17) Fix CREATE VIEW to allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
(9.4.22,9.6.13,9.5.17) Accept XML documents as valid values of type xml when xmloption is set to content, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption that will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit SET xmloption = content while restoring data, ensuring that dump/restore works even if the prevailing setting is document.
(9.4.22,9.6.13,9.5.17) Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid file has been removed.
(9.4.22,9.6.13,9.5.17) Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
(9.4.22,9.6.13,9.5.17) Tolerate EINVAL and ENOSYS error results, where appropriate, for fsync
and sync_file_range
calls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means "operation not supported".
(9.4.22,9.6.13,9.5.17) Fix "failed to build any N-way joins" planner failures with lateral references leading out of FULL outer joins (Tom Lane)
(9.4.22,9.6.13,9.5.17) Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
(9.4.22,9.6.13,9.5.17) Avoid O (N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
(9.4.22,9.6.13,9.5.17) Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to "dsa_area could not attach to segment" or "cannot unpin a segment that is not pinned" errors.
(9.4.22,9.6.13,9.5.17) Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
(9.4.22,9.6.13,9.5.17) Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
(9.4.22,9.6.13,9.5.17) Fix handling of lc_time settings that imply an encoding different from the database's encoding (Juan José SantamarÃa Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
(9.4.22,9.6.13,9.5.17) Disallow NaN as a value for floating-point server parameters (Tom Lane)
(9.4.22,9.6.13,9.5.17) Rearrange REINDEX processing to avoid assertion failures when reindexing individual indexes of pg_class (Andres Freund, Tom Lane)
(9.4.22,9.6.13,9.5.17) Fix planner assertion failure for parameterized dummy paths (Tom Lane)
(9.4.22,9.6.13,9.5.17) Insert correct test function in the result of SnapBuildInitialSnapshot()
(Antonin Houska)
No core code cares about this, but some extensions do.
(9.4.22,9.6.13,9.5.17) Fix intermittent "could not reattach to shared memory" session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
(9.4.22,9.6.13,9.5.17) Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
(9.4.22,9.6.13,9.5.17) Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of SET variable = DEFAULT (but not SET variable TO DEFAULT) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a DROP TYPE or DROP DOMAIN command that listed multiple type names, only the first type name was actually processed.
(9.4.22,9.6.13,9.5.17) Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
(9.4.22,9.6.13,9.5.17) Avoid crash in contrib/vacuumlo if an lo_unlink()
call failed (Tom Lane)
(9.4.22,9.6.13,9.5.17) Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca zone, and adds support for zic's new -r option.
(9.4.22,9.6.13,9.5.17) Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT is now a backward-compatibility link to Etc/UTC, instead of being a separate zone that generates the abbreviation UCT, which nowadays is typically a typo. PostgreSQL will still accept UCT as an input zone abbreviation, but it won't output it.
Release date: 2019-02-14
This release contains a variety of fixes from 9.4.20. For information about new features in the 9.4 major release, see Version 9.4.0.
The PostgreSQL community will stop releasing updates for the 9.4.X release series in February 2020. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.18, see Version 9.4.18.
(9.4.21,9.6.12,9.5.16) By default, panic instead of retrying after fsync()
failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync()
failure. If we reissue the fsync()
request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.
(9.4.21,9.6.12,9.5.16) Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
(9.4.21,9.6.12,9.5.16) Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
(9.4.21,9.6.12,9.5.16) Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
(9.4.21,9.6.12,9.5.16) Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
(9.4.21,9.6.12,9.5.16) Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
(9.4.21,9.6.12,9.5.16) Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
(9.4.21,9.6.12,9.5.16) Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
(9.4.21,9.6.12,9.5.16) Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
(9.4.21,9.6.12,9.5.16) Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
(9.4.21,9.6.12,9.5.16) Check whether the comparison function underlying LEAST()
or GREATEST()
is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
(9.4.21,9.6.12,9.5.16) Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
(9.4.21,9.6.12,9.5.16) Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
(9.4.21,9.6.12,9.5.16) Avoid O (N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
(9.4.21,9.6.12,9.5.16) Improve ANALYZE's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE's start time.
(9.4.21,9.6.12,9.5.16) Make TRUNCATE ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE into line with the behavior of other commands. Previously, such cases usually ended in failure.
(9.4.21,9.6.12,9.5.16) Allow UNLISTEN in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
(9.4.21,9.6.12,9.5.16) Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
(9.4.21,9.6.12,9.5.16) Ensure relation caches are updated properly after renaming constraints (Amit Langote)
(9.4.21,9.6.12,9.5.16) Make autovacuum more aggressive about removing leftover temporary tables, and also remove leftover temporary tables during DISCARD TEMP (Ãlvaro Herrera)
This helps ensure that remnants from a crashed session are cleaned up more promptly.
(9.4.21,9.6.12,9.5.16) Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
(9.4.21,9.6.12,9.5.16) Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
(9.4.21,9.6.12,9.5.16) Disallow setting client_min_messages higher than ERROR (Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL or PANIC, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR instead. Version 12 and later will reject those alternatives altogether.
(9.4.21,9.6.12,9.5.16) Fix ecpglib to use uselocale()
or _configthreadlocale()
in preference to setlocale()
(Michael Meskes, Tom Lane)
Since setlocale()
is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
(9.4.21,9.6.12,9.5.16) Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
(9.4.21,9.6.12,9.5.16) Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
(9.4.21,9.6.12,9.5.16) Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about "archive items not in correct section order"; less harmlessly, selective-restore options depending on those labels, such as --section, might misbehave.
(9.4.21,9.6.12,9.5.16) Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
(9.4.21,9.6.12,9.5.16) Fix contrib/hstore to calculate correct hash values for empty hstore values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
(9.4.21,9.6.12,9.5.16) Avoid crashes and excessive runtime with large inputs to contrib/intarray's gist__int_ops index support (Andrew Gierth)
(9.4.21,9.5.16) Adjust configure's selection of threading-related compiler flags and libraries to match what later PostgreSQL releases do (Tom Lane)
The coding previously used in the 9.4 and 9.5 branches fails outright on some newer platforms, so sync it with what 9.6 and later have been doing.
(9.4.21,9.6.12,9.5.16) Support new Makefile variables PG_CFLAGS, PG_CXXFLAGS, and PG_LDFLAGS in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
(9.4.21,9.6.12,9.5.16) Fix Perl-coded build scripts to not assume "." is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
(9.4.21,9.6.12,9.5.16) Fix server command-line option parsing problems on OpenBSD (Tom Lane)
(9.4.21,9.6.12,9.5.16) Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.
Release date: 2018-11-08
This release contains a variety of fixes from 9.4.19. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.18, see Version 9.4.18.
(9.4.20,9.6.11,9.5.15) Fix corner-case failures in has_foo_privilege()
family of functions (Tom Lane)
Return NULL rather than throwing an error when an invalid object OID is provided. Some of these functions got that right already, but not all. has_column_privilege()
was additionally capable of crashing on some platforms.
(9.4.20,9.6.11,9.5.15) Avoid O (N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
(9.4.20,9.6.11,9.5.15) Avoid O (N^3) slowdown in lexer for long strings of + or - characters (Andrew Gierth)
(9.4.20,9.6.11,9.5.15) Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
(9.4.20,9.6.11,9.5.15) Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ... after rewinding the referenced cursor (Tom Lane)
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
(9.4.20,9.6.11,9.5.15) Fix EvalPlanQual
to handle conditionally-executed InitPlans properly (Andrew Gierth, Tom Lane)
This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT inside a CASE construct.
(9.4.20,9.6.11,9.5.15) Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well as contrib/ltree and contrib/pg_trgm.
(9.4.20,9.6.11,9.5.15) Ensure that sequences owned by a foreign table are processed by ALTER OWNER on the table (Peter Eisentraut)
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
(9.4.20,9.6.11,9.5.15) Fix over-allocation of space for array_out()
's result string (Keiichi Hirobe)
(9.4.20,9.6.11,9.5.15) Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
(9.4.20,9.6.11,9.5.15) Ensure that ApplyLogicalMappingFile()
closes the mapping file when done with it (Tomas Vondra)
Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.
(9.4.20) Fix logical decoding to handle cases where a mapped catalog table is repeatedly rewritten, e.g. by VACUUM FULL (Andres Freund)
(9.4.20,9.6.11,9.5.15) Prevent starting the server with wal_level set to too low a value to support an existing replication slot (Andres Freund)
(9.4.20,9.6.11,9.5.15) Avoid crash if a utility command causes infinite recursion (Tom Lane)
(9.4.20,9.6.11,9.5.15) When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
(9.4.20,9.6.11,9.5.15) Randomize the random()
seed in bootstrap and standalone backends, and in initdb (Noah Misch)
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
(9.4.20,9.6.11,9.5.15) Allow DSM allocation to be interrupted (Chris Travers)
(9.4.20,9.6.11,9.5.15) Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)
(9.4.20,9.6.11,9.5.15) Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)
(9.4.20,9.6.11,9.5.15) Fix unexpected timeouts when using wal_sender_timeout on a slow server (Noah Misch)
(9.4.20,9.6.11,9.5.15) Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
(9.4.20,9.6.11,9.5.15) Don't run atexit callbacks when servicing SIGQUIT (Heikki Linnakangas)
(9.4.20,9.6.11,9.5.15) Don't record foreign-server user mappings as members of extensions (Tom Lane)
If CREATE USER MAPPING is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.
(9.4.20,9.6.11,9.5.15) Make syslogger more robust against failures in opening CSV log files (Tom Lane)
(9.4.20,9.6.11,9.5.15) Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
(9.4.20,9.6.11,9.5.15) Ensure that pg_restore will schema-qualify the table name when emitting DISABLE/ENABLE TRIGGER commands (Tom Lane)
This avoids failures due to the new policy of running restores with restrictive search path.
(9.4.20,9.6.11,9.5.15) Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
(9.4.20,9.6.11,9.5.15) Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
(9.4.20,9.6.11,9.5.15) Enforce type cube's dimension limit in all contrib/cube functions (Andrey Borodin)
Previously, some cube-related functions could construct values that would be rejected by cube_in()
, leading to dump/reload failures.
(9.4.20,9.6.11,9.5.15) Fix contrib/unaccent's unaccent()
function to use the unaccent text search dictionary that is in the same schema as the function (Tom Lane)
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
(9.4.20,9.6.11,9.5.15) Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add an -isysroot switch to CPPFLAGS; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT variable in the arguments of configure or make.
It is now recommended that Perl-related extensions write $(perl_includespec) rather than -I$(perl_archlibexp)/CORE in their compiler flags. The latter continues to work on most platforms, but not recent macOS.
Also, it should no longer be necessary to specify --with-tclconfig manually to get PL/Tcl to build on recent macOS releases.
(9.4.20,9.6.11,9.5.15) Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
(9.4.20,9.5.15) Support building on Windows with Visual Studio 2015 or Visual Studio 2017 (Michael Paquier, Haribabu Kommi)
(9.4.20,9.6.11,9.5.15) Allow btree comparison functions to return INT_MIN (Tom Lane)
Up to now, we've forbidden datatype-specific comparison functions from returning INT_MIN, which allows callers to invert the sort order just by negating the comparison result. However, this was never safe for comparison functions that directly return the result of memcmp()
, strcmp()
, etc, as POSIX doesn't place any such restriction on those functions. At least some recent versions of memcmp()
can return INT_MIN, causing incorrect sort ordering. Hence, we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT() macro if they wish to invert the sort order.
(9.4.20,9.6.11,9.5.15) Fix recursion hazard in shared-invalidation message processing (Tom Lane)
This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL.
This change adds a new result code for LockAcquire
, which might possibly affect external callers of that function, though only very unusual usage patterns would have an issue with it. The API of LockAcquireExtended
is also changed.
(9.4.20,9.6.11,9.5.15) Save and restore SPI's global variables during SPI_connect()
and SPI_finish()
(Chapman Flack, Tom Lane)
This prevents possible interference when one SPI-using function calls another.
(9.4.20,9.5.15) Provide ALLOCSET_DEFAULT_SIZES and sibling macros in back branches (Tom Lane)
These macros have existed since 9.6, but there were requests to add them to older branches to allow extensions to rely on them without branch-specific coding.
(9.4.20,9.6.11,9.5.15) Avoid using potentially-under-aligned page buffers (Tom Lane)
Invent new union types PGAlignedBlock and PGAlignedXLogBlock, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.
(9.4.20,9.6.11,9.5.15) Make src/port/snprintf.c follow the C99 standard's definition of snprintf()
's result value (Tom Lane)
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
(9.4.20,9.6.11,9.5.15) When building on i386 with the clang compiler, require -msse2 to be used (Andres Freund)
This avoids problems with missed floating point overflow checks.
(9.4.20,9.6.11,9.5.15) Fix configure's detection of the result type of strerror_r()
(Tom Lane)
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
(9.4.20,9.6.11,9.5.15) Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
Release date: 2018-08-09
This release contains a variety of fixes from 9.4.18. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.18, see Version 9.4.18.
(9.4.19,9.6.10,9.5.14) Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. CVE-2018-10915 or CVE-2018-10915)
(9.4.19,9.6.10,9.5.14) Ensure that updates to the relfrozenxid and relminmxid values for "nailed" system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.
(9.4.19,9.6.10,9.5.14) Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Ãlvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
(9.4.19,9.6.10,9.5.14) Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
(9.4.19,9.6.10,9.5.14) Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
(9.4.19,9.6.10,9.5.14) Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
(9.4.19,9.6.10,9.5.14) Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)
The code previously mis-detected whether or not it had caught up with the upstream server.
(9.4.19,9.6.10,9.5.14) Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Ãlvaro Herrera)
(9.4.19,9.6.10,9.5.14) Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
(9.4.19,9.6.10,9.5.14) Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)
This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).
(9.4.19,9.6.10,9.5.14) Ensure that VACUUM will respond to signals within btree page deletion loops (Andres Freund)
Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.
(9.4.19,9.6.10,9.5.14) Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
(9.4.19,9.6.10,9.5.14) Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)
(9.4.19,9.6.10,9.5.14) Fix failure to schema-qualify some object names in getObjectDescription
output (Kyotaro Horiguchi, Tom Lane)
Names of collations, conversions, and text search objects were not schema-qualified when they should be.
(9.4.19,9.6.10,9.5.14) Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
(9.4.19,9.6.10,9.5.14) Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free
call for a given chunk of memory is not made from the same DLL that malloc
'ed the memory. The pgtypes library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free()
function that just wraps free
, allowing applications to follow this rule.
(9.4.19,9.6.10,9.5.14) Fix ecpg's support for long long variables on Windows, as well as other platforms that declare strtoll
/strtoull
nonstandardly or not at all (Dang Minh Huong, Tom Lane)
(9.4.19,9.6.10,9.5.14) Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.
(9.4.19,9.6.10,9.5.14) Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)
(9.4.19,9.6.10,9.5.14) Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
(9.4.19,9.6.10,9.5.14) Fix pg_dump's failure to dump REPLICA IDENTITY properties for constraint indexes (Tom Lane)
Manually created unique indexes were properly marked, but not those created by declaring UNIQUE or PRIMARY KEY constraints.
(9.4.19,9.6.10,9.5.14) Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
(9.4.19,9.6.10,9.5.14) Fix crash in contrib/ltree's lca()
function when the input array is empty (Pierre Ducroquet)
(9.4.19,9.6.10,9.5.14) Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
(9.4.19,9.6.10,9.5.14) Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
(9.4.19,9.6.10,9.5.14) Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of "daylight savings" in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.
Release date: 2018-05-10
This release contains a variety of fixes from 9.4.17. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if the function marking mistakes mentioned in the first changelog entry below affect you, you will want to take steps to correct your database catalogs.
Also, if you are upgrading from a version earlier than 9.4.17, see Version 9.4.17.
(9.4.18,9.6.9,9.5.13) Fix incorrect volatility markings on a few built-in functions (Thomas Munro, Tom Lane)
The functions query_to_xml
, cursor_to_xml
, cursor_to_xmlschema
, query_to_xmlschema
, and query_to_xml_and_xmlschema
should be marked volatile because they execute user-supplied queries that might contain volatile operations. They were not, leading to a risk of incorrect query optimization. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard, but in case of trouble, it can be fixed by manually updating these functions' pg_proc entries, for example ALTER FUNCTION pg_catalog.query_to_xml(text, boolean, boolean, text) VOLATILE. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data.
(9.4.18,9.6.9,9.5.13) Avoid re-using TOAST value OIDs that match dead-but-not-yet-vacuumed TOAST entries (Pavan Deolasee)
Once the OID counter has wrapped around, it's possible to assign a TOAST value whose OID matches a previously deleted entry in the same TOAST table. If that entry were not yet vacuumed away, this resulted in "unexpected chunk number 0 (expected 1) for toast value nnnnn" errors, which would persist until the dead entry was removed by VACUUM. Fix by not selecting such OIDs when creating a new TOAST entry.
(9.4.18,9.6.9,9.5.13) Change ANALYZE's algorithm for updating pg_class.reltuples (David Gould)
Previously, pages not actually scanned by ANALYZE were assumed to retain their old tuple density. In a large table where ANALYZE samples only a small fraction of the pages, this meant that the overall tuple density estimate could not change very much, so that reltuples would change nearly proportionally to changes in the table's physical size (relpages) regardless of what was actually happening in the table. This has been observed to result in reltuples becoming so much larger than reality as to effectively shut off autovacuuming. To fix, assume that ANALYZE's sample is a statistically unbiased sample of the table (as it should be), and just extrapolate the density observed within those pages to the whole table.
(9.4.18,9.6.9,9.5.13) Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY commands that are run under SERIALIZABLE or REPEATABLE READ transaction isolation (Tom Lane)
(9.4.18,9.6.9,9.5.13) Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY (Thomas Munro)
(9.4.18,9.6.9,9.5.13) Fix UPDATE/DELETE ... WHERE CURRENT OF to not fail when the referenced cursor uses an index-only-scan plan (Yugo Nagata, Tom Lane)
(9.4.18,9.6.9,9.5.13) Fix incorrect planning of join clauses pushed into parameterized paths (Andrew Gierth, Tom Lane)
This error could result in misclassifying a condition as a "join filter" for an outer join when it should be a plain "filter" condition, leading to incorrect join output.
(9.4.18,9.6.9,9.5.13) Fix misoptimization of CHECK constraints having provably-NULL subclauses of top-level AND/OR conditions (Tom Lane, Dean Rasheed)
This could, for example, allow constraint exclusion to exclude a child table that should not be excluded from a query.
(9.4.18,9.6.9,9.5.13) Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction (Stas Kelvich)
(9.4.18,9.6.9,9.5.13) Fix query-lifespan memory leakage in repeatedly executed hash joins (Tom Lane)
(9.4.18,9.6.9,9.5.13) Fix overly strict sanity check in heap_prepare_freeze_tuple
(Ãlvaro Herrera)
This could result in incorrect "cannot freeze committed xmax" failures in databases that have been pg_upgrade'd from 9.2 or earlier.
(9.4.18,9.6.9,9.5.13) Prevent dangling-pointer dereference when a C-coded before-update row trigger returns the "old" tuple (Rushabh Lathia)
(9.4.18,9.6.9,9.5.13) Reduce locking during autovacuum worker scheduling (Jeff Janes)
The previous behavior caused drastic loss of potential worker concurrency in databases with many tables.
(9.4.18,9.6.9,9.5.13) Ensure client hostname is copied while copying pg_stat_activity data to local memory (Edmund Horner)
Previously the supposedly-local snapshot contained a pointer into shared memory, allowing the client hostname column to change unexpectedly if any existing session disconnected.
(9.4.18,9.6.9,9.5.13) Fix incorrect processing of multiple compound affixes in ispell dictionaries (Arthur Zakirov)
(9.4.18,9.6.9,9.5.13) Fix collation-aware searches (that is, indexscans using inequality operators) in SP-GiST indexes on text columns (Tom Lane)
Such searches would return the wrong set of rows in most non-C locales.
(9.4.18,9.6.9,9.5.13) Count the number of index tuples correctly during initial build of an SP-GiST index (Tomas Vondra)
Previously, the tuple count was reported to be the same as that of the underlying table, which is wrong if the index is partial.
(9.4.18,9.6.9,9.5.13) Count the number of index tuples correctly during vacuuming of a GiST index (Andrey Borodin)
Previously it reported the estimated number of heap tuples, which might be inaccurate, and is certainly wrong if the index is partial.
(9.4.18,9.6.9,9.5.13) Fix a corner case where a streaming standby gets stuck at a WAL continuation record (Kyotaro Horiguchi)
(9.4.18,9.6.9,9.5.13) In logical decoding, avoid possible double processing of WAL data when a walsender restarts (Craig Ringer)
(9.4.18,9.6.9,9.5.13) Allow scalarltsel
and scalargtsel
to be used on non-core datatypes (Tomas Vondra)
(9.4.18,9.6.9,9.5.13) Reduce libpq's memory consumption when a server error is reported after a large amount of query output has been collected (Tom Lane)
Discard the previous output before, not after, processing the error message. On some platforms, notably Linux, this can make a difference in the application's subsequent memory footprint.
(9.4.18,9.6.9,9.5.13) Fix double-free crashes in ecpg (Patrick Krecker, Jeevan Ladhe)
(9.4.18,9.6.9,9.5.13) Fix ecpg to handle long long int variables correctly in MSVC builds (Michael Meskes, Andrew Gierth)
(9.4.18,9.6.9,9.5.13) Fix mis-quoting of values for list-valued GUC variables in dumps (Michael Paquier, Tom Lane)
The local_preload_libraries, session_preload_libraries, shared_preload_libraries, and temp_tablespaces variables were not correctly quoted in pg_dump output. This would cause problems if settings for these variables appeared in CREATE FUNCTION ... SET or ALTER DATABASE/ROLE ... SET clauses.
(9.4.18,9.6.9,9.5.13) Fix pg_recvlogical to not fail against pre-v10 PostgreSQL servers (Michael Paquier)
A previous fix caused pg_recvlogical to issue a command regardless of server version, but it should only be issued to v10 and later servers.
(9.4.18,9.6.9,9.5.13) Fix overflow handling in PL/pgSQL integer FOR loops (Tom Lane)
The previous coding failed to detect overflow of the loop variable on some non-gcc compilers, leading to an infinite loop.
(9.4.18,9.6.9,9.5.13) Adjust PL/Python regression tests to pass under Python 3.7 (Peter Eisentraut)
(9.4.18,9.6.9,9.5.13) Support testing PL/Python and related modules when building with Python 3 and MSVC (Andrew Dunstan)
(9.4.18,9.6.9,9.5.13) Rename internal b64_encode
and b64_decode
functions to avoid conflict with Solaris 11.4 built-in functions (Rainer Orth)
(9.4.18,9.6.9,9.5.13) Sync our copy of the timezone library with IANA tzcode release 2018e (Tom Lane)
This fixes the zic timezone data compiler to cope with negative daylight-savings offsets. While the PostgreSQL project will not immediately ship such timezone data, zic might be used with timezone data obtained directly from IANA, so it seems prudent to update zic now.
(9.4.18,9.6.9,9.5.13) Update time zone data files to tzdata release 2018d for DST law changes in Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.
Release date: 2018-03-01
This release contains a variety of fixes from 9.4.16. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 9.4.13, see Version 9.4.13.
(9.4.17) Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. Relevant documentation appears in Section 5.7.6 (for database administrators and users), Section 31.1 (for application authors), Section 35.15.1 (for extension authors), and CREATE FUNCTION (for authors of SECURITY DEFINER functions). CVE-2018-1058 or CVE-2018-1058)
(9.4.17,9.6.8,9.5.12) Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly executed by these programs — for example, user-provided functions in index expressions — the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. CVE-2018-1058 or CVE-2018-1058)
(9.4.17,9.6.8,9.5.12) Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
If a CTE (WITH clause reference) is used in an InitPlan or SubPlan, and the query requires a recheck due to trying to update or lock a concurrently-updated row, incorrect results could be obtained.
(9.4.17,9.6.8,9.5.12) Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to "left and right pathkeys do not match in mergejoin" or "outer pathkeys do not match mergeclauses" planner errors in corner cases.
(9.4.17,9.6.8,9.5.12) Repair pg_upgrade's failure to preserve relfrozenxid for materialized views (Tom Lane, Andres Freund)
This oversight could lead to data corruption in materialized views after an upgrade, manifesting as "could not access status of transaction" or "found xmin from before relfrozenxid" errors. The problem would be more likely to occur in seldom-refreshed materialized views, or ones that were maintained only with REFRESH MATERIALIZED VIEW CONCURRENTLY.
If such corruption is observed, it can be repaired by refreshing the materialized view (without CONCURRENTLY).
(9.4.17,9.6.8,9.5.12) Fix incorrect reporting of PL/Python function names in error CONTEXT stacks (Tom Lane)
An error occurring within a nested PL/Python function call (that is, one reached via a SPI query from another PL/Python function) would result in a stack trace showing the inner function's name twice, rather than the expected results. Also, an error in a nested PL/Python DO block could result in a null pointer dereference crash on some platforms.
(9.4.17,9.6.8,9.5.12) Allow contrib/auto_explain's log_min_duration setting to range up to INT_MAX, or about 24 days instead of 35 minutes (Tom Lane)
Release date: 2018-02-08
This release contains a variety of fixes from 9.4.15. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.13, see Version 9.4.13.
(9.4.16,9.6.7,9.5.11) Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)
pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. CVE-2018-1053 or CVE-2018-1053)
(9.4.16,9.6.7,9.5.11) Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Ãlvaro Herrera)
In some cases VACUUM would fail to remove such tuples even though they are now dead, leading to assorted data corruption scenarios.
(9.4.16,9.6.7,9.5.11) Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)
These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.
(9.4.16,9.6.7,9.5.11) Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT (Tom Lane)
(9.4.16,9.6.7,9.5.11) Fix spurious deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY (Jeff Janes)
(9.4.16,9.6.7,9.5.11) Repair failure with correlated sub-SELECT inside VALUES inside a LATERAL subquery (Tom Lane)
(9.4.16,9.6.7,9.5.11) Fix "could not devise a query plan for the given query" planner failure for some cases involving nested UNION ALL inside a lateral subquery (Tom Lane)
(9.4.16,9.6.7,9.5.11) Fix logical decoding to correctly clean up disk files for crashed transactions (Atsushi Torikoshi)
Logical decoding may spill WAL records to disk for transactions generating many WAL records. Normally these files are cleaned up after the transaction's commit or abort record arrives; but if no such record is ever seen, the removal code misbehaved.
(9.4.16,9.6.7,9.5.11) Fix walsender timeout failure and failure to respond to interrupts when processing a large transaction (Petr Jelinek)
(9.4.16,9.6.7,9.5.11) Fix has_sequence_privilege()
to support WITH GRANT OPTION tests, as other privilege-testing functions do (Joe Conway)
(9.4.16,9.6.7,9.5.11) In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)
We always store XML strings in the database encoding, so allowing libxml to act on a declaration of another encoding gave wrong results. In encodings other than UTF8, we don't promise to support non-ASCII XML data anyway, so retain the previous behavior for bug compatibility. This change affects only xpath()
and related functions; other XML code paths already acted this way.
(9.4.16,9.6.7,9.5.11) Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)
Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.
(9.4.16,9.6.7,9.5.11) Cope with failure to start a parallel worker process (Amit Kapila, Robert Haas)
Parallel query previously tended to hang indefinitely if a worker could not be started, as the result of fork() failure or other low-probability problems.
(9.4.16,9.6.7,9.5.11) Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION/INTERSECT/EXCEPT) (Tom Lane)
(9.4.16,9.6.7,9.5.11) Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf (Thomas Munro)
(9.4.16,9.6.7,9.5.11) Fix sample INSTR()
functions in the PL/pgSQL documentation (Yugo Nagata, Tom Lane)
These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.
The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.
(9.4.16,9.6.7,9.5.11) Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)
The "tag" portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.
Note that this change has user-visible results in the output of pg_restore --list.
(9.4.16,9.6.7,9.5.11) In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)
(9.4.16,9.6.7,9.5.11) Avoid triggering a libc assertion in contrib/hstore, due to use of memcpy()
with equal source and destination pointers (Tomas Vondra)
(9.4.16,9.6.7,9.5.11) Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)
The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.
(9.4.16,9.6.7,9.5.11) Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)
(9.4.16,9.6.7,9.5.11) Support linking to MinGW-built versions of libperl (Noah Misch)
This allows building PL/Perl with some common Perl distributions for Windows.
(9.4.16,9.6.7,9.5.11) Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T (Noah Misch)
Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.
(9.4.16,9.6.7,9.5.11) On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)
This may allow collection of a core dump for some early-startup failures that did not produce a dump before.
(9.4.16,9.6.7,9.5.11) On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)
(9.4.16,9.6.7,9.5.11) Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)
(9.4.16,9.6.7,9.5.11,9.3.21) Add support for spinlocks on Motorola 88K (David Carlier)
(9.4.16,9.6.7,9.5.11) Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for America/Los_Angeles anyway).
Release date: 2017-11-09
This release contains a variety of fixes from 9.4.14. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.13, see Version 9.4.13.
(9.4.15,9.6.6,9.5.10) Fix crash due to rowtype mismatch in json{b}_populate_recordset()
(Michael Paquier, Tom Lane)
These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. CVE-2017-15098 or CVE-2017-15098)
(9.4.15,9.6.6,9.5.10) Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. CVE-2017-12172 or CVE-2017-12172)
(9.4.15,9.6.6,9.5.10) Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)
(9.4.15,9.6.6,9.5.10) Fix json_build_array()
, json_build_object()
, and their jsonb equivalents to handle explicit VARIADIC arguments correctly (Michael Paquier)
(9.4.15,9.6.6,9.5.10) Properly reject attempts to convert infinite float values to type numeric (Tom Lane, KaiGai Kohei)
Previously the behavior was platform-dependent.
(9.4.15,9.6.6,9.5.10) Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
(9.4.15,9.6.6,9.5.10) Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.
(9.4.15,9.6.6,9.5.10) Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
(9.4.15,9.6.6,9.5.10) Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
(9.4.15,9.6.6,9.5.10) Avoid SIGBUS crash on Linux when a DSM memory request exceeds the space available in tmpfs (Thomas Munro)
(9.4.15,9.6.6,9.5.10) Prevent low-probability crash in processing of nested trigger firings (Tom Lane)
(9.4.15,9.6.6,9.5.10) Allow COPY's FREEZE option to work when the transaction isolation level is REPEATABLE READ or higher (Noah Misch)
This case was unintentionally broken by a previous bug fix.
(9.4.15,9.6.6,9.5.10) Correctly restore the umask setting when file creation fails in COPY or lo_export()
(Peter Eisentraut)
(9.4.15,9.6.6,9.5.10) Give a better error message for duplicate column names in ANALYZE (Nathan Bossart)
(9.4.15,9.6.6,9.5.10) Fix mis-parsing of the last line in a non-newline-terminated pg_hba.conf file (Tom Lane)
(9.4.15,9.6.6,9.5.10) Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.
(9.4.15,9.6.6,9.5.10) Fix libpq to guard against integer overflow in the row count of a PGresult (Michael Paquier)
(9.4.15,9.6.6,9.5.10) Fix ecpg's handling of out-of-scope cursor declarations with pointer or array variables (Michael Meskes)
(9.4.15,9.6.6,9.5.10) In ecpglib, correctly handle backslashes in string literals depending on whether standard_conforming_strings is set (Tsunakawa Takayuki)
(9.4.15,9.6.6,9.5.10) Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
(9.4.15,9.6.6,9.5.10) Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane)
This fixes various issues; the only one likely to be user-visible is that the default DST rules for a POSIX-style zone name, if no posixrules file exists in the timezone data directory, now match current US law rather than what it was a dozen years ago.
(9.4.15,9.6.6,9.5.10) Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
Release date: 2017-08-31
This release contains a small number of fixes from 9.4.13. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.13, see Version 9.4.13.
(9.4.14) Fix failure of walsender processes to respond to shutdown signals (Marco Nenciarini)
A missed flag update resulted in walsenders continuing to run as long as they had a standby server connected, preventing primary-server shutdown unless immediate shutdown mode is used.
(9.4.14,9.6.5,9.5.9) Show foreign tables in information_schema.table_privileges view (Peter Eisentraut)
All other relevant information_schema views include foreign tables, but this one ignored them.
Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:
SET search_path TO information_schema; CREATE OR REPLACE VIEW table_privileges AS SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor, CAST(grantee.rolname AS sql_identifier) AS grantee, CAST(current_database() AS sql_identifier) AS table_catalog, CAST(nc.nspname AS sql_identifier) AS table_schema, CAST(c.relname AS sql_identifier) AS table_name, CAST(c.prtype AS character_data) AS privilege_type, CAST( CASE WHEN -- object owner always has grant options pg_has_role(grantee.oid, c.relowner, 'USAGE') OR c.grantable THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable, CAST (CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy FROM ( SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable), pg_namespace nc, pg_authid u_grantor, ( SELECT oid, rolname FROM pg_authid UNION ALL SELECT 0::oid, 'PUBLIC' ) AS grantee (oid, rolname) WHERE c.relnamespace = nc.oid AND c.relkind IN ('r', 'v', 'f') AND c.grantee = grantee.oid AND c.grantor = u_grantor.oid AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER') AND (pg_has_role(u_grantor.oid, 'USAGE') OR pg_has_role(grantee.oid, 'USAGE') OR grantee.rolname = 'PUBLIC');
This must be repeated in each database to be fixed, including template0.
(9.4.14,9.6.5,9.5.9) Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction (Tom Lane)
This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about "cannot drop active portal".
(9.4.14,9.6.5,9.5.9) Remove assertion that could trigger during a fatal exit (Tom Lane)
(9.4.14,9.6.5,9.5.9) Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)
Certain ALTER commands that change the definition of a composite type or domain type are supposed to fail if there are any stored values of that type in the database, because they lack the infrastructure needed to update or check such values. Previously, these checks could miss relevant values that are wrapped inside range types or sub-domains, possibly allowing the database to become inconsistent.
(9.4.14,9.6.5,9.5.9) Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore (FabrÃzio de Royes Mello)
(9.4.14,9.6.5,9.5.9) Change ecpg's parser to allow RETURNING clauses without attached C variables (Michael Meskes)
This allows ecpg programs to contain SQL constructs that use RETURNING internally (for example, inside a CTE) rather than using it to define values to be returned to the client.
(9.4.14,9.6.5,9.5.9) Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)
This fix avoids possible crashes of PL/Perl due to inconsistent assumptions about the width of time_t values. A side-effect that may be visible to extension developers is that _USE_32BIT_TIME_T is no longer defined globally in PostgreSQL Windows builds. This is not expected to cause problems, because type time_t is not used in any PostgreSQL API definitions.
Release date: 2017-08-10
This release contains a variety of fixes from 9.4.12. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.12, see Version 9.4.12.
(9.4.13,9.6.4,9.5.8) Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)
The fix forCVE-2017-7486 or CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. CVE-2017-7547 or CVE-2017-7547)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog; CREATE OR REPLACE VIEW pg_user_mappings AS SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser, CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename, CASE WHEN (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role (S.srvowner, 'USAGE') OR has_server_privilege (S.oid, 'USAGE'))) OR (U.umuser = 0 AND pg_has_role (S.srvowner, 'USAGE')) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) THEN U.umoptions ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.
(9.4.13,9.6.4,9.5.8) Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. CVE-2017-7546 or CVE-2017-7546)
(9.4.13,9.6.4,9.5.8) Make lo_put()
check for UPDATE privilege on the target large object (Tom Lane, Michael Paquier)
lo_put()
should surely require the same permissions as lowrite()
, but the check was missing, allowing any user to change the data in a large object. CVE-2017-7548 or CVE-2017-7548)
(9.4.13,9.6.4,9.5.8) Fix concurrent locking of tuple update chains (Ãlvaro Herrera)
If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.
(9.4.13,9.6.4,9.5.8) Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)
(9.4.13,9.6.4,9.5.8) Avoid integer overflow and ensuing crash when sorting more than one billion tuples in-memory (Sergey Koposov)
(9.4.13,9.6.4,9.5.8) On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)
This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.
(9.4.13,9.6.4,9.5.8) Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)
(9.4.13,9.6.4,9.5.8) Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)
(9.4.13,9.6.4,9.5.8) Prevent sending SSL session tickets to clients (Tom Lane)
This fix prevents reconnection failures with ticket-aware client-side SSL code.
(9.4.13,9.6.4,9.5.8) Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)
(9.4.13,9.6.4,9.5.8) Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)
Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.
(9.4.13,9.6.4,9.5.8) Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)
This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.
(9.4.13,9.6.4,9.5.8) Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund)
(9.4.13,9.6.4,9.5.8) Fix walsender to exit promptly when client requests shutdown (Tom Lane)
(9.4.13,9.6.4,9.5.8) Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)
(9.4.13,9.6.4,9.5.8) Prevent walsender-triggered panics during shutdown checkpoints (Andres Freund, Michael Paquier)
(9.4.13,9.6.4,9.5.8) Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)
(9.4.13) Fix logical decoding failure with very wide tuples (Andres Freund)
Logical decoding crashed on tuples that are wider than 64KB (after compression, but with all data in-line). The case arises only when REPLICA IDENTITY FULL is enabled for a table containing such tuples.
(9.4.13,9.6.4,9.5.8) Fix leakage of small subtransactions spilled to disk during logical decoding (Andres Freund)
This resulted in temporary files consuming excessive disk space.
(9.4.13,9.6.4,9.5.8) Reduce the work needed to build snapshots during creation of logical-decoding slots (Andres Freund, Petr Jelinek)
The previous algorithm was infeasibly expensive on a server with a lot of open transactions.
(9.4.13,9.6.4,9.5.8) Fix race condition that could indefinitely delay creation of logical-decoding slots (Andres Freund, Petr Jelinek)
(9.4.13,9.6.4,9.5.8) Reduce overhead in processing syscache invalidation events (Tom Lane)
This is particularly helpful for logical decoding, which triggers frequent cache invalidation.
(9.4.13,9.6.4,9.5.8) Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane)
(9.4.13,9.6.4,9.5.8) Allow window functions to be used in sub-SELECTs that are within the arguments of an aggregate function (Tom Lane)
(9.4.13,9.6.4,9.5.8) Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing)
Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations.
(9.4.13,9.6.4,9.5.8) Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut)
(9.4.13,9.6.4,9.5.8) Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas)
CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind.
(9.4.13,9.6.4,9.5.8) Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)
(9.4.13,9.6.4,9.5.8) Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane)
(9.4.13,9.6.4,9.5.8) Tighten checks for whitespace in functions that parse identifiers, such as regprocedurein()
(Tom Lane)
Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.
(9.4.13,9.6.4,9.5.8) Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane)
This avoids portability problems, typically manifesting as a "handshake" mismatch during library load, when working with recent Perl versions.
(9.4.13,9.6.4,9.5.8) In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)
Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.
(9.4.13,9.6.4,9.5.8) In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro)
This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.
(9.4.13,9.6.4,9.5.8) Fix pg_dump and pg_restore to emit REFRESH MATERIALIZED VIEW commands last (Tom Lane)
This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.
(9.4.13,9.6.4,9.5.8) Improve pg_dump/pg_restore's reporting of error conditions originating in zlib (Vladimir Kunschikov, Ãlvaro Herrera)
(9.4.13,9.6.4,9.5.8) Fix pg_dump with the --clean option to drop event triggers as expected (Tom Lane)
It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.
(9.4.13,9.6.4,9.5.8) Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)
(9.4.13,9.6.4,9.5.8) Fix pg_dump output to stdout on Windows (Kuntal Ghosh)
A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.4.13,9.6.4,9.5.8) Fix pg_get_ruledef()
to print correct output for the ON SELECT rule of a view whose columns have been renamed (Tom Lane)
In some corner cases, pg_dump relies on pg_get_ruledef()
to dump views, so that this error could result in dump/reload failures.
(9.4.13,9.6.4,9.5.8) Fix dumping of outer joins with empty constraints, such as the result of a NATURAL LEFT JOIN with no common columns (Tom Lane)
(9.4.13,9.6.4,9.5.8) Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane)
(9.4.13,9.6.4,9.5.8) Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)
A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.4.13,9.6.4,9.5.8) Fix pg_upgrade to ensure that the ending WAL record does not have wal_level = minimum (Bruce Momjian)
This condition could prevent upgraded standby servers from reconnecting.
(9.4.13,9.6.4,9.5.8) In postgres_fdw, re-establish connections to remote servers after ALTER SERVER or ALTER USER MAPPING commands (Kyotaro Horiguchi)
This ensures that option changes affecting connection parameters will be applied promptly.
(9.4.13,9.6.4,9.5.8) In postgres_fdw, allow cancellation of remote transaction control commands (Robert Haas, Rafia Sabih)
This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.
(9.4.13,9.6.4,9.5.8) Increase MAX_SYSCACHE_CALLBACKS to provide more room for extensions (Tom Lane)
(9.4.13,9.6.4,9.5.8) Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane)
This supports larger extension libraries on platforms where it makes a difference.
(9.4.13,9.5.8) Fix unescaped-braces issue in our build scripts for Microsoft MSVC, to avoid a warning or error from recent Perl versions (Andrew Dunstan)
(9.4.13,9.6.4,9.5.8) In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan)
(9.4.13,9.6.4,9.5.8) In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)
This fixes a former need to move things around in standard Windows installations of libxml2.
(9.4.13,9.6.4,9.5.8) In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch)
(9.4.13,9.6.4,9.5.8) In MSVC builds, honor PROVE_FLAGS settings on vcregress.pl's command line (Andrew Dunstan)
Release date: 2017-05-11
This release contains a variety of fixes from 9.4.11. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are using third-party replication tools that depend on "logical decoding", see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.11, see Version 9.4.11.
(9.4.12) Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. CVE-2017-7486 or CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry forCVE-2017-7547 or CVE-2017-7547, in Version 9.4.13.
(9.4.12,9.6.3,9.5.7) Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. CVE-2017-7484 or CVE-2017-7484)
(9.4.12,9.6.3,9.5.7) Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Processing of this environment variable was unintentionally dropped in PostgreSQL 9.3, but its documentation remained. This creates a security hazard, since users might be relying on the environment variable to force SSL-encrypted connections, but that would no longer be guaranteed. Restore handling of the variable, but give it lower priority than PGSSLMODE, to avoid breaking configurations that work correctly with post-9.3 code. CVE-2017-7485 or CVE-2017-7485)
(9.4.12,9.6.3,9.5.7) Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)
The initial snapshot created for a logical decoding replication slot was potentially incorrect. This could cause third-party tools that use logical decoding to copy incomplete/inconsistent initial data. This was more likely to happen if the source server was busy at the time of slot creation, or if another logical slot already existed.
If you are using a replication tool that depends on logical decoding, and it should have copied a nonempty data set at the start of replication, it is advisable to recreate the replica after installing this update, or to verify its contents against the source server.
(9.4.12,9.6.3,9.5.7) Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
(9.4.12,9.6.3,9.5.7) Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)
In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.
(9.4.12,9.6.3,9.5.7) Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)
(9.4.12,9.6.3,9.5.7) Fix postmaster's handling of fork()
failure for a background worker process (Tom Lane)
Previously, the postmaster updated portions of its state as though the process had been launched successfully, resulting in subsequent confusion.
(9.4.12,9.6.3,9.5.7) Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.
(9.4.12,9.6.3,9.5.7) Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)
The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.
(9.4.12,9.6.3,9.5.7) Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)
This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.
(9.4.12,9.6.3,9.5.7) Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.
(9.4.12,9.6.3,9.5.7) Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
(9.4.12,9.6.3,9.5.7) Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom Lane)
The comparison operators for type interval could yield wrong answers for intervals larger than about 296000 years. Indexes on columns containing such large values should be reindexed, since they may be corrupt.
(9.4.12,9.6.3,9.5.7) Fix cursor_to_xml()
to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping <table> element.
(9.4.12,9.6.3,9.5.7) Fix roundoff problems in float8_timestamptz()
and make_interval()
(Tom Lane)
These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.
(9.4.12,9.6.3,9.5.7) Improve performance of pg_timezone_names view (Tom Lane, David Rowley)
(9.4.12,9.6.3,9.5.7) Reduce memory management overhead for contexts containing many large blocks (Tom Lane)
(9.4.12,9.6.3,9.5.7) Fix sloppy handling of corner-case errors from lseek()
and close()
(Tom Lane)
Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.
(9.4.12,9.6.3,9.5.7) Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
(9.4.12,9.6.3,9.5.7) Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)
(9.4.12,9.6.3,9.5.7) Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
(9.4.12,9.6.3,9.5.7) In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
(9.4.12,9.6.3,9.5.7) Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.
(9.4.12,9.6.3,9.5.7) Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
(9.4.12,9.6.3,9.5.7) Improve error handling in contrib/adminpack's pg_file_write()
function (Noah Misch)
Notably, it failed to detect errors reported by fclose()
.
(9.4.12,9.6.3,9.5.7) In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)
(9.4.12,9.6.3,9.5.7) Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)
In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.
(9.4.12,9.5.7) In contrib/postgres_fdw, transmit query cancellation requests to the remote server (Michael Paquier, Etsuro Fujita)
Previously, a local query cancellation request did not cause an already-sent remote query to terminate early. This is a back-patch of work originally done for 9.6.
(9.4.12) Support OpenSSL 1.1.0 (Heikki Linnakangas, Andreas Karlsson, Tom Lane)
This is a back-patch of work previously done in newer branches; it's needed since many platforms are adopting newer OpenSSL versions.
(9.4.12,9.6.3,9.5.7,9.3.17,9.2.21) Support Tcl 8.6 in MSVC builds (Ãlvaro Herrera)
(9.4.12,9.6.3,9.5.7) Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
(9.4.12,9.6.3,9.5.7) Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
(9.4.12,9.6.3,9.5.7) Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.
Release date: 2017-02-09
This release contains a variety of fixes from 9.4.10. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted indexes.
Also, if you are upgrading from a version earlier than 9.4.10, see Version 9.4.10.
(9.4.11,9.6.2,9.5.6) Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)
If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.
(9.4.11,9.6.2,9.5.6) Ensure that the special snapshot used for catalog scans is not invalidated by premature data pruning (Tom Lane)
Backends failed to account for this snapshot when advertising their oldest xmin, potentially allowing concurrent vacuuming operations to remove data that was still needed. This led to transient failures along the lines of "cache lookup failed for relation 1255".
(9.4.11,9.6.2,9.5.6) Unconditionally WAL-log creation of the "init fork" for an unlogged table (Michael Paquier)
Previously, this was skipped when wal_level = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash.
(9.4.11,9.6.0,9.5.6) Reduce interlocking on standby servers during the replay of btree index vacuuming operations (Simon Riggs)
This change avoids substantial replication delays that sometimes occurred while replaying such operations.
(9.4.11,9.6.2,9.5.6) If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)
(9.4.11,9.6.2,9.5.6) Ensure that hot standby feedback works correctly when it's enabled at standby server start (Ants Aasma, Craig Ringer)
(9.4.11,9.6.2,9.5.6) Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)
(9.4.11,9.6.2,9.5.6) Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)
This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.
(9.4.11,9.6.2,9.5.6) Fix check for when an extension member object can be dropped (Tom Lane)
Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.
(9.4.11,9.6.2,9.5.6) Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier)
Previously, non-default settings of default_tablespace could result in broken indexes.
(9.4.11,9.6.2,9.5.6) Fix incorrect updating of trigger function properties when changing a foreign-key constraint's deferrability properties with ALTER TABLE ... ALTER CONSTRAINT (Tom Lane)
This led to odd failures during subsequent exercise of the foreign key, as the triggers were fired at the wrong times.
(9.4.11,9.6.2,9.5.6) Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)
This avoids "could not find trigger NNN" or "relation NNN has no triggers" errors.
(9.4.11,9.6.2,9.5.6) Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote)
The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.
(9.4.11,9.6.2,9.5.6) Fix CREATE OR REPLACE VIEW to update the view query before attempting to apply the new view options (Dean Rasheed)
Previously the command would fail if the new options were inconsistent with the old view definition.
(9.4.11,9.6.2,9.5.6) Report correct object identity during ALTER TEXT SEARCH CONFIGURATION (Artur Zakirov)
The wrong catalog OID was reported to extensions such as logical decoding.
(9.4.11,9.6.0,9.5.6) Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)
When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction.
(9.4.11,9.6.2,9.5.6) Prevent multicolumn expansion of foo.* in an UPDATE source expression (Tom Lane)
This led to "UPDATE target count mismatch --- internal error". Now the syntax is understood as a whole-row variable, as it would be in other contexts.
(9.4.11,9.6.2,9.5.6) Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane)
This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit.
(9.4.11,9.6.2,9.5.6) Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)
Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"...").
(9.4.11,9.6.2,9.5.6) Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan)
Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.
(9.4.11,9.6.2,9.5.6) Prevent crash when ts_rewrite()
replaces a non-top-level subtree with an empty query (Artur Zakirov)
(9.4.11,9.6.2,9.5.6) Fix performance problems in ts_rewrite()
(Tom Lane)
(9.4.11,9.6.2,9.5.6) Fix ts_rewrite()
's handling of nested NOT operators (Tom Lane)
(9.4.11,9.6.2,9.5.6) Fix array_fill()
to handle empty arrays properly (Tom Lane)
(9.4.11,9.6.2,9.5.6) Fix one-byte buffer overrun in quote_literal_cstr()
(Heikki Linnakangas)
The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.
(9.4.11,9.6.2,9.5.6) Prevent multiple calls of pg_start_backup()
and pg_stop_backup()
from running concurrently (Michael Paquier)
This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.
(9.4.11,9.6.2,9.5.6) Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane)
In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field.
(9.4.11,9.6.2,9.5.6) Ensure that cached plans are invalidated by changes in foreign-table options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)
(9.4.11,9.6.2,9.5.6) Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)
(9.4.11,9.6.2,9.5.6) Fix pg_restore with --create --if-exists to behave more sanely if an archive contains unrecognized DROP commands (Tom Lane)
This doesn't fix any live bug, but it may improve the behavior in future if pg_restore is used with an archive generated by a later pg_dump version.
(9.4.11,9.6.2,9.5.6) Fix pg_basebackup's rate limiting in the presence of slow I/O (Antonin Houska)
If disk I/O was transiently much slower than the specified rate limit, the calculation overflowed, effectively disabling the rate limit for the rest of the run.
(9.4.11,9.6.2,9.5.6) Fix pg_basebackup's handling of symlinked pg_stat_tmp and pg_replslot subdirectories (Magnus Hagander, Michael Paquier)
(9.4.11,9.6.2,9.5.6) Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)
(9.4.11,9.6.2,9.5.6) Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)
This avoids failures if the objects are used after a Python garbage collection cycle has occurred.
(9.4.11,9.6.2,9.5.6) Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane)
This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that.
(9.4.11,9.6.2,9.5.6) Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing)
This change simplifies use of the same password file across Unix and Windows machines.
(9.4.11,9.6.2,9.5.6) Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)
(9.4.11,9.6.2,9.5.6) Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost)
(9.4.11,9.6.2,9.5.6) In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning "no pager" (Tom Lane)
Previously, such a setting caused output intended for the pager to vanish entirely.
(9.4.11,9.6.2,9.5.6) Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway)
(9.4.11,9.6.2,9.5.6) Teach contrib/dblink to ignore irrelevant server options when it uses a contrib/postgres_fdw foreign server as the source of connection options (Corey Huinker)
Previously, if the foreign server object had options that were not also libpq connection options, an error occurred.
(9.4.11,9.6.2,9.5.6) On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)
(9.4.11,9.6.2,9.5.6) Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)
This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.
(9.4.11,9.6.2,9.5.6) Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.
Release date: 2016-10-27
This release contains a variety of fixes from 9.4.9. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted free space maps.
Also, if you are upgrading from a version earlier than 9.4.6, see Version 9.4.6.
(9.4.10,9.6.1,9.5.5) Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)
It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like "could not read block XXX: read only 0 of 8192 bytes". Checksum failures in the visibility map are also possible, if checksumming is enabled.
Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.
(9.4.10,9.5.5) Fix incorrect creation of GIN index WAL records on big-endian machines (Tom Lane)
The typical symptom was "unexpected GIN leaf action" errors during WAL replay.
(9.4.10,9.5.5) Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been updated by a subsequently-aborted transaction (Ãlvaro Herrera)
In 9.5 and later, the SELECT would sometimes fail to return such tuples at all. A failure has not been proven to occur in earlier releases, but might be possible with concurrent updates.
(9.4.10,9.5.5) Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)
The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated.
(9.4.10,9.5.5) Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth)
The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not.
(9.4.10,9.5.5) Fix query-lifespan memory leak in a bulk UPDATE on a table with a PRIMARY KEY or REPLICA IDENTITY index (Tom Lane)
(9.4.10,9.6.1,9.5.5) Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)
Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>.
(9.4.10,9.5.5) Suppress printing of zeroes for unmeasured times in EXPLAIN (Maksim Milyutin)
Certain option combinations resulted in printing zero values for times that actually aren't ever measured in that combination. Our general policy in EXPLAIN is not to print such fields at all, so do that consistently in all cases.
(9.4.10,9.5.5) Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs)
The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value.
(9.4.10,9.6.1,9.5.5) Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)
Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint.
(9.4.10,9.5.5) Remove artificial restrictions on the values accepted by numeric_in()
and numeric_recv()
(Tom Lane)
We allow numeric values up to the limit of the storage format (more than 1e100000), so it seems fairly pointless that numeric_in()
rejected scientific-notation exponents above 1000. Likewise, it was silly for numeric_recv()
to reject more than 1000 digits in an input value.
(9.4.10,9.6.1,9.5.5) Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
(9.4.10,9.6.1,9.5.5) Fix logical WAL decoding to work properly when a subtransaction's WAL output is large enough to spill to disk (Andres Freund)
(9.4.10) Fix buffer overread in logical WAL decoding (Tom Lane)
Logical decoding of a tuple update record read 23 bytes too many, which was usually harmless but with very bad luck could result in a crash.
(9.4.10,9.5.5) Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund)
(9.4.10,9.5.5) Disallow starting a standalone backend with standby_mode turned on (Michael Paquier)
This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind.
(9.4.10,9.5.5) Properly initialize replication slot state when recycling a previously-used slot (Michael Paquier)
This failure to reset all of the fields of the slot could prevent VACUUM from removing dead tuples.
(9.4.10,9.6.1,9.5.5) Round shared-memory allocation request to a multiple of the actual huge page size when attempting to use huge pages on Linux (Tom Lane)
This avoids possible failures during munmap()
on systems with atypical default huge page sizes. Except in crash-recovery cases, there were no ill effects other than a log message.
(9.4.10,9.5.5) Use a more random value for the dynamic shared memory control segment's ID (Robert Haas, Tom Lane)
Previously, the same value would be chosen every time, because it was derived from random()
but srandom()
had not yet been called. While relatively harmless, this was not the intended behavior.
(9.4.10,9.5.5) On Windows, retry creation of the dynamic shared memory control segment after an access-denied error (Kyotaro Horiguchi, Amit Kapila)
Windows sometimes returns ERROR_ACCESS_DENIED rather than ERROR_ALREADY_EXISTS when there is an existing segment. This led to postmaster startup failure due to believing that the former was an unrecoverable error.
(9.4.10,9.6.1,9.5.5) Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.
(9.4.10,9.6.1,9.5.5) Avoid corner-case memory leak in libpq (Tom Lane)
The reported problem involved leaking an error report during PQreset()
, but there might be related cases.
(9.4.10,9.5.5) Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi)
(9.4.10,9.5.5) Fix pgbench's calculation of average latency (Fabien Coelho)
The calculation was incorrect when there were \sleep commands in the script, or when the test duration was specified in number of transactions rather than total time.
(9.4.10,9.5.5) In pg_dump, never dump range constructor functions (Tom Lane)
This oversight led to pg_upgrade failures with extensions containing range types, due to duplicate creation of the constructor functions.
(9.4.10,9.6.1,9.5.5) In pg_xlogdump, retry opening new WAL segments when using --follow option (Magnus Hagander)
This allows for a possible delay in the server's creation of the next segment.
(9.4.10,9.5.5) Fix pg_xlogdump to cope with a WAL file that begins with a continuation record spanning more than one page (Pavan Deolasee)
(9.4.10,9.5.5) Fix contrib/pg_buffercache to work when shared_buffers exceeds 256GB (KaiGai Kohei)
(9.4.10,9.5.5) Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson)
(9.4.10,9.5.5) Install TAP test infrastructure so that it's available for extension testing (Craig Ringer)
When PostgreSQL has been configured with --enable-tap-tests, "make install" will now install the Perl support files for TAP testing where PGXS can find them. This allows non-core extensions to use $(prove_check) without extra tests.
(9.4.10,9.5.5) In MSVC builds, include pg_recvlogical in a client-only installation (MauMau)
(9.4.10,9.5.5) Update Windows time zone mapping to recognize some time zone names added in recent Windows versions (Michael Paquier)
(9.4.10,9.5.5) Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)
If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether.
(9.4.10,9.6.1,9.5.5) Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.
Release date: 2016-08-11
This release contains a variety of fixes from 9.4.8. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.6, see Version 9.4.6.
(9.4.9,9.5.4) Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)
A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. CVE-2016-5423 or CVE-2016-5423)
(9.4.9,9.5.4) Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)
Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.
Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.
Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.
pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.
These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. CVE-2016-5424 or CVE-2016-5424)
(9.4.9,9.5.4) Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)
The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW (NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW (NULL, ROW (NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.
(9.4.9,9.5.4) Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)
(9.4.9,9.5.4) Prevent crash in close_ps()
(the point ## lseg operator) for NaN input coordinates (Tom Lane)
Make it return NULL instead of crashing.
(9.4.9,9.5.4) Avoid possible crash in pg_get_expr()
when inconsistent values are passed to it (Michael Paquier, Thomas Munro)
(9.4.9,9.5.4) Fix several one-byte buffer over-reads in to_number()
(Peter Eisentraut)
In several cases the to_number()
function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory.
(9.4.9,9.5.4) Do not run the planner on the query contained in CREATE MATERIALIZED VIEW or CREATE TABLE AS when WITH NO DATA is specified (Michael Paquier, Tom Lane)
This avoids some unnecessary failure conditions, for example if a stable function invoked by the materialized view depends on a table that doesn't exist yet.
(9.4.9,9.5.4) Avoid unsafe intermediate state during expensive paths through heap_update()
(Masahiko Sawada, Andres Freund)
Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.
(9.4.9,9.5.4) Fix hint bit update during WAL replay of row locking operations (Andres Freund)
The only known consequence of this problem is that row locks held by a prepared, but uncommitted, transaction might fail to be enforced after a crash and restart.
(9.4.9,9.5.4) Avoid unnecessary "could not serialize access" errors when acquiring FOR KEY SHARE row locks in serializable mode (Ãlvaro Herrera)
(9.4.9,9.5.4) Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier)
(9.4.9,9.5.4) Fix possible loss of large subtransactions in logical decoding (Petru-Florin Mihancea)
(9.4.9,9.5.4) Fix failure of logical decoding when a subtransaction contains no actual changes (Marko Tiikkaja, Andrew Gierth)
(9.4.9,9.5.4) Ensure that backends see up-to-date statistics for shared catalogs (Tom Lane)
The statistics collector failed to update the statistics file for shared catalogs after a request from a regular backend. This problem was partially masked because the autovacuum launcher regularly makes requests that did cause such updates; however, it became obvious with autovacuum disabled.
(9.4.9,9.5.4) Avoid redundant writes of the statistics files when multiple backends request updates close together (Tom Lane, Tomas Vondra)
(9.4.9,9.5.4) Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)
Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.
(9.4.9) Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Ãlvaro Herrera)
VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers.
(9.4.9,9.5.4) Prevent possible failure when vacuuming multixact IDs in an installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth, Ãlvaro Herrera)
The usual symptom of this bug is errors like "MultiXactId NNN has not been created yet -- apparent wraparound".
(9.4.9,9.5.4) When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)
If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.
(9.4.9,9.5.4) Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)
The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.
(9.4.9,9.5.4) Prevent autovacuum from starting multiple workers for the same shared catalog (Ãlvaro Herrera)
Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.
(9.4.9,9.5.4) Avoid duplicate buffer lock release when abandoning a b-tree index page deletion attempt (Tom Lane)
This mistake prevented VACUUM from completing in some cases involving corrupt b-tree indexes.
(9.4.9,9.5.4) Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane)
(9.4.9,9.5.4) Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)
(9.4.9,9.5.4) Teach libpq to correctly decode server version from future servers (Peter Eisentraut)
It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that PQserverVersion()
returns the correct value for such cases.
(9.4.9,9.5.4) Fix ecpg's code for unsigned long long array elements (Michael Meskes)
(9.4.9,9.5.4) In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane)
(9.4.9,9.5.4) Improve handling of SIGTERM/control-C in parallel pg_dump and pg_restore (Tom Lane)
Make sure that the worker processes will exit promptly, and also arrange to send query-cancel requests to the connected backends, in case they are doing something long-running such as a CREATE INDEX.
(9.4.9,9.5.4) Fix error reporting in parallel pg_dump and pg_restore (Tom Lane)
Previously, errors reported by pg_dump or pg_restore worker processes might never make it to the user's console, because the messages went through the master process, and there were various deadlock scenarios that would prevent the master process from passing on the messages. Instead, just print everything to stderr. In some cases this will result in duplicate messages (for instance, if all the workers report a server shutdown), but that seems better than no message.
(9.4.9,9.5.4) Ensure that parallel pg_dump or pg_restore on Windows will shut down properly after an error (Kyotaro Horiguchi)
Previously, it would report the error, but then just sit until manually stopped by the user.
(9.4.9,9.5.4) Make pg_dump behave better when built without zlib support (Kyotaro Horiguchi)
It didn't work right for parallel dumps, and emitted some rather pointless warnings in other cases.
(9.4.9,9.5.4) Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)
(9.4.9,9.5.4) Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)
(9.4.9,9.5.4) Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)
(9.4.9,9.5.4) Be more predictable about reporting "statement timeout" versus "lock timeout" (Tom Lane)
On heavily loaded machines, the regression tests sometimes failed due to reporting "lock timeout" even though the statement timeout should have occurred first.
(9.4.9,9.5.4) Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)
Change some test data that triggered the unusual sorting rules of these locales.
(9.4.9,9.5.4) Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)
This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.
(9.4.9,9.5.4) Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.
Release date: 2016-05-12
This release contains a variety of fixes from 9.4.7. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.6, see Version 9.4.6.
(9.4.8,9.5.3) Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
(9.4.8,9.5.3) Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
(9.4.8,9.5.3) Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)
Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.
(9.4.8,9.5.3) Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)
(9.4.8,9.5.3) Fix query-lifespan memory leak and potential index corruption hazard in GIN index insertion (Tom Lane)
The memory leak would typically not amount to much in simple queries, but it could be very substantial during a large GIN index build with high maintenance_work_mem.
(9.4.8,9.5.3) Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp()
(Tom Lane)
These could advance off the end of the input string, causing subsequent format codes to read garbage.
(9.4.8,9.5.3) Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
(9.4.8,9.5.3) Disallow newlines in ALTER SYSTEM parameter values (Tom Lane)
The configuration-file parser doesn't support embedded newlines in string literals, so we mustn't allow them in values to be inserted by ALTER SYSTEM.
(9.4.8,9.5.3) Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX to work properly if an index on OID is selected (David Rowley)
(9.4.8,9.5.3) Fix crash in logical decoding on alignment-picky platforms (Tom Lane, Andres Freund)
The failure occurred only with a transaction large enough to spill to disk and a primary-key change within that transaction.
(9.4.8,9.5.3) Avoid repeated requests for feedback from receiver while shutting down walsender (Nick Cleaton)
(9.4.8,9.5.3) Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)
This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.
(9.4.8,9.5.3) Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)
In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
(9.4.8,9.5.3) Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane)
pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.
(9.4.8,9.5.3) Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)
(9.4.8,9.5.3) Rename internal function strtoi()
to strtoint()
to avoid conflict with a NetBSD library function (Thomas Munro)
(9.4.8,9.5.3) Fix reporting of errors from bind()
and listen()
system calls on Windows (Tom Lane)
(9.4.8,9.5.3) Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)
(9.4.8,9.5.3) Fix putenv()
to work properly with Visual Studio 2013 (Michael Paquier)
(9.4.8,9.5.3) Avoid possibly-unsafe use of Windows' FormatMessage()
function (Christian Ullrich)
Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
(9.4.8,9.5.3) Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.
Release date: 2016-03-31
This release contains a variety of fixes from 9.4.6. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.6, see Version 9.4.6.
(9.4.7,9.5.2) Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
(9.4.7,9.5.2) Avoid unlikely data-loss scenarios due to renaming files without adequate fsync()
calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)
(9.4.7,9.5.2) Fix bug in json_to_record()
when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)
(9.4.7,9.5.2) Fix misformatting of negative time zone offsets by to_char()
's OF format code (Thomas Munro, Tom Lane)
(9.4.7,9.5.2) Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)
Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.
(9.4.7,9.5.2) Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
(9.4.7,9.5.2) Fix assorted bugs in logical decoding (Andres Freund)
Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of "subxact logged without previous toplevel record", and incorrect reporting of a transaction's commit time.
(9.4.7,9.5.2) Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)
(9.4.7,9.5.2) Fix corner-case crash due to trying to free localeconv()
output strings more than once (Tom Lane)
(9.4.7,9.5.2) Fix parsing of affix files for ispell dictionaries (Tom Lane)
The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
(9.4.7,9.5.2) Avoid use of sscanf()
to parse ispell dictionary files (Artur Zakirov)
This dodges a portability problem on FreeBSD-derived platforms (including macOS).
(9.4.7,9.5.2) Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
(9.4.7,9.5.2) Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
(9.4.7,9.5.2) Fix psql's tab completion for SECURITY LABEL (Tom Lane)
Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
(9.4.7,9.5.2) Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
(9.4.7,9.5.2) Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
(9.4.7,9.5.2) Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
(9.4.7,9.5.2) In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)
Blind application of the script in such cases would result in loss of the new data directory.
(9.4.7,9.5.2) In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
(9.4.7,9.5.2) Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
(9.4.7,9.5.2) Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex()
function (Tom Lane)
(9.4.7,9.5.2) Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
(9.4.7,9.5.2) Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).
Release date: 2016-02-11
This release contains a variety of fixes from 9.4.5. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading an installation that contains any GIN indexes that use the (non-default) jsonb_path_ops operator class, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.4, see Version 9.4.4.
(9.4.6) Fix inconsistent hash calculations in jsonb_path_ops GIN indexes (Tom Lane)
When processing jsonb values that contain both scalars and sub-objects at the same nesting level, for example an array containing both scalars and sub-arrays, key hash values could be calculated differently than they would be for the same key in a different context. This could result in queries not finding entries that they should find. Fixing this means that existing indexes may now be inconsistent with the new hash calculation code. Users should REINDEX jsonb_path_ops GIN indexes after installing this update to make sure that all searches work as expected.
(9.4.6,9.5.1) Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. CVE-2016-0773 or CVE-2016-0773)
(9.4.6) Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane)
The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster.
(9.4.6) In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro)
(9.4.6) Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund)
Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master.
(9.4.6) Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier)
(9.4.6) Ensure walsender slots are fully re-initialized when being re-used (Magnus Hagander)
(9.4.6) Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane)
(9.4.6) Fix REASSIGN OWNED to change ownership of composite types properly (Ãlvaro Herrera)
(9.4.6) Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Ãlvaro Herrera)
(9.4.6) Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Ãlvaro Herrera)
(9.4.6) Fix possible crash after doing query rewrite for an updatable view (Stephen Frost)
(9.4.6) Fix planner's handling of LATERAL references (Tom Lane)
This fixes some corner cases that led to "failed to build any N-way joins" or "could not devise a query plan" planner failures.
(9.4.6) Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane)
(9.4.6) Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud)
(9.4.6) Speed up generation of unique table aliases in EXPLAIN and rule dumping, and ensure that generated aliases do not exceed NAMEDATALEN (Tom Lane)
(9.4.6) Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane)
(9.4.6) Translation of minus-infinity dates and timestamps to json or jsonb incorrectly rendered them as plus-infinity (Tom Lane)
(9.4.6) Fix possible internal overflow in numeric division (Dean Rasheed)
(9.4.6) Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane)
Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results.
(9.4.6) Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane)
(9.4.6) Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane)
The code added forCVE-2007-4772 or CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition.
(9.4.6) Improve memory-usage accounting in regular-expression compiler (Tom Lane)
This causes the code to emit "regular expression is too complex" errors in some cases that previously used unreasonable amounts of time and memory.
(9.4.6) Improve performance of regular-expression compiler (Tom Lane)
(9.4.6,9.5.1) Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
(9.4.6) On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila)
This oversight resulted in failure to recover from crashes whenever logging_collector is turned on.
(9.4.6) Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane)
It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection.
(9.4.6,9.5.1) Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
(9.4.6) In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure)
Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries.
(9.4.6,9.5.1) Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
(9.4.6) Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane)
(9.4.6) In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier)
Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start.
Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command.
(9.4.6) In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta)
On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use.
(9.4.6,9.5.1) In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
(9.4.6) In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane)
The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files.
(9.4.6,9.5.1) Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
(9.4.6,9.5.1) Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
(9.4.6) Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane)
A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem.
(9.4.6) Avoid repeated password prompts during parallel pg_dump (Zeus Kronion)
(9.4.6) Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian)
(9.4.6,9.5.1) Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
(9.4.6) Fix failure to localize messages emitted by pg_receivexlog and pg_recvlogical (Ioseph Kim)
(9.4.6,9.5.1) Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
(9.4.6,9.5.1) Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
(9.4.6) Fix premature clearing of libpq's input buffer when socket EOF is seen (Tom Lane)
This mistake caused libpq to sometimes not report the backend's final error message before reporting "server closed the connection unexpectedly".
(9.4.6,9.5.1) Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
This change mitigates a PL/Java security bug CVE-2016-0766 or CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
(9.4.6) Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas)
(9.4.6) Fix order of arguments in ecpg-generated typedef statements (Michael Meskes)
(9.4.6) Use %g not %f format in ecpg's PGTYPESnumeric_from_double()
(Tom Lane)
(9.4.6,9.5.1) Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
(9.4.6,9.5.1) Fix hstore_to_json_loose()
's test for whether an hstore value can be converted to a JSON number (Tom Lane)
Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
(9.4.6) Ensure that contrib/pgcrypto's crypt()
function can be interrupted by query cancel (Andreas Karlsson)
(9.4.6,9.5.1) In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)
(9.4.6) Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier)
Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted.
(9.4.6,9.5.1) Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
This avoids possible bitwise differences in the produced executable files from one build to the next.
(9.4.6) Install our missing script where PGXS builds can find it (Jim Nasby)
This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing.
(9.4.6,9.5.1) Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
(9.4.6) Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane)
The fix for libxml2'sCVE-2015-7499 or CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it.
(9.4.6,9.5.1) Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.
Release date: 2015-10-08
This release contains a variety of fixes from 9.4.4. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.4, see Version 9.4.4.
(9.4.5) Guard against stack overflows in json parsing (Oskari Saarenmaa)
If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. CVE-2015-5289 or CVE-2015-5289)
(9.4.5) Fix contrib/pgcrypto to detect and report too-short crypt()
salts (Josh Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. CVE-2015-5288 or CVE-2015-5288)
(9.4.5) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
(9.4.5) Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)
(9.4.5) Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)
(9.4.5) Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
(9.4.5) Avoid O (N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
(9.4.5) Improve LISTEN startup time when there are many unread notifications (Matt Newell)
(9.4.5) Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)
This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
(9.4.5) Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
(9.4.5) Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
(9.4.5) Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
(9.4.5) Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)
(9.4.5) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
(9.4.5) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
(9.4.5) Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
(9.4.5) Add more query-cancel checks to regular expression matching (Tom Lane)
(9.4.5) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
(9.4.5) Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
(9.4.5) In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
(9.4.5) Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
(9.4.5) Fix low-probability memory leak during regular expression execution (Tom Lane)
(9.4.5) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
(9.4.5) Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
(9.4.5) Fix very-low-probability stack overrun in qsort
(Tom Lane)
(9.4.5) Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
(9.4.5) Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
(9.4.5) Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
(9.4.5) Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
(9.4.5) During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
(9.4.5) Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)
Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.
(9.4.5) Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
(9.4.5) Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)
(9.4.5) Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
(9.4.5) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Ãlvaro Herrera)
(9.4.5) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
(9.4.5) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
(9.4.5) Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
(9.4.5) Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
(9.4.5) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
(9.4.5) Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
(9.4.5) Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
(9.4.5) Fix some places in PL/Tcl that neglected to check for failure of malloc()
calls (Michael Paquier, Ãlvaro Herrera)
(9.4.5) In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
(9.4.5) Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)
The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.
(9.4.5) Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)
The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
(9.4.5) Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
(9.4.5) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
(9.4.5) Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
(9.4.5) Prevent crash in psql's \c command when there is no current connection (Noah Misch)
(9.4.5) Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
(9.4.5) Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
(9.4.5) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
(9.4.5) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
(9.4.5) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
(9.4.5) Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
(9.4.5) Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
(9.4.5) Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)
(9.4.5) Fix spinlock assembly code for Alpha hardware (Tom Lane)
(9.4.5) Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
(9.4.5) On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
(9.4.5) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
(9.4.5) Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
(9.4.5) Use librt for sched_yield()
when necessary, which it is on some Solaris versions (Oskari Saarenmaa)
(9.4.5) Translate encoding UHC as Windows code page 949 (Noah Misch)
This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.
(9.4.5) On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)
(9.4.5) Fix postmaster startup failure due to not copying setlocale()
's return value (Noah Misch)
This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.
(9.4.5) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
(9.4.5) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
(9.4.5) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.
Release date: 2015-06-12
This release contains a small number of fixes from 9.4.3. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading an installation that was previously upgraded using a pg_upgrade version between 9.3.0 and 9.3.4 inclusive, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.2, see Version 9.4.2.
(9.4.4) Fix possible failure to recover from an inconsistent database state (Robert Haas)
Recent PostgreSQL releases introduced mechanisms to protect against multixact wraparound, but some of that code did not account for the possibility that it would need to run during crash recovery, when the database may not be in a consistent state. This could result in failure to restart after a crash, or failure to start up a secondary server. The lingering effects of a previously-fixed bug in pg_upgrade could also cause such a failure, in installations that had used pg_upgrade versions between 9.3.0 and 9.3.4.
The pg_upgrade bug in question was that it would set oldestMultiXid to 1 in pg_control even if the true value should be higher. With the fixes introduced in this release, such a situation will result in immediate emergency autovacuuming until a correct oldestMultiXid value can be determined. If that would pose a hardship, users can avoid it by doing manual vacuuming before upgrading to this release. In detail:
Check whether pg_controldata reports "Latest checkpoint's oldestMultiXid" to be 1. If not, there's nothing to do.
(9.4.4) Look in PGDATA/pg_multixact/offsets to see if there's a file named 0000. If there is, there's nothing to do.
(9.4.4) Otherwise, for each table that has pg_class.relminmxid equal to 1, VACUUM that table with both vacuum_multixact_freeze_min_age and vacuum_multixact_freeze_table_age set to zero. (You can use the vacuum cost delay parameters described in Section 18.4.4 to reduce the performance consequences for concurrent sessions.)
(9.4.4) Fix rare failure to invalidate relation cache init file (Tom Lane)
With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.
(9.4.4) Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)
A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.
(9.4.4) Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans (Tom Lane, Tomas Vondra)
This type of plan is quite cheap when all the join clauses are used as index scan conditions, even if the inner scan would nominally fetch many rows, because the executor will stop after obtaining one row. The planner only partially accounted for that effect, and would therefore overestimate the cost, leading it to possibly choose some other much less efficient plan type.
Release date: 2015-06-04
This release contains a small number of fixes from 9.4.2. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.2, see Version 9.4.2.
(9.4.3) Avoid failures while fsync
'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane)
In the previous minor releases we added a patch to fsync
everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing.
Also apply the same rules in initdb --sync-only. This case is less critical but it should act similarly.
(9.4.3) Fix pg_get_functiondef()
to show functions' LEAKPROOF property, if set (Jeevan Chalke)
(9.4.3) Fix pushJsonbValue()
to unpack jbvBinary objects (Andrew Dunstan)
This change does not affect any behavior in the core code as of 9.4, but it avoids a corner case for possible third-party callers.
(9.4.3) Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane)
The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.
Release date: 2015-05-22
This release contains a variety of fixes from 9.4.1. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you use contrib/citext's regexp_matches()
functions, see the changelog entry below about that.
Also, if you are upgrading from a version earlier than 9.4.1, see Version 9.4.1.
(9.4.2) Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. CVE-2015-3165 or CVE-2015-3165)
(9.4.2) Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf()
failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.
It remains possible that some calls of the *printf()
family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. CVE-2015-3166 or CVE-2015-3166)
(9.4.2) In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data" (Noah Misch)
Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. CVE-2015-3167 or CVE-2015-3167)
(9.4.2) Protect against wraparound of multixact member IDs (Ãlvaro Herrera, Robert Haas, Thomas Munro)
Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound.
(9.4.2) Fix incorrect declaration of contrib/citext's regexp_matches()
functions (Tom Lane)
These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also "update" back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches()
functions.
(9.4.2) Render infinite dates and timestamps as infinity when converting to json, rather than throwing an error (Andrew Dunstan)
(9.4.2) Fix json/jsonb's populate_record()
and to_record()
functions to handle empty input properly (Andrew Dunstan)
(9.4.2) Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
(9.4.2) Fix behavior when changing foreign key constraint deferrability status with ALTER TABLE ... ALTER CONSTRAINT (Tom Lane)
Operations later in the same session or concurrent sessions might not honor the status change promptly.
(9.4.2) Fix planning of star-schema-style queries (Tom Lane)
Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.
(9.4.2) Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)
This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
(9.4.2) Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)
Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
(9.4.2) Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
(9.4.2) Ensure that row locking occurs properly when the target of an UPDATE or DELETE is a security-barrier view (Stephen Frost)
(9.4.2) Use a file opened for read/write when syncing replication slot data during database startup (Andres Freund)
On some platforms, the previous coding could result in errors like "could not fsync file "pg_replslot/...": Bad file descriptor".
(9.4.2) Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)
(9.4.2) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)
(9.4.2) Recursively fsync()
the data directory after a crash (Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
(9.4.2) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Ãlvaro Herrera)
(9.4.2) Fix failure to handle invalidation messages for system catalogs early in session startup (Tom Lane)
This oversight could result in failures in sessions that start concurrently with a VACUUM FULL on a system catalog.
(9.4.2) Fix crash in BackendIdGetTransactionIds()
when trying to get status for a backend process that just exited (Tom Lane)
(9.4.2) Cope with unexpected signals in LockBufferForCleanup()
(Andres Freund)
This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
(9.4.2) Fix crash when doing COPY IN to a table with check constraints that contain whole-row references (Tom Lane)
The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.
(9.4.2) Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)
Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
(9.4.2) Avoid busy-waiting with short recovery_min_apply_delay values (Andres Freund)
(9.4.2) Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)
(9.4.2) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)
(9.4.2) Fix memory leaks in GIN index vacuum (Heikki Linnakangas)
(9.4.2) Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
(9.4.2) Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita)
(9.4.2) Add the name of the target server to object description strings for foreign-server user mappings (Ãlvaro Herrera)
(9.4.2) Include the schema name in object identity strings for conversions (Ãlvaro Herrera)
(9.4.2) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
(9.4.2) Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
(9.4.2) Fix status reporting for terminated background workers that were never actually started (Robert Haas)
(9.4.2) After a database crash, don't restart background workers that are marked BGW_NEVER_RESTART (Amit Khandekar)
(9.4.2) Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas)
This avoids a possible startup failure in pg_receivexlog.
(9.4.2) While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)
(9.4.2) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput()
upon read-ready.
(9.4.2) In libpq, fix misparsing of empty values in URI connection strings (Thomas Fanghaenel)
(9.4.2) Fix array handling in ecpg (Michael Meskes)
(9.4.2) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Ãlvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
(9.4.2) Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)
This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
(9.4.2) Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)
(9.4.2) In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier)
(9.4.2) Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost)
This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
(9.4.2) Avoid possible pg_dump failure when concurrent sessions are creating and dropping temporary functions (Tom Lane)
(9.4.2) Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)
(9.4.2) Ensure that a view's replication identity is correctly set to nothing during dump/restore (Marko Tiikkaja)
Previously, if the view was involved in a circular dependency, it might wind up with an incorrect replication identity property.
(9.4.2) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
(9.4.2) In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)
(9.4.2) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)
(9.4.2) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
(9.4.2) Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem)
(9.4.2) Improve handling of readdir()
failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini)
(9.4.2) Fix slow sorting algorithm in contrib/intarray (Tom Lane)
(9.4.2,9.3.7,9.2.11,9.1.16,9.0.20) Fix compile failure on Sparc V8 machines (Rob Rowan)
(9.4.2,9.3.7) Silence some build warnings on macOS (Tom Lane)
(9.4.2) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).
Release date: 2015-02-05
This release contains a variety of fixes from 9.4.0. For information about new features in the 9.4 major release, see Version 9.4.0.
A dump/restore is not required for those running 9.4.X.
However, if you are a Windows user and are using the "Norwegian (Bokmål)" locale, manual action is needed after the upgrade to replace any "Norwegian (Bokmål)_Norway" or "norwegian-bokmal" locale names stored in PostgreSQL system catalogs with the plain-ASCII alias "Norwegian_Norway". For details see http://wiki.postgresql.org/wiki/Changes_To_Norwegian_Locale
(9.4.1) Fix buffer overruns in to_char()
(Bruce Momjian)
When to_char()
processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. CVE-2015-0241 or CVE-2015-0241)
(9.4.1) Fix buffer overrun in replacement *printf()
functions (Tom Lane)
PostgreSQL includes a replacement implementation of printf
and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char()
SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. CVE-2015-0242 or CVE-2015-0242)
(9.4.1) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. CVE-2015-0243 or CVE-2015-0243)
(9.4.1) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. CVE-2015-0244 or CVE-2015-0244)
(9.4.1) Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. CVE-2014-8161 or CVE-2014-8161)
(9.4.1) Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. CVE-2014-0067 or CVE-2014-0067)
(9.4.1) Cope with the Windows locale named "Norwegian (Bokmål)" (Heikki Linnakangas)
Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, "Norwegian_Norway".
9.4.0 mapped the troublesome name to "norwegian-bokmal", but that turns out not to work on all Windows configurations. "Norwegian_Norway" is now recommended instead.
(9.4.1) Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.
(9.4.1) Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Ãlvaro Herrera, Mark Kirkwood)
(9.4.1) Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Ãlvaro Herrera)
(9.4.1) Improve performance of EXPLAIN with large range tables (Tom Lane)
(9.4.1) Fix jsonb Unicode escape processing, and in consequence disallow \u0000 (Tom Lane)
Previously, the JSON Unicode escape \u0000 was accepted and was stored as those six characters; but that is indistinguishable from what is stored for the input \\u0000, resulting in ambiguity. Moreover, in cases where de-escaped textual output is expected, such as the ->> operator, the sequence was printed as \u0000, which does not meet the expectation that JSON escaping would be removed. (Consistent behavior would require emitting a zero byte, but PostgreSQL does not support zero bytes embedded in text strings.) 9.4.0 included an ill-advised attempt to improve this situation by adjusting JSON output conversion rules; but of course that could not fix the fundamental ambiguity, and it turned out to break other usages of Unicode escape sequences. Revert that, and to avoid the core problem, reject \u0000 in jsonb input.
If a jsonb column contains a \u0000 value stored with 9.4.0, it will henceforth read out as though it were \\u0000, which is the other valid interpretation of the data stored by 9.4.0 for this case.
The json type did not have the storage-ambiguity problem, but it did have the problem of inconsistent de-escaped textual output. Therefore \u0000 will now also be rejected in json values when conversion to de-escaped form is required. This change does not break the ability to store \u0000 in json columns so long as no processing is done on the values. This is exactly parallel to the cases in which non-ASCII Unicode escapes are allowed when the database encoding is not UTF8.
(9.4.1) Fix namespace handling in xpath()
(Ali Akbar)
Previously, the xml value resulting from an xpath()
call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation.
(9.4.1) Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli)
This patch fixes corner-case "unexpected operator NNNN" planner errors, and improves the selectivity estimates for some other cases.
(9.4.1) Revert unintended reduction in maximum size of a GIN index item (Heikki Linnakangas)
9.4.0 could fail with "index row size exceeds maximum" errors for data that previous versions would accept.
(9.4.1) Fix query-duration memory leak during repeated GIN index rescans (Heikki Linnakangas)
(9.4.1) Fix possible crash when using nonzero gin_fuzzy_search_limit (Heikki Linnakangas)
(9.4.1) Assorted fixes for logical decoding (Andres Freund)
(9.4.1) Fix incorrect replay of WAL parameter change records that report changes in the wal_log_hints setting (Petr Jelinek)
(9.4.1) Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".
(9.4.1) Warn if macOS's setlocale()
starts an unwanted extra thread inside the postmaster (Noah Misch)
(9.4.1) Fix libpq's behavior when /etc/passwd isn't readable (Tom Lane)
While doing PQsetdbLogin()
, libpq attempts to ascertain the user's operating system name, which on most Unix platforms involves reading /etc/passwd. As of 9.4, failure to do that was treated as a hard error. Restore the previous behavior, which was to fail only if the application does not provide a database role name to connect as. This supports operation in chroot environments that lack an /etc/passwd file.
(9.4.1) Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
(9.4.1) Fix pg_dump to handle comments on event triggers without failing (Tom Lane)
(9.4.1) Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner)
(9.4.1) Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)
(9.4.1) Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby()
(Michael Paquier)
connectby()
previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further.
(9.4.1) Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
(9.4.1) Allow CFLAGS from configure's environment to override automatically-supplied CFLAGS (Tom Lane)
Previously, configure would add any switches that it chose of its own accord to the end of the user-specified CFLAGS string. Since most compilers process switches left-to-right, this meant that configure's choices would override the user-specified flags in case of conflicts. That should work the other way around, so adjust the logic to put the user's string at the end not the beginning.
(9.4.1) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.
(9.4.1) Add CST (China Standard Time) to our lists of timezone abbreviations (Tom Lane)
(9.4.1) Update time zone data files to tzdata release 2015a for DST law changes in Chile and Mexico, plus historical changes in Iceland.
Release date: 2014-12-18
Major enhancements in PostgreSQL 9.4 include:
(9.4.0) Add jsonb, a more capable and efficient data type for storing JSON data
(9.4.0) Add new SQL command ALTER SYSTEM for changing postgresql.conf configuration file entries
(9.4.0) Reduce lock strength for some ALTER TABLE commands
(9.4.0) Allow materialized views to be refreshed without blocking concurrent reads
(9.4.0) Add support for logical decoding of WAL data, to allow database changes to be streamed out in a customizable format
(9.4.0) Allow background worker processes to be dynamically registered, started and terminated
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.4 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
(9.4.0) Tighten checks for multidimensional array input (Bruce Momjian)
Previously, an input array string that started with a single-element sub-array could later contain multi-element sub-arrays, e.g. '{{1}, {2,3}}'::int[] would be accepted.
(9.4.0) When converting values of type date, timestamp or timestamptz to JSON, render the values in a format compliant with ISO 8601 (Andrew Dunstan)
Previously such values were rendered according to the current DateStyle setting; but many JSON processors require timestamps to be in ISO 8601 format. If necessary, the previous behavior can be obtained by explicitly casting the datetime value to text before passing it to the JSON conversion function.
(9.4.0) The json #> text[] path extraction operator now returns its lefthand input, not NULL, if the array is empty (Tom Lane)
This is consistent with the notion that this represents zero applications of the simple field/element extraction operator ->. Similarly, json #>> text[] with an empty array merely coerces its lefthand input to text.
(9.4.0) Corner cases in the JSON field/element/path extraction operators now return NULL rather than raising an error (Tom Lane)
For example, applying field extraction to a JSON array now yields NULL not an error. This is more consistent (since some comparable cases such as no-such-field already returned NULL), and it makes it safe to create expression indexes that use these operators, since they will now not throw errors for any valid JSON input.
(9.4.0) Cause consecutive whitespace in to_timestamp()
and to_date()
format strings to consume a corresponding number of characters in the input string (whitespace or not), then conditionally consume adjacent whitespace, if not in FX mode (Jeevan Chalke)
Previously, consecutive whitespace characters in a non-FX format string behaved like a single whitespace character and consumed all adjacent whitespace in the input string. For example, previously a format string of three spaces would consume only the first space in ' 12', but it will now consume all three characters.
(9.4.0) Fix ts_rank_cd()
to ignore stripped lexemes (Alex Hill)
Previously, stripped lexemes were treated as if they had a default location, producing a rank of dubious usefulness.
(9.4.0) For functions declared to take VARIADIC "any", an actual parameter marked as VARIADIC must be of a determinable array type (Pavel Stehule)
Such parameters can no longer be written as an undecorated string literal or NULL; a cast to an appropriate array data type will now be required. Note that this does not affect parameters not marked VARIADIC.
(9.4.0) Ensure that whole-row variables expose the expected column names to functions that pay attention to column names within composite arguments (Tom Lane)
Constructs like row_to_json(tab.*) now always emit column names that match the column aliases visible for table tab at the point of the call. In previous releases the emitted column names would sometimes be the table's actual column names regardless of any aliases assigned in the query.
(9.4.0) DISCARD now also discards sequence-related state (FabrÃzio de Royes Mello, Robert Haas)
(9.4.0) Rename EXPLAIN ANALYZE's "total runtime" output to "execution time" (Tom Lane)
Now that planning time is also reported, the previous name was confusing.
(9.4.0) SHOW TIME ZONE now outputs simple numeric UTC offsets in POSIX timezone format (Tom Lane)
Previously, such timezone settings were displayed as interval values. The new output is properly interpreted by SET TIME ZONE when passed as a simple string, whereas the old output required special treatment to be re-parsed correctly.
(9.4.0) Foreign data wrappers that support updating foreign tables must consider the possible presence of AFTER ROW triggers (Noah Misch)
When an AFTER ROW trigger is present, all columns of the table must be returned by updating actions, since the trigger might inspect any or all of them. Previously, foreign tables never had triggers, so the FDW might optimize away fetching columns not mentioned in the RETURNING clause (if any).
(9.4.0) Prevent CHECK constraints from referencing system columns, except tableoid (Amit Kapila)
Previously such check constraints were allowed, but they would often cause errors during restores.
(9.4.0) Use the last specified recovery target parameter if multiple target parameters are specified (Heikki Linnakangas)
Previously, there was an undocumented precedence order among the recovery_target_xxx parameters.
(9.4.0) On Windows, automatically preserve quotes in command strings supplied by the user (Heikki Linnakangas)
User commands that did their own quote preservation might need adjustment. This is likely to be an issue for commands used in archive_command, restore_command, and COPY TO/FROM PROGRAM.
(9.4.0) Remove catalog column pg_class.reltoastidxid (Michael Paquier)
(9.4.0) Remove catalog column pg_rewrite.ev_attr (Kevin Grittner)
Per-column rules have not been supported since PostgreSQL 7.3.
(9.4.0) Remove native support for Kerberos authentication (--with-krb5, etc) (Magnus Hagander)
The supported way to use Kerberos authentication is with GSSAPI. The native code has been deprecated since PostgreSQL 8.3.
(9.4.0) In PL/Python, handle domains over arrays like the underlying array type (Rodolfo Campero)
Previously such values were treated as strings.
(9.4.0) Make libpq's PQconnectdbParams()
and PQpingParams()
functions process zero-length strings as defaults (Adrian Vondendriesch)
Previously, these functions treated zero-length string values as selecting the default in only some cases.
(9.4.0) Change empty arrays returned by the intarray module to be zero-dimensional arrays (Bruce Momjian)
Previously, empty arrays were returned as zero-length one-dimensional arrays, whose text representation looked the same as zero-dimensional arrays ({}), but they acted differently in array operations. intarray's behavior in this area now matches the built-in array operators.
(9.4.0) pg_upgrade now uses -U or --username to specify the user name (Bruce Momjian)
Previously this option was spelled -u or --user, but that was inconsistent with other tools.
Below you will find a detailed account of the changes between PostgreSQL 9.4 and the previous major release.
(9.4.0) Allow background worker processes to be dynamically registered, started and terminated (Robert Haas)
The new worker_spi module shows an example of use of this feature.
(9.4.0) Allow dynamic allocation of shared memory segments (Robert Haas, Amit Kapila)
This feature is illustrated in the test_shm_mq module.
(9.4.0) During crash recovery or immediate shutdown, send uncatchable termination signals (SIGKILL) to child processes that do not shut down promptly (MauMau, Ãlvaro Herrera)
This reduces the likelihood of leaving orphaned child processes behind after postmaster shutdown, as well as ensuring that crash recovery can proceed if some child processes have become "stuck".
(9.4.0) Improve randomness of the database system identifier (Tom Lane)
(9.4.0) Make VACUUM properly report dead but not-yet-removable rows to the statistics collector (Hari Babu)
Previously these were reported as live rows.
(9.4.0) Reduce GIN index size (Alexander Korotkov, Heikki Linnakangas)
Indexes upgraded via pg_upgrade will work fine but will still be in the old, larger GIN format. Use REINDEX to recreate old GIN indexes in the new format.
(9.4.0) Improve speed of multi-key GIN lookups (Alexander Korotkov, Heikki Linnakangas)
(9.4.0) Add GiST index support for inet and cidr data types (Emre Hasegeli)
Such indexes improve subnet and supernet lookups and ordering comparisons.
(9.4.0) Fix rare race condition in B-tree page deletion (Heikki Linnakangas)
(9.4.0) Make the handling of interrupted B-tree page splits more robust (Heikki Linnakangas)
(9.4.0) Allow multiple backends to insert into WAL buffers concurrently (Heikki Linnakangas)
This improves parallel write performance.
(9.4.0) Conditionally write only the modified portion of updated rows to WAL (Amit Kapila)
(9.4.0) Improve performance of aggregate functions used as window functions (David Rowley, Florian Pflug, Tom Lane)
(9.4.0) Improve speed of aggregates that use numeric state values (Hadi Moshayedi)
(9.4.0) Attempt to freeze tuples when tables are rewritten with CLUSTER or VACUUM FULL (Robert Haas, Andres Freund)
This can avoid the need to freeze the tuples in the future.
(9.4.0) Improve speed of COPY with default nextval()
columns (Simon Riggs)
(9.4.0) Improve speed of accessing many different sequences in the same session (David Rowley)
(9.4.0) Raise hard limit on the number of tuples held in memory during sorting and B-tree index builds (Noah Misch)
(9.4.0) Reduce memory allocated by PL/pgSQL DO blocks (Tom Lane)
(9.4.0) Make the planner more aggressive about extracting restriction clauses from mixed AND/OR clauses (Tom Lane)
(9.4.0) Disallow pushing volatile WHERE clauses down into DISTINCT subqueries (Tom Lane)
Pushing down a WHERE clause can produce a more efficient plan overall, but at the cost of evaluating the clause more often than is implied by the text of the query; so don't do it if the clause contains any volatile functions.
(9.4.0) Auto-resize the catalog caches (Heikki Linnakangas)
This reduces memory consumption for sessions accessing only a few tables, and improves performance for sessions accessing many tables.
(9.4.0) Add pg_stat_archiver system view to report WAL archiver activity (Gabriele Bartolini)
(9.4.0) Add n_mod_since_analyze columns to pg_stat_all_tables and related system views (Mark Kirkwood)
These columns expose the system's estimate of the number of changed tuples since the table's last ANALYZE. This estimate drives decisions about when to auto-analyze.
(9.4.0) Add backend_xid and backend_xmin columns to the system view pg_stat_activity, and a backend_xmin column to pg_stat_replication (Christian Kruse)
(9.4.0) Add support for SSL ECDH key exchange (Marko Kreen)
This allows use of Elliptic Curve keys for server authentication. Such keys are faster and have better security than RSA keys. The new configuration parameter ssl_ecdh_curve controls which curve is used for ECDH.
(9.4.0) Improve the default ssl_ciphers setting (Marko Kreen)
(9.4.0) By default, the server not the client now controls the preference order of SSL ciphers (Marko Kreen)
Previously, the order specified by ssl_ciphers was usually ignored in favor of client-side defaults, which are not configurable in most PostgreSQL clients. If desired, the old behavior can be restored via the new configuration parameter ssl_prefer_server_ciphers.
(9.4.0) Make log_connections show SSL encryption information (Andreas Kunert)
(9.4.0) Improve SSL renegotiation handling (Ãlvaro Herrera)
(9.4.0) Add new SQL command ALTER SYSTEM for changing postgresql.conf configuration file entries (Amit Kapila)
Previously such settings could only be changed by manually editing postgresql.conf.
(9.4.0) Add autovacuum_work_mem configuration parameter to control the amount of memory used by autovacuum workers (Peter Geoghegan)
(9.4.0) Add huge_pages parameter to allow using huge memory pages on Linux (Christian Kruse, Richard Poole, Abhijit Menon-Sen)
This can improve performance on large-memory systems.
(9.4.0) Add max_worker_processes parameter to limit the number of background workers (Robert Haas)
This is helpful in configuring a standby server to have the required number of worker processes (the same as the primary).
(9.4.0) Add superuser-only session_preload_libraries parameter to load libraries at session start (Peter Eisentraut)
In contrast to local_preload_libraries, this parameter can load any shared library, not just those in the $libdir/plugins directory.
(9.4.0) Add wal_log_hints parameter to enable WAL logging of hint-bit changes (Sawada Masahiko)
Hint bit changes are not normally logged, except when checksums are enabled. This is useful for external tools like pg_rewind.
(9.4.0) Increase the default settings of work_mem and maintenance_work_mem by four times (Bruce Momjian)
The new defaults are 4MB and 64MB respectively.
(9.4.0) Increase the default setting of effective_cache_size to 4GB (Bruce Momjian, Tom Lane)
(9.4.0) Allow printf
-style space padding to be specified in log_line_prefix (David Rowley)
(9.4.0) Allow terabyte units (TB) to be used when specifying configuration variable values (Simon Riggs)
(9.4.0) Show PIDs of lock holders and waiters and improve information about relations in log_lock_waits log messages (Christian Kruse)
(9.4.0) Reduce server logging level when loading shared libraries (Peter Geoghegan)
The previous level was LOG, which was too verbose for libraries loaded per-session.
(9.4.0) On Windows, make SQL_ASCII-encoded databases and server processes (e.g., postmaster) emit messages in the character encoding of the server's Windows user locale (Alexander Law, Noah Misch)
Previously these messages were output in the Windows ANSI code page.
(9.4.0) Add replication slots to coordinate activity on streaming standbys with the node they are streaming from (Andres Freund, Robert Haas)
Replication slots allow preservation of resources like WAL files on the primary until they are no longer needed by standby servers.
(9.4.0) Add recovery parameter recovery_min_apply_delay to delay replication (Robert Haas, FabrÃzio de Royes Mello, Simon Riggs)
Delaying replay on standby servers can be useful for recovering from user errors.
(9.4.0) Add recovery_target option immediate to stop WAL recovery as soon as a consistent state is reached (MauMau, Heikki Linnakangas)
(9.4.0) Improve recovery target processing (Heikki Linnakangas)
The timestamp reported by pg_last_xact_replay_timestamp()
now reflects already-committed records, not transactions about to be committed. Recovering to a restore point now replays the restore point, rather than stopping just before the restore point.
(9.4.0) pg_switch_xlog()
now clears any unused trailing space in the old WAL file (Heikki Linnakangas)
This improves the compression ratio for WAL files.
(9.4.0) Report failure return codes from external recovery commands (Peter Eisentraut)
(9.4.0) Reduce spinlock contention during WAL replay (Heikki Linnakangas)
(9.4.0) Write WAL records of running transactions more frequently (Andres Freund)
This allows standby servers to start faster and clean up resources more aggressively.
Logical decoding allows database changes to be streamed in a configurable format. The data is read from the WAL and transformed into the desired target format. To implement this feature, the following changes were made:
(9.4.0) Add support for logical decoding of WAL data, to allow database changes to be streamed out in a customizable format (Andres Freund)
(9.4.0) Add new wal_level setting logical to enable logical change-set encoding in WAL (Andres Freund)
(9.4.0) Add table-level parameter REPLICA IDENTITY to control logical replication (Andres Freund)
(9.4.0) Add relation option user_catalog_table to identify user-created tables involved in logical change-set encoding (Andres Freund)
(9.4.0) Add pg_recvlogical application to receive logical-decoding data (Andres Freund)
(9.4.0) Add test_decoding module to illustrate logical decoding at the SQL level (Andres Freund)
(9.4.0) Add WITH ORDINALITY syntax to number the rows returned from a set-returning function in the FROM clause (Andrew Gierth, David Fetter)
This is particularly useful for functions like unnest()
.
(9.4.0) Add ROWS FROM() syntax to allow horizontal concatenation of set-returning functions in the FROM clause (Andrew Gierth)
(9.4.0) Allow SELECT to have an empty target list (Tom Lane)
This was added so that views that select from a table with zero columns can be dumped and restored correctly.
(9.4.0) Ensure that SELECT ... FOR UPDATE NOWAIT does not wait in corner cases involving already-concurrently-updated tuples (Craig Ringer and Thomas Munro)
(9.4.0) Add DISCARD SEQUENCES command to discard cached sequence-related state (FabrÃzio de Royes Mello, Robert Haas)
DISCARD ALL will now also discard such information.
(9.4.0) Add FORCE NULL option to COPY FROM, which causes quoted strings matching the specified null string to be converted to NULLs in CSV mode (Ian Barwick, Michael Paquier)
Without this option, only unquoted matching strings will be imported as null values.
(9.4.0) Issue warnings for commands used outside of transaction blocks when they can have no effect (Bruce Momjian)
New warnings are issued for SET LOCAL, SET CONSTRAINTS, SET TRANSACTION and ABORT when used outside a transaction block.
(9.4.0) Make EXPLAIN ANALYZE show planning time (Andreas Karlsson)
(9.4.0) Make EXPLAIN show the grouping columns in Agg and Group nodes (Tom Lane)
(9.4.0) Make EXPLAIN ANALYZE show exact and lossy block counts in bitmap heap scans (Etsuro Fujita)
(9.4.0) Allow a materialized view to be refreshed without blocking other sessions from reading the view meanwhile (Kevin Grittner)
This is done with REFRESH MATERIALIZED VIEW CONCURRENTLY.
(9.4.0) Allow views to be automatically updated even if they contain some non-updatable columns (Dean Rasheed)
Previously the presence of non-updatable output columns such as expressions, literals, and function calls prevented automatic updates. Now INSERTs, UPDATEs and DELETEs are supported, provided that they do not attempt to assign new values to any of the non-updatable columns.
(9.4.0) Allow control over whether INSERTs and UPDATEs can add rows to an auto-updatable view that would not appear in the view (Dean Rasheed)
This is controlled with the new CREATE VIEW clause WITH CHECK OPTION.
(9.4.0) Allow security barrier views to be automatically updatable (Dean Rasheed)
(9.4.0) Support triggers on foreign tables (Ronan Dunklau)
(9.4.0) Allow moving groups of objects from one tablespace to another using the ALL IN TABLESPACE ... SET TABLESPACE form of ALTER TABLE, ALTER INDEX, or ALTER MATERIALIZED VIEW (Stephen Frost)
(9.4.0) Allow changing foreign key constraint deferrability via ALTER TABLE ... ALTER CONSTRAINT (Simon Riggs)
(9.4.0) Reduce lock strength for some ALTER TABLE commands (Simon Riggs, Noah Misch, Robert Haas)
Specifically, VALIDATE CONSTRAINT, CLUSTER ON, SET WITHOUT CLUSTER, ALTER COLUMN SET STATISTICS, ALTER COLUMN SET (attribute_option), ALTER COLUMN RESET (attribute_option) no longer require ACCESS EXCLUSIVE locks.
(9.4.0) Allow tablespace options to be set in CREATE TABLESPACE (Vik Fearing)
Formerly these options could only be set via ALTER TABLESPACE.
(9.4.0) Allow CREATE AGGREGATE to define the estimated size of the aggregate's transition state data (Hadi Moshayedi)
Proper use of this feature allows the planner to better estimate how much memory will be used by aggregates.
(9.4.0) Fix DROP IF EXISTS to avoid errors for non-existent objects in more cases (Pavel Stehule, Dean Rasheed)
(9.4.0) Improve how system relations are identified (Andres Freund, Robert Haas)
Previously, relations once moved into the pg_catalog schema could no longer be modified or dropped.
(9.4.0) Fully implement the line data type (Peter Eisentraut)
The line segment data type (lseg) has always been fully supported. The previous line data type (which was enabled only via a compile-time option) is not binary or dump-compatible with the new implementation.
(9.4.0) Add pg_lsn data type to represent a WAL log sequence number (LSN) (Robert Haas, Michael Paquier)
(9.4.0) Allow single-point polygons to be converted to circles (Bruce Momjian)
(9.4.0) Support time zone abbreviations that change UTC offset from time to time (Tom Lane)
Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
(9.4.0) Allow 5+ digit years for non-ISO timestamp and date strings, where appropriate (Bruce Momjian)
(9.4.0) Add checks for overflow/underflow of interval values (Bruce Momjian)
(9.4.0) Add jsonb, a more capable and efficient data type for storing JSON data (Oleg Bartunov, Teodor Sigaev, Alexander Korotkov, Peter Geoghegan, Andrew Dunstan)
This new type allows faster access to values within a JSON document, and faster and more useful indexing of JSON columns. Scalar values in jsonb documents are stored as appropriate scalar SQL types, and the JSON document structure is pre-parsed rather than being stored as text as in the original json data type.
(9.4.0) Add new JSON functions to allow for the construction of arbitrarily complex JSON trees (Andrew Dunstan, Laurence Rowe)
New functions include json_array_elements_text()
, json_build_array()
, json_object()
, json_object_agg()
, json_to_record()
, and json_to_recordset()
.
(9.4.0) Add json_typeof()
to return the data type of a json value (Andrew Tipton)
(9.4.0) Add pg_sleep_for(interval)
and pg_sleep_until(timestamp)
to specify delays more flexibly (Vik Fearing, Julien Rouhaud)
The existing pg_sleep()
function only supports delays specified in seconds.
(9.4.0) Add cardinality()
function for arrays (Marko Tiikkaja)
This returns the total number of elements in the array, or zero for an array with no elements.
(9.4.0) Add SQL functions to allow large object reads/writes at arbitrary offsets (Pavel Stehule)
(9.4.0) Allow unnest()
to take multiple arguments, which are individually unnested then horizontally concatenated (Andrew Gierth)
(9.4.0) Add functions to construct times, dates, timestamps, timestamptzs, and intervals from individual values, rather than strings (Pavel Stehule)
These functions' names are prefixed with make_, e.g. make_date()
.
(9.4.0) Make to_char()
's TZ format specifier return a useful value for simple numeric time zone offsets (Tom Lane)
Previously, to_char (CURRENT_TIMESTAMP, 'TZ') returned an empty string if the timezone was set to a constant like -4.
(9.4.0) Add timezone offset format specifier OF to to_char()
(Bruce Momjian)
(9.4.0) Improve the random seed used for random()
(Honza Horak)
(9.4.0) Tighten validity checking for Unicode code points in chr(int)
(Tom Lane)
This function now only accepts values that are valid UTF8 characters according to RFC 3629.
(9.4.0) Add functions for looking up objects in pg_class, pg_proc, pg_type, and pg_operator that do not generate errors for non-existent objects (Yugo Nagata, Nozomi Anzai, Robert Haas)
For example, to_regclass()
does a lookup in pg_class similarly to the regclass input function, but it returns NULL for a non-existent object instead of failing.
(9.4.0) Add function pg_filenode_relation()
to allow for more efficient lookup of relation names from filenodes (Andres Freund)
(9.4.0) Add parameter_default column to information_schema.parameters view (Peter Eisentraut)
(9.4.0) Make information_schema.schemata show all accessible schemas (Peter Eisentraut)
Previously it only showed schemas owned by the current user.
(9.4.0) Add control over which rows are passed into aggregate functions via the FILTER clause (David Fetter)
(9.4.0) Support ordered-set (WITHIN GROUP) aggregates (Atri Sharma, Andrew Gierth, Tom Lane)
(9.4.0) Add standard ordered-set aggregates percentile_cont()
, percentile_disc()
, mode()
, rank()
, dense_rank()
, percent_rank()
, and cume_dist()
(Atri Sharma, Andrew Gierth)
(9.4.0) Support VARIADIC aggregate functions (Tom Lane)
(9.4.0) Allow polymorphic aggregates to have non-polymorphic state data types (Tom Lane)
This allows proper declaration in SQL of aggregates like the built-in aggregate array_agg()
.
(9.4.0) Add event trigger support to PL/Perl and PL/Tcl (Dimitri Fontaine)
(9.4.0) Convert numeric values to decimal in PL/Python (Szymon Guz, Ronan Dunklau)
Previously such values were converted to Python float values, risking loss of precision.
(9.4.0) Add ability to retrieve the current PL/pgSQL call stack using GET DIAGNOSTICS (Pavel Stehule, Stephen Frost)
(9.4.0) Add option print_strict_params to display the parameters passed to a query that violated a STRICT constraint (Marko Tiikkaja)
(9.4.0) Add variables plpgsql.extra_warnings and plpgsql.extra_errors to enable additional PL/pgSQL warnings and errors (Marko Tiikkaja, Petr Jelinek)
Currently only warnings/errors about shadowed variables are available.
(9.4.0) Make libpq's PQconndefaults()
function ignore invalid service files (Steve Singer, Bruce Momjian)
Previously it returned NULL if an incorrect service file was encountered.
(9.4.0) Accept TLS protocol versions beyond TLSv1 in libpq (Marko Kreen)
(9.4.0) Add createuser option -g to specify role membership (Christopher Browne)
(9.4.0) Add vacuumdb option --analyze-in-stages to analyze in stages of increasing granularity (Peter Eisentraut)
This allows minimal statistics to be created quickly.
(9.4.0) Make pg_resetxlog with option -n output current and potentially changed values (Rajeev Rastogi)
(9.4.0) Make initdb throw error for incorrect locale settings, rather than silently falling back to a default choice (Tom Lane)
(9.4.0) Make pg_ctl return exit code 4 for an inaccessible data directory (Amit Kapila, Bruce Momjian)
This behavior more closely matches the Linux Standard Base (LSB) Core Specification.
(9.4.0) On Windows, ensure that a non-absolute -D path specification is interpreted relative to pg_ctl's current directory (Kumar Rajeev Rastogi)
Previously it would be interpreted relative to whichever directory the underlying Windows service was started in.
(9.4.0) Allow sizeof()
in ECPG C array definitions (Michael Meskes)
(9.4.0) Make ECPG properly handle nesting of C-style comments in both C and SQL text (Michael Meskes)
(9.4.0) Suppress "No rows" output in psql expanded mode when the footer is disabled (Bruce Momjian)
(9.4.0) Allow Control-C to abort psql when it's hung at connection startup (Peter Eisentraut)
(9.4.0) Make psql's \db+ show tablespace options (Magnus Hagander)
(9.4.0) Make \do+ display the functions that implement the operators (Marko Tiikkaja)
(9.4.0) Make \d+ output an OID line only if an oid column exists in the table (Bruce Momjian)
Previously, the presence or absence of an oid column was always reported.
(9.4.0) Make \d show disabled system triggers (Bruce Momjian)
Previously, if you disabled all triggers, only user triggers would show as disabled.
(9.4.0) Fix \copy to no longer require a space between stdin and a semicolon (Etsuro Fujita)
(9.4.0) Output the row count at the end of \copy, just like COPY already did (Kumar Rajeev Rastogi)
(9.4.0) Fix \conninfo to display the server's IP address for connections using hostaddr (Fujii Masao)
Previously \conninfo could not display the server's IP address in such cases.
(9.4.0) Show the SSL protocol version in \conninfo (Marko Kreen)
(9.4.0) Add tab completion for \pset (Pavel Stehule)
(9.4.0) Allow \pset with no arguments to show all settings (Gilles Darold)
(9.4.0) Make \s display the name of the history file it wrote without converting it to an absolute path (Tom Lane)
The code previously attempted to convert a relative file name to an absolute path for display, but frequently got it wrong.
(9.4.0) Allow pg_restore options -I, -P, -T and -n to be specified multiple times (Heikki Linnakangas)
This allows multiple objects to be restored in one operation.
(9.4.0) Optionally add IF EXISTS clauses to the DROP commands emitted when removing old objects during a restore (Pavel Stehule)
This change prevents unnecessary errors when removing old objects. The new --if-exists option for pg_dump, pg_dumpall, and pg_restore is only available when --clean is also specified.
(9.4.0) Add pg_basebackup option --xlogdir to specify the pg_xlog directory location (Haribabu Kommi)
(9.4.0) Allow pg_basebackup to relocate tablespaces in the backup copy (Steeve Lennmark)
This is particularly useful for using pg_basebackup on the same machine as the primary.
(9.4.0) Allow network-stream base backups to be throttled (Antonin Houska)
This can be controlled with the pg_basebackup --max-rate parameter.
(9.4.0) Improve the way tuples are frozen to preserve forensic information (Robert Haas, Andres Freund)
This change removes the main objection to freezing tuples as soon as possible. Code that inspects tuple flag bits will need to be modified.
(9.4.0) No longer require function prototypes for functions marked with the PG_FUNCTION_INFO_V1
macro (Peter Eisentraut)
This change eliminates the need to write boilerplate prototypes. Note that the PG_FUNCTION_INFO_V1
macro must appear before the corresponding function definition to avoid compiler warnings.
(9.4.0) Remove SnapshotNow and HeapTupleSatisfiesNow()
(Robert Haas)
All existing uses have been switched to more appropriate snapshot types. Catalog scans now use MVCC snapshots.
(9.4.0) Add an API to allow memory allocations over one gigabyte (Noah Misch)
(9.4.0) Add psprintf()
to simplify memory allocation during string composition (Peter Eisentraut, Tom Lane)
(9.4.0) Support printf()
size modifier z to print size_t values (Andres Freund)
(9.4.0) Change API of appendStringInfoVA()
to better use vsnprintf()
(David Rowley, Tom Lane)
(9.4.0) Allow new types of external toast datums to be created (Andres Freund)
(9.4.0) Add single-reader, single-writer, lightweight shared message queue (Robert Haas)
(9.4.0) Improve spinlock speed on x86_64 CPUs (Heikki Linnakangas)
(9.4.0) Remove spinlock support for unsupported platforms SINIX, Sun3, and NS32K (Robert Haas)
(9.4.0) Remove IRIX port (Robert Haas)
(9.4.0) Reduce the number of semaphores required by --disable-spinlocks builds (Robert Haas)
(9.4.0) Rewrite duplicate_oids Unix shell script in Perl (Andrew Dunstan)
(9.4.0) Add Test Anything Protocol (TAP) tests for client programs (Peter Eisentraut)
Currently, these tests are run by make check-world only if the --enable-tap-tests option was given to configure. This might become the default behavior in some future release.
(9.4.0) Add make targets check-tests and installcheck-tests, which allow selection of individual tests to be run (Andrew Dunstan)
(9.4.0) Remove maintainer-check makefile rule (Peter Eisentraut)
The default build rules now include all the formerly-optional tests.
(9.4.0) Improve support for VPATH builds of PGXS modules (Cédric Villemain, Andrew Dunstan, Peter Eisentraut)
(9.4.0) Upgrade to Autoconf 2.69 (Peter Eisentraut)
(9.4.0) Add a configure flag that appends custom text to the PG_VERSION string (Oskari Saarenmaa)
This is useful for packagers building custom binaries.
(9.4.0) Improve DocBook XML validity (Peter Eisentraut)
(9.4.0) Fix various minor security and sanity issues reported by the Coverity scanner (Stephen Frost)
(9.4.0) Improve detection of invalid memory usage when testing PostgreSQL with Valgrind (Noah Misch)
(9.4.0) Improve sample Emacs configuration file emacs.samples (Peter Eisentraut)
Also add .dir-locals.el to the top of the source tree.
(9.4.0) Allow pgindent to accept a command-line list of typedefs (Bruce Momjian)
(9.4.0) Make pgindent smarter about blank lines around preprocessor conditionals (Bruce Momjian)
(9.4.0) Avoid most uses of dlltool in Cygwin and Mingw builds (Marco Atzeri, Hiroshi Inoue)
(9.4.0) Support client-only installs in MSVC (Windows) builds (MauMau)
(9.4.0) Add pg_prewarm extension to preload relation data into the shared buffer cache at server start (Robert Haas)
This allows reaching full operating performance more quickly.
(9.4.0) Add UUID random number generator gen_random_uuid()
to pgcrypto (Oskari Saarenmaa)
This allows creation of version 4 UUIDs without requiring installation of uuid-ossp.
(9.4.0) Allow uuid-ossp to work with the BSD or e2fsprogs UUID libraries, not only the OSSP UUID library (Matteo Beccati)
This improves the uuid-ossp module's portability since it no longer has to have the increasingly-obsolete OSSP library. The module's name is now rather a misnomer, but we won't change it.
(9.4.0) Add option to auto_explain to include trigger execution time (Horiguchi Kyotaro)
(9.4.0) Fix pgstattuple to not report rows from uncommitted transactions as dead (Robert Haas)
(9.4.0) Make pgstattuple functions use regclass-type arguments (Satoshi Nagayasu)
While text-type arguments are still supported, they may be removed in a future major release.
(9.4.0) Improve consistency of pgrowlocks output to honor snapshot rules more consistently (Robert Haas)
(9.4.0) Improve pg_trgm's choice of trigrams for indexed regular expression searches (Alexander Korotkov)
This change discourages use of trigrams containing whitespace, which are usually less selective.
(9.4.0) Allow pg_xlogdump to report a live log stream with --follow (Heikki Linnakangas)
(9.4.0) Store cube data more compactly (Stas Kelvich)
Existing data must be dumped/restored to use the new format. The old format can still be read.
(9.4.0) Reduce vacuumlo client-side memory usage by using a cursor (Andrew Dunstan)
(9.4.0) Dramatically reduce memory consumption in pg_upgrade (Bruce Momjian)
(9.4.0) Pass pg_upgrade's user name (-U) option to generated analyze scripts (Bruce Momjian)
(9.4.0) Remove line length limit for pgbench scripts (Sawada Masahiko)
The previous line limit was BUFSIZ.
(9.4.0) Add long option names to pgbench (Fabien Coelho)
(9.4.0) Add pgbench option --rate to control the transaction rate (Fabien Coelho)
(9.4.0) Add pgbench option --progress to print periodic progress reports (Fabien Coelho)
(9.4.0) Make pg_stat_statements use a file, rather than shared memory, for query text storage (Peter Geoghegan)
This removes the previous limitation on query text length, and allows a higher number of unique statements to be tracked by default.
(9.4.0) Allow reporting of pg_stat_statements's internal query hash identifier (Daniel Farina, Sameer Thakur, Peter Geoghegan)
(9.4.0) Add the ability to retrieve all pg_stat_statements information except the query text (Peter Geoghegan)
This allows monitoring tools to fetch query text only for just-created entries, improving performance during repeated querying of the statistics.
(9.4.0) Make pg_stat_statements ignore DEALLOCATE commands (Fabien Coelho)
It already ignored PREPARE, as well as planning time in general, so this seems more consistent.
(9.4.0) Save the statistics file into $PGDATA/pg_stat at server shutdown, rather than $PGDATA/global (Fujii Masao)
Release date: 2018-11-08
This release contains a variety of fixes from 9.3.24. For information about new features in the 9.3 major release, see Version 9.3.0.
This is expected to be the last PostgreSQL release in the 9.3.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.23, see Version 9.3.23.
(9.3.25) Fix corner-case failures in has_foo_privilege()
family of functions (Tom Lane)
Return NULL rather than throwing an error when an invalid object
OID is provided. Some of these functions got that right already,
but not all. has_column_privilege()
was additionally capable of crashing on some platforms.
(9.3.25) Avoid O (N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
(9.3.25) Avoid O (N^3) slowdown in lexer for long strings of + or - characters (Andrew Gierth)
(9.3.25) Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
(9.3.25) Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ... after rewinding the referenced cursor (Tom Lane)
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
(9.3.25) Fix EvalPlanQual
to handle
conditionally-executed InitPlans properly (Andrew Gierth, Tom
Lane)
This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT inside a CASE construct.
(9.3.25) Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well as contrib/ltree and contrib/pg_trgm.
(9.3.25) Ensure that sequences owned by a foreign table are processed by ALTER OWNER on the table (Peter Eisentraut)
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
(9.3.25) Fix over-allocation of space for array_out()
's result string (Keiichi Hirobe)
(9.3.25) Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
(9.3.25) Avoid crash if a utility command causes infinite recursion (Tom Lane)
(9.3.25) When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
(9.3.25) Randomize the random()
seed in
bootstrap and standalone backends, and in initdb (Noah Misch)
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
(9.3.25) Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
(9.3.25) Don't run atexit callbacks when servicing SIGQUIT (Heikki Linnakangas)
(9.3.25) Don't record foreign-server user mappings as members of extensions (Tom Lane)
If CREATE USER MAPPING is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.
(9.3.25) Make syslogger more robust against failures in opening CSV log files (Tom Lane)
(9.3.25) Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
(9.3.25) Ensure that pg_restore will schema-qualify the table name when emitting DISABLE/ENABLE TRIGGER commands (Tom Lane)
This avoids failures due to the new policy of running restores with restrictive search path.
(9.3.25) Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
(9.3.25) Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
(9.3.25) Enforce type cube's dimension limit in all contrib/cube functions (Andrey Borodin)
Previously, some cube-related functions could construct values
that would be rejected by cube_in()
,
leading to dump/reload failures.
(9.3.25) Fix contrib/unaccent's unaccent()
function to use the unaccent text search dictionary that is in the same
schema as the function (Tom Lane)
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
(9.3.25) Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add an -isysroot switch to CPPFLAGS; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT variable in the arguments of configure or make.
It is now recommended that Perl-related extensions write $(perl_includespec) rather than -I$(perl_archlibexp)/CORE in their compiler flags. The latter continues to work on most platforms, but not recent macOS.
Also, it should no longer be necessary to specify --with-tclconfig manually to get PL/Tcl to build on recent macOS releases.
(9.3.25) Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
(9.3.25) Support building on Windows with Visual Studio 2015 or Visual Studio 2017 (Michael Paquier, Haribabu Kommi)
(9.3.25) Allow btree comparison functions to return INT_MIN (Tom Lane)
Up to now, we've forbidden datatype-specific comparison
functions from returning INT_MIN, which
allows callers to invert the sort order just by negating the
comparison result. However, this was never safe for comparison
functions that directly return the result of memcmp()
, strcmp()
,
etc, as POSIX doesn't place any such restriction on those
functions. At least some recent versions of memcmp()
can return INT_MIN, causing incorrect sort ordering. Hence,
we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT() macro if they wish to invert
the sort order.
(9.3.25) Fix recursion hazard in shared-invalidation message processing (Tom Lane)
This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL.
This change adds a new result code for LockAcquire
, which might possibly affect external
callers of that function, though only very unusual usage patterns
would have an issue with it. The API of LockAcquireExtended
is also changed.
(9.3.25) Save and restore SPI's global variables during SPI_connect()
and SPI_finish()
(Chapman Flack, Tom Lane)
This prevents possible interference when one SPI-using function calls another.
(9.3.25) Provide ALLOCSET_DEFAULT_SIZES and sibling macros in back branches (Tom Lane)
These macros have existed since 9.6, but there were requests to add them to older branches to allow extensions to rely on them without branch-specific coding.
(9.3.25) Avoid using potentially-under-aligned page buffers (Tom Lane)
Invent new union types PGAlignedBlock and PGAlignedXLogBlock, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.
(9.3.25) Make src/port/snprintf.c follow the
C99 standard's definition of snprintf()
's result value (Tom Lane)
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
(9.3.25) When building on i386 with the clang compiler, require -msse2 to be used (Andres Freund)
This avoids problems with missed floating point overflow checks.
(9.3.25) Fix configure's detection of
the result type of strerror_r()
(Tom
Lane)
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
(9.3.25) Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
Release date: 2018-08-09
This release contains a variety of fixes from 9.3.23. For information about new features in the 9.3 major release, see Version 9.3.0.
The PostgreSQL community will stop releasing updates for the 9.3.X release series shortly after September 2018. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.23, see Version 9.3.23.
(9.3.24) Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. CVE-2018-10915 or CVE-2018-10915)
(9.3.24) Ensure that updates to the relfrozenxid and relminmxid values for "nailed" system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.
(9.3.24) Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Ãlvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
(9.3.24) Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
(9.3.24) Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
(9.3.24) Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
(9.3.24) Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
(9.3.24) Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
(9.3.24) Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)
(9.3.24) Fix failure to schema-qualify some object names in getObjectDescription
output (Kyotaro Horiguchi,
Tom Lane)
Names of collations, conversions, and text search objects were not schema-qualified when they should be.
(9.3.24) Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
(9.3.24) Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free
call for a given chunk of memory is not made
from the same DLL that malloc
'ed the
memory. The pgtypes library sometimes
returns strings that it expects the caller to free, making it
impossible to follow this rule. Add a PGTYPESchar_free()
function that just wraps
free
, allowing applications to follow
this rule.
(9.3.24) Fix ecpg's support for
long long variables on Windows, as well as
other platforms that declare strtoll
/strtoull
nonstandardly or not at all (Dang Minh Huong, Tom Lane)
(9.3.24) Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.
(9.3.24) Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)
(9.3.24) Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
(9.3.24) Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
(9.3.24) Fix crash in contrib/ltree's
lca()
function when the input array
is empty (Pierre Ducroquet)
(9.3.24) Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
(9.3.24) Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
(9.3.24) Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of "daylight savings" in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.
Release date: 2018-05-10
This release contains a variety of fixes from 9.3.22. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if the function marking mistakes mentioned in the first changelog entry below affect you, you will want to take steps to correct your database catalogs.
Also, if you are upgrading from a version earlier than 9.3.22, see Version 9.3.22.
(9.3.23) Fix incorrect volatility markings on a few built-in functions (Thomas Munro, Tom Lane)
The functions query_to_xml
,
cursor_to_xml
, cursor_to_xmlschema
, query_to_xmlschema
, and query_to_xml_and_xmlschema
should be marked
volatile because they execute user-supplied queries that might
contain volatile operations. They were not, leading to a risk of
incorrect query optimization. This has been repaired for new
installations by correcting the initial catalog data, but existing
installations will continue to contain the incorrect markings.
Practical use of these functions seems to pose little hazard, but
in case of trouble, it can be fixed by manually updating these
functions' pg_proc entries, for example
ALTER FUNCTION pg_catalog.query_to_xml(text,
boolean, boolean, text) VOLATILE. (Note that that will need to
be done in each database of the installation.) Another option is to
pg_upgrade the database to a
version containing the corrected initial data.
(9.3.23) Avoid re-using TOAST value OIDs that match dead-but-not-yet-vacuumed TOAST entries (Pavan Deolasee)
Once the OID counter has wrapped around, it's possible to assign a TOAST value whose OID matches a previously deleted entry in the same TOAST table. If that entry were not yet vacuumed away, this resulted in "unexpected chunk number 0 (expected 1) for toast value nnnnn" errors, which would persist until the dead entry was removed by VACUUM. Fix by not selecting such OIDs when creating a new TOAST entry.
(9.3.23) Change ANALYZE's algorithm for updating pg_class.reltuples (David Gould)
Previously, pages not actually scanned by ANALYZE were assumed to retain their old tuple density. In a large table where ANALYZE samples only a small fraction of the pages, this meant that the overall tuple density estimate could not change very much, so that reltuples would change nearly proportionally to changes in the table's physical size (relpages) regardless of what was actually happening in the table. This has been observed to result in reltuples becoming so much larger than reality as to effectively shut off autovacuuming. To fix, assume that ANALYZE's sample is a statistically unbiased sample of the table (as it should be), and just extrapolate the density observed within those pages to the whole table.
(9.3.23) Fix UPDATE/DELETE ... WHERE CURRENT OF to not fail when the referenced cursor uses an index-only-scan plan (Yugo Nagata, Tom Lane)
(9.3.23) Fix incorrect planning of join clauses pushed into parameterized paths (Andrew Gierth, Tom Lane)
This error could result in misclassifying a condition as a "join filter" for an outer join when it should be a plain "filter" condition, leading to incorrect join output.
(9.3.23) Fix misoptimization of CHECK constraints having provably-NULL subclauses of top-level AND/OR conditions (Tom Lane, Dean Rasheed)
This could, for example, allow constraint exclusion to exclude a child table that should not be excluded from a query.
(9.3.23) Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction (Stas Kelvich)
(9.3.23) Fix query-lifespan memory leakage in repeatedly executed hash joins (Tom Lane)
(9.3.23) Fix overly strict sanity check in heap_prepare_freeze_tuple
(Ãlvaro Herrera)
This could result in incorrect "cannot freeze committed xmax" failures in databases that have been pg_upgrade'd from 9.2 or earlier.
(9.3.23) Prevent dangling-pointer dereference when a C-coded before-update row trigger returns the "old" tuple (Rushabh Lathia)
(9.3.23) Reduce locking during autovacuum worker scheduling (Jeff Janes)
The previous behavior caused drastic loss of potential worker concurrency in databases with many tables.
(9.3.23) Ensure client hostname is copied while copying pg_stat_activity data to local memory (Edmund Horner)
Previously the supposedly-local snapshot contained a pointer into shared memory, allowing the client hostname column to change unexpectedly if any existing session disconnected.
(9.3.23) Fix incorrect processing of multiple compound affixes in ispell dictionaries (Arthur Zakirov)
(9.3.23) Fix collation-aware searches (that is, indexscans using inequality operators) in SP-GiST indexes on text columns (Tom Lane)
Such searches would return the wrong set of rows in most non-C locales.
(9.3.23) Count the number of index tuples correctly during initial build of an SP-GiST index (Tomas Vondra)
Previously, the tuple count was reported to be the same as that of the underlying table, which is wrong if the index is partial.
(9.3.23) Count the number of index tuples correctly during vacuuming of a GiST index (Andrey Borodin)
Previously it reported the estimated number of heap tuples, which might be inaccurate, and is certainly wrong if the index is partial.
(9.3.23) Allow scalarltsel
and scalargtsel
to be used on non-core datatypes
(Tomas Vondra)
(9.3.23) Reduce libpq's memory consumption when a server error is reported after a large amount of query output has been collected (Tom Lane)
Discard the previous output before, not after, processing the error message. On some platforms, notably Linux, this can make a difference in the application's subsequent memory footprint.
(9.3.23) Fix double-free crashes in ecpg (Patrick Krecker, Jeevan Ladhe)
(9.3.23) Fix ecpg to handle long long int variables correctly in MSVC builds (Michael Meskes, Andrew Gierth)
(9.3.23) Fix mis-quoting of values for list-valued GUC variables in dumps (Michael Paquier, Tom Lane)
The local_preload_libraries, session_preload_libraries, shared_preload_libraries, and temp_tablespaces variables were not correctly quoted in pg_dump output. This would cause problems if settings for these variables appeared in CREATE FUNCTION ... SET or ALTER DATABASE/ROLE ... SET clauses.
(9.3.23) Fix overflow handling in PL/pgSQL integer FOR loops (Tom Lane)
The previous coding failed to detect overflow of the loop variable on some non-gcc compilers, leading to an infinite loop.
(9.3.23) Adjust PL/Python regression tests to pass under Python 3.7 (Peter Eisentraut)
(9.3.23) Support testing PL/Python and related modules when building with Python 3 and MSVC (Andrew Dunstan)
(9.3.23) Rename internal b64_encode
and
b64_decode
functions to avoid
conflict with Solaris 11.4 built-in functions (Rainer Orth)
(9.3.23) Sync our copy of the timezone library with IANA tzcode release 2018e (Tom Lane)
This fixes the zic timezone data compiler to cope with negative daylight-savings offsets. While the PostgreSQL project will not immediately ship such timezone data, zic might be used with timezone data obtained directly from IANA, so it seems prudent to update zic now.
(9.3.23) Update time zone data files to tzdata release 2018d for DST law changes in Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.
Release date: 2018-03-01
This release contains a variety of fixes from 9.3.21. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 9.3.18, see Version 9.3.18.
(9.3.22) Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. Relevant documentation appears in Section 5.7.6 (for database administrators and users), Section 31.1 (for application authors), Section 35.15.1 (for extension authors), and CREATE FUNCTION (for authors of SECURITY DEFINER functions). CVE-2018-1058 or CVE-2018-1058)
(9.3.22) Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly executed by these programs — for example, user-provided functions in index expressions — the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. CVE-2018-1058 or CVE-2018-1058)
(9.3.22) Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
If a CTE (WITH clause reference) is used in an InitPlan or SubPlan, and the query requires a recheck due to trying to update or lock a concurrently-updated row, incorrect results could be obtained.
(9.3.22) Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to "left and right pathkeys do not match in mergejoin" or "outer pathkeys do not match mergeclauses" planner errors in corner cases.
(9.3.22) Repair pg_upgrade's failure to preserve relfrozenxid for materialized views (Tom Lane, Andres Freund)
This oversight could lead to data corruption in materialized views after an upgrade, manifesting as "could not access status of transaction" or "found xmin from before relfrozenxid" errors. The problem would be more likely to occur in seldom-refreshed materialized views, or ones that were maintained only with REFRESH MATERIALIZED VIEW CONCURRENTLY.
If such corruption is observed, it can be repaired by refreshing the materialized view (without CONCURRENTLY).
(9.3.22) Fix incorrect reporting of PL/Python function names in error CONTEXT stacks (Tom Lane)
An error occurring within a nested PL/Python function call (that is, one reached via a SPI query from another PL/Python function) would result in a stack trace showing the inner function's name twice, rather than the expected results. Also, an error in a nested PL/Python DO block could result in a null pointer dereference crash on some platforms.
(9.3.22) Allow contrib/auto_explain's log_min_duration setting to range up to INT_MAX, or about 24 days instead of 35 minutes (Tom Lane)
Release date: 2018-02-08
This release contains a variety of fixes from 9.3.20. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.18, see Version 9.3.18.
(9.3.21) Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)
pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. CVE-2018-1053 or CVE-2018-1053)
(9.3.21) Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Ãlvaro Herrera)
In some cases VACUUM would fail to remove such tuples even though they are now dead, leading to assorted data corruption scenarios.
(9.3.21) Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)
These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.
(9.3.21) Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT (Tom Lane)
(9.3.21) Repair failure with correlated sub-SELECT inside VALUES inside a LATERAL subquery (Tom Lane)
(9.3.21) Fix "could not devise a query plan for the given query" planner failure for some cases involving nested UNION ALL inside a lateral subquery (Tom Lane)
(9.3.21) Fix has_sequence_privilege()
to
support WITH GRANT OPTION tests, as other
privilege-testing functions do (Joe Conway)
(9.3.21) In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)
We always store XML strings in the database encoding, so
allowing libxml to act on a declaration of another encoding gave
wrong results. In encodings other than UTF8, we don't promise to
support non-ASCII XML data anyway, so retain the previous behavior
for bug compatibility. This change affects only xpath()
and related functions; other XML code
paths already acted this way.
(9.3.21) Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)
Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.
(9.3.21) Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION/INTERSECT/EXCEPT) (Tom Lane)
(9.3.21) Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf (Thomas Munro)
(9.3.21) Fix sample INSTR()
functions in
the PL/pgSQL documentation (Yugo Nagata, Tom Lane)
These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.
The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.
(9.3.21) Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)
The "tag" portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.
Note that this change has user-visible results in the output of pg_restore --list.
(9.3.21) In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)
(9.3.21) Avoid triggering a libc assertion in contrib/hstore, due to use of memcpy()
with equal source and destination
pointers (Tomas Vondra)
(9.3.21) Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)
The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.
(9.3.21) Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)
(9.3.21) Support linking to MinGW-built versions of libperl (Noah Misch)
This allows building PL/Perl with some common Perl distributions for Windows.
(9.3.21) Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T (Noah Misch)
Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.
(9.3.21) On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)
This may allow collection of a core dump for some early-startup failures that did not produce a dump before.
(9.3.21) On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)
(9.3.21) Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)
(9.3.21,9.6.7,9.5.11,9.4.16) Add support for spinlocks on Motorola 88K (David Carlier)
(9.3.21) Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for America/Los_Angeles anyway).
Release date: 2017-11-09
This release contains a variety of fixes from 9.3.19. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.18, see Version 9.3.18.
(9.3.20) Fix crash due to rowtype mismatch in json{b}_populate_recordset()
(Michael Paquier,
Tom Lane)
These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. CVE-2017-15098 or CVE-2017-15098)
(9.3.20,9.2.24) Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. CVE-2017-12172 or CVE-2017-12172)
(9.3.20,9.2.24) Properly reject attempts to convert infinite float values to type numeric (Tom Lane, KaiGai Kohei)
Previously the behavior was platform-dependent.
(9.3.20,9.2.24) Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
(9.3.20,9.2.24) Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.
(9.3.20,9.2.24) Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
(9.3.20,9.2.24) Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
(9.3.20,9.2.24) Prevent low-probability crash in processing of nested trigger firings (Tom Lane)
(9.3.20,9.2.24) Correctly restore the umask setting when file creation fails in
COPY or lo_export()
(Peter Eisentraut)
(9.3.20,9.2.24) Give a better error message for duplicate column names in ANALYZE (Nathan Bossart)
(9.3.20) Fix mis-parsing of the last line in a non-newline-terminated pg_hba.conf file (Tom Lane)
(9.3.20,9.2.24) Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.
(9.3.20,9.2.24) Fix libpq to guard against integer overflow in the row count of a PGresult (Michael Paquier)
(9.3.20) Fix ecpg's handling of out-of-scope cursor declarations with pointer or array variables (Michael Meskes)
(9.3.20) Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
(9.3.20,9.2.24) Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane)
This fixes various issues; the only one likely to be user-visible is that the default DST rules for a POSIX-style zone name, if no posixrules file exists in the timezone data directory, now match current US law rather than what it was a dozen years ago.
(9.3.20,9.2.24) Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
Release date: 2017-08-31
This release contains a small number of fixes from 9.3.18. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.18, see Version 9.3.18.
(9.3.19,9.2.23) Show foreign tables in information_schema.table_privileges view (Peter Eisentraut)
All other relevant information_schema views include foreign tables, but this one ignored them.
Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:
SET search_path TO information_schema; CREATE OR REPLACE VIEW table_privileges AS SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor, CAST(grantee.rolname AS sql_identifier) AS grantee, CAST(current_database() AS sql_identifier) AS table_catalog, CAST(nc.nspname AS sql_identifier) AS table_schema, CAST(c.relname AS sql_identifier) AS table_name, CAST(c.prtype AS character_data) AS privilege_type, CAST( CASE WHEN -- object owner always has grant options pg_has_role(grantee.oid, c.relowner, 'USAGE') OR c.grantable THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable, CAST (CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy FROM ( SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable), pg_namespace nc, pg_authid u_grantor, ( SELECT oid, rolname FROM pg_authid UNION ALL SELECT 0::oid, 'PUBLIC' ) AS grantee (oid, rolname) WHERE c.relnamespace = nc.oid AND c.relkind IN ('r', 'v', 'f') AND c.grantee = grantee.oid AND c.grantor = u_grantor.oid AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER') AND (pg_has_role(u_grantor.oid, 'USAGE') OR pg_has_role(grantee.oid, 'USAGE') OR grantee.rolname = 'PUBLIC');
This must be repeated in each database to be fixed, including template0.
(9.3.19,9.2.23) Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction (Tom Lane)
This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about "cannot drop active portal".
(9.3.19,9.2.23) Remove assertion that could trigger during a fatal exit (Tom Lane)
(9.3.19,9.2.23) Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)
Certain ALTER commands that change the definition of a composite type or domain type are supposed to fail if there are any stored values of that type in the database, because they lack the infrastructure needed to update or check such values. Previously, these checks could miss relevant values that are wrapped inside range types or sub-domains, possibly allowing the database to become inconsistent.
(9.3.19) Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore (FabrÃzio de Royes Mello)
(9.3.19,9.2.23) Change ecpg's parser to allow RETURNING clauses without attached C variables (Michael Meskes)
This allows ecpg programs to contain SQL constructs that use RETURNING internally (for example, inside a CTE) rather than using it to define values to be returned to the client.
(9.3.19,9.2.23) Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)
This fix avoids possible crashes of PL/Perl due to inconsistent assumptions about the width of time_t values. A side-effect that may be visible to extension developers is that _USE_32BIT_TIME_T is no longer defined globally in PostgreSQL Windows builds. This is not expected to cause problems, because type time_t is not used in any PostgreSQL API definitions.
Release date: 2017-08-10
This release contains a variety of fixes from 9.3.17. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.3.16, see Version 9.3.16.
(9.3.18,9.2.22) Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)
The fix forCVE-2017-7486 or CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. CVE-2017-7547 or CVE-2017-7547)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog; CREATE OR REPLACE VIEW pg_user_mappings AS SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser, CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename, CASE WHEN (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role (S.srvowner, 'USAGE') OR has_server_privilege (S.oid, 'USAGE'))) OR (U.umuser = 0 AND pg_has_role (S.srvowner, 'USAGE')) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) THEN U.umoptions ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.
(9.3.18,9.2.22) Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. CVE-2017-7546 or CVE-2017-7546)
(9.3.18) Fix concurrent locking of tuple update chains (Ãlvaro Herrera)
If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.
(9.3.18) Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)
(9.3.18,9.2.22) On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)
This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.
(9.3.18,9.2.22) Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)
(9.3.18,9.2.22) Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)
(9.3.18,9.2.22) Prevent sending SSL session tickets to clients (Tom Lane)
This fix prevents reconnection failures with ticket-aware client-side SSL code.
(9.3.18,9.2.22) Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)
(9.3.18,9.2.22) Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)
Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.
(9.3.18,9.2.22) Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)
This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.
(9.3.18,9.2.22) Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund)
(9.3.18,9.2.22) Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)
(9.3.18,9.2.22) Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)
(9.3.18,9.2.22) Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane)
(9.3.18) Allow window functions to be used in sub-SELECTs that are within the arguments of an aggregate function (Tom Lane)
(9.3.18,9.2.22) Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing)
Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations.
(9.3.18,9.2.22) Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut)
(9.3.18,9.2.22) Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas)
CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind.
(9.3.18,9.2.22) Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)
(9.3.18,9.2.22) Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane)
(9.3.18,9.2.22) Tighten checks for whitespace in functions that parse
identifiers, such as regprocedurein()
(Tom Lane)
Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.
(9.3.18,9.2.22) Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane)
This avoids portability problems, typically manifesting as a "handshake" mismatch during library load, when working with recent Perl versions.
(9.3.18) In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)
Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.
(9.3.18,9.2.22) In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro)
This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.
(9.3.18) Fix pg_dump and pg_restore to emit REFRESH MATERIALIZED VIEW commands last (Tom Lane)
This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.
(9.3.18) Fix pg_dump with the --clean option to drop event triggers as expected (Tom Lane)
It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.
(9.3.18,9.2.22) Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)
(9.3.18,9.2.22) Fix pg_dump output to stdout on Windows (Kuntal Ghosh)
A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.3.18,9.2.22) Fix pg_get_ruledef()
to print
correct output for the ON SELECT rule of a
view whose columns have been renamed (Tom Lane)
In some corner cases, pg_dump
relies on pg_get_ruledef()
to dump
views, so that this error could result in dump/reload failures.
(9.3.18) Fix dumping of outer joins with empty constraints, such as the result of a NATURAL LEFT JOIN with no common columns (Tom Lane)
(9.3.18,9.2.22) Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane)
(9.3.18,9.2.22) Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)
A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.3.18,9.2.22) Fix pg_upgrade to ensure that the ending WAL record does not have wal_level = minimum (Bruce Momjian)
This condition could prevent upgraded standby servers from reconnecting.
(9.3.18) In postgres_fdw, re-establish connections to remote servers after ALTER SERVER or ALTER USER MAPPING commands (Kyotaro Horiguchi)
This ensures that option changes affecting connection parameters will be applied promptly.
(9.3.18) In postgres_fdw, allow cancellation of remote transaction control commands (Robert Haas, Rafia Sabih)
This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.
(9.3.18,9.2.22) Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane)
This supports larger extension libraries on platforms where it makes a difference.
(9.3.18,9.2.22) Fix unescaped-braces issue in our build scripts for Microsoft MSVC, to avoid a warning or error from recent Perl versions (Andrew Dunstan)
(9.3.18,9.2.22) In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan)
(9.3.18,9.2.22) In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)
This fixes a former need to move things around in standard Windows installations of libxml2.
(9.3.18,9.2.22) In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch)
Release date: 2017-05-11
This release contains a variety of fixes from 9.3.16. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.3.16, see Version 9.3.16.
(9.3.17) Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. CVE-2017-7486 or CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry forCVE-2017-7547 or CVE-2017-7547, in Version 9.3.18.
(9.3.17,9.2.21) Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. CVE-2017-7484 or CVE-2017-7484)
(9.3.17) Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Processing of this environment variable was unintentionally dropped in PostgreSQL 9.3, but its documentation remained. This creates a security hazard, since users might be relying on the environment variable to force SSL-encrypted connections, but that would no longer be guaranteed. Restore handling of the variable, but give it lower priority than PGSSLMODE, to avoid breaking configurations that work correctly with post-9.3 code. CVE-2017-7485 or CVE-2017-7485)
(9.3.17,9.2.21) Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
(9.3.17,9.2.21) Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)
In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.
(9.3.17,9.2.21) Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.
(9.3.17,9.2.21) Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)
The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.
(9.3.17,9.2.21) Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)
This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.
(9.3.17,9.2.21) Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.
(9.3.17,9.2.21) Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
(9.3.17,9.2.21) Fix cursor_to_xml()
to produce
valid output with tableforest =
false (Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping <table> element.
(9.3.17,9.2.21) Improve performance of pg_timezone_names view (Tom Lane, David Rowley)
(9.3.17,9.2.21) Fix sloppy handling of corner-case errors from lseek()
and close()
(Tom Lane)
Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.
(9.3.17,9.2.21) Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
(9.3.17,9.2.21) Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)
(9.3.17,9.2.21) Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
(9.3.17,9.2.21) In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
(9.3.17,9.2.21) Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.
(9.3.17,9.2.21) Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
(9.3.17,9.2.21) Improve error handling in contrib/adminpack's pg_file_write()
function (Noah Misch)
Notably, it failed to detect errors reported by fclose()
.
(9.3.17,9.2.21) In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)
(9.3.17) Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)
In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.
(9.3.17) In contrib/postgres_fdw, transmit query cancellation requests to the remote server (Michael Paquier, Etsuro Fujita)
Previously, a local query cancellation request did not cause an already-sent remote query to terminate early. This is a back-patch of work originally done for 9.6.
(9.3.17,9.2.21) Support OpenSSL 1.1.0 (Heikki Linnakangas, Andreas Karlsson, Tom Lane)
This is a back-patch of work previously done in newer branches; it's needed since many platforms are adopting newer OpenSSL versions.
(9.3.17,9.6.3,9.5.7,9.4.12,9.2.21) Support Tcl 8.6 in MSVC builds (Ãlvaro Herrera)
(9.3.17,9.2.21) Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
(9.3.17,9.2.21) Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
(9.3.17,9.2.21) Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.
Release date: 2017-02-09
This release contains a variety of fixes from 9.3.15. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted indexes.
Also, if you are upgrading from a version earlier than 9.3.15, see Version 9.3.15.
(9.3.16,9.2.20) Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)
If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.
(9.3.16,9.2.20) Unconditionally WAL-log creation of the "init fork" for an unlogged table (Michael Paquier)
Previously, this was skipped when wal_level = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash.
(9.3.16,9.2.20) If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)
(9.3.16) Ensure that hot standby feedback works correctly when it's enabled at standby server start (Ants Aasma, Craig Ringer)
(9.3.16,9.2.20) Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)
(9.3.16,9.2.20) Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)
This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.
(9.3.16,9.2.20) Fix check for when an extension member object can be dropped (Tom Lane)
Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.
(9.3.16,9.2.20) Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier)
Previously, non-default settings of default_tablespace could result in broken indexes.
(9.3.16,9.2.20) Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)
This avoids "could not find trigger NNN" or "relation NNN has no triggers" errors.
(9.3.16,9.2.20) Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote)
The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.
(9.3.16) Report correct object identity during ALTER TEXT SEARCH CONFIGURATION (Artur Zakirov)
The wrong catalog OID was reported to extensions such as logical decoding.
(9.3.16,9.2.20) Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)
When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction.
(9.3.16) Prevent multicolumn expansion of foo.* in an UPDATE source expression (Tom Lane)
This led to "UPDATE target count mismatch --- internal error". Now the syntax is understood as a whole-row variable, as it would be in other contexts.
(9.3.16,9.2.20) Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane)
This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit.
(9.3.16,9.2.20) Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)
Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"...").
(9.3.16,9.2.20) Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan)
Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.
(9.3.16,9.2.20) Prevent crash when ts_rewrite()
replaces a non-top-level subtree with an empty query (Artur
Zakirov)
(9.3.16,9.2.20) Fix performance problems in ts_rewrite()
(Tom Lane)
(9.3.16,9.2.20) Fix ts_rewrite()
's handling of
nested NOT operators (Tom Lane)
(9.3.16,9.2.20) Fix array_fill()
to handle empty
arrays properly (Tom Lane)
(9.3.16,9.2.20) Fix one-byte buffer overrun in quote_literal_cstr()
(Heikki Linnakangas)
The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.
(9.3.16,9.2.20) Prevent multiple calls of pg_start_backup()
and pg_stop_backup()
from running concurrently
(Michael Paquier)
This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.
(9.3.16,9.2.20) Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane)
In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field.
(9.3.16) Ensure that cached plans are invalidated by changes in foreign-table options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)
(9.3.16,9.2.20) Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)
(9.3.16,9.2.20) Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)
(9.3.16,9.2.20) Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)
This avoids failures if the objects are used after a Python garbage collection cycle has occurred.
(9.3.16,9.2.20) Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane)
This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that.
(9.3.16,9.2.20) Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing)
This change simplifies use of the same password file across Unix and Windows machines.
(9.3.16,9.2.20) Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)
(9.3.16,9.2.20) Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost)
(9.3.16,9.2.20) In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning "no pager" (Tom Lane)
Previously, such a setting caused output intended for the pager to vanish entirely.
(9.3.16,9.2.20) Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway)
(9.3.16) Teach contrib/dblink to ignore irrelevant server options when it uses a contrib/postgres_fdw foreign server as the source of connection options (Corey Huinker)
Previously, if the foreign server object had options that were not also libpq connection options, an error occurred.
(9.3.16,9.2.20) On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)
(9.3.16,9.2.20) Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)
This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.
(9.3.16,9.2.20) Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.
Release date: 2016-10-27
This release contains a variety of fixes from 9.3.14. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted free space maps.
Also, if you are upgrading from a version earlier than 9.3.9, see Version 9.3.9.
(9.3.15) Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)
It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like "could not read block XXX: read only 0 of 8192 bytes". Checksum failures in the visibility map are also possible, if checksumming is enabled.
Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.
(9.3.15) Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been updated by a subsequently-aborted transaction (Ãlvaro Herrera)
In 9.5 and later, the SELECT would sometimes fail to return such tuples at all. A failure has not been proven to occur in earlier releases, but might be possible with concurrent updates.
(9.3.15,9.2.19,9.1.24) Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)
The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated.
(9.3.15,9.2.19,9.1.24) Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth)
The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not.
(9.3.15,9.2.19) Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)
Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>.
(9.3.15,9.2.19) Suppress printing of zeroes for unmeasured times in EXPLAIN (Maksim Milyutin)
Certain option combinations resulted in printing zero values for times that actually aren't ever measured in that combination. Our general policy in EXPLAIN is not to print such fields at all, so do that consistently in all cases.
(9.3.15,9.2.19,9.1.24) Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs)
The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value.
(9.3.15,9.2.19) Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)
Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint.
(9.3.15,9.2.19,9.1.24) Remove artificial restrictions on the values accepted by
numeric_in()
and numeric_recv()
(Tom Lane)
We allow numeric values up to the limit of the storage format
(more than 1e100000), so it seems fairly
pointless that numeric_in()
rejected
scientific-notation exponents above 1000. Likewise, it was silly
for numeric_recv()
to reject more
than 1000 digits in an input value.
(9.3.15,9.2.19,9.1.24) Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
(9.3.15,9.2.19,9.1.24) Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund)
(9.3.15,9.2.19,9.1.24) Disallow starting a standalone backend with standby_mode turned on (Michael Paquier)
This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind.
(9.3.15,9.2.19,9.1.24) Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.
(9.3.15,9.2.19,9.1.24) Avoid corner-case memory leak in libpq (Tom Lane)
The reported problem involved leaking an error report during
PQreset()
, but there might be related
cases.
(9.3.15,9.2.19,9.1.24) Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi)
(9.3.15,9.2.19) In pg_dump, never dump range constructor functions (Tom Lane)
This oversight led to pg_upgrade failures with extensions containing range types, due to duplicate creation of the constructor functions.
(9.3.15) In pg_xlogdump, retry opening new WAL segments when using --follow option (Magnus Hagander)
This allows for a possible delay in the server's creation of the next segment.
(9.3.15) Fix pg_xlogdump to cope with a WAL file that begins with a continuation record spanning more than one page (Pavan Deolasee)
(9.3.15,9.2.19,9.1.24) Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson)
(9.3.15,9.2.19) Update Windows time zone mapping to recognize some time zone names added in recent Windows versions (Michael Paquier)
(9.3.15,9.2.19,9.1.24) Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)
If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether.
(9.3.15,9.2.19,9.1.24) Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.
Release date: 2016-08-11
This release contains a variety of fixes from 9.3.13. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.9, see Version 9.3.9.
(9.3.14,9.2.18,9.1.23) Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)
A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. CVE-2016-5423 or CVE-2016-5423)
(9.3.14,9.2.18,9.1.23) Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)
Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.
Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.
Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.
pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.
These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. CVE-2016-5424 or CVE-2016-5424)
(9.3.14,9.2.18,9.1.23) Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)
The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW (NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW (NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.
(9.3.14,9.2.18,9.1.23) Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)
(9.3.14,9.2.18,9.1.23) Prevent crash in close_ps()
(the
point ## lseg operator) for NaN input coordinates (Tom Lane)
Make it return NULL instead of crashing.
(9.3.14) Avoid possible crash in pg_get_expr()
when inconsistent values are passed
to it (Michael Paquier, Thomas Munro)
(9.3.14,9.2.18,9.1.23) Fix several one-byte buffer over-reads in to_number()
(Peter Eisentraut)
In several cases the to_number()
function would read one more character than it should from the
input string. There is a small chance of a crash, if the input
happens to be adjacent to the end of memory.
(9.3.14) Do not run the planner on the query contained in CREATE MATERIALIZED VIEW or CREATE TABLE AS when WITH NO DATA is specified (Michael Paquier, Tom Lane)
This avoids some unnecessary failure conditions, for example if a stable function invoked by the materialized view depends on a table that doesn't exist yet.
(9.3.14,9.2.18,9.1.23) Avoid unsafe intermediate state during expensive paths through
heap_update()
(Masahiko Sawada,
Andres Freund)
Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.
(9.3.14) Fix hint bit update during WAL replay of row locking operations (Andres Freund)
The only known consequence of this problem is that row locks held by a prepared, but uncommitted, transaction might fail to be enforced after a crash and restart.
(9.3.14) Avoid unnecessary "could not serialize access" errors when acquiring FOR KEY SHARE row locks in serializable mode (Ãlvaro Herrera)
(9.3.14,9.2.18) Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier)
(9.3.14) Ensure that backends see up-to-date statistics for shared catalogs (Tom Lane)
The statistics collector failed to update the statistics file for shared catalogs after a request from a regular backend. This problem was partially masked because the autovacuum launcher regularly makes requests that did cause such updates; however, it became obvious with autovacuum disabled.
(9.3.14) Avoid redundant writes of the statistics files when multiple backends request updates close together (Tom Lane, Tomas Vondra)
(9.3.14,9.2.18,9.1.23) Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)
Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.
(9.3.14,9.2.18,9.1.23) Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Ãlvaro Herrera)
VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers.
(9.3.14) Prevent possible failure when vacuuming multixact IDs in an installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth, Ãlvaro Herrera)
The usual symptom of this bug is errors like "MultiXactId NNN has not been created yet -- apparent wraparound".
(9.3.14,9.2.18,9.1.23) When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)
If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.
(9.3.14,9.2.18,9.1.23) Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)
The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.
(9.3.14,9.2.18,9.1.23) Prevent autovacuum from starting multiple workers for the same shared catalog (Ãlvaro Herrera)
Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.
(9.3.14,9.2.18) Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane)
(9.3.14,9.2.18,9.1.23) Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)
(9.3.14,9.2.18,9.1.23) Teach libpq to correctly decode server version from future servers (Peter Eisentraut)
It's planned to switch to two-part instead of three-part server
version numbers for releases after 9.6. Make sure that PQserverVersion()
returns the correct value for
such cases.
(9.3.14,9.2.18,9.1.23) Fix ecpg's code for unsigned long long array elements (Michael Meskes)
(9.3.14,9.2.18) In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane)
(9.3.14) Improve handling of SIGTERM/control-C in parallel pg_dump and pg_restore (Tom Lane)
Make sure that the worker processes will exit promptly, and also arrange to send query-cancel requests to the connected backends, in case they are doing something long-running such as a CREATE INDEX.
(9.3.14) Fix error reporting in parallel pg_dump and pg_restore (Tom Lane)
Previously, errors reported by pg_dump or pg_restore worker processes might never make it to the user's console, because the messages went through the master process, and there were various deadlock scenarios that would prevent the master process from passing on the messages. Instead, just print everything to stderr. In some cases this will result in duplicate messages (for instance, if all the workers report a server shutdown), but that seems better than no message.
(9.3.14) Ensure that parallel pg_dump or pg_restore on Windows will shut down properly after an error (Kyotaro Horiguchi)
Previously, it would report the error, but then just sit until manually stopped by the user.
(9.3.14) Make pg_dump behave better when built without zlib support (Kyotaro Horiguchi)
It didn't work right for parallel dumps, and emitted some rather pointless warnings in other cases.
(9.3.14,9.2.18,9.1.23) Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)
(9.3.14,9.2.18,9.1.23) Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)
(9.3.14,9.2.18,9.1.23) Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)
(9.3.14) Be more predictable about reporting "statement timeout" versus "lock timeout" (Tom Lane)
On heavily loaded machines, the regression tests sometimes failed due to reporting "lock timeout" even though the statement timeout should have occurred first.
(9.3.14,9.2.18,9.1.23) Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)
Change some test data that triggered the unusual sorting rules of these locales.
(9.3.14,9.2.18,9.1.23) Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)
This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.
(9.3.14,9.2.18,9.1.23) Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.
Release date: 2016-05-12
This release contains a variety of fixes from 9.3.12. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.9, see Version 9.3.9.
(9.3.13,9.2.17,9.1.22) Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
(9.3.13,9.2.17,9.1.22) Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
(9.3.13,9.2.17) Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)
Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.
(9.3.13,9.2.17,9.1.22) Fix possible misbehavior of TH,
th, and Y,YYY
format codes in to_timestamp()
(Tom
Lane)
These could advance off the end of the input string, causing subsequent format codes to read garbage.
(9.3.13,9.2.17,9.1.22) Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
(9.3.13,9.2.17,9.1.22) Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)
This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.
(9.3.13,9.2.17,9.1.22) Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)
In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
(9.3.13) Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane)
pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.
(9.3.13,9.2.17) Back-port 9.4-era memory-barrier code changes into 9.2 and 9.3 (Tom Lane)
These changes were not originally needed in pre-9.4 branches, but we recently back-patched a fix that expected the barrier code to work properly. Only IA64 (when using icc), HPPA, and Alpha platforms are affected.
(9.3.13,9.2.17) Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)
(9.3.13,9.2.17,9.1.22) Rename internal function strtoi()
to strtoint()
to avoid conflict with
a NetBSD library function (Thomas Munro)
(9.3.13,9.2.17,9.1.22) Fix reporting of errors from bind()
and listen()
system calls on Windows (Tom Lane)
(9.3.13,9.2.17,9.1.22) Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)
(9.3.13) Fix putenv()
to work properly with
Visual Studio 2013 (Michael Paquier)
(9.3.13,9.2.17,9.1.22) Avoid possibly-unsafe use of Windows' FormatMessage()
function (Christian Ullrich)
Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
(9.3.13,9.2.17,9.1.22) Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.
Release date: 2016-03-31
This release contains a variety of fixes from 9.3.11. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.9, see Version 9.3.9.
(9.3.12,9.2.16,9.1.21) Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
(9.3.12,9.2.16,9.1.21) Avoid unlikely data-loss scenarios due to renaming files without
adequate fsync()
calls before and
after (Michael Paquier, Tomas Vondra, Andres Freund)
(9.3.12,9.2.16,9.1.21) Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
(9.3.12,9.2.16,9.1.21) Fix corner-case crash due to trying to free localeconv()
output strings more than once (Tom
Lane)
(9.3.12,9.2.16,9.1.21) Fix parsing of affix files for ispell dictionaries (Tom Lane)
The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
(9.3.12,9.2.16,9.1.21) Avoid use of sscanf()
to parse
ispell dictionary files (Artur
Zakirov)
This dodges a portability problem on FreeBSD-derived platforms (including macOS).
(9.3.12,9.2.16,9.1.21) Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
(9.3.12,9.2.16,9.1.21) Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
(9.3.12,9.2.16,9.1.21) Fix psql's tab completion for SECURITY LABEL (Tom Lane)
Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
(9.3.12,9.2.16,9.1.21) Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
(9.3.12,9.2.16,9.1.21) Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
(9.3.12,9.2.16,9.1.21) Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
(9.3.12) In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)
Blind application of the script in such cases would result in loss of the new data directory.
(9.3.12,9.2.16,9.1.21) In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
(9.3.12,9.2.16,9.1.21) Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
(9.3.12,9.2.16,9.1.21) Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex()
function (Tom Lane)
(9.3.12,9.2.16,9.1.21) Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
(9.3.12,9.2.16,9.1.21) Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).
Release date: 2016-02-11
This release contains a variety of fixes from 9.3.10. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.9, see Version 9.3.9.
(9.3.11,9.2.15,9.1.20) Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. CVE-2016-0773 or CVE-2016-0773)
(9.3.11,9.2.15,9.1.20) Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane)
The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster.
(9.3.11,9.2.15,9.1.20) In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro)
(9.3.11,9.2.15,9.1.20) Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund)
Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master.
(9.3.11,9.2.15,9.1.20) Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier)
(9.3.11) Ensure walsender slots are fully re-initialized when being re-used (Magnus Hagander)
(9.3.11,9.2.15,9.1.20) Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane)
(9.3.11,9.2.15,9.1.20) Fix REASSIGN OWNED to change ownership of composite types properly (Ãlvaro Herrera)
(9.3.11,9.2.15,9.1.20) Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Ãlvaro Herrera)
(9.3.11,9.2.15,9.1.20) Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Ãlvaro Herrera)
(9.3.11) Fix possible crash after doing query rewrite for an updatable view (Stephen Frost)
(9.3.11) Fix planner's handling of LATERAL references (Tom Lane)
This fixes some corner cases that led to "failed to build any N-way joins" or "could not devise a query plan" planner failures.
(9.3.11,9.2.15,9.1.20) Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane)
(9.3.11,9.2.15,9.1.20) Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud)
(9.3.11) Speed up generation of unique table aliases in EXPLAIN and rule dumping, and ensure that generated aliases do not exceed NAMEDATALEN (Tom Lane)
(9.3.11,9.2.15,9.1.20) Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane)
(9.3.11,9.2.15,9.1.20) Fix possible internal overflow in numeric division (Dean Rasheed)
(9.3.11,9.2.15,9.1.20) Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane)
Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results.
(9.3.11,9.2.15,9.1.20) Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane)
(9.3.11,9.2.15,9.1.20) Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane)
The code added forCVE-2007-4772 or CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition.
(9.3.11,9.2.15,9.1.20) Improve memory-usage accounting in regular-expression compiler (Tom Lane)
This causes the code to emit "regular expression is too complex" errors in some cases that previously used unreasonable amounts of time and memory.
(9.3.11,9.2.15,9.1.20) Improve performance of regular-expression compiler (Tom Lane)
(9.3.11,9.2.15,9.1.20) Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
(9.3.11,9.2.15,9.1.20) On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila)
This oversight resulted in failure to recover from crashes whenever logging_collector is turned on.
(9.3.11,9.2.15,9.1.20) Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane)
It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection.
(9.3.11,9.2.15,9.1.20) Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
(9.3.11,9.2.15,9.1.20) In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure)
Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries.
(9.3.11,9.2.15,9.1.20) Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
(9.3.11,9.2.15,9.1.20) Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane)
(9.3.11,9.2.15,9.1.20) In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier)
Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start.
Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command.
(9.3.11,9.2.15,9.1.20) In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta)
On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use.
(9.3.11,9.2.15,9.1.20) In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
(9.3.11,9.2.15,9.1.20) In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane)
The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files.
(9.3.11,9.2.15,9.1.20) Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
(9.3.11,9.2.15,9.1.20) Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
(9.3.11,9.2.15,9.1.20) Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane)
A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem.
(9.3.11) Avoid repeated password prompts during parallel pg_dump (Zeus Kronion)
(9.3.11,9.2.15,9.1.20) Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian)
(9.3.11,9.2.15,9.1.20) Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
(9.3.11,9.2.15) Fix failure to localize messages emitted by pg_receivexlog and pg_recvlogical (Ioseph Kim)
(9.3.11,9.2.15) Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
(9.3.11,9.2.15) Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
(9.3.11) Fix premature clearing of libpq's input buffer when socket EOF is seen (Tom Lane)
This mistake caused libpq to sometimes not report the backend's final error message before reporting "server closed the connection unexpectedly".
(9.3.11,9.2.15,9.1.20) Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
This change mitigates a PL/Java security bug CVE-2016-0766 or CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
(9.3.11,9.2.15,9.1.20) Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas)
(9.3.11,9.2.15,9.1.20) Fix order of arguments in ecpg-generated typedef statements (Michael Meskes)
(9.3.11,9.2.15,9.1.20) Use %g not %f
format in ecpg's PGTYPESnumeric_from_double()
(Tom Lane)
(9.3.11,9.2.15,9.1.20) Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
(9.3.11) Fix hstore_to_json_loose()
's test
for whether an hstore value can be converted
to a JSON number (Tom Lane)
Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
(9.3.11,9.2.15,9.1.20) Ensure that contrib/pgcrypto's
crypt()
function can be interrupted
by query cancel (Andreas Karlsson)
(9.3.11,9.2.15,9.1.20) Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier)
Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted.
(9.3.11) Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
This avoids possible bitwise differences in the produced executable files from one build to the next.
(9.3.11,9.2.15,9.1.20) Install our missing script where PGXS builds can find it (Jim Nasby)
This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing.
(9.3.11,9.2.15,9.1.20) Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
(9.3.11,9.2.15,9.1.20) Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane)
The fix for libxml2'sCVE-2015-7499 or CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it.
(9.3.11,9.2.15,9.1.20) Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.
Release date: 2015-10-08
This release contains a variety of fixes from 9.3.9. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.9, see Version 9.3.9.
(9.3.10) Guard against stack overflows in json parsing (Oskari Saarenmaa)
If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. CVE-2015-5289 or CVE-2015-5289)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix contrib/pgcrypto to detect and
report too-short crypt()
salts (Josh
Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. CVE-2015-5288 or CVE-2015-5288)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
(9.3.10) Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
(9.3.10,9.2.14,9.1.19,9.0.23) Avoid O (N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
(9.3.10,9.2.14,9.1.19,9.0.23) Improve LISTEN startup time when there are many unread notifications (Matt Newell)
(9.3.10) Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)
This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
(9.3.10,9.2.14,9.1.19,9.0.23) Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
(9.3.10,9.2.14,9.1.19,9.0.23) Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
(9.3.10,9.2.14,9.1.19,9.0.23) Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
(9.3.10) Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
(9.3.10,9.2.14,9.1.19,9.0.23) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
(9.3.10,9.2.14,9.1.19,9.0.23) Add more query-cancel checks to regular expression matching (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
(9.3.10,9.2.14,9.1.19,9.0.23) Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
(9.3.10,9.2.14) In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix low-probability memory leak during regular expression execution (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix very-low-probability stack overrun in qsort
(Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
(9.3.10,9.2.14) Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
(9.3.10,9.2.14,9.1.19) Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
(9.3.10,9.2.14,9.1.19,9.0.23) During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
(9.3.10,9.2.14,9.1.19,9.0.23) Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
(9.3.10) Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)
(9.3.10,9.2.14,9.1.19,9.0.23) Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Ãlvaro Herrera)
(9.3.10,9.2.14,9.1.19,9.0.23) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
(9.3.10,9.2.14,9.1.19,9.0.23) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
(9.3.10,9.2.14) Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
(9.3.10,9.2.14,9.1.19,9.0.23) Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
(9.3.10,9.2.14,9.1.19) Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
(9.3.10,9.2.14,9.1.19) Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix some places in PL/Tcl that
neglected to check for failure of malloc()
calls (Michael Paquier, Ãlvaro
Herrera)
(9.3.10,9.2.14,9.1.19) In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
(9.3.10) Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)
The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
(9.3.10,9.2.14,9.1.19,9.0.23) Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
(9.3.10,9.2.14,9.1.19,9.0.23) Prevent crash in psql's \c command when there is no current connection (Noah Misch)
(9.3.10,9.2.14) Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
(9.3.10,9.2.14,9.1.19) Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
(9.3.10,9.2.14,9.1.19,9.0.23) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
(9.3.10,9.2.14) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
(9.3.10,9.2.14,9.1.19,9.0.23) Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
(9.3.10,9.2.14,9.1.19) Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
(9.3.10,9.2.14,9.1.19,9.0.23) On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
(9.3.10,9.2.14,9.1.19,9.0.23) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
(9.3.10,9.2.14,9.1.19,9.0.23) Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
(9.3.10,9.2.14,9.1.19,9.0.23) Use librt for sched_yield()
when necessary, which it is on some
Solaris versions (Oskari Saarenmaa)
(9.3.10,9.2.14,9.1.19,9.0.23) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
(9.3.10,9.2.14,9.1.19,9.0.23) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
(9.3.10,9.2.14,9.1.19,9.0.23) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.
Release date: 2015-06-12
This release contains a small number of fixes from 9.3.8. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading an installation that was previously upgraded using a pg_upgrade version between 9.3.0 and 9.3.4 inclusive, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.3.7, see Version 9.3.7.
(9.3.9) Fix possible failure to recover from an inconsistent database state (Robert Haas)
Recent PostgreSQL releases introduced mechanisms to protect against multixact wraparound, but some of that code did not account for the possibility that it would need to run during crash recovery, when the database may not be in a consistent state. This could result in failure to restart after a crash, or failure to start up a secondary server. The lingering effects of a previously-fixed bug in pg_upgrade could also cause such a failure, in installations that had used pg_upgrade versions between 9.3.0 and 9.3.4.
The pg_upgrade bug in question was that it would set oldestMultiXid to 1 in pg_control even if the true value should be higher. With the fixes introduced in this release, such a situation will result in immediate emergency autovacuuming until a correct oldestMultiXid value can be determined. If that would pose a hardship, users can avoid it by doing manual vacuuming before upgrading to this release. In detail:
Check whether pg_controldata reports "Latest checkpoint's oldestMultiXid" to be 1. If not, there's nothing to do.
(9.3.9) Look in PGDATA/pg_multixact/offsets to see if there's a file named 0000. If there is, there's nothing to do.
(9.3.9) Otherwise, for each table that has pg_class.relminmxid equal to 1, VACUUM that table with both vacuum_multixact_freeze_min_age and vacuum_multixact_freeze_table_age set to zero. (You can use the vacuum cost delay parameters described in Section 18.4.4 to reduce the performance consequences for concurrent sessions.) You must use PostgreSQL 9.3.5 or later to perform this step.
(9.3.9,9.2.13,9.1.18,9.0.22) Fix rare failure to invalidate relation cache init file (Tom Lane)
With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.
(9.3.9,9.2.13,9.1.18,9.0.22) Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)
A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.
(9.3.9) Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans (Tom Lane, Tomas Vondra)
This type of plan is quite cheap when all the join clauses are used as index scan conditions, even if the inner scan would nominally fetch many rows, because the executor will stop after obtaining one row. The planner only partially accounted for that effect, and would therefore overestimate the cost, leading it to possibly choose some other much less efficient plan type.
Release date: 2015-06-04
This release contains a small number of fixes from 9.3.7. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are upgrading from a version earlier than 9.3.7, see Version 9.3.7.
(9.3.8) Avoid failures while fsync
'ing
data directory during crash restart (Abhijit Menon-Sen, Tom
Lane)
In the previous minor releases we added a patch to fsync
everything in the data directory after a
crash. Unfortunately its response to any error condition was to
fail, thereby preventing the server from starting up, even when the
problem was quite harmless. An example is that an unwritable file
in the data directory would prevent restart on some platforms; but
it is common to make SSL certificate files unwritable by the
server. Revise this behavior so that permissions failures are
ignored altogether, and other types of failures are logged but do
not prevent continuing.
Also apply the same rules in initdb --sync-only. This case is less critical but it should act similarly.
(9.3.8,9.2.12) Fix pg_get_functiondef()
to show
functions' LEAKPROOF property, if set
(Jeevan Chalke)
(9.3.8,9.2.12,9.1.17,9.0.21) Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane)
The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.
(9.3.8,9.2.12,9.1.17,9.0.21) Allow libpq to use TLS protocol versions beyond v1 (Noah Misch)
For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0.
Release date: 2015-05-22
This release contains a variety of fixes from 9.3.6. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you use contrib/citext's
regexp_matches()
functions, see the
changelog entry below about that.
Also, if you are upgrading from a version earlier than 9.3.6, see Version 9.3.6.
(9.3.7,9.2.11,9.1.16,9.0.20) Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. CVE-2015-3165 or CVE-2015-3165)
(9.3.7,9.2.11,9.1.16,9.0.20) Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf()
failed to check for errors reported by
the underlying system library calls; the main case that might be
missed is out-of-memory situations. In the worst case this might
lead to information exposure, due to our code assuming that a
buffer had been overwritten when it hadn't been. Also, there were a
few places in which security-relevant calls of other system library
functions did not check for failure.
It remains possible that some calls of the *printf()
family of functions are vulnerable to
information disclosure if an out-of-memory error occurs at just the
wrong time. We judge the risk to not be large, but will continue
analysis in this area. CVE-2015-3166 or CVE-2015-3166)
(9.3.7,9.2.11,9.1.16,9.0.20) In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data" (Noah Misch)
Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. CVE-2015-3167 or CVE-2015-3167)
(9.3.7) Protect against wraparound of multixact member IDs (Ãlvaro Herrera, Robert Haas, Thomas Munro)
Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound.
(9.3.7,9.2.11,9.1.16) Fix incorrect declaration of contrib/citext's regexp_matches()
functions (Tom Lane)
These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
While the latter behavior is clearly a bug, there might be
applications depending on the former behavior; therefore the
function declarations will not be changed by default until
PostgreSQL 9.5. In pre-9.5
branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected
declarations in version 1.1 (which is not installed by default). To adopt
the fix in pre-9.5 branches, execute ALTER
EXTENSION citext UPDATE TO '1.1' in each database in which
citext is installed. (You can also
"update" back to 1.0 if you need to undo
that.) Be aware that either update direction will require dropping
and recreating any views or rules that use citext's regexp_matches()
functions.
(9.3.7,9.2.11,9.1.16,9.0.20) Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
(9.3.7,9.2.11) Fix planning of star-schema-style queries (Tom Lane)
Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.
(9.3.7,9.2.11,9.1.16,9.0.20) Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)
This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
(9.3.7,9.2.11,9.1.16,9.0.20) Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)
Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
(9.3.7,9.2.11,9.1.16,9.0.20) Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
(9.3.7,9.2.11,9.1.16,9.0.20) Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)
(9.3.7,9.2.11,9.1.16,9.0.20) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)
(9.3.7,9.2.11,9.1.16,9.0.20) Recursively fsync()
the data
directory after a crash (Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
(9.3.7,9.2.11,9.1.16,9.0.20) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Ãlvaro Herrera)
(9.3.7,9.2.11,9.1.16,9.0.20) Cope with unexpected signals in LockBufferForCleanup()
(Andres Freund)
This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
(9.3.7,9.2.11) Fix crash when doing COPY IN to a table with check constraints that contain whole-row references (Tom Lane)
The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.
(9.3.7,9.2.11,9.1.16,9.0.20) Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)
Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
(9.3.7,9.2.11,9.1.16,9.0.20) Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)
(9.3.7,9.2.11,9.1.16,9.0.20) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)
(9.3.7,9.2.11,9.1.16,9.0.20) Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
(9.3.7,9.2.11,9.1.16) Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita)
(9.3.7,9.2.11,9.1.16,9.0.20) Add the name of the target server to object description strings for foreign-server user mappings (Ãlvaro Herrera)
(9.3.7) Include the schema name in object identity strings for conversions (Ãlvaro Herrera)
(9.3.7,9.2.11,9.1.16,9.0.20) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
(9.3.7,9.2.11,9.1.16,9.0.20) Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
(9.3.7,9.2.11,9.1.16) Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas)
This avoids a possible startup failure in pg_receivexlog.
(9.3.7,9.2.11,9.1.16,9.0.20) While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)
(9.3.7,9.2.11,9.1.16,9.0.20) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it's important to drain the
input buffer every so often, in case the server has sent enough
response data to cause it to block on output. (A typical scenario
is that the server is sending a stream of NOTICE messages during
COPY FROM STDIN.) This worked properly in
the normal blocking mode, but not so much in non-blocking mode.
We've modified libpq to
opportunistically drain input when it can, but a full defense
against this problem requires application cooperation: the
application should watch for socket read-ready as well as
write-ready conditions, and be sure to call PQconsumeInput()
upon read-ready.
(9.3.7,9.2.11) In libpq, fix misparsing of empty values in URI connection strings (Thomas Fanghaenel)
(9.3.7,9.2.11,9.1.16,9.0.20) Fix array handling in ecpg (Michael Meskes)
(9.3.7,9.2.11,9.1.16,9.0.20) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Ãlvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
(9.3.7,9.2.11,9.1.16,9.0.20) Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)
This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
(9.3.7,9.2.11,9.1.16,9.0.20) Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)
(9.3.7,9.2.11,9.1.16) In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier)
(9.3.7,9.2.11,9.1.16) Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost)
This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
(9.3.7) Avoid possible pg_dump failure when concurrent sessions are creating and dropping temporary functions (Tom Lane)
(9.3.7,9.2.11,9.1.16,9.0.20) Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)
(9.3.7,9.2.11,9.1.16,9.0.20) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
(9.3.7,9.2.11,9.1.16,9.0.20) In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)
(9.3.7,9.2.11,9.1.16,9.0.20) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)
(9.3.7,9.2.11,9.1.16,9.0.20) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
(9.3.7,9.2.11,9.1.16,9.0.20) Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem)
(9.3.7,9.2.11,9.1.16) Improve handling of readdir()
failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini)
(9.3.7,9.2.11,9.1.16,9.0.20) Fix slow sorting algorithm in contrib/intarray (Tom Lane)
(9.3.7,9.4.2,9.2.11,9.1.16,9.0.20) Fix compile failure on Sparc V8 machines (Rob Rowan)
(9.3.7,9.4.2) Silence some build warnings on macOS (Tom Lane)
(9.3.7,9.2.11,9.1.16,9.0.20) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).
Release date: 2015-02-05
This release contains a variety of fixes from 9.3.5. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you are a Windows user and are using the "Norwegian (Bokmål)" locale, manual action is needed after the upgrade to replace any "Norwegian (Bokmål)_Norway" locale names stored in PostgreSQL system catalogs with the plain-ASCII alias "Norwegian_Norway". For details see http://wiki.postgresql.org/wiki/Changes_To_Norwegian_Locale
Also, if you are upgrading from a version earlier than 9.3.5, see Version 9.3.5.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix buffer overruns in to_char()
(Bruce Momjian)
When to_char()
processes a numeric
formatting template calling for a large number of digits,
PostgreSQL would read past the end
of a buffer. When processing a crafted timestamp formatting
template, PostgreSQL would write
past the end of a buffer. Either case could crash the server. We
have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
CVE-2015-0241 or CVE-2015-0241)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix buffer overrun in replacement *printf()
functions (Tom Lane)
PostgreSQL includes a
replacement implementation of printf
and related functions. This code will overrun a stack buffer when
formatting a floating point number (conversion specifiers
e, E, f, F, g or G) with requested
precision greater than about 500. This will crash the server, and
we have not ruled out the possibility of attacks that lead to
privilege escalation. A database user can trigger such a buffer
overrun through the to_char()
SQL
function. While that is the only affected core PostgreSQL functionality, extension modules
that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. CVE-2015-0242 or CVE-2015-0242)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. CVE-2015-0243 or CVE-2015-0243)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. CVE-2015-0244 or CVE-2015-0244)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. CVE-2014-8161 or CVE-2014-8161)
(9.3.6,9.2.10,9.1.15,9.0.19) Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. CVE-2014-0067 or CVE-2014-0067)
(9.3.6,9.2.10) Cope with the Windows locale named "Norwegian (Bokmål)" (Heikki Linnakangas)
Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, "Norwegian_Norway".
(9.3.6,9.2.10,9.1.15,9.0.19) Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane)
(9.3.6,9.2.10,9.1.15,9.0.19) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier)
If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be.
(9.3.6,9.2.10,9.1.15) Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund)
(9.3.6) Fix incorrect processing of CreateEventTrigStmt.eventname (Petr Jelinek)
This could result in misbehavior if CREATE EVENT TRIGGER were executed as a prepared query, or via extended query protocol.
(9.3.6,9.2.10,9.1.15) Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane)
This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.
(9.3.6) Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Ãlvaro Herrera, Mark Kirkwood)
(9.3.6) Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Ãlvaro Herrera)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi)
In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane)
In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table.
(9.3.6) Improve performance of EXPLAIN with large range tables (Tom Lane)
(9.3.6,9.2.10,9.1.15,9.0.19) Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley)
This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors.
(9.3.6) Re-enable error for SELECT ... OFFSET -1 (Tom Lane)
A negative offset value has been an error since 8.4, but an optimization added in 9.3 accidentally turned the case into a no-op. Restore the expected behavior.
(9.3.6,9.2.10) Restore previous behavior of conversion of domains to JSON (Tom Lane)
This change causes domains over numeric and boolean to be treated like their base types for purposes of conversion to JSON. It worked like that before 9.3.5 and 9.2.9, but was unintentionally changed while fixing a related problem.
(9.3.6) Fix json_agg()
to not return extra
trailing right brackets in its result (Tom Lane)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix bugs in raising a numeric value to a large integral power (Tom Lane)
The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow.
(9.3.6,9.2.10,9.1.15,9.0.19) In numeric_recv()
, truncate away
any fractional digits that would be hidden according to the value's
dscale field (Tom Lane)
A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such "hidden" digits on receipt, so that the value is indeed what it prints as.
(9.3.6,9.2.10) Fix incorrect search for shortest-first regular expression matches (Tom Lane)
Matching would often fail when the number of allowed iterations is limited by a ? quantifier or a bound expression.
(9.3.6,9.2.10,9.1.15,9.0.19) Reject out-of-range numeric timezone specifications (Tom Lane)
Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas)
Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms.
(9.3.6,9.2.10,9.1.15,9.0.19) Improve ispell dictionary's defenses against bad affix files (Tom Lane)
(9.3.6,9.2.10,9.1.15,9.0.19) Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix namespace handling in xpath()
(Ali Akbar)
Previously, the xml value resulting from
an xpath()
call would not have
namespace declarations if the namespace declarations were attached
to an ancestor element in the input xml
value, rather than to the specific element being returned.
Propagate the ancestral declaration so that the result is correct
when considered in isolation.
(9.3.6,9.2.10) Ensure that whole-row variables expose nonempty column names to functions that pay attention to column names within composite arguments (Tom Lane)
In some contexts, constructs like row_to_json(tab.*) may not produce the expected column names. This is fixed properly as of 9.4; in older branches, just ensure that we produce some nonempty name. (In some cases this will be the underlying table's column name rather than the query-assigned alias that should theoretically be visible.)
(9.3.6,9.2.10) Fix mishandling of system columns, particularly tableoid, in FDW queries (Etsuro Fujita)
(9.3.6) Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli)
This patch fixes corner-case "unexpected operator NNNN" planner errors, and improves the selectivity estimates for some other cases.
(9.3.6,9.2.10) Avoid doing indexed_column = ANY (array) as an index qualifier if that leads to an inferior plan (Andrew Gierth)
In some cases, = ANY conditions applied to non-first index columns would be done as index conditions even though it would be better to use them as simple filter conditions.
(9.3.6) Fix "variable not found in subplan target list" planner failure when an inline-able SQL function taking a composite argument is used in a LATERAL subselect and the composite argument is a lateral reference (Tom Lane)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane)
(9.3.6,9.2.10,9.1.15,9.0.19) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth)
(9.3.6,9.2.10,9.1.15,9.0.19) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Ãlvaro Herrera)
The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity.
(9.3.6,9.2.10) Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane)
Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work.
(9.3.6,9.2.10,9.1.15) During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund)
This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas)
This mistake could result in transient errors in queries being executed in hot standby.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas)
The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit.
(9.3.6,9.2.10) Prevent latest WAL file from being archived a second time at completion of crash recovery (Fujii Masao)
(9.3.6,9.2.10,9.1.15,9.0.19) Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao)
(9.3.6,9.2.10,9.1.15,9.0.19) Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".
(9.3.6) Fix possible corruption of postmaster's list of dynamic background workers (Andres Freund)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund)
(9.3.6,9.2.10,9.1.15) Warn if macOS's setlocale()
starts
an unwanted extra thread inside the postmaster (Noah Misch)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix processing of repeated dbname
parameters in PQconnectdbParams()
(Alex Shulgin)
Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded.
(9.3.6,9.2.10,9.1.15,9.0.19) Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane)
Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket.
(9.3.6,9.2.10,9.1.15,9.0.19) Clear any old error message during PQreset()
(Heikki Linnakangas)
If PQreset()
is called repeatedly,
and the connection cannot be re-established, error messages from
the failed connection attempts kept accumulating in the PGconn's error string.
(9.3.6,9.2.10,9.1.15,9.0.19) Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix array overrun in ecpg's
version of ParseDateTime()
(Michael
Paquier)
(9.3.6,9.2.10,9.1.15,9.0.19) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane)
When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate.
This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved.
(9.3.6,9.2.10,9.1.15,9.0.19) Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
(9.3.6) Make psql's \watch command display nulls as specified by \pset null (Fujii Masao)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost)
(9.3.6) Fix pg_dump to handle comments on event triggers without failing (Tom Lane)
(9.3.6) Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner)
(9.3.6,9.2.10,9.1.15) Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane)
(9.3.6,9.2.10) Fix pg_dumpall to restore its ability to dump from pre-8.1 servers (Gilles Darold)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia)
(9.3.6) Fix failure to fsync tables in nondefault tablespaces during pg_upgrade (Abhijit Menon-Sen, Andres Freund)
With an operating system crash and some bad luck, this could result in data loss during an upgrade.
(9.3.6) In pg_upgrade, cope with cases where the new cluster creates a TOAST table for a table that didn't previously have one (Bruce Momjian)
Previously this could result in failures due to OID conflicts.
(9.3.6) In pg_upgrade, don't try to set autovacuum_multixact_freeze_max_age for the old cluster (Bruce Momjian)
This could result in failure because not all 9.3.X versions have that parameter. Fortunately, we don't actually need to set it at all.
(9.3.6) In pg_upgrade, preserve the transaction ID epoch (Bruce Momjian)
This oversight did not bother PostgreSQL proper, but could confuse some external replication tools.
(9.3.6,9.2.10,9.1.15) Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)
(9.3.6) Fix memory leak in pg_receivexlog (Fujii Masao)
(9.3.6) Fix unintended suppression of pg_receivexlog verbose messages (Fujii Masao)
(9.3.6,9.2.10) Fix failure of contrib/auto_explain to print per-node timing information when doing EXPLAIN ANALYZE (Tom Lane)
(9.3.6,9.2.10,9.1.15) Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane)
(9.3.6) Avoid integer overflow and buffer overrun in contrib/hstore's hstore_to_json()
(Heikki Linnakangas)
(9.3.6) Fix recognition of numbers in hstore_to_json_loose()
, so that JSON numbers and
strings are correctly distinguished (Andrew Dunstan)
(9.3.6,9.2.10,9.1.15,9.0.19) Fix block number checking in contrib/pageinspect's get_raw_page()
(Tom Lane)
The incorrect checking logic could prevent access to some pages in non-main relation forks.
(9.3.6,9.2.10,9.1.15,9.0.19) Fix contrib/pgcrypto's pgp_sym_decrypt()
to not fail on messages whose
length is 6 less than a power of 2 (Marko Tiikkaja)
(9.3.6,9.2.10,9.1.15) Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes)
This could cause failure to remove temporary files on Windows.
(9.3.6,9.2.10,9.1.15,9.0.19) Handle unexpected query results, especially NULLs, safely in
contrib/tablefunc's connectby()
(Michael Paquier)
connectby()
previously crashed if
it encountered a NULL key value. It now prints that row but doesn't
recurse further.
(9.3.6,9.2.10,9.1.15,9.0.19) Avoid a possible crash in contrib/xml2's xslt_process()
(Mark Simonetti)
libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash.
(9.3.6,9.2.10,9.1.15) Mark some contrib I/O functions with correct volatility properties (Tom Lane)
The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers.
(9.3.6,9.2.10,9.1.15,9.0.19) Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
(9.3.6) Fix setup of background workers in EXEC_BACKEND builds, eg Windows (Robert Haas)
(9.3.6,9.2.10,9.1.15,9.0.19) Detect incompatible OpenLDAP versions during build (Noah Misch)
With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test.
(9.3.6,9.2.10,9.1.15,9.0.19) In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch)
(9.3.6,9.2.10,9.1.15,9.0.19) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.
(9.3.6,9.2.10,9.1.15,9.0.19) Support time zone abbreviations that change UTC offset from time to time (Tom Lane)
Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
(9.3.6,9.2.10,9.1.15,9.0.19) Update time zone abbreviations lists (Tom Lane)
Add CST (China Standard Time) to our lists. Remove references to ADT as "Arabia Daylight Time", an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with "Atlantic Daylight Time" doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line.
(9.3.6,9.2.10) Update time zone data files to tzdata release 2015a.
The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our "Default" timezone abbreviation set. The "Australia" abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the "Default" abbreviation set.
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data.
Release date: 2014-07-24
This release contains a variety of fixes from 9.3.4. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, this release corrects a logic error in pg_upgrade, as well as an index corruption problem in some GiST indexes. See the first two changelog entries below to find out whether your installation has been affected and what steps you should take if so.
Also, if you are upgrading from a version earlier than 9.3.4, see Version 9.3.4.
(9.3.5) In pg_upgrade, remove pg_multixact files left behind by initdb (Bruce Momjian)
If you used a pre-9.3.5 version of pg_upgrade to upgrade a database cluster to 9.3, it might have left behind a file $PGDATA/pg_multixact/offsets/0000 that should not be there and will eventually cause problems in VACUUM. However, in common cases this file is actually valid and must not be removed. To determine whether your installation has this problem, run this query as superuser, in any database of the cluster:
WITH list(file) AS (SELECT * FROM pg_ls_dir('pg_multixact/offsets')) SELECT EXISTS (SELECT * FROM list WHERE file = '0000') AND NOT EXISTS (SELECT * FROM list WHERE file = '0001') AND NOT EXISTS (SELECT * FROM list WHERE file = 'FFFF') AND EXISTS (SELECT * FROM list WHERE file != '0000') AS file_0000_removal_required;
If this query returns t, manually remove the file $PGDATA/pg_multixact/offsets/0000. Do nothing if the query returns f.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
(9.3.5,9.2.9,9.1.14,9.0.18) Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas)
This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.
(9.3.5,9.2.9) Fix corner-case infinite loop during insertion into an SP-GiST text index (Tom Lane)
(9.3.5) Fix incorrect answers from SP-GiST index searches with -|- (range adjacency) operator (Heikki Linnakangas)
(9.3.5) Fix wraparound handling for pg_multixact/members (Ãlvaro Herrera)
(9.3.5) Truncate pg_multixact during checkpoints, not during VACUUM (Ãlvaro Herrera)
This change ensures that pg_multixact segments can't be removed if they'd still be needed during WAL replay after a crash.
(9.3.5) Fix possible inconsistency of all-visible flags after WAL recovery (Heikki Linnakangas)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix possibly-incorrect cache invalidation during nested calls to
ReceiveSharedInvalidMessages
(Andres
Freund)
(9.3.5) Fix race condition when updating a tuple concurrently locked by another process (Andres Freund, Ãlvaro Herrera)
(9.3.5,9.2.9,9.1.14) Fix "could not find pathkey item to sort" planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).
(9.3.5,9.2.9) Improve planner to drop constant-NULL inputs of AND/OR when possible (Tom Lane)
This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced.
(9.3.5) Ensure that the planner sees equivalent VARIADIC and non-VARIADIC function calls as equivalent (Tom Lane)
This bug could for example result in failure to use expression indexes involving variadic functions. It might be necessary to re-create such indexes, and/or re-create views including variadic function calls that should match the indexes, for the fix to be effective for existing 9.3 installations.
(9.3.5) Fix handling of nested JSON objects in
json_populate_recordset()
and friends
(Michael Paquier, Tom Lane)
A nested JSON object could result in previous fields of the parent object not being shown in the output.
(9.3.5,9.2.9) Fix identification of input type category in to_json()
and friends (Tom Lane)
This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix failure to detoast fields in composite elements of structured types (Tom Lane)
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes (Tom Lane)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix data encoding error in hungarian.stop (Tom Lane)
(9.3.5,9.2.9,9.1.14) Prevent foreign tables from being created with OIDS when default_with_oids is true (Etsuro Fujita)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix REASSIGN OWNED to not fail for text search objects (Ãlvaro Herrera)
(9.3.5) Prevent pg_class.relminmxid values from going backwards during VACUUM FULL (Ãlvaro Herrera)
(9.3.5) Reduce indentation in rule/view dumps to improve readability and avoid excessive whitespace (Greg Stark, Tom Lane)
This change reduces the amount of indentation applied to nested constructs, including some cases that the user probably doesn't think of as nested, such as UNION lists. Previously, deeply nested constructs were printed with an amount of whitespace growing as O(N^2), which created a performance problem and even risk of out-of-memory failures. Now the indentation is reduced modulo 40, which is initially odd to look at but seems to preserve readability better than simply limiting the indentation would do. Redundant parenthesization of UNION lists has been reduced as well.
(9.3.5) Fix dumping of rules/views when subsequent addition of a column has resulted in multiple input columns matching a USING specification (Tom Lane)
(9.3.5) Repair view printing for some cases involving functions in FROM that return a composite type containing dropped columns (Tom Lane)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Block signals during postmaster startup (Tom Lane)
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.
(9.3.5,9.2.9,9.1.14) Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane)
Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed.
(9.3.5,9.2.9) Allow the root user to use postgres -C variable and postgres --describe-config (MauMau)
The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted inCVE-2014-0067 or CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
(9.3.5,9.2.9,9.1.14,9.0.18) Fix tablespace creation WAL replay to work on Windows (MauMau)
(9.3.5,9.2.9,9.1.14,9.0.18) Fix detection of socket creation failures on Windows (Bruce Momjian)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file (Amit Kapila)
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Properly quote executable path names on Windows (Nikhil Deshpande)
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.
(9.3.5,9.2.9,9.1.14) Fix linking of libpython on macOS (Tom Lane)
The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)
libpq could be coerced into
enlarging its input buffer until it runs out of memory (which would
be reported misleadingly as "lost
synchronization with server"). Under ordinary circumstances
it's quite far-fetched that data could be continuously transmitted
more quickly than the recv()
loop can
absorb it, but this has been observed when the client is
artificially slowed by scheduler constraints.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)
(9.3.5,9.2.9,9.1.14,9.0.18) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat)
(9.3.5) Fix pg_dump to cope with a materialized view that depends on a table's primary key (Tom Lane)
This occurs if the view's query relies on functional dependency to abbreviate a GROUP BY list. pg_dump got sufficiently confused that it dumped the materialized view as a regular view.
(9.3.5) Fix parsing of pg_dumpall's -i switch (Tom Lane)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Fix pg_restore's processing of old-style large object comments (Tom Lane)
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.
(9.3.5,9.2.9) Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not (Bruce Momjian)
This rare situation would manifest as "relation OID mismatch" errors.
(9.3.5) In pg_upgrade, preserve pg_database.datminmxid and pg_class.relminmxid values from the old cluster, or insert reasonable values when upgrading from pre-9.3; also defend against unreasonable values in the core server (Bruce Momjian, Ãlvaro Herrera, Tom Lane)
These changes prevent scenarios in which autovacuum might insist on scanning the entire cluster's contents immediately upon starting the new cluster, or in which tracking of unfrozen MXID values might be disabled completely.
(9.3.5,9.2.9) Prevent contrib/auto_explain from changing the output of a user's EXPLAIN (Tom Lane)
If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information.
(9.3.5,9.2.9) Fix query-lifespan memory leak in contrib/dblink (MauMau, Joe Conway)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)
(9.3.5,9.2.9) Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap()
(Noah Misch)
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
(9.3.5,9.2.9,9.1.14,9.0.18,8.4.22) Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.
Release date: 2014-03-20
This release contains a variety of fixes from 9.3.3. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, the error fixed in the first changelog entry below could have resulted in corrupt data on standby servers. It may be prudent to reinitialize standby servers from fresh base backups after installing this update.
Also, if you are upgrading from a version earlier than 9.3.3, see Version 9.3.3.
(9.3.4) Fix WAL replay of locking an already-updated tuple (Andres Freund, Ãlvaro Herrera)
This error caused updated rows to not be found by index scans, resulting in inconsistent query results depending on whether an index scan was used. Subsequent processing could result in constraint violations, since the previously updated row would not be found by later index searches, thus possibly allowing conflicting rows to be inserted. Since this error is in WAL replay, it would only manifest during crash recovery or on standby servers. The improperly-replayed case most commonly arises when a table row that is referenced by a foreign-key constraint is updated concurrently with creation of a referencing row.
(9.3.4,9.2.8,9.1.13,9.0.17,8.4.21) Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.
(9.3.4,9.2.8,9.1.13,9.0.17) Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja)
This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.
(9.3.4) Allow materialized views to be referenced in UPDATE and DELETE commands (Michael Paquier)
Previously such queries failed with a complaint about not being able to lock rows in the materialized view.
(9.3.4,9.2.8,9.1.13,9.0.17,8.4.21) Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time.
(9.3.4,9.2.8,9.1.13,9.0.17,8.4.21) Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.
(9.3.4,9.2.8,9.1.13,9.0.17,8.4.21) Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.
(9.3.4,9.2.8,9.1.13,9.0.17) Improve performance of index endpoint probes during planning (Tom Lane)
This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.
(9.3.4) Use non-default selectivity estimates for value IN (list) and value operator ANY (array) expressions when the righthand side is a stable expression (Tom Lane)
(9.3.4) Remove the correct per-database statistics file during DROP DATABASE (Tomas Vondra)
This fix prevents a permanent leak of statistics file space. Users who have done many DROP DATABASE commands since upgrading to PostgreSQL 9.3 may wish to check their statistics directory and delete statistics files that do not correspond to any existing database. Please note that db_0.stat should not be removed.
(9.3.4) Fix walsender ping logic to avoid inappropriate disconnects under continuous load (Andres Freund, Heikki Linnakangas)
walsender failed to send ping messages to the client if it was constantly busy sending WAL data; but it expected to see ping responses despite that, and would therefore disconnect once wal_sender_timeout elapsed.
(9.3.4,9.2.8,9.1.13) Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao)
(9.3.4,9.2.8) Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery (Heikki Linnakangas)
(9.3.4,9.2.8,9.1.13,9.0.17) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas)
(9.3.4) Add read-only data_checksums parameter to display whether page checksums are enabled (Heikki Linnakangas)
Without this parameter, determining the state of checksum processing was difficult.
(9.3.4,9.2.8,9.1.13,9.0.17,8.4.21) Prevent interrupts while reporting non-ERROR messages (Tom Lane)
This guards against rare server-process freezeups due to
recursive entry to syslog()
, and
perhaps other related problems.
(9.3.4,9.2.8,9.1.13) Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker)
(9.3.4,9.2.8) Fix tracking of psql script line numbers during \copy from out-of-line data (Kumar Rajeev Rastogi, Amit Khandekar)
\copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file.
(9.3.4) Fix contrib/postgres_fdw to handle multiple join conditions properly (Tom Lane)
This oversight could result in sending WHERE clauses to the remote server for execution even though the clauses are not known to have the same semantics on the remote server (for example, clauses that use non-built-in operators). The query might succeed anyway, but it could also fail with errors from the remote server, or worse give silently wrong answers.
(9.3.4,9.2.8,9.1.13,9.0.17) Prevent intermittent "could not reserve shared memory region" failures on recent Windows versions (MauMau)
(9.3.4,9.2.8,9.1.13,9.0.17,8.4.21) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.
Release date: 2014-02-20
This release contains a variety of fixes from 9.3.2. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, several of the issues corrected in this release could have resulted in corruption of foreign-key constraints; that is, there might now be referencing rows for which there is no matching row in the referenced table. It may be worthwhile to recheck such constraints after installing this update. The simplest way to do that is to drop and recreate each suspect constraint; however, that will require taking an exclusive lock on both tables, so it is unlikely to be acceptable in production databases. Alternatively, you can do a manual join query between the two tables to look for unmatched rows.
Note also the requirement for replication standby servers to be upgraded before their master server is upgraded.
Also, if you are upgrading from a version earlier than 9.3.2, see Version 9.3.2.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. CVE-2014-0060 or CVE-2014-0060)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. CVE-2014-0061 or CVE-2014-0061)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. CVE-2014-0062 or CVE-2014-0062)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN constant was too small
for the longest possible value of type interval, allowing a buffer overrun in interval_out()
. Although the datetime input
functions were more careful about avoiding buffer overrun, the
limit was short enough to cause them to reject some valid inputs,
such as input containing a very long timezone name. The
ecpg library contained these
vulnerabilities along with some of its own. CVE-2014-0063 or CVE-2014-0063)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. CVE-2014-0064 or CVE-2014-0064)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
Use strlcpy()
and related
functions to provide a clear guarantee that fixed-size buffers are
not overrun. Unlike the preceding items, it is unclear whether
these cases really represent live issues, since in most cases there
appear to be previous constraints on the size of the input string.
Nonetheless it seems prudent to silence all Coverity warnings of
this type. CVE-2014-0065 or CVE-2014-0065)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Avoid crashing if crypt()
returns
NULL (Honza Horak, Bruce Momjian)
There are relatively few scenarios in which crypt()
could return NULL, but contrib/chkpass would crash if it did. One
practical case in which this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., "FIPS
mode"). CVE-2014-0066 or CVE-2014-0066)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. CVE-2014-0067 or CVE-2014-0067)
(9.3.3) Rework tuple freezing protocol (Ãlvaro Herrera, Andres Freund)
The logic for tuple freezing was unable to handle some cases involving freezing of multixact IDs, with the practical effect that shared row-level locks might be forgotten once old enough.
Fixing this required changing the WAL record format for tuple freezing. While this is no issue for standalone servers, when using replication it means that standby servers must be upgraded to 9.3.3 or later before their masters are. An older standby will be unable to interpret freeze records generated by a newer master, and will fail with a PANIC message. (In such a case, upgrading the standby should be sufficient to let it resume execution.)
(9.3.3) Create separate GUC parameters to control multixact freezing (Ãlvaro Herrera)
9.3 requires multixact tuple labels to be frozen before they grow too old, in the same fashion as plain transaction ID labels have been frozen for some time. Previously, the transaction ID freezing parameters were used for multixact IDs too; but since the consumption rates of transaction IDs and multixact IDs can be quite different, this did not work very well. Introduce new settings vacuum_multixact_freeze_min_age, vacuum_multixact_freeze_table_age, and autovacuum_multixact_freeze_max_age to control when to freeze multixacts.
(9.3.3) Account for remote row locks propagated by local updates (Ãlvaro Herrera)
If a row was locked by transaction A, and transaction B updated it, the new version of the row created by B would be locked by A, yet visible only to B. If transaction B then again updated the row, A's lock wouldn't get checked, thus possibly allowing B to complete when it shouldn't. This case is new in 9.3 since prior versions did not have any types of row locking that would permit another transaction to update the row at all.
This oversight could allow referential integrity checks to give false positives (for instance, allow deletes that should have been rejected). Applications using the new commands SELECT FOR KEY SHARE and SELECT FOR NO KEY UPDATE might also have suffered locking failures of this kind.
(9.3.3) Prevent "forgetting" valid row locks when one of several holders of a row lock aborts (Ãlvaro Herrera)
This was yet another mechanism by which a shared row lock could be lost, thus possibly allowing updates that should have been prevented by foreign-key constraints.
(9.3.3) Fix incorrect logic during update chain locking (Ãlvaro Herrera)
This mistake could result in spurious "could not serialize access due to concurrent update" errors in REPEATABLE READ and SERIALIZABLE transaction isolation modes.
(9.3.3) Handle wraparound correctly during extension or truncation of pg_multixact/members (Andres Freund, Ãlvaro Herrera)
(9.3.3) Fix handling of 5-digit filenames in pg_multixact/members (Ãlvaro Herrera)
As of 9.3, these names can be more than 4 digits, but the directory cleanup code ignored such files.
(9.3.3) Improve performance of multixact cache code (Ãlvaro Herrera)
(9.3.3) Optimize updating a row that's already locked by the same transaction (Andres Freund, Ãlvaro Herrera)
This fixes a performance regression from pre-9.3 versions when doing SELECT FOR UPDATE followed by UPDATE/DELETE.
(9.3.3) During archive recovery, prefer highest timeline number when WAL segments with the same ID are present in both the archive and pg_xlog/ (Kyotaro Horiguchi)
Previously, not-yet-archived segments could get ignored during recovery. This reverts an undesirable behavioral change in 9.3.0 back to the way things worked pre-9.3.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant "bloat" of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.
(9.3.3,9.2.7,9.1.12,9.0.16) Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas)
In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as "PANIC: WAL contains references to invalid pages" were also possible.
(9.3.3) Fix WAL logging of visibility map changes (Heikki Linnakangas)
(9.3.3,9.2.7,9.1.12,9.0.16) Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)
This error could result in "PANIC: WAL contains references to invalid pages" failures.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a partial-page write during a system crash.
(9.3.3,9.2.7,9.1.12) When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas)
(9.3.3) Ensure walreceiver sends hot-standby feedback messages on time even when there is a continuous stream of data (Andres Freund, Amit Kapila)
(9.3.3) Prevent timeout interrupts from taking control away from mainline code unless ImmediateInterruptOK is set (Andres Freund, Tom Lane)
This is a serious issue for any application making use of statement timeouts, as it could cause all manner of strange failures after a timeout occurred. We have seen reports of "stuck" spinlocks, ERRORs being unexpectedly promoted to PANICs, unkillable backends, and other misbehaviors.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.
(9.3.3,9.2.7,9.1.12) Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix possible crashes from using ereport()
too early during server startup (Tom
Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.
(9.3.3) Fix parsing of Unicode literals and identifiers just before the end of a command string or function body (Tom Lane)
(9.3.3,9.2.7,9.1.12,9.0.16) Allow keywords that are type names to be used in lists of roles (Stephen Frost)
A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.
(9.3.3,9.2.7,9.1.12) Fix parser crash for EXISTS (SELECT * FROM zero_column_table) (Tom Lane)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)
(9.3.3) Fix mishandling of WHERE conditions pulled up from a LATERAL subquery (Tom Lane)
The typical symptom of this bug was a "JOIN qualification cannot refer to other relations" error, though subtle logic errors in created plans seem possible as well.
(9.3.3) Disallow LATERAL references to the target table of an UPDATE/DELETE (Tom Lane)
While this might be allowed in some future release, it was unintentional in 9.3, and didn't work quite right anyway.
(9.3.3,9.2.7) Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane)
Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s).
(9.3.3) Fix ANALYZE to not fail on a column that's a domain over a range type (Tom Lane)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Ensure that ANALYZE creates statistics for a table column even when all the values in it are "too wide" (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.
(9.3.3) Fix support for extensions containing event triggers (Tom Lane)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)
(9.3.3) Fix memory leakage in JSON functions (Craig Ringer)
(9.3.3,9.2.7) Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix possible misbehavior in plainto_tsquery()
(Heikki Linnakangas)
Use memmove()
not memcpy()
for copying overlapping memory regions.
There have been no field reports of this actually causing trouble,
but it's certainly risky.
(9.3.3,9.2.7,9.1.12) Fix placement of permissions checks in pg_start_backup()
and pg_stop_backup()
(Andres Freund, Magnus
Hagander)
The previous coding might attempt to do catalog access when it shouldn't.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)
(9.3.3,9.2.7) Fix *-qualification of named parameters in SQL-language functions (Tom Lane)
Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix misbehavior of PQhost()
on
Windows (Fujii Masao)
It should return localhost if no host has been specified.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.
(9.3.3,9.2.7) Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane)
(9.3.3,9.2.7) Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander)
(9.3.3,9.2.7,9.1.12) Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander)
(9.3.3,9.2.7,9.1.12) Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix misaligned descriptors in ecpg (MauMau)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)
(9.3.3) Fix contrib/pgbench's progress logging to avoid overflow when the scale factor is large (Tatsuo Ishii)
(9.3.3,9.2.7) Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi)
(9.3.3) Improve lost-connection error handling in contrib/postgres_fdw (Tom Lane)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Ensure client-code-only installation procedure works as documented (Peter Eisentraut)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.
(9.3.3,9.2.7,9.1.12,9.0.16) Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)
(9.3.3) Enable building with Visual Studio 2013 (Brar Piening)
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.
(9.3.3,9.2.7,9.1.12,9.0.16,8.4.20) Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.
Release date: 2013-12-05
This release contains a variety of fixes from 9.3.1. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, this release corrects a number of potential data corruption issues. See the first three changelog entries below to find out whether your installation has been affected and what steps you can take if so.
Also, if you are upgrading from a version earlier than 9.3.1, see Version 9.3.1.
(9.3.2,9.2.6) Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)
In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. In 9.2.0 and later, the probability of loss is higher, and it's also possible to get "could not access status of transaction" errors as a consequence of this bug. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).
(9.3.2) Fix multiple bugs in MultiXactId freezing (Andres Freund, Ãlvaro Herrera)
These bugs could lead to "could not access status of transaction" errors, or to duplicate or vanishing rows. Users upgrading from releases prior to 9.3.0 are not affected.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix latent corruption but will not be able to fix all pre-existing data errors.
As a separate issue, these bugs can also cause standby servers to get out of sync with the primary, thus exhibiting data errors that are not in the primary. Therefore, it's recommended that 9.3.0 and 9.3.1 standby servers be re-cloned from the primary (e.g., with a new base backup) after upgrading.
(9.3.2,9.2.6,9.1.11,9.0.15) Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas)
This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading.
(9.3.2) Fix multiple bugs in update chain traversal (Andres Freund, Ãlvaro Herrera)
These bugs could result in incorrect behavior, such as locking or even updating the wrong row, in the presence of concurrent updates. Spurious "unable to fetch updated version of tuple" errors were also possible.
(9.3.2,9.2.6) Fix dangling-pointer problem in fast-path locking (Tom Lane)
This could lead to corruption of the lock data structures in shared memory, causing "lock already held" and other odd errors.
(9.3.2) Fix assorted race conditions in timeout management (Tom Lane)
These errors could result in a server process becoming unresponsive because it had blocked SIGALRM and/or SIGINT.
(9.3.2,9.2.6,9.1.11,9.0.15) Truncate pg_multixact contents during WAL replay (Andres Freund)
This avoids ever-increasing disk space consumption in standby servers.
(9.3.2,9.2.6) Ensure an anti-wraparound VACUUM counts a page as scanned when it's only verified that no tuples need freezing (Sergey Burladyan, Jeff Janes)
This bug could result in failing to advance relfrozenxid, so that the table would still be thought to need another anti-wraparound vacuum. In the worst case the database might even shut down to prevent wraparound.
(9.3.2) Fix full-table-vacuum request mechanism for MultiXactIds (Andres Freund)
This bug could result in large amounts of useless autovacuum activity.
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)
This could lead to transient wrong answers or query failures.
(9.3.2,9.2.6) Fix "unexpected spgdoinsert() failure" error during SP-GiST index creation (Teodor Sigaev)
(9.3.2) Fix assorted bugs in materialized views (Kevin Grittner, Andres Freund)
(9.3.2) Re-allow duplicate table aliases if they're within aliased JOINs (Tom Lane)
Historically PostgreSQL has accepted queries like
SELECT ... FROM tab1 x CROSS JOIN (tab2 x CROSS JOIN tab3 y) z
although a strict reading of the SQL standard would forbid the duplicate usage of table alias x. A misguided change in 9.3.0 caused it to reject some such cases that were formerly accepted. Restore the previous behavior.
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)
This avoids unexpected results due to extra evaluations of the volatile function.
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)
This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.
(9.3.2,9.2.6) Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses (Tom Lane)
(9.3.2,9.2.6) Fix planner crash with whole-row reference to a subquery (Tom Lane)
(9.3.2,9.2.6,9.1.11) Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane)
The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable.
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix premature deletion of temporary files (Andres Freund)
(9.3.2,9.2.6) Prevent intra-transaction memory leak when printing range values (Tom Lane)
This fix actually cures transient memory leaks in any datatype output function, but range types are the only ones known to have had a significant problem.
(9.3.2) Fix memory leaks when reloading configuration files (Heikki Linnakangas, Hari Babu)
(9.3.2,9.2.6) Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages (Michael Paquier and Tom Lane)
(9.3.2,9.2.6) Allow default arguments and named-argument notation for window functions (Tom Lane)
Previously, these cases were likely to crash.
(9.3.2) Suppress trailing whitespace on each line when pretty-printing rules and views (Tom Lane)
9.3.0 generated such whitespace in many more cases than previous versions did. To reduce unexpected behavioral changes, suppress unnecessary whitespace in all cases.
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix possible read past end of memory in rule printing (Peter Eisentraut)
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix array slicing of int2vector and oidvector values (Tom Lane)
Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.
(9.3.2) Return a valid JSON value when converting an empty hstore value to json (Oskari Saarenmaa)
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)
In some cases, the system would use the simple GMT offset value
when it should have used the regular timezone setting that had
prevailed before the simple offset was selected. This change also
causes the timeofday
function to
honor the simple GMT offset zone.
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)
This fix applies only to Windows.
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)
Previously, the generated script would fail during restore.
(9.3.2) Fix pg_isready to handle its -d option properly (FabrÃzio de Royes Mello and Fujii Masao)
(9.3.2) Fix parsing of WAL file names in pg_receivexlog (Heikki Linnakangas)
This error made pg_receivexlog unable to restart streaming after stopping, once at least 4 GB of WAL had been written.
(9.3.2) Report out-of-disk-space failures properly in pg_upgrade (Peter Eisentraut)
(9.3.2,9.2.6,9.1.11) Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi)
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)
(9.3.2,9.2.6,9.1.11,9.0.15,8.4.19) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.
Release date: 2013-10-10
This release contains a variety of fixes from 9.3.0. For information about new features in the 9.3 major release, see Version 9.3.0.
A dump/restore is not required for those running 9.3.X.
However, if you use the hstore extension, see the first changelog entry.
(9.3.1) Ensure new-in-9.3 JSON functionality is added to the hstore extension during an update (Andrew Dunstan)
Users who upgraded a pre-9.3 database containing hstore should execute
ALTER EXTENSION hstore UPDATE;
after installing 9.3.1, to add two new JSON functions and a cast. (If hstore is already up to date, this command does nothing.)
(9.3.1,9.2.5) Fix memory leak when creating B-tree indexes on range columns (Heikki Linnakangas)
(9.3.1,9.2.5,9.1.10,9.0.14,8.4.18) Fix memory leak caused by lo_open()
failure (Heikki Linnakangas)
(9.3.1,9.2.5,9.1.10) Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas)
(9.3.1,9.2.5,9.1.10,9.0.14,8.4.18) Fix deadlock bug in libpq when using SSL (Stephen Frost)
(9.3.1) Fix timeline handling bugs in pg_receivexlog (Heikki Linnakangas, Andrew Gierth)
(9.3.1,9.2.5,9.1.10,9.0.14,8.4.18) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)
(9.3.1,9.2.5,9.1.10,9.0.14,8.4.18) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)
Release date: 2013-09-09
Major enhancements in PostgreSQL 9.3 include:
(9.3.0) Add materialized views
(9.3.0) Make simple views auto-updatable
(9.3.0) Add many features for the JSON data type, including operators and functions to extract elements from JSON values
(9.3.0) Implement SQL-standard LATERAL option for FROM-clause subqueries and function calls
(9.3.0) Allow foreign data wrappers to support writes (inserts/updates/deletes) on foreign tables
(9.3.0) Add a Postgres foreign data wrapper to allow access to other Postgres servers
(9.3.0) Add support for event triggers
(9.3.0) Add optional ability to checksum data pages and report corruption
(9.3.0) Prevent non-key-field row updates from blocking foreign key checks
(9.3.0) Greatly reduce System V shared memory requirements
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.3 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
(9.3.0) Rename replication_timeout to wal_sender_timeout (Amit Kapila)
This setting controls the WAL sender timeout.
(9.3.0) Require superuser privileges to set commit_delay because it can now potentially delay other sessions (Simon Riggs)
(9.3.0) Allow in-memory sorts to use their full memory allocation (Jeff Janes)
Users who have set work_mem based on the previous behavior may need to revisit that setting.
(9.3.0) Throw an error if a tuple to be updated or deleted has already been updated or deleted by a BEFORE trigger (Kevin Grittner)
Formerly, the originally-intended update was silently skipped, resulting in logical inconsistency since the trigger might have propagated data to other places based on the intended update. Now an error is thrown to prevent the inconsistent results from being committed. If this change affects your application, the best solution is usually to move the data-propagation actions to an AFTER trigger.
This error will also be thrown if a query invokes a volatile function that modifies rows that are later modified by the query itself. Such cases likewise previously resulted in silently skipping updates.
(9.3.0) Change multicolumn ON UPDATE SET NULL/SET DEFAULT foreign key actions to affect all columns of the constraint, not just those changed in the UPDATE (Tom Lane)
Previously, we would set only those referencing columns that correspond to referenced columns that were changed by the UPDATE. This was what was required by SQL-92, but more recent editions of the SQL standard specify the new behavior.
(9.3.0) Force cached plans to be replanned if the search_path changes (Tom Lane)
Previously, cached plans already generated in the current session were not redone if the query was re-executed with a new search_path setting, resulting in surprising behavior.
(9.3.0) Fix to_number()
to properly handle a period used
as a thousands separator (Tom Lane)
Previously, a period was considered to be a decimal point even when the locale says it isn't and the D format code is used to specify use of the locale-specific decimal point. This resulted in wrong answers if FM format was also used.
(9.3.0) Fix STRICT non-set-returning functions that have set-returning functions in their arguments to properly return null rows (Tom Lane)
A null value passed to the strict function should result in a null output, but instead, that output row was suppressed entirely.
(9.3.0) Store WAL in a continuous stream, rather than skipping the last 16MB segment every 4GB (Heikki Linnakangas)
Previously, WAL files with names ending in FF were not used because of this skipping. If you have WAL backup or restore scripts that took this behavior into account, they will need to be adjusted.
(9.3.0) In pg_constraint.confmatchtype, store the default foreign key match type (non-FULL, non-PARTIAL) as s for "simple" (Tom Lane)
Previously this case was represented by u for "unspecified".
Below you will find a detailed account of the changes between PostgreSQL 9.3 and the previous major release.
(9.3.0) Prevent non-key-field row updates from blocking foreign key checks (Ãlvaro Herrera, Noah Misch, Andres Freund, Alexander Shulgin, Marti Raudsepp, Alexander Shulgin)
This change improves concurrency and reduces the probability of deadlocks when updating tables involved in a foreign-key constraint. UPDATEs that do not change any columns referenced in a foreign key now take the new NO KEY UPDATE lock mode on the row, while foreign key checks use the new KEY SHARE lock mode, which does not conflict with NO KEY UPDATE. So there is no blocking unless a foreign-key column is changed.
(9.3.0) Add configuration variable lock_timeout to allow limiting how long a session will wait to acquire any one lock (Zoltán Böszörményi)
(9.3.0) Add SP-GiST support for range data types (Alexander Korotkov)
(9.3.0) Allow GiST indexes to be unlogged (Jeevan Chalke)
(9.3.0) Improve performance of GiST index insertion by randomizing the choice of which page to descend to when there are multiple equally good alternatives (Heikki Linnakangas)
(9.3.0) Improve concurrency of hash index operations (Robert Haas)
(9.3.0) Collect and use histograms of upper and lower bounds, as well as range lengths, for range types (Alexander Korotkov)
(9.3.0) Improve optimizer's cost estimation for index access (Tom Lane)
(9.3.0) Improve optimizer's hash table size estimate for doing DISTINCT via hash aggregation (Tom Lane)
(9.3.0) Suppress no-op Result and Limit plan nodes (Kyotaro Horiguchi, Amit Kapila, Tom Lane)
(9.3.0) Reduce optimizer overhead by not keeping plans on the basis of cheap startup cost when the optimizer only cares about total cost overall (Tom Lane)
(9.3.0) Add COPY FREEZE option to avoid the overhead of marking tuples as frozen later (Simon Riggs, Jeff Davis)
(9.3.0) Improve performance of NUMERIC calculations (Kyotaro Horiguchi)
(9.3.0) Improve synchronization of sessions waiting for commit_delay (Peter Geoghegan)
This greatly improves the usefulness of commit_delay.
(9.3.0) Improve performance of the CREATE TEMPORARY TABLE ... ON COMMIT DELETE ROWS option by not truncating such temporary tables in transactions that haven't touched any temporary tables (Heikki Linnakangas)
(9.3.0) Make vacuum recheck visibility after it has removed expired tuples (Pavan Deolasee)
This increases the chance of a page being marked as all-visible.
(9.3.0) Add per-resource-owner lock caches (Jeff Janes)
This speeds up lock bookkeeping at statement completion in multi-statement transactions that hold many locks; it is particularly useful for pg_dump.
(9.3.0) Avoid scanning the entire relation cache at commit of a transaction that creates a new relation (Jeff Janes)
This speeds up sessions that create many tables in successive small transactions, such as a pg_restore run.
(9.3.0) Improve performance of transactions that drop many relations (Tomas Vondra)
(9.3.0) Add optional ability to checksum data pages and report corruption (Simon Riggs, Jeff Davis, Greg Smith, Ants Aasma)
The checksum option can be set during initdb.
(9.3.0) Split the statistics collector's data file into separate global and per-database files (Tomas Vondra)
This reduces the I/O required for statistics tracking.
(9.3.0) Fix the statistics collector to operate properly in cases where the system clock goes backwards (Tom Lane)
Previously, statistics collection would stop until the time again reached the latest time previously recorded.
(9.3.0) Emit an informative message to postmaster standard error when we are about to stop logging there (Tom Lane)
This should help reduce user confusion about where to look for log output in common configurations that log to standard error only during postmaster startup.
(9.3.0) When an authentication failure occurs, log the relevant pg_hba.conf line, to ease debugging of unintended failures (Magnus Hagander)
(9.3.0) Improve LDAP error reporting and documentation (Peter Eisentraut)
(9.3.0) Add support for specifying LDAP authentication parameters in URL format, per RFC 4516 (Peter Eisentraut)
(9.3.0) Change the ssl_ciphers parameter to start with DEFAULT, rather than ALL, then remove insecure ciphers (Magnus Hagander)
This should yield a more appropriate SSL cipher set.
(9.3.0) Parse and load pg_ident.conf once, not during each connection (Amit Kapila)
This is similar to how pg_hba.conf is processed.
(9.3.0) Greatly reduce System V shared memory requirements (Robert Haas)
On Unix-like systems, mmap()
is
now used for most of PostgreSQL's
shared memory. For most users, this will eliminate any need to
adjust kernel parameters for shared memory.
(9.3.0) Allow the postmaster to listen on multiple Unix-domain sockets (Honza Horák)
The configuration parameter unix_socket_directory is replaced by unix_socket_directories, which accepts a list of directories.
(9.3.0) Allow a directory of configuration files to be processed (Magnus Hagander, Greg Smith, Selena Deckelmann)
Such a directory is specified with include_dir in the server configuration file.
(9.3.0) Increase the maximum initdb-configured value for shared_buffers to 128MB (Robert Haas)
This is the maximum value that initdb will attempt to set in postgresql.conf; the previous maximum was 32MB.
(9.3.0) Remove the external PID file, if any, on postmaster exit (Peter Eisentraut)
(9.3.0) Allow a streaming replication standby to follow a timeline switch (Heikki Linnakangas)
This allows streaming standby servers to receive WAL data from a slave newly promoted to master status. Previously, other standbys would require a resync to begin following the new master.
(9.3.0) Add SQL functions pg_is_in_backup()
and pg_backup_start_time()
(Gilles Darold)
These functions report the status of base backups.
(9.3.0) Improve performance of streaming log shipping with synchronous_commit disabled (Andres Freund)
(9.3.0) Allow much faster promotion of a streaming standby to primary (Simon Riggs, Kyotaro Horiguchi)
(9.3.0) Add the last checkpoint's redo location to pg_controldata's output (Fujii Masao)
This information is useful for determining which WAL files are needed for restore.
(9.3.0) Allow tools like pg_receivexlog to run on computers with different architectures (Heikki Linnakangas)
WAL files can still only be replayed on servers with the same architecture as the primary; but they can now be transmitted to and stored on machines of any architecture, since the streaming replication protocol is now machine-independent.
(9.3.0) Make pg_basebackup --write-recovery-conf output a minimal recovery.conf file (Zoltán Böszörményi, Magnus Hagander)
This simplifies setting up a standby server.
(9.3.0) Allow pg_receivexlog and pg_basebackup --xlog-method to handle streaming timeline switches (Heikki Linnakangas)
(9.3.0) Add wal_receiver_timeout parameter to control the WAL receiver's timeout (Amit Kapila)
This allows more rapid detection of connection failure.
(9.3.0) Change the WAL record format to allow splitting the record header across pages (Heikki Linnakangas)
The new format is slightly more compact, and is more efficient to write.
(9.3.0) Implement SQL-standard LATERAL option for FROM-clause subqueries and function calls (Tom Lane)
This feature allows subqueries and functions in FROM to reference columns from other tables in the FROM clause. The LATERAL keyword is optional for functions.
(9.3.0) Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita)
(9.3.0) Allow a multirow VALUES clause in a rule to reference OLD/NEW (Tom Lane)
(9.3.0) Add support for event triggers (Dimitri Fontaine, Robert Haas, Ãlvaro Herrera)
This allows server-side functions written in event-enabled languages to be called when DDL commands are run.
(9.3.0) Allow foreign data wrappers to support writes (inserts/updates/deletes) on foreign tables (KaiGai Kohei)
(9.3.0) Add CREATE SCHEMA ... IF NOT EXISTS clause (FabrÃzio de Royes Mello)
(9.3.0) Make REASSIGN OWNED also change ownership of shared objects (Ãlvaro Herrera)
(9.3.0) Make CREATE AGGREGATE complain if the given initial value string is not valid input for the transition datatype (Tom Lane)
(9.3.0) Suppress CREATE TABLE's messages about implicit index and sequence creation (Robert Haas)
These messages now appear at DEBUG1 verbosity, so that they will not be shown by default.
(9.3.0) Allow DROP TABLE IF EXISTS to succeed when a non-existent schema is specified in the table name (Bruce Momjian)
Previously, it threw an error if the schema did not exist.
(9.3.0) Provide clients with constraint violation details as separate fields (Pavel Stehule)
This allows clients to retrieve table, column, data type, or constraint name error details. Previously such information had to be extracted from error strings. Client library support is required to access these fields.
(9.3.0) Support IF NOT EXISTS option in ALTER TYPE ... ADD VALUE (Andrew Dunstan)
This is useful for conditionally adding values to enumerated types.
(9.3.0) Add ALTER ROLE ALL SET to establish settings for all users (Peter Eisentraut)
This allows settings to apply to all users in all databases. ALTER DATABASE SET already allowed addition of settings for all users in a single database. postgresql.conf has a similar effect.
(9.3.0) Add support for ALTER RULE ... RENAME (Ali Dar)
(9.3.0) Add materialized views (Kevin Grittner)
Unlike ordinary views, where the base tables are read on every access, materialized views create physical tables at creation or refresh time. Access to the materialized view then reads from its physical table. There is not yet any facility for incrementally refreshing materialized views or auto-accessing them via base table access.
(9.3.0) Make simple views auto-updatable (Dean Rasheed)
Simple views that reference some or all columns from a single base table are now updatable by default. More complex views can be made updatable using INSTEAD OF triggers or INSTEAD rules.
(9.3.0) Add CREATE RECURSIVE VIEW syntax (Peter Eisentraut)
Internally this is translated into CREATE VIEW ... WITH RECURSIVE ....
(9.3.0) Improve view/rule printing code to handle cases where referenced tables are renamed, or columns are renamed, added, or dropped (Tom Lane)
Table and column renamings can produce cases where, if we merely substitute the new name into the original text of a rule or view, the result is ambiguous. This change fixes the rule-dumping code to insert manufactured table and column aliases when needed to preserve the original semantics.
(9.3.0) Increase the maximum size of large objects from 2GB to 4TB (Nozomi Anzai, Yugo Nagata)
This change includes adding 64-bit-capable large object access functions, both in the server and in libpq.
(9.3.0) Allow text timezone designations, e.g. "America/Chicago", in the "T" field of ISO-format timestamptz input (Bruce Momjian)
(9.3.0) Add operators and functions to extract elements from JSON values (Andrew Dunstan)
(9.3.0) Allow JSON values to be converted into records (Andrew Dunstan)
(9.3.0) Add functions to convert scalars, records, and hstore values to JSON (Andrew Dunstan)
(9.3.0) Add array_remove()
and array_replace()
functions (Marco Nenciarini,
Gabriele Bartolini)
(9.3.0) Allow concat()
and format()
to properly expand VARIADIC-labeled arguments (Pavel Stehule)
(9.3.0) Improve format()
to provide field width and
left/right alignment options (Pavel Stehule)
(9.3.0) Make to_char()
, to_date()
, and to_timestamp()
handle negative (BC) century
values properly (Bruce Momjian)
Previously the behavior was either wrong or inconsistent with positive/AD handling, e.g. with the format mask "IYYY-IW-DY".
(9.3.0) Make to_date()
and to_timestamp()
return proper results when
mixing ISO and Gregorian
week/day designations (Bruce Momjian)
(9.3.0) Cause pg_get_viewdef()
to start a new line by
default after each SELECT target list
entry and FROM entry (Marko Tiikkaja)
This reduces line length in view printing, for instance in pg_dump output.
(9.3.0) Fix map_sql_value_to_xml_value()
to print values of domain types the same way their base type would
be printed (Pavel Stehule)
There are special formatting rules for certain built-in types such as boolean; these rules now also apply to domains over these types.
(9.3.0) Allow PL/pgSQL to use RETURN with a composite-type expression (Asif Rehman)
Previously, in a function returning a composite type, RETURN could only reference a variable of that type.
(9.3.0) Allow PL/pgSQL to access constraint violation details as separate fields (Pavel Stehule)
(9.3.0) Allow PL/pgSQL to access the number of rows processed by COPY (Pavel Stehule)
A COPY executed in a PL/pgSQL function now updates the value retrieved by GET DIAGNOSTICS x = ROW_COUNT.
(9.3.0) Allow unreserved keywords to be used as identifiers everywhere in PL/pgSQL (Tom Lane)
In certain places in the PL/pgSQL grammar, keywords had to be quoted to be used as identifiers, even if they were nominally unreserved.
(9.3.0) Add PL/Python result object string handler (Peter Eisentraut)
This allows plpy.debug(rv) to output something reasonable.
(9.3.0) Make PL/Python convert OID values to a proper Python numeric type (Peter Eisentraut)
(9.3.0) Handle SPI errors raised explicitly (with PL/Python's RAISE) the same as internal SPI errors (Oskari Saarenmaa and Jan Urbanski)
(9.3.0) Prevent leakage of SPI tuple tables during subtransaction abort (Tom Lane)
At the end of any failed subtransaction, the core SPI code now
releases any SPI tuple tables that were created during that
subtransaction. This avoids the need for SPI-using code to keep
track of such tuple tables and release them manually in
error-recovery code. Failure to do so caused a number of
transaction-lifespan memory leakage issues in PL/pgSQL and perhaps
other SPI clients. SPI_freetuptable()
now protects itself
against multiple freeing requests, so any existing code that did
take care to clean up shouldn't be broken by this change.
(9.3.0) Allow SPI functions to access the number of rows processed by COPY (Pavel Stehule)
(9.3.0) Add command-line utility pg_isready to check if the server is ready to accept connections (Phil Sorber)
(9.3.0) Support multiple --table arguments for pg_restore, clusterdb, reindexdb, and vacuumdb (Josh Kupershmidt)
This is similar to the way pg_dump's --table option works.
(9.3.0) Add --dbname option to pg_dumpall, pg_basebackup, and pg_receivexlog to allow specifying a connection string (Amit Kapila)
(9.3.0) Add libpq function PQconninfo()
to return connection information
(Zoltán Böszörményi, Magnus Hagander)
(9.3.0) Adjust function cost settings so psql tab completion and pattern searching are more efficient (Tom Lane)
(9.3.0) Improve psql's tab completion coverage (Jeff Janes, Dean Rasheed, Peter Eisentraut, Magnus Hagander)
(9.3.0) Allow the psql --single-transaction mode to work when reading from standard input (Fabien Coelho, Robert Haas)
Previously this option only worked when reading from a file.
(9.3.0) Remove psql warning when connecting to an older server (Peter Eisentraut)
A warning is still issued when connecting to a server of a newer major version than psql's.
(9.3.0) Add psql command \watch to repeatedly execute a SQL command (Will Leinweber)
(9.3.0) Add psql command \gset to store query results in psql variables (Pavel Stehule)
(9.3.0) Add SSL information to psql's \conninfo command (Alastair Turner)
(9.3.0) Add "Security" column to psql's \df+ output (Jon Erdman)
(9.3.0) Allow psql command \l to accept a database name pattern (Peter Eisentraut)
(9.3.0) In psql, do not allow \connect to use defaults if there is no active connection (Bruce Momjian)
This might be the case if the server had crashed.
(9.3.0) Properly reset state after failure of a SQL command executed with psql's \g file (Tom Lane)
Previously, the output from subsequent SQL commands would unexpectedly continue to go to the same file.
(9.3.0) Add a latex-longtable output format to psql (Bruce Momjian)
This format allows tables to span multiple pages.
(9.3.0) Add a border=3 output mode to the psql latex format (Bruce Momjian)
(9.3.0) In psql's tuples-only and expanded output modes, no longer emit "(No rows)" for zero rows (Peter Eisentraut)
(9.3.0) In psql's unaligned, expanded output mode, no longer print an empty line for zero rows (Peter Eisentraut)
(9.3.0) Add pg_dump --jobs option to dump tables in parallel (Joachim Wieland)
(9.3.0) Make pg_dump output functions in a more predictable order (Joel Jacobson)
(9.3.0) Fix tar files emitted by pg_dump to be POSIX conformant (Brian Weaver, Tom Lane)
(9.3.0) Add --dbname option to pg_dump, for consistency with other client commands (Heikki Linnakangas)
The database name could already be supplied last without a flag.
(9.3.0) Make initdb fsync the newly created data directory (Jeff Davis)
This insures data integrity in event of a system crash shortly after initdb. This can be disabled by using --nosync.
(9.3.0) Add initdb --sync-only option to sync the data directory to durable storage (Bruce Momjian)
This is used by pg_upgrade.
(9.3.0) Make initdb issue a warning about placing the data directory at the top of a file system mount point (Bruce Momjian)
(9.3.0) Add infrastructure to allow plug-in background worker processes (Ãlvaro Herrera)
(9.3.0) Create a centralized timeout API (Zoltán Böszörményi)
(9.3.0) Create libpgcommon and move pg_malloc()
and other functions there (Ãlvaro
Herrera, Andres Freund)
This allows libpgport to be used solely for portability-related code.
(9.3.0) Add support for list links embedded in larger structs (Andres Freund)
(9.3.0) Use SA_RESTART for all signals, including SIGALRM (Tom Lane)
(9.3.0) Ensure that the correct text domain is used when translating
errcontext()
messages (Heikki
Linnakangas)
(9.3.0) Standardize naming of client-side memory allocation functions (Tom Lane)
(9.3.0) Provide support for "static assertions" that will fail at compile time if some compile-time-constant condition is not met (Andres Freund, Tom Lane)
(9.3.0) Support Assert()
in client-side
code (Andrew Dunstan)
(9.3.0) Add decoration to inform the C compiler that some ereport()
and elog()
calls do not return (Peter Eisentraut,
Andres Freund, Tom Lane, Heikki Linnakangas)
(9.3.0) Allow options to be passed to the regression test output comparison utility via PG_REGRESS_DIFF_OPTS (Peter Eisentraut)
(9.3.0) Add isolation tests for CREATE INDEX CONCURRENTLY (Abhijit Menon-Sen)
(9.3.0) Remove typedefs for int2/int4 as they are better represented as int16/int32 (Peter Eisentraut)
(9.3.0) Fix install-strip on Mac OS X (Peter Eisentraut)
(9.3.0) Remove configure flag --disable-shared, as it is no longer supported (Bruce Momjian)
(9.3.0) Rewrite pgindent in Perl (Andrew Dunstan)
(9.3.0) Provide Emacs macro to set Perl formatting to match PostgreSQL's perltidy settings (Peter Eisentraut)
(9.3.0) Run tool to check the keyword list whenever the backend grammar is changed (Tom Lane)
(9.3.0) Change the way UESCAPE is lexed, to significantly reduce the size of the lexer tables (Heikki Linnakangas)
(9.3.0) Centralize flex and bison make rules (Peter Eisentraut)
This is useful for pgxs authors.
(9.3.0) Change many internal backend functions to return object OIDs rather than void (Dimitri Fontaine)
This is useful for event triggers.
(9.3.0) Invent pre-commit/pre-prepare/pre-subcommit events for transaction callbacks (Tom Lane)
Loadable modules that use transaction callbacks might need modification to handle these new event types.
(9.3.0) Add function pg_identify_object()
to produce a
machine-readable description of a database object (Ãlvaro
Herrera)
(9.3.0) Add post-ALTER-object server hooks (KaiGai Kohei)
(9.3.0) Implement a generic binary heap and use it for Merge-Append operations (Abhijit Menon-Sen)
(9.3.0) Provide a tool to help detect timezone abbreviation changes when updating the src/timezone/data files (Tom Lane)
(9.3.0) Add pkg-config support for libpq and ecpg libraries (Peter Eisentraut)
(9.3.0) Remove src/tools/backend, now that the content is on the PostgreSQL wiki (Bruce Momjian)
(9.3.0) Split out WAL reading as an independent facility (Heikki Linnakangas, Andres Freund)
(9.3.0) Use a 64-bit integer to represent WAL positions (XLogRecPtr) instead of two 32-bit integers (Heikki Linnakangas)
Generally, tools that need to read the WAL format will need to be adjusted.
(9.3.0) Allow PL/Python to support platform-specific include directories (Peter Eisentraut)
(9.3.0) Allow PL/Python on OS X to build against custom versions of Python (Peter Eisentraut)
(9.3.0) Add a Postgres foreign data wrapper contrib module to allow access to other Postgres servers (Shigeru Hanada)
This foreign data wrapper supports writes.
(9.3.0) Add pg_xlogdump contrib program (Andres Freund)
(9.3.0) Add support for indexing of regular-expression searches in pg_trgm (Alexander Korotkov)
(9.3.0) Improve pg_trgm's handling of multibyte characters (Tom Lane)
On a platform that does not have the wcstombs() or towlower() library functions, this could result in an incompatible change in the contents of pg_trgm indexes for non-ASCII data. In such cases, REINDEX those indexes to ensure correct search results.
(9.3.0) Add a pgstattuple function to report the size of the pending-insertions list of a GIN index (Fujii Masao)
(9.3.0) Make oid2name, pgbench, and vacuumlo set fallback_application_name (Amit Kapila)
(9.3.0) Improve output of pg_test_timing (Bruce Momjian)
(9.3.0) Improve output of pg_test_fsync (Peter Geoghegan)
(9.3.0) Create a dedicated foreign data wrapper, with its own option validator function, for dblink (Shigeru Hanada)
When using this FDW to define the target of a dblink connection, instead of using a hard-wired list of connection options, the underlying libpq library is consulted to see what connection options it supports.
(9.3.0) Allow pg_upgrade to do dumps and restores in parallel (Bruce Momjian, Andrew Dunstan)
This allows parallel schema dump/restore of databases, as well as parallel copy/link of data files per tablespace. Use the --jobs option to specify the level of parallelism.
(9.3.0) Make pg_upgrade create Unix-domain sockets in the current directory (Bruce Momjian, Tom Lane)
This reduces the possibility that someone will accidentally connect during the upgrade.
(9.3.0) Make pg_upgrade --check mode properly detect the location of non-default socket directories (Bruce Momjian, Tom Lane)
(9.3.0) Improve performance of pg_upgrade for databases with many tables (Bruce Momjian)
(9.3.0) Improve pg_upgrade's logs by showing executed commands (Ãlvaro Herrera)
(9.3.0) Improve pg_upgrade's status display during copy/link (Bruce Momjian)
(9.3.0) Add --foreign-keys option to pgbench (Jeff Janes)
This adds foreign key constraints to the standard tables created by pgbench, for use in foreign key performance testing.
(9.3.0) Allow pgbench to aggregate performance statistics and produce output every --aggregate-interval seconds (Tomas Vondra)
(9.3.0) Add pgbench --sampling-rate option to control the percentage of transactions logged (Tomas Vondra)
(9.3.0) Reduce and improve the status message output of pgbench's initialization mode (Robert Haas, Peter Eisentraut)
(9.3.0) Add pgbench -q mode to print one output line every five seconds (Tomas Vondra)
(9.3.0) Output pgbench elapsed and estimated remaining time during initialization (Tomas Vondra)
(9.3.0) Allow pgbench to use much larger scale factors, by changing relevant columns from integer to bigint when the requested scale factor exceeds 20000 (Greg Smith)
(9.3.0) Allow EPUB-format documentation to be created (Peter Eisentraut)
(9.3.0) Update FreeBSD kernel configuration documentation (Brad Davis)
(9.3.0) Improve WINDOW function documentation (Bruce Momjian, Florian Pflug)
(9.3.0) Add instructions for setting up the documentation tool chain on macOS (Peter Eisentraut)
(9.3.0) Improve commit_delay documentation (Peter Geoghegan)
Release date: 2017-11-09
This release contains a variety of fixes from 9.2.23. For information about new features in the 9.2 major release, see Version 9.2.0.
This is expected to be the last PostgreSQL release in the 9.2.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.22, see Version 9.2.22.
(9.2.24,9.3.20) Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. CVE-2017-12172 or CVE-2017-12172)
(9.2.24,9.3.20) Properly reject attempts to convert infinite float values to type numeric (Tom Lane, KaiGai Kohei)
Previously the behavior was platform-dependent.
(9.2.24,9.3.20) Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
(9.2.24,9.3.20) Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.
(9.2.24,9.3.20) Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
(9.2.24,9.3.20) Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
(9.2.24,9.3.20) Prevent low-probability crash in processing of nested trigger firings (Tom Lane)
(9.2.24,9.3.20) Correctly restore the umask setting when file creation fails in
COPY or lo_export()
(Peter Eisentraut)
(9.2.24,9.3.20) Give a better error message for duplicate column names in ANALYZE (Nathan Bossart)
(9.2.24,9.3.20) Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.
(9.2.24,9.3.20) Fix libpq to guard against integer overflow in the row count of a PGresult (Michael Paquier)
(9.2.24,9.3.20) Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane)
This fixes various issues; the only one likely to be user-visible is that the default DST rules for a POSIX-style zone name, if no posixrules file exists in the timezone data directory, now match current US law rather than what it was a dozen years ago.
(9.2.24,9.3.20) Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
Release date: 2017-08-31
This release contains a small number of fixes from 9.2.22. For information about new features in the 9.2 major release, see Version 9.2.0.
The PostgreSQL community will stop releasing updates for the 9.2.X release series in September 2017. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.22, see Version 9.2.22.
(9.2.23,9.3.19) Show foreign tables in information_schema.table_privileges view (Peter Eisentraut)
All other relevant information_schema views include foreign tables, but this one ignored them.
Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:
SET search_path TO information_schema; CREATE OR REPLACE VIEW table_privileges AS SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor, CAST(grantee.rolname AS sql_identifier) AS grantee, CAST(current_database() AS sql_identifier) AS table_catalog, CAST(nc.nspname AS sql_identifier) AS table_schema, CAST(c.relname AS sql_identifier) AS table_name, CAST(c.prtype AS character_data) AS privilege_type, CAST( CASE WHEN -- object owner always has grant options pg_has_role(grantee.oid, c.relowner, 'USAGE') OR c.grantable THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable, CAST (CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy FROM ( SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable), pg_namespace nc, pg_authid u_grantor, ( SELECT oid, rolname FROM pg_authid UNION ALL SELECT 0::oid, 'PUBLIC' ) AS grantee (oid, rolname) WHERE c.relnamespace = nc.oid AND c.relkind IN ('r', 'v', 'f') AND c.grantee = grantee.oid AND c.grantor = u_grantor.oid AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER') AND (pg_has_role(u_grantor.oid, 'USAGE') OR pg_has_role(grantee.oid, 'USAGE') OR grantee.rolname = 'PUBLIC');
This must be repeated in each database to be fixed, including template0.
(9.2.23,9.3.19) Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction (Tom Lane)
This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about "cannot drop active portal".
(9.2.23,9.3.19) Remove assertion that could trigger during a fatal exit (Tom Lane)
(9.2.23,9.3.19) Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)
Certain ALTER commands that change the definition of a composite type or domain type are supposed to fail if there are any stored values of that type in the database, because they lack the infrastructure needed to update or check such values. Previously, these checks could miss relevant values that are wrapped inside range types or sub-domains, possibly allowing the database to become inconsistent.
(9.2.23,9.3.19) Change ecpg's parser to allow RETURNING clauses without attached C variables (Michael Meskes)
This allows ecpg programs to contain SQL constructs that use RETURNING internally (for example, inside a CTE) rather than using it to define values to be returned to the client.
(9.2.23,9.3.19) Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)
This fix avoids possible crashes of PL/Perl due to inconsistent assumptions about the width of time_t values. A side-effect that may be visible to extension developers is that _USE_32BIT_TIME_T is no longer defined globally in PostgreSQL Windows builds. This is not expected to cause problems, because type time_t is not used in any PostgreSQL API definitions.
Release date: 2017-08-10
This release contains a variety of fixes from 9.2.21. For information about new features in the 9.2 major release, see Version 9.2.0.
The PostgreSQL community will stop releasing updates for the 9.2.X release series in September 2017. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.2.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.2.20, see Version 9.2.20.
(9.2.22,9.3.18) Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)
The fix forCVE-2017-7486 or CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. CVE-2017-7547 or CVE-2017-7547)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog; CREATE OR REPLACE VIEW pg_user_mappings AS SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser, CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename, CASE WHEN (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role (S.srvowner, 'USAGE') OR has_server_privilege (S.oid, 'USAGE'))) OR (U.umuser = 0 AND pg_has_role (S.srvowner, 'USAGE')) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) THEN U.umoptions ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.
(9.2.22,9.3.18) Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. CVE-2017-7546 or CVE-2017-7546)
(9.2.22,9.3.18) On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)
This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.
(9.2.22,9.3.18) Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)
(9.2.22,9.3.18) Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)
(9.2.22,9.3.18) Prevent sending SSL session tickets to clients (Tom Lane)
This fix prevents reconnection failures with ticket-aware client-side SSL code.
(9.2.22,9.3.18) Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)
(9.2.22,9.3.18) Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)
Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.
(9.2.22,9.3.18) Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)
This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.
(9.2.22,9.3.18) Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund)
(9.2.22,9.3.18) Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)
(9.2.22,9.3.18) Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)
(9.2.22,9.3.18) Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane)
(9.2.22,9.3.18) Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing)
Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations.
(9.2.22,9.3.18) Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut)
(9.2.22,9.3.18) Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas)
CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind.
(9.2.22,9.3.18) Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)
(9.2.22,9.3.18) Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane)
(9.2.22,9.3.18) Tighten checks for whitespace in functions that parse
identifiers, such as regprocedurein()
(Tom Lane)
Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.
(9.2.22,9.3.18) Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane)
This avoids portability problems, typically manifesting as a "handshake" mismatch during library load, when working with recent Perl versions.
(9.2.22,9.3.18) In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro)
This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.
(9.2.22,9.3.18) Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)
(9.2.22,9.3.18) Fix pg_dump output to stdout on Windows (Kuntal Ghosh)
A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.2.22,9.3.18) Fix pg_get_ruledef()
to print
correct output for the ON SELECT rule of a
view whose columns have been renamed (Tom Lane)
In some corner cases, pg_dump
relies on pg_get_ruledef()
to dump
views, so that this error could result in dump/reload failures.
(9.2.22,9.3.18) Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane)
(9.2.22,9.3.18) Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)
A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
(9.2.22,9.3.18) Fix pg_upgrade to ensure that the ending WAL record does not have wal_level = minimum (Bruce Momjian)
This condition could prevent upgraded standby servers from reconnecting.
(9.2.22,9.3.18) Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane)
This supports larger extension libraries on platforms where it makes a difference.
(9.2.22,9.3.18) Fix unescaped-braces issue in our build scripts for Microsoft MSVC, to avoid a warning or error from recent Perl versions (Andrew Dunstan)
(9.2.22,9.3.18) In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan)
(9.2.22,9.3.18) In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)
This fixes a former need to move things around in standard Windows installations of libxml2.
(9.2.22,9.3.18) In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch)
Release date: 2017-05-11
This release contains a variety of fixes from 9.2.20. For information about new features in the 9.2 major release, see Version 9.2.0.
The PostgreSQL community will stop releasing updates for the 9.2.X release series in September 2017. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.2.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.2.20, see Version 9.2.20.
(9.2.21) Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. CVE-2017-7486 or CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry forCVE-2017-7547 or CVE-2017-7547, in Version 9.2.22.
(9.2.21,9.3.17) Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. CVE-2017-7484 or CVE-2017-7484)
(9.2.21,9.3.17) Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
(9.2.21,9.3.17) Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)
In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.
(9.2.21,9.3.17) Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.
(9.2.21,9.3.17) Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)
The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.
(9.2.21,9.3.17) Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)
This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.
(9.2.21,9.3.17) Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.
(9.2.21,9.3.17) Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
(9.2.21,9.3.17) Fix cursor_to_xml()
to produce
valid output with tableforest =
false (Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping <table> element.
(9.2.21,9.3.17) Improve performance of pg_timezone_names view (Tom Lane, David Rowley)
(9.2.21,9.3.17) Fix sloppy handling of corner-case errors from lseek()
and close()
(Tom Lane)
Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.
(9.2.21,9.3.17) Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
(9.2.21,9.3.17) Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)
(9.2.21,9.3.17) Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
(9.2.21,9.3.17) In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
(9.2.21,9.3.17) Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.
(9.2.21,9.3.17) Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
(9.2.21,9.3.17) Improve error handling in contrib/adminpack's pg_file_write()
function (Noah Misch)
Notably, it failed to detect errors reported by fclose()
.
(9.2.21,9.3.17) In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)
(9.2.21,9.3.17) Support OpenSSL 1.1.0 (Heikki Linnakangas, Andreas Karlsson, Tom Lane)
This is a back-patch of work previously done in newer branches; it's needed since many platforms are adopting newer OpenSSL versions.
(9.2.21,9.6.3,9.5.7,9.4.12,9.3.17) Support Tcl 8.6 in MSVC builds (Ãlvaro Herrera)
(9.2.21,9.3.17) Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
(9.2.21,9.3.17) Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
(9.2.21,9.3.17) Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.
Release date: 2017-02-09
This release contains a variety of fixes from 9.2.19. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted indexes.
Also, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.20,9.3.16) Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)
If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.
(9.2.20,9.3.16) Unconditionally WAL-log creation of the "init fork" for an unlogged table (Michael Paquier)
Previously, this was skipped when wal_level = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash.
(9.2.20) Fix WAL page header validation when re-reading segments (Takayuki Tsunakawa, Amit Kapila)
In corner cases, a spurious "out-of-sequence TLI" error could be reported during recovery.
(9.2.20,9.3.16) If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)
(9.2.20,9.3.16) Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)
(9.2.20,9.3.16) Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)
This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.
(9.2.20,9.3.16) Fix check for when an extension member object can be dropped (Tom Lane)
Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.
(9.2.20,9.3.16) Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier)
Previously, non-default settings of default_tablespace could result in broken indexes.
(9.2.20,9.3.16) Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)
This avoids "could not find trigger NNN" or "relation NNN has no triggers" errors.
(9.2.20,9.3.16) Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote)
The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.
(9.2.20,9.3.16) Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)
When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction.
(9.2.20,9.3.16) Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane)
This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit.
(9.2.20,9.3.16) Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)
Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"...").
(9.2.20,9.3.16) Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan)
Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.
(9.2.20,9.3.16) Prevent crash when ts_rewrite()
replaces a non-top-level subtree with an empty query (Artur
Zakirov)
(9.2.20,9.3.16) Fix performance problems in ts_rewrite()
(Tom Lane)
(9.2.20,9.3.16) Fix ts_rewrite()
's handling of
nested NOT operators (Tom Lane)
(9.2.20,9.3.16) Fix array_fill()
to handle empty
arrays properly (Tom Lane)
(9.2.20,9.3.16) Fix one-byte buffer overrun in quote_literal_cstr()
(Heikki Linnakangas)
The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.
(9.2.20,9.3.16) Prevent multiple calls of pg_start_backup()
and pg_stop_backup()
from running concurrently
(Michael Paquier)
This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.
(9.2.20,9.3.16) Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane)
In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field.
(9.2.20,9.3.16) Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)
(9.2.20,9.3.16) Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)
(9.2.20,9.3.16) Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)
This avoids failures if the objects are used after a Python garbage collection cycle has occurred.
(9.2.20,9.3.16) Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane)
This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that.
(9.2.20,9.3.16) Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing)
This change simplifies use of the same password file across Unix and Windows machines.
(9.2.20,9.3.16) Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)
(9.2.20,9.3.16) Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost)
(9.2.20,9.3.16) In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning "no pager" (Tom Lane)
Previously, such a setting caused output intended for the pager to vanish entirely.
(9.2.20,9.3.16) Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway)
(9.2.20,9.3.16) On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)
(9.2.20,9.3.16) Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)
This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.
(9.2.20,9.3.16) Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.
Release date: 2016-10-27
This release contains a variety of fixes from 9.2.18. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.19,9.3.15,9.1.24) Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)
The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated.
(9.2.19,9.3.15,9.1.24) Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth)
The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not.
(9.2.19,9.3.15) Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)
Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>.
(9.2.19,9.3.15) Suppress printing of zeroes for unmeasured times in EXPLAIN (Maksim Milyutin)
Certain option combinations resulted in printing zero values for times that actually aren't ever measured in that combination. Our general policy in EXPLAIN is not to print such fields at all, so do that consistently in all cases.
(9.2.19,9.3.15,9.1.24) Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs)
The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value.
(9.2.19,9.3.15) Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)
Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint.
(9.2.19,9.3.15,9.1.24) Remove artificial restrictions on the values accepted by
numeric_in()
and numeric_recv()
(Tom Lane)
We allow numeric values up to the limit of the storage format
(more than 1e100000), so it seems fairly
pointless that numeric_in()
rejected
scientific-notation exponents above 1000. Likewise, it was silly
for numeric_recv()
to reject more
than 1000 digits in an input value.
(9.2.19,9.3.15,9.1.24) Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
(9.2.19,9.3.15,9.1.24) Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund)
(9.2.19,9.3.15,9.1.24) Disallow starting a standalone backend with standby_mode turned on (Michael Paquier)
This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind.
(9.2.19,9.3.15,9.1.24) Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.
(9.2.19,9.3.15,9.1.24) Avoid corner-case memory leak in libpq (Tom Lane)
The reported problem involved leaking an error report during
PQreset()
, but there might be related
cases.
(9.2.19,9.3.15,9.1.24) Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi)
(9.2.19,9.3.15) In pg_dump, never dump range constructor functions (Tom Lane)
This oversight led to pg_upgrade failures with extensions containing range types, due to duplicate creation of the constructor functions.
(9.2.19,9.3.15,9.1.24) Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson)
(9.2.19,9.3.15) Update Windows time zone mapping to recognize some time zone names added in recent Windows versions (Michael Paquier)
(9.2.19,9.3.15,9.1.24) Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)
If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether.
(9.2.19,9.3.15,9.1.24) Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.
Release date: 2016-08-11
This release contains a variety of fixes from 9.2.17. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.18,9.3.14,9.1.23) Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)
A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. CVE-2016-5423 or CVE-2016-5423)
(9.2.18,9.3.14,9.1.23) Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)
Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.
Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.
Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.
pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.
These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. CVE-2016-5424 or CVE-2016-5424)
(9.2.18,9.3.14,9.1.23) Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)
The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW (NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW (NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.
(9.2.18,9.3.14,9.1.23) Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)
(9.2.18,9.3.14,9.1.23) Prevent crash in close_ps()
(the
point ## lseg operator) for NaN input coordinates (Tom Lane)
Make it return NULL instead of crashing.
(9.2.18,9.3.14,9.1.23) Fix several one-byte buffer over-reads in to_number()
(Peter Eisentraut)
In several cases the to_number()
function would read one more character than it should from the
input string. There is a small chance of a crash, if the input
happens to be adjacent to the end of memory.
(9.2.18,9.3.14,9.1.23) Avoid unsafe intermediate state during expensive paths through
heap_update()
(Masahiko Sawada,
Andres Freund)
Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.
(9.2.18,9.3.14) Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier)
(9.2.18,9.3.14,9.1.23) Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)
Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.
(9.2.18,9.3.14,9.1.23) Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Ãlvaro Herrera)
VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers.
(9.2.18,9.3.14,9.1.23) When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)
If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.
(9.2.18,9.3.14,9.1.23) Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)
The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.
(9.2.18,9.3.14,9.1.23) Prevent autovacuum from starting multiple workers for the same shared catalog (Ãlvaro Herrera)
Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.
(9.2.18,9.3.14) Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane)
(9.2.18,9.3.14,9.1.23) Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)
(9.2.18,9.3.14,9.1.23) Teach libpq to correctly decode server version from future servers (Peter Eisentraut)
It's planned to switch to two-part instead of three-part server
version numbers for releases after 9.6. Make sure that PQserverVersion()
returns the correct value for
such cases.
(9.2.18,9.3.14,9.1.23) Fix ecpg's code for unsigned long long array elements (Michael Meskes)
(9.2.18,9.3.14) In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane)
(9.2.18,9.3.14,9.1.23) Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)
(9.2.18,9.3.14,9.1.23) Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)
(9.2.18,9.3.14,9.1.23) Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)
(9.2.18,9.3.14,9.1.23) Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)
Change some test data that triggered the unusual sorting rules of these locales.
(9.2.18,9.3.14,9.1.23) Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)
This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.
(9.2.18,9.3.14,9.1.23) Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.
Release date: 2016-05-12
This release contains a variety of fixes from 9.2.16. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.17,9.3.13,9.1.22) Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
(9.2.17,9.3.13,9.1.22) Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
(9.2.17,9.3.13) Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)
Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.
(9.2.17,9.3.13,9.1.22) Fix possible misbehavior of TH,
th, and Y,YYY
format codes in to_timestamp()
(Tom
Lane)
These could advance off the end of the input string, causing subsequent format codes to read garbage.
(9.2.17,9.3.13,9.1.22) Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
(9.2.17,9.3.13,9.1.22) Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)
This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.
(9.2.17,9.3.13,9.1.22) Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)
In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
(9.2.17,9.3.13) Back-port 9.4-era memory-barrier code changes into 9.2 and 9.3 (Tom Lane)
These changes were not originally needed in pre-9.4 branches, but we recently back-patched a fix that expected the barrier code to work properly. Only IA64 (when using icc), HPPA, and Alpha platforms are affected.
(9.2.17,9.3.13) Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)
(9.2.17,9.3.13,9.1.22) Rename internal function strtoi()
to strtoint()
to avoid conflict with
a NetBSD library function (Thomas Munro)
(9.2.17,9.3.13,9.1.22) Fix reporting of errors from bind()
and listen()
system calls on Windows (Tom Lane)
(9.2.17,9.3.13,9.1.22) Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)
(9.2.17,9.3.13,9.1.22) Avoid possibly-unsafe use of Windows' FormatMessage()
function (Christian Ullrich)
Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
(9.2.17,9.3.13,9.1.22) Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.
Release date: 2016-03-31
This release contains a variety of fixes from 9.2.15. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.16,9.3.12,9.1.21) Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
(9.2.16,9.3.12,9.1.21) Avoid unlikely data-loss scenarios due to renaming files without
adequate fsync()
calls before and
after (Michael Paquier, Tomas Vondra, Andres Freund)
(9.2.16,9.3.12,9.1.21) Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
(9.2.16,9.3.12,9.1.21) Fix corner-case crash due to trying to free localeconv()
output strings more than once (Tom
Lane)
(9.2.16,9.3.12,9.1.21) Fix parsing of affix files for ispell dictionaries (Tom Lane)
The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
(9.2.16,9.3.12,9.1.21) Avoid use of sscanf()
to parse
ispell dictionary files (Artur
Zakirov)
This dodges a portability problem on FreeBSD-derived platforms (including macOS).
(9.2.16,9.3.12,9.1.21) Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
(9.2.16,9.3.12,9.1.21) Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
(9.2.16,9.3.12,9.1.21) Fix psql's tab completion for SECURITY LABEL (Tom Lane)
Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
(9.2.16,9.3.12,9.1.21) Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
(9.2.16,9.3.12,9.1.21) Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
(9.2.16,9.3.12,9.1.21) Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
(9.2.16,9.3.12,9.1.21) In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
(9.2.16,9.3.12,9.1.21) Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
(9.2.16,9.3.12,9.1.21) Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex()
function (Tom Lane)
(9.2.16,9.3.12,9.1.21) Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
(9.2.16,9.3.12,9.1.21) Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).
Release date: 2016-02-11
This release contains a variety of fixes from 9.2.14. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.15,9.3.11,9.1.20) Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. CVE-2016-0773 or CVE-2016-0773)
(9.2.15,9.3.11,9.1.20) Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane)
The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster.
(9.2.15,9.3.11,9.1.20) In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro)
(9.2.15,9.3.11,9.1.20) Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund)
Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master.
(9.2.15,9.3.11,9.1.20) Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier)
(9.2.15,9.3.11,9.1.20) Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane)
(9.2.15,9.3.11,9.1.20) Fix REASSIGN OWNED to change ownership of composite types properly (Ãlvaro Herrera)
(9.2.15,9.3.11,9.1.20) Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Ãlvaro Herrera)
(9.2.15,9.3.11,9.1.20) Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Ãlvaro Herrera)
(9.2.15,9.3.11,9.1.20) Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane)
(9.2.15,9.3.11,9.1.20) Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud)
(9.2.15,9.3.11,9.1.20) Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane)
(9.2.15,9.3.11,9.1.20) Fix possible internal overflow in numeric division (Dean Rasheed)
(9.2.15,9.3.11,9.1.20) Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane)
Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results.
(9.2.15,9.3.11,9.1.20) Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane)
(9.2.15,9.3.11,9.1.20) Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane)
The code added forCVE-2007-4772 or CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition.
(9.2.15,9.3.11,9.1.20) Improve memory-usage accounting in regular-expression compiler (Tom Lane)
This causes the code to emit "regular expression is too complex" errors in some cases that previously used unreasonable amounts of time and memory.
(9.2.15,9.3.11,9.1.20) Improve performance of regular-expression compiler (Tom Lane)
(9.2.15,9.3.11,9.1.20) Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
(9.2.15,9.3.11,9.1.20) On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila)
This oversight resulted in failure to recover from crashes whenever logging_collector is turned on.
(9.2.15,9.3.11,9.1.20) Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane)
It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection.
(9.2.15,9.3.11,9.1.20) Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
(9.2.15,9.3.11,9.1.20) In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure)
Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries.
(9.2.15,9.3.11,9.1.20) Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
(9.2.15,9.3.11,9.1.20) Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane)
(9.2.15,9.3.11,9.1.20) In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier)
Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start.
Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command.
(9.2.15,9.3.11,9.1.20) In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta)
On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use.
(9.2.15,9.3.11,9.1.20) In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
(9.2.15,9.3.11,9.1.20) In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane)
The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files.
(9.2.15,9.3.11,9.1.20) Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
(9.2.15,9.3.11,9.1.20) Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
(9.2.15,9.3.11,9.1.20) Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane)
A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem.
(9.2.15,9.3.11,9.1.20) Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian)
(9.2.15,9.3.11,9.1.20) Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
(9.2.15,9.3.11) Fix failure to localize messages emitted by pg_receivexlog and pg_recvlogical (Ioseph Kim)
(9.2.15,9.3.11) Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
(9.2.15,9.3.11) Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
(9.2.15,9.3.11,9.1.20) Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
This change mitigates a PL/Java security bug CVE-2016-0766 or CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
(9.2.15,9.3.11,9.1.20) Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas)
(9.2.15,9.3.11,9.1.20) Fix order of arguments in ecpg-generated typedef statements (Michael Meskes)
(9.2.15,9.3.11,9.1.20) Use %g not %f
format in ecpg's PGTYPESnumeric_from_double()
(Tom Lane)
(9.2.15,9.3.11,9.1.20) Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
(9.2.15,9.3.11,9.1.20) Ensure that contrib/pgcrypto's
crypt()
function can be interrupted
by query cancel (Andreas Karlsson)
(9.2.15,9.3.11,9.1.20) Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier)
Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted.
(9.2.15,9.3.11,9.1.20) Install our missing script where PGXS builds can find it (Jim Nasby)
This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing.
(9.2.15,9.3.11,9.1.20) Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
(9.2.15,9.3.11,9.1.20) Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane)
The fix for libxml2'sCVE-2015-7499 or CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it.
(9.2.15,9.3.11,9.1.20) Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.
Release date: 2015-10-08
This release contains a variety of fixes from 9.2.13. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.14,9.3.10,9.1.19,9.0.23) Fix contrib/pgcrypto to detect and
report too-short crypt()
salts (Josh
Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. CVE-2015-5288 or CVE-2015-5288)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
(9.2.14,9.3.10,9.1.19,9.0.23) Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
(9.2.14,9.3.10,9.1.19,9.0.23) Avoid O (N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
(9.2.14,9.3.10,9.1.19,9.0.23) Improve LISTEN startup time when there are many unread notifications (Matt Newell)
(9.2.14,9.1.19) Back-patch 9.3-era addition of per-resource-owner lock caches (Jeff Janes)
This substantially improves performance when pg_dump tries to dump a large number of tables.
(9.2.14,9.3.10,9.1.19,9.0.23) Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
(9.2.14,9.3.10,9.1.19,9.0.23) Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
(9.2.14,9.3.10,9.1.19,9.0.23) Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
(9.2.14,9.3.10,9.1.19,9.0.23) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
(9.2.14,9.3.10,9.1.19,9.0.23) Add more query-cancel checks to regular expression matching (Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
(9.2.14,9.3.10,9.1.19,9.0.23) Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
(9.2.14,9.3.10) In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix low-probability memory leak during regular expression execution (Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix very-low-probability stack overrun in qsort
(Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
(9.2.14,9.3.10) Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
(9.2.14,9.3.10,9.1.19) Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
(9.2.14,9.3.10,9.1.19,9.0.23) During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
(9.2.14,9.3.10,9.1.19,9.0.23) Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
(9.2.14,9.3.10,9.1.19,9.0.23) Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Ãlvaro Herrera)
(9.2.14,9.3.10,9.1.19,9.0.23) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
(9.2.14,9.3.10,9.1.19,9.0.23) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
(9.2.14,9.3.10) Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
(9.2.14,9.3.10,9.1.19,9.0.23) Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
(9.2.14,9.3.10,9.1.19) Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
(9.2.14,9.3.10,9.1.19) Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix some places in PL/Tcl that
neglected to check for failure of malloc()
calls (Michael Paquier, Ãlvaro
Herrera)
(9.2.14,9.3.10,9.1.19) In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
(9.2.14) Fix contrib/sepgsql's handling of SELECT INTO statements (Kohei KaiGai)
(9.2.14,9.3.10,9.1.19,9.0.23) Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
(9.2.14,9.3.10,9.1.19,9.0.23) Prevent crash in psql's \c command when there is no current connection (Noah Misch)
(9.2.14,9.3.10) Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
(9.2.14,9.3.10,9.1.19) Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
(9.2.14,9.3.10,9.1.19,9.0.23) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
(9.2.14,9.3.10) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
(9.2.14,9.3.10,9.1.19,9.0.23) Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
(9.2.14,9.3.10,9.1.19) Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
(9.2.14,9.3.10,9.1.19,9.0.23) On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
(9.2.14,9.3.10,9.1.19,9.0.23) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
(9.2.14,9.3.10,9.1.19,9.0.23) Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
(9.2.14,9.3.10,9.1.19,9.0.23) Use librt for sched_yield()
when necessary, which it is on some
Solaris versions (Oskari Saarenmaa)
(9.2.14,9.3.10,9.1.19,9.0.23) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
(9.2.14,9.3.10,9.1.19,9.0.23) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
(9.2.14,9.3.10,9.1.19,9.0.23) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.
Release date: 2015-06-12
This release contains a small number of fixes from 9.2.12. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.13,9.3.9,9.1.18,9.0.22) Fix rare failure to invalidate relation cache init file (Tom Lane)
With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.
(9.2.13,9.3.9,9.1.18,9.0.22) Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)
A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.
Release date: 2015-06-04
This release contains a small number of fixes from 9.2.11. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.11, see Version 9.2.11.
(9.2.12,9.1.17,9.0.21) Avoid failures while fsync
'ing
data directory during crash restart (Abhijit Menon-Sen, Tom
Lane)
In the previous minor releases we added a patch to fsync
everything in the data directory after a
crash. Unfortunately its response to any error condition was to
fail, thereby preventing the server from starting up, even when the
problem was quite harmless. An example is that an unwritable file
in the data directory would prevent restart on some platforms; but
it is common to make SSL certificate files unwritable by the
server. Revise this behavior so that permissions failures are
ignored altogether, and other types of failures are logged but do
not prevent continuing.
(9.2.12,9.3.8) Fix pg_get_functiondef()
to show
functions' LEAKPROOF property, if set
(Jeevan Chalke)
(9.2.12,9.3.8,9.1.17,9.0.21) Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane)
The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.
(9.2.12,9.3.8,9.1.17,9.0.21) Allow libpq to use TLS protocol versions beyond v1 (Noah Misch)
For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0.
Release date: 2015-05-22
This release contains a variety of fixes from 9.2.10. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you use contrib/citext's
regexp_matches()
functions, see the
changelog entry below about that.
Also, if you are upgrading from a version earlier than 9.2.10, see Version 9.2.10.
(9.2.11,9.3.7,9.1.16,9.0.20) Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. CVE-2015-3165 or CVE-2015-3165)
(9.2.11,9.3.7,9.1.16,9.0.20) Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf()
failed to check for errors reported by
the underlying system library calls; the main case that might be
missed is out-of-memory situations. In the worst case this might
lead to information exposure, due to our code assuming that a
buffer had been overwritten when it hadn't been. Also, there were a
few places in which security-relevant calls of other system library
functions did not check for failure.
It remains possible that some calls of the *printf()
family of functions are vulnerable to
information disclosure if an out-of-memory error occurs at just the
wrong time. We judge the risk to not be large, but will continue
analysis in this area. CVE-2015-3166 or CVE-2015-3166)
(9.2.11,9.3.7,9.1.16,9.0.20) In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data" (Noah Misch)
Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. CVE-2015-3167 or CVE-2015-3167)
(9.2.11,9.3.7,9.1.16) Fix incorrect declaration of contrib/citext's regexp_matches()
functions (Tom Lane)
These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
While the latter behavior is clearly a bug, there might be
applications depending on the former behavior; therefore the
function declarations will not be changed by default until
PostgreSQL 9.5. In pre-9.5
branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected
declarations in version 1.1 (which is not installed by default). To adopt
the fix in pre-9.5 branches, execute ALTER
EXTENSION citext UPDATE TO '1.1' in each database in which
citext is installed. (You can also
"update" back to 1.0 if you need to undo
that.) Be aware that either update direction will require dropping
and recreating any views or rules that use citext's regexp_matches()
functions.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
(9.2.11,9.3.7) Fix planning of star-schema-style queries (Tom Lane)
Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.
(9.2.11,9.3.7,9.1.16,9.0.20) Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)
This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)
Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)
(9.2.11,9.3.7,9.1.16,9.0.20) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)
(9.2.11,9.1.16,9.0.20) Avoid "cannot GetMultiXactIdMembers() during recovery" error (Ãlvaro Herrera)
(9.2.11,9.3.7,9.1.16,9.0.20) Recursively fsync()
the data
directory after a crash (Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
(9.2.11,9.3.7,9.1.16,9.0.20) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Ãlvaro Herrera)
(9.2.11,9.3.7,9.1.16,9.0.20) Cope with unexpected signals in LockBufferForCleanup()
(Andres Freund)
This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
(9.2.11,9.3.7) Fix crash when doing COPY IN to a table with check constraints that contain whole-row references (Tom Lane)
The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.
(9.2.11,9.3.7,9.1.16,9.0.20) Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)
Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)
(9.2.11,9.3.7,9.1.16,9.0.20) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)
(9.2.11,9.3.7,9.1.16,9.0.20) Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
(9.2.11,9.3.7,9.1.16) Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita)
(9.2.11,9.3.7,9.1.16,9.0.20) Add the name of the target server to object description strings for foreign-server user mappings (Ãlvaro Herrera)
(9.2.11,9.3.7,9.1.16,9.0.20) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
(9.2.11,9.3.7,9.1.16,9.0.20) Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
(9.2.11,9.3.7,9.1.16) Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas)
This avoids a possible startup failure in pg_receivexlog.
(9.2.11,9.3.7,9.1.16,9.0.20) While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)
(9.2.11,9.3.7,9.1.16,9.0.20) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it's important to drain the
input buffer every so often, in case the server has sent enough
response data to cause it to block on output. (A typical scenario
is that the server is sending a stream of NOTICE messages during
COPY FROM STDIN.) This worked properly in
the normal blocking mode, but not so much in non-blocking mode.
We've modified libpq to
opportunistically drain input when it can, but a full defense
against this problem requires application cooperation: the
application should watch for socket read-ready as well as
write-ready conditions, and be sure to call PQconsumeInput()
upon read-ready.
(9.2.11,9.3.7) In libpq, fix misparsing of empty values in URI connection strings (Thomas Fanghaenel)
(9.2.11,9.3.7,9.1.16,9.0.20) Fix array handling in ecpg (Michael Meskes)
(9.2.11,9.3.7,9.1.16,9.0.20) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Ãlvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
(9.2.11,9.3.7,9.1.16,9.0.20) Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)
This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)
(9.2.11,9.3.7,9.1.16) In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier)
(9.2.11,9.3.7,9.1.16) Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost)
This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)
(9.2.11,9.3.7,9.1.16,9.0.20) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
(9.2.11,9.3.7,9.1.16,9.0.20) In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)
(9.2.11,9.3.7,9.1.16,9.0.20) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)
(9.2.11,9.3.7,9.1.16,9.0.20) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
(9.2.11,9.3.7,9.1.16,9.0.20) Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem)
(9.2.11,9.3.7,9.1.16) Improve handling of readdir()
failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini)
(9.2.11) Fix failure in pg_receivexlog (Andres Freund)
A patch merge mistake in 9.2.10 led to "could not create archive status file" errors.
(9.2.11,9.3.7,9.1.16,9.0.20) Fix slow sorting algorithm in contrib/intarray (Tom Lane)
(9.2.11,9.4.2,9.3.7,9.1.16,9.0.20) Fix compile failure on Sparc V8 machines (Rob Rowan)
(9.2.11,9.3.7,9.1.16,9.0.20) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).
Release date: 2015-02-05
This release contains a variety of fixes from 9.2.9. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are a Windows user and are using the "Norwegian (Bokmål)" locale, manual action is needed after the upgrade to replace any "Norwegian (Bokmål)_Norway" locale names stored in PostgreSQL system catalogs with the plain-ASCII alias "Norwegian_Norway". For details see http://wiki.postgresql.org/wiki/Changes_To_Norwegian_Locale
Also, if you are upgrading from a version earlier than 9.2.9, see Version 9.2.9.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix buffer overruns in to_char()
(Bruce Momjian)
When to_char()
processes a numeric
formatting template calling for a large number of digits,
PostgreSQL would read past the end
of a buffer. When processing a crafted timestamp formatting
template, PostgreSQL would write
past the end of a buffer. Either case could crash the server. We
have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
CVE-2015-0241 or CVE-2015-0241)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix buffer overrun in replacement *printf()
functions (Tom Lane)
PostgreSQL includes a
replacement implementation of printf
and related functions. This code will overrun a stack buffer when
formatting a floating point number (conversion specifiers
e, E, f, F, g or G) with requested
precision greater than about 500. This will crash the server, and
we have not ruled out the possibility of attacks that lead to
privilege escalation. A database user can trigger such a buffer
overrun through the to_char()
SQL
function. While that is the only affected core PostgreSQL functionality, extension modules
that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. CVE-2015-0242 or CVE-2015-0242)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. CVE-2015-0243 or CVE-2015-0243)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. CVE-2015-0244 or CVE-2015-0244)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. CVE-2014-8161 or CVE-2014-8161)
(9.2.10,9.3.6,9.1.15,9.0.19) Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. CVE-2014-0067 or CVE-2014-0067)
(9.2.10,9.3.6) Cope with the Windows locale named "Norwegian (Bokmål)" (Heikki Linnakangas)
Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, "Norwegian_Norway".
(9.2.10,9.3.6,9.1.15,9.0.19) Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane)
(9.2.10,9.3.6,9.1.15,9.0.19) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier)
If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be.
(9.2.10,9.3.6,9.1.15) Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund)
(9.2.10,9.3.6,9.1.15) Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane)
This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi)
In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane)
In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table.
(9.2.10,9.3.6,9.1.15,9.0.19) Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley)
This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors.
(9.2.10,9.3.6) Restore previous behavior of conversion of domains to JSON (Tom Lane)
This change causes domains over numeric and boolean to be treated like their base types for purposes of conversion to JSON. It worked like that before 9.3.5 and 9.2.9, but was unintentionally changed while fixing a related problem.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix bugs in raising a numeric value to a large integral power (Tom Lane)
The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow.
(9.2.10,9.3.6,9.1.15,9.0.19) In numeric_recv()
, truncate away
any fractional digits that would be hidden according to the value's
dscale field (Tom Lane)
A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such "hidden" digits on receipt, so that the value is indeed what it prints as.
(9.2.10,9.3.6) Fix incorrect search for shortest-first regular expression matches (Tom Lane)
Matching would often fail when the number of allowed iterations is limited by a ? quantifier or a bound expression.
(9.2.10,9.3.6,9.1.15,9.0.19) Reject out-of-range numeric timezone specifications (Tom Lane)
Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas)
Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms.
(9.2.10,9.3.6,9.1.15,9.0.19) Improve ispell dictionary's defenses against bad affix files (Tom Lane)
(9.2.10,9.3.6,9.1.15,9.0.19) Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix namespace handling in xpath()
(Ali Akbar)
Previously, the xml value resulting from
an xpath()
call would not have
namespace declarations if the namespace declarations were attached
to an ancestor element in the input xml
value, rather than to the specific element being returned.
Propagate the ancestral declaration so that the result is correct
when considered in isolation.
(9.2.10,9.3.6) Ensure that whole-row variables expose nonempty column names to functions that pay attention to column names within composite arguments (Tom Lane)
In some contexts, constructs like row_to_json(tab.*) may not produce the expected column names. This is fixed properly as of 9.4; in older branches, just ensure that we produce some nonempty name. (In some cases this will be the underlying table's column name rather than the query-assigned alias that should theoretically be visible.)
(9.2.10,9.3.6) Fix mishandling of system columns, particularly tableoid, in FDW queries (Etsuro Fujita)
(9.2.10,9.3.6) Avoid doing indexed_column = ANY (array) as an index qualifier if that leads to an inferior plan (Andrew Gierth)
In some cases, = ANY conditions applied to non-first index columns would be done as index conditions even though it would be better to use them as simple filter conditions.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane)
(9.2.10,9.3.6,9.1.15,9.0.19) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth)
(9.2.10,9.3.6,9.1.15,9.0.19) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Ãlvaro Herrera)
The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity.
(9.2.10,9.3.6) Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane)
Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work.
(9.2.10,9.3.6,9.1.15) During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund)
This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas)
This mistake could result in transient errors in queries being executed in hot standby.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas)
The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit.
(9.2.10,9.3.6) Prevent latest WAL file from being archived a second time at completion of crash recovery (Fujii Masao)
(9.2.10,9.3.6,9.1.15,9.0.19) Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao)
(9.2.10,9.3.6,9.1.15,9.0.19) Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".
(9.2.10,9.3.6,9.1.15,9.0.19) Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund)
(9.2.10,9.3.6,9.1.15) Warn if macOS's setlocale()
starts
an unwanted extra thread inside the postmaster (Noah Misch)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix processing of repeated dbname
parameters in PQconnectdbParams()
(Alex Shulgin)
Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded.
(9.2.10,9.3.6,9.1.15,9.0.19) Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane)
Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket.
(9.2.10,9.3.6,9.1.15,9.0.19) Clear any old error message during PQreset()
(Heikki Linnakangas)
If PQreset()
is called repeatedly,
and the connection cannot be re-established, error messages from
the failed connection attempts kept accumulating in the PGconn's error string.
(9.2.10,9.3.6,9.1.15,9.0.19) Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix array overrun in ecpg's
version of ParseDateTime()
(Michael
Paquier)
(9.2.10,9.3.6,9.1.15,9.0.19) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane)
When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate.
This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved.
(9.2.10,9.3.6,9.1.15,9.0.19) Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost)
(9.2.10,9.3.6,9.1.15) Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane)
(9.2.10,9.3.6) Fix pg_dumpall to restore its ability to dump from pre-8.1 servers (Gilles Darold)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia)
(9.2.10,9.3.6,9.1.15) Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)
(9.2.10,9.3.6) Fix failure of contrib/auto_explain to print per-node timing information when doing EXPLAIN ANALYZE (Tom Lane)
(9.2.10,9.3.6,9.1.15) Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane)
(9.2.10,9.3.6,9.1.15,9.0.19) Fix block number checking in contrib/pageinspect's get_raw_page()
(Tom Lane)
The incorrect checking logic could prevent access to some pages in non-main relation forks.
(9.2.10,9.3.6,9.1.15,9.0.19) Fix contrib/pgcrypto's pgp_sym_decrypt()
to not fail on messages whose
length is 6 less than a power of 2 (Marko Tiikkaja)
(9.2.10,9.3.6,9.1.15) Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes)
This could cause failure to remove temporary files on Windows.
(9.2.10,9.3.6,9.1.15,9.0.19) Handle unexpected query results, especially NULLs, safely in
contrib/tablefunc's connectby()
(Michael Paquier)
connectby()
previously crashed if
it encountered a NULL key value. It now prints that row but doesn't
recurse further.
(9.2.10,9.3.6,9.1.15,9.0.19) Avoid a possible crash in contrib/xml2's xslt_process()
(Mark Simonetti)
libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash.
(9.2.10,9.3.6,9.1.15) Mark some contrib I/O functions with correct volatility properties (Tom Lane)
The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers.
(9.2.10,9.3.6,9.1.15,9.0.19) Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
(9.2.10,9.3.6,9.1.15,9.0.19) Detect incompatible OpenLDAP versions during build (Noah Misch)
With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test.
(9.2.10,9.3.6,9.1.15,9.0.19) In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch)
(9.2.10,9.3.6,9.1.15,9.0.19) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.
(9.2.10,9.3.6,9.1.15,9.0.19) Support time zone abbreviations that change UTC offset from time to time (Tom Lane)
Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
(9.2.10,9.3.6,9.1.15,9.0.19) Update time zone abbreviations lists (Tom Lane)
Add CST (China Standard Time) to our lists. Remove references to ADT as "Arabia Daylight Time", an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with "Atlantic Daylight Time" doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line.
(9.2.10,9.3.6) Update time zone data files to tzdata release 2015a.
The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our "Default" timezone abbreviation set. The "Australia" abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the "Default" abbreviation set.
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data.
Release date: 2014-07-24
This release contains a variety of fixes from 9.2.8. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so.
Also, if you are upgrading from a version earlier than 9.2.6, see Version 9.2.6.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
(9.2.9,9.3.5,9.1.14,9.0.18) Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas)
This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.
(9.2.9,9.3.5) Fix corner-case infinite loop during insertion into an SP-GiST text index (Tom Lane)
(9.2.9,9.1.14) Fix feedback status when hot_standby_feedback is turned off on-the-fly (Simon Riggs)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix possibly-incorrect cache invalidation during nested calls to
ReceiveSharedInvalidMessages
(Andres
Freund)
(9.2.9) Fix planner's mishandling of nested PlaceHolderVars generated in nested-nestloop plans (Tom Lane)
This oversight could result in "variable not found in subplan target lists" errors, or in silently wrong query results.
(9.2.9,9.3.5,9.1.14) Fix "could not find pathkey item to sort" planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).
(9.2.9,9.3.5) Improve planner to drop constant-NULL inputs of AND/OR when possible (Tom Lane)
This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced.
(9.2.9,9.3.5) Fix identification of input type category in to_json()
and friends (Tom Lane)
This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix failure to detoast fields in composite elements of structured types (Tom Lane)
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes (Tom Lane)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix data encoding error in hungarian.stop (Tom Lane)
(9.2.9,9.3.5,9.1.14) Prevent foreign tables from being created with OIDS when default_with_oids is true (Etsuro Fujita)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix REASSIGN OWNED to not fail for text search objects (Ãlvaro Herrera)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Block signals during postmaster startup (Tom Lane)
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.
(9.2.9,9.3.5,9.1.14) Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane)
Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed.
(9.2.9,9.3.5) Allow the root user to use postgres -C variable and postgres --describe-config (MauMau)
The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted inCVE-2014-0067 or CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
(9.2.9,9.3.5,9.1.14,9.0.18) Fix tablespace creation WAL replay to work on Windows (MauMau)
(9.2.9,9.3.5,9.1.14,9.0.18) Fix detection of socket creation failures on Windows (Bruce Momjian)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file (Amit Kapila)
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Properly quote executable path names on Windows (Nikhil Deshpande)
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.
(9.2.9,9.3.5,9.1.14) Fix linking of libpython on macOS (Tom Lane)
The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)
libpq could be coerced into
enlarging its input buffer until it runs out of memory (which would
be reported misleadingly as "lost
synchronization with server"). Under ordinary circumstances
it's quite far-fetched that data could be continuously transmitted
more quickly than the recv()
loop can
absorb it, but this has been observed when the client is
artificially slowed by scheduler constraints.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)
(9.2.9,9.3.5,9.1.14,9.0.18) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Fix pg_restore's processing of old-style large object comments (Tom Lane)
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.
(9.2.9,9.3.5) Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not (Bruce Momjian)
This rare situation would manifest as "relation OID mismatch" errors.
(9.2.9,9.3.5) Prevent contrib/auto_explain from changing the output of a user's EXPLAIN (Tom Lane)
If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information.
(9.2.9,9.3.5) Fix query-lifespan memory leak in contrib/dblink (MauMau, Joe Conway)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)
(9.2.9,9.3.5) Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap()
(Noah Misch)
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
(9.2.9,9.3.5,9.1.14,9.0.18,8.4.22) Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.
Release date: 2014-03-20
This release contains a variety of fixes from 9.2.7. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.6, see Version 9.2.6.
(9.2.8,9.3.4,9.1.13,9.0.17,8.4.21) Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.
(9.2.8,9.3.4,9.1.13,9.0.17) Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja)
This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.
(9.2.8,9.3.4,9.1.13,9.0.17,8.4.21) Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time.
(9.2.8,9.3.4,9.1.13,9.0.17,8.4.21) Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.
(9.2.8,9.3.4,9.1.13,9.0.17,8.4.21) Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.
(9.2.8,9.3.4,9.1.13,9.0.17) Improve performance of index endpoint probes during planning (Tom Lane)
This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.
(9.2.8,9.3.4,9.1.13) Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao)
(9.2.8,9.3.4) Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery (Heikki Linnakangas)
(9.2.8,9.3.4,9.1.13,9.0.17) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas)
(9.2.8,9.3.4,9.1.13,9.0.17,8.4.21) Prevent interrupts while reporting non-ERROR messages (Tom Lane)
This guards against rare server-process freezeups due to
recursive entry to syslog()
, and
perhaps other related problems.
(9.2.8,9.3.4,9.1.13) Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker)
(9.2.8,9.3.4) Fix tracking of psql script line numbers during \copy from out-of-line data (Kumar Rajeev Rastogi, Amit Khandekar)
\copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file.
(9.2.8,9.3.4,9.1.13,9.0.17) Prevent intermittent "could not reserve shared memory region" failures on recent Windows versions (MauMau)
(9.2.8,9.3.4,9.1.13,9.0.17,8.4.21) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.
Release date: 2014-02-20
This release contains a variety of fixes from 9.2.6. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.6, see Version 9.2.6.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. CVE-2014-0060 or CVE-2014-0060)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. CVE-2014-0061 or CVE-2014-0061)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. CVE-2014-0062 or CVE-2014-0062)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN constant was too small
for the longest possible value of type interval, allowing a buffer overrun in interval_out()
. Although the datetime input
functions were more careful about avoiding buffer overrun, the
limit was short enough to cause them to reject some valid inputs,
such as input containing a very long timezone name. The
ecpg library contained these
vulnerabilities along with some of its own. CVE-2014-0063 or CVE-2014-0063)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. CVE-2014-0064 or CVE-2014-0064)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
Use strlcpy()
and related
functions to provide a clear guarantee that fixed-size buffers are
not overrun. Unlike the preceding items, it is unclear whether
these cases really represent live issues, since in most cases there
appear to be previous constraints on the size of the input string.
Nonetheless it seems prudent to silence all Coverity warnings of
this type. CVE-2014-0065 or CVE-2014-0065)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Avoid crashing if crypt()
returns
NULL (Honza Horak, Bruce Momjian)
There are relatively few scenarios in which crypt()
could return NULL, but contrib/chkpass would crash if it did. One
practical case in which this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., "FIPS
mode"). CVE-2014-0066 or CVE-2014-0066)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. CVE-2014-0067 or CVE-2014-0067)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant "bloat" of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.
(9.2.7,9.3.3,9.1.12,9.0.16) Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas)
In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as "PANIC: WAL contains references to invalid pages" were also possible.
(9.2.7,9.3.3,9.1.12,9.0.16) Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)
This error could result in "PANIC: WAL contains references to invalid pages" failures.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a partial-page write during a system crash.
(9.2.7,9.3.3,9.1.12) When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.
(9.2.7,9.3.3,9.1.12) Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix possible crashes from using ereport()
too early during server startup (Tom
Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.
(9.2.7,9.3.3,9.1.12,9.0.16) Allow keywords that are type names to be used in lists of roles (Stephen Frost)
A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.
(9.2.7,9.3.3,9.1.12) Fix parser crash for EXISTS (SELECT * FROM zero_column_table) (Tom Lane)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)
(9.2.7,9.3.3) Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane)
Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s).
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Ensure that ANALYZE creates statistics for a table column even when all the values in it are "too wide" (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)
(9.2.7,9.3.3) Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix possible misbehavior in plainto_tsquery()
(Heikki Linnakangas)
Use memmove()
not memcpy()
for copying overlapping memory regions.
There have been no field reports of this actually causing trouble,
but it's certainly risky.
(9.2.7,9.3.3,9.1.12) Fix placement of permissions checks in pg_start_backup()
and pg_stop_backup()
(Andres Freund, Magnus
Hagander)
The previous coding might attempt to do catalog access when it shouldn't.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)
(9.2.7,9.3.3) Fix *-qualification of named parameters in SQL-language functions (Tom Lane)
Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix misbehavior of PQhost()
on
Windows (Fujii Masao)
It should return localhost if no host has been specified.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.
(9.2.7,9.3.3) Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane)
(9.2.7,9.3.3) Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander)
(9.2.7,9.3.3,9.1.12) Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander)
(9.2.7,9.3.3,9.1.12) Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix misaligned descriptors in ecpg (MauMau)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)
(9.2.7,9.3.3) Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Ensure client-code-only installation procedure works as documented (Peter Eisentraut)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.
(9.2.7,9.3.3,9.1.12,9.0.16) Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.
(9.2.7,9.3.3,9.1.12,9.0.16,8.4.20) Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.
Release date: 2013-12-05
This release contains a variety of fixes from 9.2.5. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, this release corrects a number of potential data corruption issues. See the first two changelog entries below to find out whether your installation has been affected and what steps you can take if so.
Also, if you are upgrading from a version earlier than 9.2.4, see Version 9.2.4.
(9.2.6,9.3.2) Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)
In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. In 9.2.0 and later, the probability of loss is higher, and it's also possible to get "could not access status of transaction" errors as a consequence of this bug. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).
(9.2.6,9.3.2,9.1.11,9.0.15) Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas)
This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading.
(9.2.6,9.3.2) Fix dangling-pointer problem in fast-path locking (Tom Lane)
This could lead to corruption of the lock data structures in shared memory, causing "lock already held" and other odd errors.
(9.2.6,9.3.2,9.1.11,9.0.15) Truncate pg_multixact contents during WAL replay (Andres Freund)
This avoids ever-increasing disk space consumption in standby servers.
(9.2.6,9.3.2) Ensure an anti-wraparound VACUUM counts a page as scanned when it's only verified that no tuples need freezing (Sergey Burladyan, Jeff Janes)
This bug could result in failing to advance relfrozenxid, so that the table would still be thought to need another anti-wraparound vacuum. In the worst case the database might even shut down to prevent wraparound.
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)
This could lead to transient wrong answers or query failures.
(9.2.6,9.3.2) Fix "unexpected spgdoinsert() failure" error during SP-GiST index creation (Teodor Sigaev)
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)
This avoids unexpected results due to extra evaluations of the volatile function.
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)
This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.
(9.2.6,9.3.2) Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses (Tom Lane)
(9.2.6,9.3.2) Fix planner crash with whole-row reference to a subquery (Tom Lane)
(9.2.6,9.3.2,9.1.11) Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane)
The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable.
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix premature deletion of temporary files (Andres Freund)
(9.2.6,9.3.2) Prevent intra-transaction memory leak when printing range values (Tom Lane)
This fix actually cures transient memory leaks in any datatype output function, but range types are the only ones known to have had a significant problem.
(9.2.6,9.3.2) Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages (Michael Paquier and Tom Lane)
(9.2.6,9.3.2) Allow default arguments and named-argument notation for window functions (Tom Lane)
Previously, these cases were likely to crash.
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix possible read past end of memory in rule printing (Peter Eisentraut)
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix array slicing of int2vector and oidvector values (Tom Lane)
Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)
In some cases, the system would use the simple GMT offset value
when it should have used the regular timezone setting that had
prevailed before the simple offset was selected. This change also
causes the timeofday
function to
honor the simple GMT offset zone.
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)
This fix applies only to Windows.
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)
Previously, the generated script would fail during restore.
(9.2.6,9.3.2,9.1.11) Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi)
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)
(9.2.6,9.3.2,9.1.11,9.0.15,8.4.19) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.
Release date: 2013-10-10
This release contains a variety of fixes from 9.2.4. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.4, see Version 9.2.4.
(9.2.5,9.1.10,9.0.14,8.4.18) Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan)
PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding.
(9.2.5,9.3.1) Fix memory leak when creating B-tree indexes on range columns (Heikki Linnakangas)
(9.2.5,9.1.10,9.0.14) Fix checkpoint memory leak in background writer when wal_level = hot_standby (Naoya Anzai)
(9.2.5,9.3.1,9.1.10,9.0.14,8.4.18) Fix memory leak caused by lo_open()
failure (Heikki Linnakangas)
(9.2.5,9.1.10,9.0.14,8.4.18) Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost)
(9.2.5,9.3.1,9.1.10) Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas)
(9.2.5,9.3.1,9.1.10,9.0.14,8.4.18) Fix deadlock bug in libpq when using SSL (Stephen Frost)
(9.2.5,9.1.10,9.0.14) Fix possible SSL state corruption in threaded libpq applications (Nick Phillips, Stephen Frost)
(9.2.5) Improve estimate of planner cost when choosing between generic and custom plans (Tom Lane)
This change will favor generic plans when planning cost is high.
(9.2.5,9.1.10,9.0.14,8.4.18) Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth)
Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs.
(9.2.5) Fix accounting for qualifier evaluation costs in UNION ALL and inheritance queries (Tom Lane)
This fixes cases where suboptimal query plans could be chosen if some WHERE clauses are expensive to calculate.
(9.2.5,9.1.10,9.0.14,8.4.18) Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane)
Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results.
(9.2.5,9.1.10,9.0.14,8.4.18) Fix rare case of "failed to locate grouping columns" planner failure (Tom Lane)
(9.2.5,9.1.10) Fix pg_dump of foreign tables with dropped columns (Andrew Dunstan)
Previously such cases could cause a pg_upgrade error.
(9.2.5,9.1.10) Reorder pg_dump processing of extension-related rules and event triggers (Joe Conway)
(9.2.5,9.1.10) Force dumping of extension tables if specified by pg_dump -t or -n (Joe Conway)
(9.2.5,9.1.10,9.0.14,8.4.18) Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane)
(9.2.5,9.1.10) Fix pg_restore -l with the directory archive to display the correct format name (Fujii Masao)
(9.2.5,9.1.10,9.0.14) Properly record index comments created using UNIQUE and PRIMARY KEY syntax (Andres Freund)
This fixes a parallel pg_restore failure.
(9.2.5) Cause pg_basebackup -x with an empty xlog directory to throw an error rather than crashing (Magnus Hagander, Haruka Takatsuka)
(9.2.5,9.1.10) Properly guarantee transmission of WAL files before clean switchover (Fujii Masao)
Previously, the streaming replication connection might close before all WAL files had been replayed on the standby.
(9.2.5,9.1.10) Fix WAL segment timeline handling during recovery (Mitsumasa Kondo, Heikki Linnakangas)
WAL file recycling during standby recovery could lead to premature recovery completion, resulting in data loss.
(9.2.5) Prevent errors in WAL replay due to references to uninitialized empty pages (Andres Freund)
(9.2.5,9.1.10,9.0.14) Fix REINDEX TABLE and REINDEX DATABASE to properly revalidate constraints and mark invalidated indexes as valid (Noah Misch)
REINDEX INDEX has always worked properly.
(9.2.5) Avoid deadlocks during insertion into SP-GiST indexes (Teodor Sigaev)
(9.2.5,9.1.10,9.0.14,8.4.18) Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane)
(9.2.5) Fix GiST index lookup crash (Tom Lane)
(9.2.5,9.1.10,9.0.14,8.4.18) Fix regexp_matches()
handling of
zero-length matches (Jeevan Chalke)
Previously, zero-length matches like '^' could return too many matches.
(9.2.5,9.1.10,9.0.14,8.4.18) Fix crash for overly-complex regular expressions (Heikki Linnakangas)
(9.2.5,9.1.10,9.0.14,8.4.18) Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke)
(9.2.5,9.3.1,9.1.10,9.0.14,8.4.18) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)
(9.2.5,9.1.10,9.0.14) Allow ALTER DEFAULT PRIVILEGES to operate on schemas without requiring CREATE permission (Tom Lane)
(9.2.5,9.1.10,9.0.14) Loosen restriction on keywords used in queries (Tom Lane)
Specifically, lessen keyword restrictions for role names, language names, EXPLAIN and COPY options, and SET values. This allows COPY ... (FORMAT BINARY) to work as expected; previously BINARY needed to be quoted.
(9.2.5) Print proper line number during COPY failure (Heikki Linnakangas)
(9.2.5,9.1.10,9.0.14,8.4.18) Fix pgp_pub_decrypt()
so it works
for secret keys with passwords (Marko Kreen)
(9.2.5,9.1.10) Make pg_upgrade use pg_dump --quote-all-identifiers to avoid problems with keyword changes between releases (Tom Lane)
(9.2.5,9.3.1,9.1.10,9.0.14,8.4.18) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)
(9.2.5,9.1.10,9.0.14) Ensure that VACUUM ANALYZE still runs the ANALYZE phase if its attempt to truncate the file is cancelled due to lock conflicts (Kevin Grittner)
(9.2.5,9.1.10,8.4.18) Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane)
(9.2.5,9.1.10,9.0.14,8.4.18) Ensure that floating-point data input accepts standard spellings of "infinity" on all platforms (Tom Lane)
The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity.
Make sure we recognize these even if the platform's strtod
function doesn't.
(9.2.5) Avoid unnecessary reporting when track_activities is off (Tom Lane)
(9.2.5,9.1.10,9.0.14,8.4.18) Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane)
(9.2.5) Prevent crash when psql's PSQLRC variable contains a tilde (Bruce Momjian)
(9.2.5) Add spinlock support for ARM64 (Mark Salter)
(9.2.5,9.1.10,9.0.14,8.4.18) Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island.
Release date: 2013-04-04
This release contains a variety of fixes from 9.2.3. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below.
Also, if you are upgrading from a version earlier than 9.2.2, see Version 9.2.2.
(9.2.4,9.1.9,9.0.13) Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi)
A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. CVE-2013-1899 or CVE-2013-1899)
(9.2.4,9.1.9,9.0.13,8.4.17) Reset OpenSSL randomness state in each postmaster child process (Marko Kreen)
This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. CVE-2013-1900 or CVE-2013-1900)
(9.2.4,9.1.9) Make REPLICATION privilege checks test current user not authenticated user (Noah Misch)
An unprivileged database user could exploit this mistake to call
pg_start_backup()
or pg_stop_backup()
, thus possibly interfering with
creation of routine backups. CVE-2013-1901 or CVE-2013-1901)
(9.2.4,9.1.9,9.0.13,8.4.17) Fix GiST indexes to not use "fuzzy" geometric comparisons when it's not appropriate to do so (Alexander Korotkov)
The core geometric types perform comparisons using "fuzzy" equality, but gist_box_same
must do exact comparisons, else
GiST indexes using it might become inconsistent. After installing
this update, users should REINDEX any GiST
indexes on box, polygon, circle, or point columns, since all of these use gist_box_same
.
(9.2.4,9.1.9,9.0.13,8.4.17) Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.
(9.2.4,9.1.9,9.0.13,8.4.17) Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.
(9.2.4,9.1.9,9.0.13) Fix gist_point_consistent
to
handle fuzziness consistently (Alexander Korotkov)
Index scans on GiST indexes on point
columns would sometimes yield results different from a sequential
scan, because gist_point_consistent
disagreed with the underlying operator code about whether to do
comparisons exactly or fuzzily.
(9.2.4,9.1.9,9.0.13) Fix buffer leak in WAL replay (Heikki Linnakangas)
This bug could result in "incorrect local pin count" errors during replay, making recovery impossible.
(9.2.4) Ensure we do crash recovery before entering archive recovery, if the database was not stopped cleanly and a recovery.conf file is present (Heikki Linnakangas, Kyotaro Horiguchi, Mitsumasa Kondo)
This is needed to ensure that the database is consistent in certain scenarios, such as initializing a standby server with a filesystem snapshot from a running server.
(9.2.4) Avoid deleting not-yet-archived WAL files during crash recovery (Heikki Linnakangas, Fujii Masao)
(9.2.4,9.1.9,9.0.13) Fix race condition in DELETE RETURNING (Tom Lane)
Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash.
(9.2.4,9.1.9,9.0.13,8.4.17) Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)
(9.2.4,9.1.9,9.0.13,8.4.17) Fix potential null-pointer dereference in regular expression compilation (Tom Lane)
(9.2.4,9.1.9,9.0.13,8.4.17) Fix to_char()
to use ASCII-only
case-folding rules where appropriate (Tom Lane)
This fixes misbehavior of some template patterns that should be locale-independent, but mishandled "I" and "i" in Turkish locales.
(9.2.4,9.1.9,9.0.13,8.4.17) Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)
(9.2.4) Fix SQL-language functions to be safely usable as support functions for range types (Tom Lane)
(9.2.4,9.1.9,9.0.13) Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane)
The session wound up not listening for notify events at all, though it surely should listen in this case.
(9.2.4,9.1.9) Fix possible planner crash after columns have been added to a view that's depended on by another view (Tom Lane)
(9.2.4) Fix performance issue in EXPLAIN (ANALYZE, TIMING OFF) (Pavel Stehule)
(9.2.4,9.1.9,9.0.13,8.4.17) Remove useless "picksplit doesn't support secondary split" log messages (Josh Hansen, Tom Lane)
This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.
(9.2.4) Remove vestigial secondary-split support in gist_box_picksplit()
(Tom Lane)
Not only was this implementation of secondary-split not better than the default implementation, it's actually worse. So remove it and let the default code path handle the case.
(9.2.4,9.1.9,9.0.13,8.4.17) Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)
(9.2.4,9.1.9,9.0.13,8.4.17) Eliminate memory leaks in PL/Perl's spi_prepare()
function (Alex Hunsaker, Tom
Lane)
(9.2.4,9.1.9,9.0.13,8.4.17) Fix pg_dumpall to handle database names containing "=" correctly (Heikki Linnakangas)
(9.2.4,9.1.9,9.0.13,8.4.17) Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas)
(9.2.4,9.1.9,9.0.13) Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian)
Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing.
(9.2.4,9.1.9) In pg_basebackup, include only the current server version's subdirectory when backing up a tablespace (Heikki Linnakangas)
(9.2.4,9.1.9) Add a server version check in pg_basebackup and pg_receivexlog, so they fail cleanly with version combinations that won't work (Heikki Linnakangas)
(9.2.4) Fix contrib/dblink to handle inconsistent settings of DateStyle or IntervalStyle safely (Daniel Farina, Tom Lane)
Previously, if the remote server had different settings of these parameters, ambiguous dates might be read incorrectly. This fix ensures that datetime and interval columns fetched by a dblink query will be interpreted correctly. Note however that inconsistent settings are still risky, since literal values appearing in SQL commands sent to the remote server might be interpreted differently than they would be locally.
(9.2.4,9.1.9,9.0.13,8.4.17) Fix contrib/pg_trgm's similarity()
function to return zero for
trigram-less strings (Tom Lane)
Previously it returned NaN due to internal division by zero.
(9.2.4) Enable building PostgreSQL with Microsoft Visual Studio 2012 (Brar Piening, Noah Misch)
(9.2.4,9.1.9,9.0.13,8.4.17) Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places.
Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.
Release date: 2013-02-07
This release contains a variety of fixes from 9.2.2. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, if you are upgrading from a version earlier than 9.2.2, see Version 9.2.2.
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Prevent execution of enum_recv
from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. CVE-2013-0255 or CVE-2013-0255)
(9.2.3,9.1.8,9.0.12) Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund)
(9.2.3) Fix detection of end-of-backup point when no actual redo work is required (Heikki Linnakangas)
This mistake could result in incorrect "WAL ends before end of online backup" errors.
(9.2.3,9.1.8,9.0.12,8.4.16) Update minimum recovery point when truncating a relation file (Heikki Linnakangas)
Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.
(9.2.3,9.1.8) Fix recycling of WAL segments after changing recovery target timeline (Heikki Linnakangas)
(9.2.3) Properly restore timeline history files from archive on cascading standby servers (Heikki Linnakangas)
(9.2.3) Fix lock conflict detection on hot-standby servers (Andres Freund, Robert Haas)
(9.2.3,9.1.8,9.0.12) Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs)
The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data.
(9.2.3,9.1.8) Prevent recovery pause feature from pausing before users can connect (Tom Lane)
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)
(9.2.3,9.1.8,9.0.12) Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck)
Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives.
(9.2.3) Improve performance of SPI_execute
and related functions, thereby improving PL/pgSQL's EXECUTE (Heikki Linnakangas, Tom Lane)
Remove some data-copying overhead that was added in 9.2 as a consequence of revisions in the plan caching mechanism. This eliminates a performance regression compared to 9.1, and also saves memory, especially when the query string to be executed contains many SQL statements.
A side benefit is that multi-statement query strings are now processed fully serially, that is we complete execution of earlier statements before running parse analysis and planning on the following ones. This eliminates a long-standing issue, in that DDL that should affect the behavior of a later statement will now behave as expected.
(9.2.3) Restore pre-9.2 cost estimates for index usage (Tom Lane)
An ill-considered change of a fudge factor led to undesirably high cost estimates for use of very large indexes.
(9.2.3) Fix intermittent crash in DROP INDEX CONCURRENTLY (Tom Lane)
(9.2.3) Fix potential corruption of shared-memory lock table during CREATE/DROP INDEX CONCURRENTLY (Tom Lane)
(9.2.3) Fix COPY's multiple-tuple-insertion code for the case of a tuple larger than page size minus fillfactor (Heikki Linnakangas)
The previous coding could get into an infinite loop.
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Prevent DROP OWNED from trying to drop whole databases or tablespaces (Ãlvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.
(9.2.3,9.1.8,9.0.12,8.4.16) Fix error in vacuum_freeze_table_age implementation (Andres Freund)
In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead.
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)
(9.2.3) Fix some bugs associated with privileges on datatypes (Tom Lane)
There were some issues with default privileges for types, and pg_dump failed to dump such privileges at all.
(9.2.3,9.1.8) Fix failure to ignore leftover temporary tables after a server crash (Tom Lane)
(9.2.3) Fix failure to rotate postmaster log files for size reasons on Windows (Jeff Janes, Heikki Linnakangas)
(9.2.3,9.1.8,9.0.12,8.4.16) Reject out-of-range dates in to_date()
(Hitoshi Harada)
(9.2.3,9.1.8) Fix pg_extension_config_dump()
to
handle extension-update cases properly (Tom Lane)
This function will now replace any existing entry for the target table, making it usable in extension update scripts.
(9.2.3) Fix PL/pgSQL's reporting of plan-time errors in possibly-simple expressions (Tom Lane)
The previous coding resulted in sometimes omitting the first line in the CONTEXT traceback for the error.
(9.2.3,9.1.8) Fix PL/Python's handling of functions used as triggers on multiple tables (Andres Freund)
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)
This bug affected psql and some other client programs.
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)
(9.2.3,9.1.8) Fix possible error if a relation file is removed while pg_basebackup is running (Heikki Linnakangas)
(9.2.3) Tolerate timeline switches while pg_basebackup -X fetch is backing up a standby server (Heikki Linnakangas)
(9.2.3,9.1.8) Make pg_dump exclude data of unlogged tables when running on a hot-standby server (Magnus Hagander)
This would fail anyway because the data is not available on the standby server, so it seems most convenient to assume --no-unlogged-table-data automatically.
(9.2.3,9.1.8,9.0.12) Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian)
(9.2.3) Fix pg_upgrade's -O/-o options (Marti Raudsepp)
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Fix one-byte buffer overrun in libpq's PQprintTuples
(Xi Wang)
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
(9.2.3,9.1.8,9.0.12,8.4.16) Make ecpglib use translated messages properly (Chen Huajun)
(9.2.3,9.1.8,9.0.12,8.4.16) Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing)
(9.2.3,9.1.8,9.0.12) Include our version of isinf()
in
libecpg if it's not provided by
the system (Jiang Guiqing)
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Ensure Windows build number increases over time (Magnus Hagander)
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)
(9.2.3,9.1.8,9.0.12,8.4.16,8.3.23) Add new timezone abbreviation FET (Tom Lane)
This is now used in some eastern-European time zones.
Release date: 2012-12-06
This release contains a variety of fixes from 9.2.1. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, you may need to perform REINDEX operations to correct problems in concurrently-built indexes, as described in the first changelog item below.
Also, if you are upgrading from version 9.2.0, see Version 9.2.1.
(9.2.2) Fix multiple bugs associated with CREATE/DROP INDEX CONCURRENTLY (Andres Freund, Tom Lane, Simon Riggs, Pavan Deolasee)
An error introduced while adding DROP INDEX CONCURRENTLY allowed incorrect indexing decisions to be made during the initial phase of CREATE INDEX CONCURRENTLY; so that indexes built by that command could be corrupt. It is recommended that indexes built in 9.2.X with CREATE INDEX CONCURRENTLY be rebuilt after applying this update.
In addition, fix CREATE/DROP INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus again resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.
Also fix DROP INDEX CONCURRENTLY to not disable insertions into the target index until all queries using it are done.
Also fix misbehavior if DROP INDEX CONCURRENTLY is canceled: the previous coding could leave an un-droppable index behind.
(9.2.2) Correct predicate locking for DROP INDEX CONCURRENTLY (Kevin Grittner)
Previously, SSI predicate locks were processed at the wrong time, possibly leading to incorrect behavior of serializable transactions executing in parallel with the DROP.
(9.2.2,9.1.7,9.0.11) Fix buffer locking during WAL replay (Tom Lane)
The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures.
(9.2.2,9.1.7,9.0.11) Fix an error in WAL generation logic for GIN indexes (Tom Lane)
This could result in index corruption, if a torn-page failure occurred.
(9.2.2) Fix an error in WAL replay logic for SP-GiST indexes (Tom Lane)
This could result in index corruption after a crash, or on a standby server.
(9.2.2) Fix incorrect detection of end-of-base-backup location during WAL recovery (Heikki Linnakangas)
This mistake allowed hot standby mode to start up before the database reaches a consistent state.
(9.2.2,9.1.7,9.0.11) Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running (Simon Riggs)
This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY.
(9.2.2,9.1.7,9.0.11) Avoid bogus "out-of-sequence timeline ID" errors in standby mode (Heikki Linnakangas)
(9.2.2,9.1.7,9.0.11) Prevent the postmaster from launching new child processes after it's received a shutdown signal (Tom Lane)
This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action.
(9.2.2) Fix the syslogger process to not fail when log_rotation_age exceeds 2^31 milliseconds (about 25 days) (Tom Lane)
(9.2.2) Fix WaitLatch()
to return promptly
when the requested timeout expires (Jeff Janes, Tom Lane)
With the previous coding, a steady stream of
non-wait-terminating interrupts could delay return from
WaitLatch()
indefinitely. This has
been shown to be a problem for the autovacuum launcher process, and
might cause trouble elsewhere as well.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Avoid corruption of internal hash tables when out of memory (Hitoshi Harada)
(9.2.2,9.1.7) Prevent file descriptors for dropped tables from being held open past transaction end (Tom Lane)
This should reduce problems with long-since-dropped tables continuing to occupy disk space.
(9.2.2,9.1.7) Prevent database-wide crash and restart when a new child process is unable to create a pipe for its latch (Tom Lane)
Although the new process must fail, there is no good reason to force a database-wide restart, so avoid that. This improves robustness when the kernel is nearly out of file descriptors.
(9.2.2) Avoid planner crash with joins to unflattened subqueries (Tom Lane)
(9.2.2) Fix planning of non-strict equivalence clauses above outer joins (Tom Lane)
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join. 9.2 showed this type of error in more cases than previous releases, but the basic bug has been there for a long time.
(9.2.2,9.1.7) Fix SELECT DISTINCT with
index-optimized MIN
/MAX
on an inheritance tree (Tom Lane)
The planner would fail with "failed to re-find MinMaxAggInfo record" given this combination of factors.
(9.2.2) Make sure the planner sees implicit and explicit casts as equivalent for all purposes, except in the minority of cases where there's actually a semantic difference (Tom Lane)
(9.2.2) Include join clauses when considering whether partial indexes can be used for a query (Tom Lane)
A strict join clause can be sufficient to establish an x IS NOT NULL predicate, for example. This fixes a planner regression in 9.2, since previous versions could make comparable deductions.
(9.2.2) Limit growth of planning time when there are many indexable join clauses for the same index (Tom Lane)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane)
This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.
(9.2.2) Fix btree mark/restore functions to handle array keys (Tom Lane)
This oversight could result in wrong answers from merge joins whose inner side is an index scan using an indexed_column = ANY(array) condition.
(9.2.2) Revert patch for taking fewer snapshots (Tom Lane)
The 9.2 change to reduce the number of snapshots taken during query execution led to some anomalous behaviors not seen in previous releases, because execution would proceed with a snapshot acquired before locking the tables used by the query. Thus, for example, a query would not be guaranteed to see updates committed by a preceding transaction even if that transaction had exclusive lock. We'll probably revisit this in future releases, but meanwhile put it back the way it was before 9.2.
(9.2.2,9.1.7) Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund)
In very unusual circumstances, this oversight could result in passing incorrect data to a trigger WHEN condition, or to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.
(9.2.2,9.1.7,9.0.11,8.4.15) Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee)
This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later.
(9.2.2,9.1.7) Fix ALTER EXTENSION SET SCHEMA's failure to move some subsidiary objects into the new schema (Ãlvaro Herrera, Dimitri Fontaine)
(9.2.2) Handle CREATE TABLE AS EXECUTE correctly in extended query protocol (Tom Lane)
(9.2.2) Don't modify the input parse tree in DROP RULE IF NOT EXISTS and DROP TRIGGER IF NOT EXISTS (Tom Lane)
This mistake would cause errors if a cached statement of one of these types was re-executed.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix REASSIGN OWNED to handle grants on tablespaces (Ãlvaro Herrera)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane)
Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix possible access past end of string in date parsing (Hitoshi Harada)
(9.2.2,9.1.7,9.0.11) Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby (Tom Lane, Andres Freund)
While this mistake had no particular impact on PostgreSQL itself, it was bad for applications
that rely on txid_current()
and
related functions: the TXID value would appear to go backwards.
(9.2.2) Fix pg_terminate_backend()
and
pg_cancel_backend()
to not throw
error for a non-existent target process (Josh Kupershmidt)
This case already worked as intended when called by a superuser, but not so much when called by ordinary users.
(9.2.2,9.1.7) Fix display of pg_stat_replication.sync_state at a page boundary (Kyotaro Horiguchi)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan)
Formerly, this would result in something quite unhelpful, such as "Non-recoverable failure in name resolution".
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix memory leaks when sending composite column values to the client (Tom Lane)
(9.2.2) Save some cycles by not searching for subtransaction locks at commit (Simon Riggs)
In a transaction holding many exclusive locks, this useless activity could be quite costly.
(9.2.2) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas)
This fixes race conditions and possible file descriptor leakage.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing)
(9.2.2) Make pg_dump dump SEQUENCE SET items in the data not pre-data section of the archive (Tom Lane)
This fixes an undesirable inconsistency between the meanings of --data-only and --section=data, and also fixes dumping of sequences that are marked as extension configuration tables.
(9.2.2) Fix pg_dump's handling of DROP DATABASE commands in --clean mode (Guillaume Lelarge)
Beginning in 9.2.0, pg_dump --clean would issue a DROP DATABASE command, which was either useless or dangerous depending on the usage scenario. It no longer does that. This change also fixes the combination of --clean and --create to work sensibly, i.e., emit DROP DATABASE then CREATE DATABASE before reconnecting to the target database.
(9.2.2) Fix pg_dump for views with circular dependencies and no relation options (Tom Lane)
The previous fix to dump relation options when a view is involved in a circular dependency didn't work right for the case that the view has no options; it emitted ALTER VIEW foo SET () which is invalid syntax.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane)
The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane)
The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.
(9.2.2,9.1.7) Fix tar files emitted by pg_basebackup to be POSIX conformant (Brian Weaver, Tom Lane)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane)
This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix libpq's lo_import()
and lo_export()
functions to report file I/O errors
properly (Tom Lane)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama)
(9.2.2,9.1.7,9.0.11) Fix ecpg's ecpg_get_data
function to handle arrays properly
(Michael Meskes)
(9.2.2) Prevent pg_upgrade from trying to process TOAST tables for system catalogs (Bruce Momjian)
This fixes an error seen when the information_schema has been dropped and recreated. Other failures were also possible.
(9.2.2) Improve pg_upgrade performance by setting synchronous_commit to off in the new cluster (Bruce Momjian)
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane)
(9.2.2) Work around unportable behavior of malloc(0) and realloc (NULL, 0) (Tom Lane)
On platforms where these calls return NULL, some code mistakenly thought that meant out-of-memory. This is known to have broken pg_dump for databases containing no user-defined aggregates. There might be other cases as well.
(9.2.2,9.1.7) Ensure that make install for an extension creates the extension installation directory (Cédric Villemain)
Previously, this step was missed if MODULEDIR was set in the extension's Makefile.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Fix pgxs support for building loadable modules on AIX (Tom Lane)
Building modules outside the original source tree didn't work on AIX.
(9.2.2,9.1.7,9.0.11,8.4.15,8.3.22) Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.
Release date: 2012-09-24
This release contains a variety of fixes from 9.2.0. For information about new features in the 9.2 major release, see Version 9.2.0.
A dump/restore is not required for those running 9.2.X.
However, you may need to perform REINDEX and/or VACUUM operations to recover from the effects of the data corruption bug described in the first changelog item below.
(9.2.1) Fix persistence marking of shared buffers during WAL replay (Jeff Davis)
This mistake can result in buffers not being written out during checkpoints, resulting in data corruption if the server later crashes without ever having written those buffers. Corruption can occur on any server following crash recovery, but it is significantly more likely to occur on standby slave servers since those perform much more WAL replay. There is a low probability of corruption of btree and GIN indexes. There is a much higher probability of corruption of table "visibility maps", which might lead to wrong answers from index-only scans. Table data proper cannot be corrupted by this bug.
While no index corruption due to this bug is known to have occurred in the field, as a precautionary measure it is recommended that production installations REINDEX all btree and GIN indexes at a convenient time after upgrading to 9.2.1.
Also, it is recommended to perform a VACUUM of all tables while having vacuum_freeze_table_age set to zero. This will fix any incorrect visibility map data. vacuum_cost_delay can be adjusted to reduce the performance impact of vacuuming, while causing it to take longer to finish.
(9.2.1) Fix possible incorrect sorting of output from queries involving WHERE indexed_column IN (list_of_values) (Tom Lane)
(9.2.1) Fix planner failure for queries involving GROUP BY expressions along with window functions and aggregates (Tom Lane)
(9.2.1) Fix planner's assignment of executor parameters (Tom Lane)
This error could result in wrong answers from queries that scan the same WITH subquery multiple times.
(9.2.1) Improve planner's handling of join conditions in index scans (Tom Lane)
(9.2.1,9.1.6) Improve selectivity estimation for text search queries involving prefixes, i.e. word:* patterns (Tom Lane)
(9.2.1) Fix delayed recognition of permissions changes (Tom Lane)
A command that needed no locks other than ones its transaction already had might fail to notice a concurrent GRANT or REVOKE that committed since the start of its transaction.
(9.2.1) Fix ANALYZE to not fail when a column is a domain over an array type (Tom Lane)
(9.2.1,9.1.6,9.0.10,8.4.14,8.3.21) Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane)
(9.2.1,9.1.6,9.0.10,8.4.14,8.3.21) Work around possible misoptimization in PL/Perl (Tom Lane)
Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error.
(9.2.1,9.1.6) Remove unnecessary dependency on pg_config from pg_upgrade (Peter Eisentraut)
(9.2.1,9.1.6,9.0.10,8.4.14,8.3.21) Update time zone data files to tzdata release 2012f for DST law changes in Fiji
Release date: 2012-09-10
This release has been largely focused on performance improvements, though new SQL features are not lacking. Work also continues in the area of replication support. Major enhancements include:
(9.2.0) Allow queries to retrieve data only from indexes, avoiding heap access (index-only scans)
(9.2.0) Allow the planner to generate custom plans for specific parameter values even when using prepared statements
(9.2.0) Improve the planner's ability to use nested loops with inner index scans
(9.2.0) Allow streaming replication slaves to forward data to other slaves (cascading replication)
(9.2.0) Allow pg_basebackup to make base backups from standby servers
(9.2.0) Add a pg_receivexlog tool to archive WAL file changes as they are written
(9.2.0) Add the SP-GiST (Space-Partitioned GiST) index access method
(9.2.0) Add support for range data types
(9.2.0) Add a JSON data type
(9.2.0) Add a security_barrier option for views
(9.2.0) Allow libpq connection strings to have the format of a URI
(9.2.0) Add a single-row processing mode to libpq for better handling of large result sets
The above items are explained in more detail in the sections below.
A dump/restore using pg_dump, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.2 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
(9.2.0) Remove the spclocation field from pg_tablespace (Magnus Hagander)
This field was duplicative of the symbolic links that actually
define tablespace locations, and thus risked errors of omission
when moving a tablespace. This change allows tablespace directories
to be moved while the server is down, by manually adjusting the
symbolic links. To replace this field, we have added pg_tablespace_location()
to allow querying of
the symbolic links.
(9.2.0) Move tsvector most-common-element statistics to new pg_stats columns (Alexander Korotkov)
Consult most_common_elems and most_common_elem_freqs for the data formerly available in most_common_vals and most_common_freqs for a tsvector column.
(9.2.0) Remove hstore's => operator (Robert Haas)
Users should now use hstore(text,
text)
. Since PostgreSQL
9.0, a warning message has been emitted when an operator named
=> is created because the
SQL standard reserves that token
for another use.
(9.2.0) Ensure that xpath()
escapes special characters in string
values (Florian Pflug)
Without this it is possible for the result not to be valid XML.
(9.2.0) Make pg_relation_size()
and friends return NULL if
the object does not exist (Phil Sorber)
This prevents queries that call these functions from returning errors immediately after a concurrent DROP.
(9.2.0) Make EXTRACT (EPOCH FROM timestamp
without time zone)
measure the epoch from local
midnight, not UTC midnight (Tom
Lane)
This change reverts an ill-considered change made in release 7.3. Measuring from UTC midnight was inconsistent because it made the result dependent on the timezone setting, which computations for timestamp without time zone should not be. The previous behavior remains available by casting the input value to timestamp with time zone.
(9.2.0) Properly parse time strings with trailing yesterday, today, and tomorrow (Dean Rasheed)
Previously, SELECT '04:00:00 yesterday'::timestamp returned yesterday's date at midnight.
(9.2.0) Fix to_date()
and to_timestamp()
to wrap incomplete dates toward
2020 (Bruce Momjian)
Previously, supplied years and year masks of less than four digits wrapped inconsistently.
(9.2.0) Prevent ALTER DOMAIN from working on non-domain types (Peter Eisentraut)
Owner and schema changes were previously possible on non-domain types.
(9.2.0) No longer forcibly lowercase procedural language names in CREATE FUNCTION (Robert Haas)
While unquoted language identifiers are still lowercased, strings and quoted identifiers are no longer forcibly down-cased. Thus for example CREATE FUNCTION ... LANGUAGE 'C' will no longer work; it must be spelled 'c', or better omit the quotes.
(9.2.0) Change system-generated names of foreign key enforcement triggers (Tom Lane)
This change ensures that the triggers fire in the correct order in some corner cases involving self-referential foreign key constraints.
(9.2.0) Provide consistent backquote, variable expansion, and quoted substring behavior in psql meta-command arguments (Tom Lane)
Previously, such references were treated oddly when not separated by whitespace from adjacent text. For example 'FOO'BAR was output as FOO BAR (unexpected insertion of a space) and FOO'BAR'BAZ was output unchanged (not removing the quotes as most would expect).
(9.2.0) No longer treat clusterdb table names as double-quoted; no longer treat reindexdb table and index names as double-quoted (Bruce Momjian)
Users must now include double-quotes in the command arguments if quoting is wanted.
(9.2.0) createuser no longer prompts for option settings by default (Peter Eisentraut)
Use --interactive to obtain the old behavior.
(9.2.0) Disable prompting for the user name in dropuser unless --interactive is specified (Peter Eisentraut)
(9.2.0) Add server parameters for specifying the locations of server-side SSL files (Peter Eisentraut)
This allows changing the names and locations of the files that were previously hard-coded as server.crt, server.key, root.crt, and root.crl in the data directory. The server will no longer examine root.crt or root.crl by default; to load these files, the associated parameters must be set to non-default values.
(9.2.0) Remove the silent_mode parameter (Heikki Linnakangas)
Similar behavior can be obtained with pg_ctl start -l postmaster.log.
(9.2.0) Remove the wal_sender_delay parameter, as it is no longer needed (Tom Lane)
(9.2.0) Remove the custom_variable_classes parameter (Tom Lane)
The checking provided by this setting was dubious. Now any setting can be prefixed by any class name.
(9.2.0) Rename pg_stat_activity.procpid to pid, to match other system tables (Magnus Hagander)
(9.2.0) Create a separate pg_stat_activity column to report process state (Scott Mead, Magnus Hagander)
The previous query and query_start values now remain available for an idle session, allowing enhanced analysis.
(9.2.0) Rename pg_stat_activity.current_query to query because it is not cleared when the query completes (Magnus Hagander)
(9.2.0) Change all SQL-level statistics timing values to be float8 columns measured in milliseconds (Tom Lane)
This change eliminates the designed-in assumption that the values are accurate to microseconds and no more (since the float8 values can be fractional). The columns affected are pg_stat_user_functions.total_time, pg_stat_user_functions.self_time, pg_stat_xact_user_functions.total_time, and pg_stat_xact_user_functions.self_time. The statistics functions underlying these columns now also return float8 milliseconds, rather than bigint microseconds. contrib/pg_stat_statements' total_time column is now also measured in milliseconds.
Below you will find a detailed account of the changes between PostgreSQL 9.2 and the previous major release.
(9.2.0) Allow queries to retrieve data only from indexes, avoiding heap access (Robert Haas, Ibrar Ahmed, Heikki Linnakangas, Tom Lane)
This feature is often called index-only scans. Heap access can be skipped for heap pages containing only tuples that are visible to all sessions, as reported by the visibility map; so the benefit applies mainly to mostly-static data. The visibility map was made crash-safe as a necessary part of implementing this feature.
(9.2.0) Add the SP-GiST (Space-Partitioned GiST) index access method (Teodor Sigaev, Oleg Bartunov, Tom Lane)
SP-GiST is comparable to GiST in flexibility, but supports unbalanced partitioned search structures rather than balanced trees. For suitable problems, SP-GiST can be faster than GiST in both index build time and search time.
(9.2.0) Allow group commit to work effectively under heavy load (Peter Geoghegan, Simon Riggs, Heikki Linnakangas)
Previously, batching of commits became ineffective as the write workload increased, because of internal lock contention.
(9.2.0) Allow uncontended locks to be managed using a new fast-path lock mechanism (Robert Haas)
(9.2.0) Reduce overhead of creating virtual transaction ID locks (Robert Haas)
(9.2.0) Reduce the overhead of serializable isolation level locks (Dan Ports)
(9.2.0) Improve PowerPC and Itanium spinlock performance (Manabu Ori, Robert Haas, Tom Lane)
(9.2.0) Reduce overhead for shared invalidation cache messages (Robert Haas)
(9.2.0) Move the frequently accessed members of the PGPROC shared memory array to a separate array (Pavan Deolasee, Heikki Linnakangas, Robert Haas)
(9.2.0) Improve COPY performance by adding tuples to the heap in batches (Heikki Linnakangas)
(9.2.0) Improve GiST index performance for geometric data types by producing better trees with less memory allocation overhead (Alexander Korotkov)
(9.2.0) Improve GiST index build times (Alexander Korotkov, Heikki Linnakangas)
(9.2.0) Allow hint bits to be set sooner for temporary and unlogged tables (Robert Haas)
(9.2.0) Allow sorting to be performed by inlined, non-SQL-callable comparison functions (Peter Geoghegan, Robert Haas, Tom Lane)
(9.2.0) Make the number of CLOG buffers scale based on shared_buffers (Robert Haas, Simon Riggs, Tom Lane)
(9.2.0) Improve performance of buffer pool scans that occur when tables or databases are dropped (Jeff Janes, Simon Riggs)
(9.2.0) Improve performance of checkpointer's fsync-request queue when many tables are being dropped or truncated (Tom Lane)
(9.2.0) Pass the safe number of file descriptors to child processes on Windows (Heikki Linnakangas)
This allows Windows sessions to use more open file descriptors than before.
(9.2.0) Create a dedicated background process to perform checkpoints (Simon Riggs)
Formerly the background writer did both dirty-page writing and checkpointing. Separating this into two processes allows each goal to be accomplished more predictably.
(9.2.0) Improve asynchronous commit behavior by waking the walwriter sooner (Simon Riggs)
Previously, only wal_writer_delay triggered WAL flushing to disk; now filling a WAL buffer also triggers WAL writes.
(9.2.0) Allow the bgwriter, walwriter, checkpointer, statistics collector, log collector, and archiver background processes to sleep more efficiently during periods of inactivity (Peter Geoghegan, Tom Lane)
This series of changes reduces the frequency of process wake-ups when there is nothing to do, dramatically reducing power consumption on idle servers.
(9.2.0) Allow the planner to generate custom plans for specific parameter values even when using prepared statements (Tom Lane)
In the past, a prepared statement always had a single "generic" plan that was used for all parameter values, which was frequently much inferior to the plans used for non-prepared statements containing explicit constant values. Now, the planner attempts to generate custom plans for specific parameter values. A generic plan will only be used after custom plans have repeatedly proven to provide no benefit. This change should eliminate the performance penalties formerly seen from use of prepared statements (including non-dynamic statements in PL/pgSQL).
(9.2.0) Improve the planner's ability to use nested loops with inner index scans (Tom Lane)
The new "parameterized path" mechanism allows inner index scans to use values from relations that are more than one join level up from the scan. This can greatly improve performance in situations where semantic restrictions (such as outer joins) limit the allowed join orderings.
(9.2.0) Improve the planning API for foreign data wrappers (Etsuro Fujita, Shigeru Hanada, Tom Lane)
Wrappers can now provide multiple access "paths" for their tables, allowing more flexibility in join planning.
(9.2.0) Recognize self-contradictory restriction clauses for non-table relations (Tom Lane)
This check is only performed when constraint_exclusion is on.
(9.2.0) Allow indexed_col op ANY (ARRAY[...]) conditions to be used in plain index scans and index-only scans (Tom Lane)
Formerly such conditions could only be used in bitmap index scans.
(9.2.0) Support MIN
/MAX
index optimizations on boolean columns (Marti Raudsepp)
(9.2.0) Account for set-returning functions in SELECT target lists when setting row count estimates (Tom Lane)
(9.2.0) Fix planner to handle indexes with duplicated columns more reliably (Tom Lane)
(9.2.0) Collect and use element-frequency statistics for arrays (Alexander Korotkov, Tom Lane)
This change improves selectivity estimation for the array <@, &&, and @> operators (array containment and overlaps).
(9.2.0) Allow statistics to be collected for foreign tables (Etsuro Fujita)
(9.2.0) Improve cost estimates for use of partial indexes (Tom Lane)
(9.2.0) Improve the planner's ability to use statistics for columns referenced in subqueries (Tom Lane)
(9.2.0) Improve statistical estimates for subqueries using DISTINCT (Tom Lane)
(9.2.0) Do not treat role names and samerole specified in pg_hba.conf as automatically including superusers (Andrew Dunstan)
This makes it easier to use reject lines with group roles.
(9.2.0) Adjust pg_hba.conf processing to handle token parsing more consistently (Brendan Jurd, Ãlvaro Herrera)
(9.2.0) Disallow empty pg_hba.conf files (Tom Lane)
This was done to more quickly detect misconfiguration.
(9.2.0) Make superuser privilege imply replication privilege (Noah Misch)
This avoids the need to explicitly assign such privileges.
(9.2.0) Attempt to log the current query string during a backend crash (Marti Raudsepp)
(9.2.0) Make logging of autovacuum I/O activity more verbose (Greg Smith, Noah Misch)
This logging is triggered by log_autovacuum_min_duration.
(9.2.0) Make WAL replay report failures sooner (Fujii Masao)
There were some cases where failures were only reported once the server went into master mode.
(9.2.0) Add pg_xlog_location_diff()
to simplify WAL
location comparisons (Euler Taveira de Oliveira)
This is useful for computing replication lag.
(9.2.0) Support configurable event log application names on Windows (MauMau, Magnus Hagander)
This allows different instances to use the event log with different identifiers, by setting the event_source server parameter, which is similar to how syslog_ident works.
(9.2.0) Change "unexpected EOF" messages to DEBUG1 level, except when there is an open transaction (Magnus Hagander)
This change reduces log chatter caused by applications that close database connections ungracefully.
(9.2.0) Track temporary file sizes and file counts in the pg_stat_database system view (Tomas Vondra)
(9.2.0) Add a deadlock counter to the pg_stat_database system view (Magnus Hagander)
(9.2.0) Add a server parameter track_io_timing to track I/O timings (Ants Aasma, Robert Haas)
(9.2.0) Report checkpoint timing information in pg_stat_bgwriter (Greg Smith, Peter Geoghegan)
(9.2.0) Silently ignore nonexistent schemas specified in search_path (Tom Lane)
This makes it more convenient to use generic path settings, which might include some schemas that don't exist in all databases.
(9.2.0) Allow superusers to set deadlock_timeout per-session, not just per-cluster (Noah Misch)
This allows deadlock_timeout to be reduced for transactions that are likely to be involved in a deadlock, thus detecting the failure more quickly. Alternatively, increasing the value can be used to reduce the chances of a session being chosen for cancellation due to a deadlock.
(9.2.0) Add a server parameter temp_file_limit to constrain temporary file space usage per session (Mark Kirkwood)
(9.2.0) Allow a superuser to SET an extension's superuser-only custom variable before loading the associated extension (Tom Lane)
The system now remembers whether a SET was performed by a superuser, so that proper privilege checking can be done when the extension is loaded.
(9.2.0) Add postmaster -C option to query configuration parameters (Bruce Momjian)
This allows pg_ctl to better handle cases where PGDATA or -D points to a configuration-only directory.
(9.2.0) Replace an empty locale name with the implied value in CREATE DATABASE (Tom Lane)
This prevents cases where pg_database.datcollate or datctype could be interpreted differently after a server restart.
(9.2.0) Allow multiple errors in postgresql.conf to be reported, rather than just the first one (Alexey Klyukin, Tom Lane)
(9.2.0) Allow a reload of postgresql.conf to be processed by all sessions, even if there are some settings that are invalid for particular sessions (Alexey Klyukin)
Previously, such not-valid-within-session values would cause all setting changes to be ignored by that session.
(9.2.0) Add an include_if_exists facility for configuration files (Greg Smith)
This works the same as include, except that an error is not thrown if the file is missing.
(9.2.0) Identify the server time zone during initdb, and set postgresql.conf entries timezone and log_timezone accordingly (Tom Lane)
This avoids expensive time zone probes during server start.
(9.2.0) Fix pg_settings to report postgresql.conf line numbers on Windows (Tom Lane)
(9.2.0) Allow streaming replication slaves to forward data to other slaves (cascading replication) (Fujii Masao)
Previously, only the master server could supply streaming replication log files to standby servers.
(9.2.0) Add new synchronous_commit mode remote_write (Fujii Masao, Simon Riggs)
This mode waits for the standby server to write transaction data to its own operating system, but does not wait for the data to be flushed to the standby's disk.
(9.2.0) Add a pg_receivexlog tool to archive WAL file changes as they are written, rather than waiting for completed WAL files (Magnus Hagander)
(9.2.0) Allow pg_basebackup to make base backups from standby servers (Jun Ishizuka, Fujii Masao)
This feature lets the work of making new base backups be off-loaded from the primary server.
(9.2.0) Allow streaming of WAL files while pg_basebackup is performing a backup (Magnus Hagander)
This allows passing of WAL files to the standby before they are discarded on the primary.
(9.2.0) Cancel the running query if the client gets disconnected (Florian Pflug)
If the backend detects loss of client connection during a query, it will now cancel the query rather than attempting to finish it.
(9.2.0) Retain column names at run time for row expressions (Andrew Dunstan, Tom Lane)
This change allows better results when a row value is converted to hstore or json type: the fields of the resulting value will now have the expected names.
(9.2.0) Improve column labels used for sub-SELECT results (Marti Raudsepp)
Previously, the generic label ?column? was used.
(9.2.0) Improve heuristics for determining the types of unknown values (Tom Lane)
The longstanding rule that an unknown constant might have the same type as the value on the other side of the operator using it is now applied when considering polymorphic operators, not only for simple operator matches.
(9.2.0) Warn about creating casts to or from domain types (Robert Haas)
Such casts have no effect.
(9.2.0) When a row fails a CHECK or NOT NULL constraint, show the row's contents as error detail (Jan Kundrát)
This should make it easier to identify which row is problematic when an insert or update is processing many rows.
(9.2.0) Provide more reliable operation during concurrent DDL (Robert Haas, Noah Misch)
This change adds locking that should eliminate "cache lookup failed" errors in many scenarios. Also, it is no longer possible to add relations to a schema that is being concurrently dropped, a scenario that formerly led to inconsistent system catalog contents.
(9.2.0) Add CONCURRENTLY option to DROP INDEX (Simon Riggs)
This allows index removal without blocking other sessions.
(9.2.0) Allow foreign data wrappers to have per-column options (Shigeru Hanada)
(9.2.0) Improve pretty-printing of view definitions (Andrew Dunstan)
(9.2.0) Allow CHECK constraints to be declared NOT VALID (Ãlvaro Herrera)
Adding a NOT VALID constraint does not cause the table to be scanned to verify that existing rows meet the constraint. Subsequently, newly added or updated rows are checked. Such constraints are ignored by the planner when considering constraint_exclusion, since it is not certain that all rows meet the constraint.
The new ALTER TABLE VALIDATE command allows NOT VALID constraints to be checked for existing rows, after which they are converted into ordinary constraints.
(9.2.0) Allow CHECK constraints to be declared NO INHERIT (Nikhil Sontakke, Alex Hunsaker, Ãlvaro Herrera)
This makes them enforceable only on the parent table, not on child tables.
(9.2.0) Add the ability to rename constraints (Peter Eisentraut)
(9.2.0) Reduce need to rebuild tables and indexes for certain ALTER TABLE ... ALTER COLUMN TYPE operations (Noah Misch)
Increasing the length limit for a varchar or varbit column, or removing the limit altogether, no longer requires a table rewrite. Similarly, increasing the allowable precision of a numeric column, or changing a column from constrained numeric to unconstrained numeric, no longer requires a table rewrite. Table rewrites are also avoided in similar cases involving the interval, timestamp, and timestamptz types.
(9.2.0) Avoid having ALTER TABLE revalidate foreign key constraints in some cases where it is not necessary (Noah Misch)
(9.2.0) Add IF EXISTS options to some ALTER commands (Pavel Stehule)
For example, ALTER FOREIGN TABLE IF EXISTS foo RENAME TO bar.
(9.2.0) Add ALTER FOREIGN DATA WRAPPER ... RENAME and ALTER SERVER ... RENAME (Peter Eisentraut)
(9.2.0) Add ALTER DOMAIN ... RENAME (Peter Eisentraut)
You could already rename domains using ALTER TYPE.
(9.2.0) Throw an error for ALTER DOMAIN ... DROP CONSTRAINT on a nonexistent constraint (Peter Eisentraut)
An IF EXISTS option has been added to provide the previous behavior.
(9.2.0) Allow CREATE TABLE (LIKE ...) from foreign tables, views, and composite types (Peter Eisentraut)
For example, this allows a table to be created whose schema matches a view.
(9.2.0) Fix CREATE TABLE (LIKE ...) to avoid index name conflicts when copying index comments (Tom Lane)
(9.2.0) Fix CREATE TABLE ... AS EXECUTE to handle WITH NO DATA and column name specifications (Tom Lane)
(9.2.0) Add a security_barrier option for views (KaiGai Kohei, Robert Haas)
This option prevents optimizations that might allow view-protected data to be exposed to users, for example pushing a clause involving an insecure function into the WHERE clause of the view. Such views can be expected to perform more poorly than ordinary views.
(9.2.0) Add a new LEAKPROOF function attribute to mark functions that can safely be pushed down into security_barrier views (KaiGai Kohei)
(9.2.0) Add support for privileges on data types (Peter Eisentraut)
This adds support for the SQL-conforming USAGE privilege on types and domains. The intent is to be able to restrict which users can create dependencies on types, since such dependencies limit the owner's ability to alter the type.
(9.2.0) Check for INSERT privileges in SELECT INTO / CREATE TABLE AS (KaiGai Kohei)
Because the object is being created by SELECT INTO or CREATE TABLE AS, the creator would ordinarily have insert permissions; but there are corner cases where this is not true, such as when ALTER DEFAULT PRIVILEGES has removed such permissions.
(9.2.0) Allow VACUUM to more easily skip pages that cannot be locked (Simon Riggs, Robert Haas)
This change should greatly reduce the incidence of VACUUM getting "stuck" waiting for other sessions.
(9.2.0) Make EXPLAIN (BUFFERS) count blocks dirtied and written (Robert Haas)
(9.2.0) Make EXPLAIN ANALYZE report the number of rows rejected by filter steps (Marko Tiikkaja)
(9.2.0) Allow EXPLAIN ANALYZE to avoid timing overhead when time values are not wanted (Tomas Vondra)
This is accomplished by setting the new TIMING option to FALSE.
(9.2.0) Add support for range data types (Jeff Davis, Tom Lane, Alexander Korotkov)
A range data type stores a lower and upper bound belonging to its base data type. It supports operations like contains, overlaps, and intersection.
(9.2.0) Add a JSON data type (Robert Haas)
This type stores JSON (JavaScript Object Notation) data with proper validation.
(9.2.0) Add array_to_json()
and row_to_json()
(Andrew Dunstan)
(9.2.0) Add a SMALLSERIAL data type (Mike Pultz)
This is like SERIAL, except it stores the sequence in a two-byte integer column (int2).
(9.2.0) Allow domains to be declared NOT VALID (Ãlvaro Herrera)
This option can be set at domain creation time, or via ALTER DOMAIN ... ADD CONSTRAINT ... NOT VALID. ALTER DOMAIN ... VALIDATE CONSTRAINT fully validates the constraint.
(9.2.0) Support more locale-specific formatting options for the money data type (Tom Lane)
Specifically, honor all the POSIX options for ordering of the value, sign, and currency symbol in monetary output. Also, make sure that the thousands separator is only inserted to the left of the decimal point, as required by POSIX.
(9.2.0) Add bitwise "and", "or", and "not" operators for the macaddr data type (Brendan Jurd)
(9.2.0) Allow xpath()
to return a single-element
XML array when supplied a scalar
value (Florian Pflug)
Previously, it returned an empty array. This change will also
cause xpath_exists()
to return true,
not false, for such expressions.
(9.2.0) Improve XML error handling to be more robust (Florian Pflug)
(9.2.0) Allow non-superusers to use pg_cancel_backend()
and pg_terminate_backend()
on other sessions
belonging to the same user (Magnus Hagander, Josh Kupershmidt, Dan
Farina)
Previously only superusers were allowed to use these functions.
(9.2.0) Allow importing and exporting of transaction snapshots (Joachim Wieland, Tom Lane)
This allows multiple transactions to share identical views of
the database state. Snapshots are exported via
pg_export_snapshot()
and imported via SET TRANSACTION
SNAPSHOT. Only snapshots from currently-running
transactions can be imported.
(9.2.0) Support COLLATION FOR on expressions (Peter Eisentraut)
This returns a string representing the collation of the expression.
(9.2.0) Add pg_opfamily_is_visible()
(Josh
Kupershmidt)
(9.2.0) Add a numeric variant of pg_size_pretty()
for use with pg_xlog_location_diff()
(Fujii Masao)
(9.2.0) Add a pg_trigger_depth()
function (Kevin
Grittner)
This reports the current trigger call depth.
(9.2.0) Allow string_agg()
to process bytea values (Pavel Stehule)
(9.2.0) Fix regular expressions in which a back-reference occurs within a larger quantified subexpression (Tom Lane)
For example, ^(\w+)( \1)+$. Previous releases did not check that the back-reference actually matched the first occurrence.
(9.2.0) Add information schema views role_udt_grants, udt_privileges, and user_defined_types (Peter Eisentraut)
(9.2.0) Add composite-type attributes to the information schema element_types view (Peter Eisentraut)
(9.2.0) Implement interval_type columns in the information schema (Peter Eisentraut)
Formerly these columns read as nulls.
(9.2.0) Implement collation-related columns in the information schema attributes, columns, domains, and element_types views (Peter Eisentraut)
(9.2.0) Implement the with_hierarchy column in the information schema table_privileges view (Peter Eisentraut)
(9.2.0) Add display of sequence USAGE privileges to information schema (Peter Eisentraut)
(9.2.0) Make the information schema show default privileges (Peter Eisentraut)
Previously, non-empty default permissions were not represented in the views.
(9.2.0) Allow the PL/pgSQL OPEN cursor command to supply parameters by name (Yeb Havinga)
(9.2.0) Add a GET STACKED DIAGNOSTICS PL/pgSQL command to retrieve exception info (Pavel Stehule)
(9.2.0) Speed up PL/pgSQL array assignment by caching type information (Pavel Stehule)
(9.2.0) Improve performance and memory consumption for long chains of ELSIF clauses (Tom Lane)
(9.2.0) Output the function signature, not just the name, in PL/pgSQL error messages (Pavel Stehule)
(9.2.0) Add PL/Python SPI cursor support (Jan Urbanski)
This allows PL/Python to read partial result sets.
(9.2.0) Add result metadata functions to PL/Python (Peter Eisentraut)
Specifically, this adds result object functions .colnames, .coltypes, and .coltypmods.
(9.2.0) Remove support for Python 2.2 (Peter Eisentraut)
(9.2.0) Allow SQL-language functions to reference parameters by name (Matthew Draper)
To use this, simply name the function arguments and then reference the argument names in the SQL function body.
(9.2.0) Add initdb options --auth-local and --auth-host (Peter Eisentraut)
This allows separate control of local and host pg_hba.conf authentication settings. --auth still controls both.
(9.2.0) Add --replication/--no-replication flags to createuser to control replication permission (Fujii Masao)
(9.2.0) Add the --if-exists option to dropdb and dropuser (Josh Kupershmidt)
(9.2.0) Give command-line tools the ability to specify the name of the database to connect to, and fall back to template1 if a postgres database connection fails (Robert Haas)
(9.2.0) Add a display mode to auto-expand output based on the display width (Peter Eisentraut)
This adds the auto option to the \x command, which switches to the expanded mode when the normal output would be wider than the screen.
(9.2.0) Allow inclusion of a script file that is named relative to the directory of the file from which it was invoked (Gurjeet Singh)
This is done with a new command \ir.
(9.2.0) Add support for non-ASCII characters in psql variable names (Tom Lane)
(9.2.0) Add support for major-version-specific .psqlrc files (Bruce Momjian)
psql already supported minor-version-specific .psqlrc files.
(9.2.0) Provide environment variable overrides for psql history and startup file locations (Andrew Dunstan)
PSQL_HISTORY and PSQLRC now determine these file names if set.
(9.2.0) Add a \setenv command to modify the environment variables passed to child processes (Andrew Dunstan)
(9.2.0) Name psql's temporary editor files with a .sql extension (Peter Eisentraut)
This allows extension-sensitive editors to select the right mode.
(9.2.0) Allow psql to use zero-byte field and record separators (Peter Eisentraut)
Various shell tools use zero-byte (NUL) separators, e.g. find.
(9.2.0) Make the \timing option report times for failed queries (Magnus Hagander)
Previously times were reported only for successful queries.
(9.2.0) Unify and tighten psql's treatment of \copy and SQL COPY (Noah Misch)
This fix makes failure behavior more predictable and honors \set ON_ERROR_ROLLBACK.
(9.2.0) Make \d on a sequence show the table/column name owning it (Magnus Hagander)
(9.2.0) Show statistics target for columns in \d+ (Magnus Hagander)
(9.2.0) Show role password expiration dates in \du (FabrÃzio de Royes Mello)
(9.2.0) Display comments for casts, conversions, domains, and languages (Josh Kupershmidt)
These are included in the output of \dC+, \dc+, \dD+, and \dL respectively.
(9.2.0) Display comments for SQL/MED objects (Josh Kupershmidt)
These are included in the output of \des+, \det+, and \dew+ for foreign servers, foreign tables, and foreign data wrappers respectively.
(9.2.0) Change \dd to display comments only for object types without their own backslash command (Josh Kupershmidt)
(9.2.0) In psql tab completion, complete SQL keywords in either upper or lower case according to the new COMP_KEYWORD_CASE setting (Peter Eisentraut)
(9.2.0) Add tab completion support for EXECUTE (Andreas Karlsson)
(9.2.0) Allow tab completion of role references in GRANT/REVOKE (Peter Eisentraut)
(9.2.0) Allow tab completion of file names to supply quotes, when necessary (Noah Misch)
(9.2.0) Change tab completion support for TABLE to also include views (Magnus Hagander)
(9.2.0) Add an --exclude-table-data option to pg_dump (Andrew Dunstan)
This allows dumping of a table's definition but not its data, on a per-table basis.
(9.2.0) Add a --section option to pg_dump and pg_restore (Andrew Dunstan)
Valid values are pre-data, data, and post-data. The option can be given more than once to select two or more sections.
(9.2.0) Make pg_dumpall dump all roles first, then all configuration settings on roles (Phil Sorber)
This allows a role's configuration settings to mention other roles without generating an error.
(9.2.0) Allow pg_dumpall to avoid errors if the postgres database is missing in the new cluster (Robert Haas)
(9.2.0) Dump foreign server user mappings in user name order (Peter Eisentraut)
This helps produce deterministic dump files.
(9.2.0) Dump operators in a predictable order (Peter Eisentraut)
(9.2.0) Tighten rules for when extension configuration tables are dumped by pg_dump (Tom Lane)
(9.2.0) Make pg_dump emit more useful dependency information (Tom Lane)
The dependency links included in archive-format dumps were formerly of very limited use, because they frequently referenced objects that appeared nowhere in the dump. Now they represent actual dependencies (possibly indirect) among the dumped objects.
(9.2.0) Improve pg_dump's performance when dumping many database objects (Tom Lane)
(9.2.0) Allow libpq connection strings to have the format of a URI (Alexander Shulgin)
The syntax begins with postgres://. This can allow applications to avoid implementing their own parser for URIs representing database connections.
(9.2.0) Add a connection option to disable SSL compression (Laurenz Albe)
This can be used to remove the overhead of SSL compression on fast networks.
(9.2.0) Add a single-row processing mode for better handling of large result sets (Kyotaro Horiguchi, Marko Kreen)
Previously, libpq always collected the entire query result in memory before passing it back to the application.
(9.2.0) Add const qualifiers to the
declarations of the functions PQconnectdbParams
, PQconnectStartParams
, and PQpingParams
(Lionel Elie Mamane)
(9.2.0) Allow the .pgpass file to include escaped characters in the password field (Robert Haas)
(9.2.0) Make library functions use abort()
instead of exit()
when it is
necessary to terminate the process (Peter Eisentraut)
This choice does not interfere with the normal exit codes used by the program, and generates a signal that can be caught by the caller.
(9.2.0) Remove dead ports (Peter Eisentraut)
The following platforms are no longer supported: dgux, nextstep, sunos4, svr4, ultrix4, univel, bsdi.
(9.2.0) Add support for building with MS Visual Studio 2010 (Brar Piening)
(9.2.0) Enable compiling with the MinGW-w64 32-bit compiler (Lars Kanis)
(9.2.0) Install plpgsql.h into include/server during installation (Heikki Linnakangas)
(9.2.0) Improve the latch facility to include detection of postmaster death (Peter Geoghegan, Heikki Linnakangas, Tom Lane)
This eliminates one of the main reasons that background processes formerly had to wake up to poll for events.
(9.2.0) Use C flexible array members, where supported (Peter Eisentraut)
(9.2.0) Improve the concurrent transaction regression tests (isolationtester) (Noah Misch)
(9.2.0) Modify thread_test to create its test files in the current directory, rather than /tmp (Bruce Momjian)
(9.2.0) Improve flex and bison warning and error reporting (Tom Lane)
(9.2.0) Add memory barrier support (Robert Haas)
This is currently unused.
(9.2.0) Modify pgindent to use a typedef file (Bruce Momjian)
(9.2.0) Add a hook for processing messages due to be sent to the server log (Martin Pihlak)
(9.2.0) Add object access hooks for DROP commands (KaiGai Kohei)
(9.2.0) Centralize DROP handling for some object types (KaiGai Kohei)
(9.2.0) Add a pg_upgrade test suite (Peter Eisentraut)
(9.2.0) Sync regular expression code with TCL 8.5.11 and improve internal processing (Tom Lane)
(9.2.0) Move CRC tables to libpgport, and provide them in a separate include file (Daniel Farina)
(9.2.0) Add options to git_changelog for use in major release note creation (Bruce Momjian)
(9.2.0) Support Linux's /proc/self/oom_score_adj API (Tom Lane)
(9.2.0) Improve efficiency of dblink by using libpq's new single-row processing mode (Kyotaro Horiguchi, Marko Kreen)
This improvement does not apply to dblink_send_query()
/dblink_get_result()
.
(9.2.0) Support force_not_null option in file_fdw (Shigeru Hanada)
(9.2.0) Implement dry-run mode for pg_archivecleanup (Gabriele Bartolini)
This only outputs the names of files to be deleted.
(9.2.0) Add new pgbench switches --unlogged-tables, --tablespace, and --index-tablespace (Robert Haas)
(9.2.0) Change pg_test_fsync to test for a fixed amount of time, rather than a fixed number of cycles (Bruce Momjian)
The -o/cycles option was removed, and -s/seconds added.
(9.2.0) Add a pg_test_timing utility to measure clock monotonicity and timing overhead (Ants Aasma, Greg Smith)
(9.2.0) Add a tcn (triggered change notification) module to generate NOTIFY events on table changes (Kevin Grittner)
(9.2.0) Adjust pg_upgrade environment variables (Bruce Momjian)
Rename data, bin, and port environment variables to begin with PG, and support PGPORTOLD/PGPORTNEW, to replace PGPORT.
(9.2.0) Overhaul pg_upgrade logging and failure reporting (Bruce Momjian)
Create four append-only log files, and delete them on success. Add -r/--retain option to unconditionally retain these files. Also remove pg_upgrade options -g/-G/-l options as unnecessary, and tighten log file permissions.
(9.2.0) Make pg_upgrade create a script to incrementally generate more accurate optimizer statistics (Bruce Momjian)
This reduces the time needed to generate minimal cluster statistics after an upgrade.
(9.2.0) Allow pg_upgrade to upgrade an old cluster that does not have a postgres database (Bruce Momjian)
(9.2.0) Allow pg_upgrade to handle cases where some old or new databases are missing, as long as they are empty (Bruce Momjian)
(9.2.0) Allow pg_upgrade to handle configuration-only directory installations (Bruce Momjian)
(9.2.0) In pg_upgrade, add -o/-O options to pass parameters to the servers (Bruce Momjian)
This is useful for configuration-only directory installs.
(9.2.0) Change pg_upgrade to use port 50432 by default (Bruce Momjian)
This helps avoid unintended client connections during the upgrade.
(9.2.0) Reduce cluster locking in pg_upgrade (Bruce Momjian)
Specifically, only lock the old cluster if link mode is used, and do it right after the schema is restored.
(9.2.0) Allow pg_stat_statements to aggregate similar queries via SQL text normalization (Peter Geoghegan, Tom Lane)
Users with applications that use non-parameterized SQL will now be able to monitor query performance without detailed log analysis.
(9.2.0) Add dirtied and written block counts and read/write times to pg_stat_statements (Robert Haas, Ants Aasma)
(9.2.0) Prevent pg_stat_statements from double-counting PREPARE and EXECUTE commands (Tom Lane)
(9.2.0) Support SECURITY LABEL on global objects (KaiGai Kohei, Robert Haas)
Specifically, add security labels to databases, tablespaces, and roles.
(9.2.0) Allow sepgsql to honor database labels (KaiGai Kohei)
(9.2.0) Perform sepgsql permission checks during the creation of various objects (KaiGai Kohei)
(9.2.0) Add sepgsql_setcon()
and related
functions to control the sepgsql security domain (KaiGai Kohei)
(9.2.0) Add a user space access cache to sepgsql to improve performance (KaiGai Kohei)
(9.2.0) Add a rule to optionally build HTML documentation using the stylesheet from the website (Magnus Hagander)
Use gmake STYLE=website draft.
(9.2.0) Improve EXPLAIN documentation (Tom Lane)
(9.2.0) Document that user/database names are preserved with double-quoting by command-line tools like vacuumdb (Bruce Momjian)
(9.2.0) Document the actual string returned by the client for MD5 authentication (Cyan Ogilvie)
(9.2.0) Deprecate use of GLOBAL and LOCAL in CREATE TEMP TABLE (Noah Misch)
PostgreSQL has long treated these keyword as no-ops, and continues to do so; but in future they might mean what the SQL standard says they mean, so applications should avoid using them.
Release date: 2016-10-27
This release contains a variety of fixes from 9.1.23. For information about new features in the 9.1 major release, see Version 9.1.0.
This is expected to be the last PostgreSQL release in the 9.1.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.24,9.3.15,9.2.19) Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)
The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated.
(9.1.24,9.3.15,9.2.19) Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth)
The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not.
(9.1.24,9.3.15,9.2.19) Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs)
The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value.
(9.1.24,9.3.15,9.2.19) Remove artificial restrictions on the values accepted by
numeric_in()
and numeric_recv()
(Tom Lane)
We allow numeric values up to the limit of the storage format
(more than 1e100000), so it seems fairly
pointless that numeric_in()
rejected
scientific-notation exponents above 1000. Likewise, it was silly
for numeric_recv()
to reject more
than 1000 digits in an input value.
(9.1.24,9.3.15,9.2.19) Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
(9.1.24,9.3.15,9.2.19) Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund)
(9.1.24,9.3.15,9.2.19) Disallow starting a standalone backend with standby_mode turned on (Michael Paquier)
This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind.
(9.1.24,9.3.15,9.2.19) Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.
(9.1.24,9.3.15,9.2.19) Avoid corner-case memory leak in libpq (Tom Lane)
The reported problem involved leaking an error report during
PQreset()
, but there might be related
cases.
(9.1.24,9.3.15,9.2.19) Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi)
(9.1.24,9.3.15,9.2.19) Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson)
(9.1.24,9.3.15,9.2.19) Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)
If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether.
(9.1.24,9.3.15,9.2.19) Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.
Release date: 2016-08-11
This release contains a variety of fixes from 9.1.22. For information about new features in the 9.1 major release, see Version 9.1.0.
The PostgreSQL community will stop releasing updates for the 9.1.X release series in September 2016. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.23,9.3.14,9.2.18) Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)
A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. CVE-2016-5423 or CVE-2016-5423)
(9.1.23,9.3.14,9.2.18) Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)
Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.
Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.
Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.
pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.
These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. CVE-2016-5424 or CVE-2016-5424)
(9.1.23,9.3.14,9.2.18) Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)
The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW (NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW (NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.
(9.1.23,9.3.14,9.2.18) Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)
(9.1.23,9.3.14,9.2.18) Prevent crash in close_ps()
(the
point ## lseg operator) for NaN input coordinates (Tom Lane)
Make it return NULL instead of crashing.
(9.1.23,9.3.14,9.2.18) Fix several one-byte buffer over-reads in to_number()
(Peter Eisentraut)
In several cases the to_number()
function would read one more character than it should from the
input string. There is a small chance of a crash, if the input
happens to be adjacent to the end of memory.
(9.1.23,9.3.14,9.2.18) Avoid unsafe intermediate state during expensive paths through
heap_update()
(Masahiko Sawada,
Andres Freund)
Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.
(9.1.23,9.3.14,9.2.18) Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)
Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.
(9.1.23,9.3.14,9.2.18) Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Ãlvaro Herrera)
VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers.
(9.1.23,9.3.14,9.2.18) When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)
If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.
(9.1.23,9.3.14,9.2.18) Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)
The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.
(9.1.23,9.3.14,9.2.18) Prevent autovacuum from starting multiple workers for the same shared catalog (Ãlvaro Herrera)
Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.
(9.1.23,9.3.14,9.2.18) Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)
(9.1.23,9.3.14,9.2.18) Teach libpq to correctly decode server version from future servers (Peter Eisentraut)
It's planned to switch to two-part instead of three-part server
version numbers for releases after 9.6. Make sure that PQserverVersion()
returns the correct value for
such cases.
(9.1.23,9.3.14,9.2.18) Fix ecpg's code for unsigned long long array elements (Michael Meskes)
(9.1.23,9.3.14,9.2.18) Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)
(9.1.23) Revert to the old heuristic timeout for pg_ctl start -w (Tom Lane)
The new method adopted as of release 9.1.20 does not work when silent_mode is enabled, so go back to the old way.
(9.1.23,9.3.14,9.2.18) Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)
(9.1.23,9.3.14,9.2.18) Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)
(9.1.23,9.3.14,9.2.18) Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)
Change some test data that triggered the unusual sorting rules of these locales.
(9.1.23,9.3.14,9.2.18) Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)
This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.
(9.1.23,9.3.14,9.2.18) Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.
Release date: 2016-05-12
This release contains a variety of fixes from 9.1.21. For information about new features in the 9.1 major release, see Version 9.1.0.
The PostgreSQL community will stop releasing updates for the 9.1.X release series in September 2016. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.22,9.3.13,9.2.17) Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
(9.1.22,9.3.13,9.2.17) Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
(9.1.22,9.3.13,9.2.17) Fix possible misbehavior of TH,
th, and Y,YYY
format codes in to_timestamp()
(Tom
Lane)
These could advance off the end of the input string, causing subsequent format codes to read garbage.
(9.1.22,9.3.13,9.2.17) Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
(9.1.22,9.3.13,9.2.17) Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)
This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.
(9.1.22,9.3.13,9.2.17) Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)
In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
(9.1.22,9.3.13,9.2.17) Rename internal function strtoi()
to strtoint()
to avoid conflict with
a NetBSD library function (Thomas Munro)
(9.1.22,9.3.13,9.2.17) Fix reporting of errors from bind()
and listen()
system calls on Windows (Tom Lane)
(9.1.22,9.3.13,9.2.17) Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)
(9.1.22,9.3.13,9.2.17) Avoid possibly-unsafe use of Windows' FormatMessage()
function (Christian Ullrich)
Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
(9.1.22,9.3.13,9.2.17) Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.
Release date: 2016-03-31
This release contains a variety of fixes from 9.1.20. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.21,9.3.12,9.2.16) Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
(9.1.21,9.3.12,9.2.16) Avoid unlikely data-loss scenarios due to renaming files without
adequate fsync()
calls before and
after (Michael Paquier, Tomas Vondra, Andres Freund)
(9.1.21,9.3.12,9.2.16) Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
(9.1.21,9.3.12,9.2.16) Fix corner-case crash due to trying to free localeconv()
output strings more than once (Tom
Lane)
(9.1.21,9.3.12,9.2.16) Fix parsing of affix files for ispell dictionaries (Tom Lane)
The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
(9.1.21,9.3.12,9.2.16) Avoid use of sscanf()
to parse
ispell dictionary files (Artur
Zakirov)
This dodges a portability problem on FreeBSD-derived platforms (including macOS).
(9.1.21,9.3.12,9.2.16) Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
(9.1.21,9.3.12,9.2.16) Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
(9.1.21,9.3.12,9.2.16) Fix psql's tab completion for SECURITY LABEL (Tom Lane)
Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
(9.1.21,9.3.12,9.2.16) Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
(9.1.21,9.3.12,9.2.16) Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
(9.1.21,9.3.12,9.2.16) Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
(9.1.21,9.3.12,9.2.16) In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
(9.1.21,9.3.12,9.2.16) Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
(9.1.21,9.3.12,9.2.16) Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex()
function (Tom Lane)
(9.1.21,9.3.12,9.2.16) Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
(9.1.21,9.3.12,9.2.16) Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).
Release date: 2016-02-11
This release contains a variety of fixes from 9.1.19. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.20,9.3.11,9.2.15) Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. CVE-2016-0773 or CVE-2016-0773)
(9.1.20,9.3.11,9.2.15) Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane)
The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster.
(9.1.20,9.3.11,9.2.15) In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro)
(9.1.20,9.3.11,9.2.15) Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund)
Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master.
(9.1.20,9.3.11,9.2.15) Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier)
(9.1.20,9.3.11,9.2.15) Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane)
(9.1.20,9.3.11,9.2.15) Fix REASSIGN OWNED to change ownership of composite types properly (Ãlvaro Herrera)
(9.1.20,9.3.11,9.2.15) Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Ãlvaro Herrera)
(9.1.20,9.3.11,9.2.15) Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Ãlvaro Herrera)
(9.1.20,9.3.11,9.2.15) Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane)
(9.1.20,9.3.11,9.2.15) Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud)
(9.1.20,9.3.11,9.2.15) Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane)
(9.1.20,9.3.11,9.2.15) Fix possible internal overflow in numeric division (Dean Rasheed)
(9.1.20,9.3.11,9.2.15) Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane)
Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results.
(9.1.20,9.3.11,9.2.15) Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane)
(9.1.20,9.3.11,9.2.15) Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane)
The code added forCVE-2007-4772 or CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition.
(9.1.20,9.3.11,9.2.15) Improve memory-usage accounting in regular-expression compiler (Tom Lane)
This causes the code to emit "regular expression is too complex" errors in some cases that previously used unreasonable amounts of time and memory.
(9.1.20,9.3.11,9.2.15) Improve performance of regular-expression compiler (Tom Lane)
(9.1.20,9.3.11,9.2.15) Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
(9.1.20,9.3.11,9.2.15) On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila)
This oversight resulted in failure to recover from crashes whenever logging_collector is turned on.
(9.1.20,9.3.11,9.2.15) Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane)
It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection.
(9.1.20,9.3.11,9.2.15) Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
(9.1.20,9.3.11,9.2.15) In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure)
Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries.
(9.1.20,9.3.11,9.2.15) Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
(9.1.20,9.3.11,9.2.15) Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane)
(9.1.20,9.3.11,9.2.15) In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier)
Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start.
Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command.
(9.1.20,9.3.11,9.2.15) In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta)
On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use.
(9.1.20,9.3.11,9.2.15) In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
(9.1.20,9.3.11,9.2.15) In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane)
The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files.
(9.1.20,9.3.11,9.2.15) Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
(9.1.20,9.3.11,9.2.15) Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
(9.1.20,9.3.11,9.2.15) Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane)
A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem.
(9.1.20,9.3.11,9.2.15) Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian)
(9.1.20,9.3.11,9.2.15) Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
(9.1.20,9.3.11,9.2.15) Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
This change mitigates a PL/Java security bug CVE-2016-0766 or CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
(9.1.20,9.3.11,9.2.15) Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas)
(9.1.20,9.3.11,9.2.15) Fix order of arguments in ecpg-generated typedef statements (Michael Meskes)
(9.1.20,9.3.11,9.2.15) Use %g not %f
format in ecpg's PGTYPESnumeric_from_double()
(Tom Lane)
(9.1.20,9.3.11,9.2.15) Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
(9.1.20,9.3.11,9.2.15) Ensure that contrib/pgcrypto's
crypt()
function can be interrupted
by query cancel (Andreas Karlsson)
(9.1.20,9.3.11,9.2.15) Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier)
Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted.
(9.1.20,9.3.11,9.2.15) Install our missing script where PGXS builds can find it (Jim Nasby)
This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing.
(9.1.20,9.3.11,9.2.15) Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
(9.1.20,9.3.11,9.2.15) Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane)
The fix for libxml2'sCVE-2015-7499 or CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it.
(9.1.20,9.3.11,9.2.15) Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.
Release date: 2015-10-08
This release contains a variety of fixes from 9.1.18. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.19,9.3.10,9.2.14,9.0.23) Fix contrib/pgcrypto to detect and
report too-short crypt()
salts (Josh
Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. CVE-2015-5288 or CVE-2015-5288)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
(9.1.19,9.3.10,9.2.14,9.0.23) Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
(9.1.19,9.3.10,9.2.14,9.0.23) Avoid O (N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
(9.1.19,9.3.10,9.2.14,9.0.23) Improve LISTEN startup time when there are many unread notifications (Matt Newell)
(9.1.19,9.2.14) Back-patch 9.3-era addition of per-resource-owner lock caches (Jeff Janes)
This substantially improves performance when pg_dump tries to dump a large number of tables.
(9.1.19,9.3.10,9.2.14,9.0.23) Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
(9.1.19,9.3.10,9.2.14,9.0.23) Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
(9.1.19,9.3.10,9.2.14,9.0.23) Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
(9.1.19,9.3.10,9.2.14,9.0.23) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
(9.1.19,9.3.10,9.2.14,9.0.23) Add more query-cancel checks to regular expression matching (Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
(9.1.19,9.3.10,9.2.14,9.0.23) Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
(9.1.19,9.3.10,9.2.14,9.0.23) Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix low-probability memory leak during regular expression execution (Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix very-low-probability stack overrun in qsort
(Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
(9.1.19,9.0.23) Use fuzzy path cost tiebreaking rule in all supported branches (Tom Lane)
This change is meant to avoid platform-specific behavior when alternative plan choices have effectively-identical estimated costs.
(9.1.19,9.3.10,9.2.14) Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
(9.1.19,9.3.10,9.2.14,9.0.23) During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
(9.1.19,9.3.10,9.2.14,9.0.23) Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
(9.1.19,9.3.10,9.2.14,9.0.23) Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Ãlvaro Herrera)
(9.1.19,9.3.10,9.2.14,9.0.23) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
(9.1.19,9.3.10,9.2.14,9.0.23) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
(9.1.19,9.3.10,9.2.14,9.0.23) Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
(9.1.19,9.3.10,9.2.14) Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
(9.1.19,9.3.10,9.2.14) Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix some places in PL/Tcl that
neglected to check for failure of malloc()
calls (Michael Paquier, Ãlvaro
Herrera)
(9.1.19,9.3.10,9.2.14) In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
(9.1.19,9.3.10,9.2.14,9.0.23) Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
(9.1.19,9.3.10,9.2.14,9.0.23) Prevent crash in psql's \c command when there is no current connection (Noah Misch)
(9.1.19,9.3.10,9.2.14) Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
(9.1.19,9.3.10,9.2.14,9.0.23) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
(9.1.19,9.0.23) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
(9.1.19,9.3.10,9.2.14,9.0.23) Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
(9.1.19,9.3.10,9.2.14) Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
(9.1.19,9.3.10,9.2.14,9.0.23) On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
(9.1.19,9.3.10,9.2.14,9.0.23) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
(9.1.19,9.3.10,9.2.14,9.0.23) Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
(9.1.19,9.3.10,9.2.14,9.0.23) Use librt for sched_yield()
when necessary, which it is on some
Solaris versions (Oskari Saarenmaa)
(9.1.19,9.3.10,9.2.14,9.0.23) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
(9.1.19,9.3.10,9.2.14,9.0.23) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
(9.1.19,9.3.10,9.2.14,9.0.23) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.
Release date: 2015-06-12
This release contains a small number of fixes from 9.1.17. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.18,9.3.9,9.2.13,9.0.22) Fix rare failure to invalidate relation cache init file (Tom Lane)
With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.
(9.1.18,9.3.9,9.2.13,9.0.22) Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)
A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.
Release date: 2015-06-04
This release contains a small number of fixes from 9.1.16. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.16, see Version 9.1.16.
(9.1.17,9.2.12,9.0.21) Avoid failures while fsync
'ing
data directory during crash restart (Abhijit Menon-Sen, Tom
Lane)
In the previous minor releases we added a patch to fsync
everything in the data directory after a
crash. Unfortunately its response to any error condition was to
fail, thereby preventing the server from starting up, even when the
problem was quite harmless. An example is that an unwritable file
in the data directory would prevent restart on some platforms; but
it is common to make SSL certificate files unwritable by the
server. Revise this behavior so that permissions failures are
ignored altogether, and other types of failures are logged but do
not prevent continuing.
(9.1.17,9.3.8,9.2.12,9.0.21) Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane)
The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.
(9.1.17,9.3.8,9.2.12,9.0.21) Allow libpq to use TLS protocol versions beyond v1 (Noah Misch)
For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0.
Release date: 2015-05-22
This release contains a variety of fixes from 9.1.15. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you use contrib/citext's
regexp_matches()
functions, see the
changelog entry below about that.
Also, if you are upgrading from a version earlier than 9.1.14, see Version 9.1.14.
(9.1.16,9.3.7,9.2.11,9.0.20) Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. CVE-2015-3165 or CVE-2015-3165)
(9.1.16,9.3.7,9.2.11,9.0.20) Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf()
failed to check for errors reported by
the underlying system library calls; the main case that might be
missed is out-of-memory situations. In the worst case this might
lead to information exposure, due to our code assuming that a
buffer had been overwritten when it hadn't been. Also, there were a
few places in which security-relevant calls of other system library
functions did not check for failure.
It remains possible that some calls of the *printf()
family of functions are vulnerable to
information disclosure if an out-of-memory error occurs at just the
wrong time. We judge the risk to not be large, but will continue
analysis in this area. CVE-2015-3166 or CVE-2015-3166)
(9.1.16,9.3.7,9.2.11,9.0.20) In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data" (Noah Misch)
Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. CVE-2015-3167 or CVE-2015-3167)
(9.1.16,9.3.7,9.2.11) Fix incorrect declaration of contrib/citext's regexp_matches()
functions (Tom Lane)
These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
While the latter behavior is clearly a bug, there might be
applications depending on the former behavior; therefore the
function declarations will not be changed by default until
PostgreSQL 9.5. In pre-9.5
branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected
declarations in version 1.1 (which is not installed by default). To adopt
the fix in pre-9.5 branches, execute ALTER
EXTENSION citext UPDATE TO '1.1' in each database in which
citext is installed. (You can also
"update" back to 1.0 if you need to undo
that.) Be aware that either update direction will require dropping
and recreating any views or rules that use citext's regexp_matches()
functions.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
(9.1.16,9.3.7,9.2.11,9.0.20) Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)
This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)
Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)
(9.1.16,9.3.7,9.2.11,9.0.20) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)
(9.1.16,9.2.11,9.0.20) Avoid "cannot GetMultiXactIdMembers() during recovery" error (Ãlvaro Herrera)
(9.1.16,9.3.7,9.2.11,9.0.20) Recursively fsync()
the data
directory after a crash (Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
(9.1.16,9.3.7,9.2.11,9.0.20) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Ãlvaro Herrera)
(9.1.16,9.3.7,9.2.11,9.0.20) Cope with unexpected signals in LockBufferForCleanup()
(Andres Freund)
This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
(9.1.16,9.3.7,9.2.11,9.0.20) Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)
Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)
(9.1.16,9.3.7,9.2.11,9.0.20) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)
(9.1.16,9.3.7,9.2.11,9.0.20) Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
(9.1.16,9.3.7,9.2.11) Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita)
(9.1.16,9.3.7,9.2.11,9.0.20) Add the name of the target server to object description strings for foreign-server user mappings (Ãlvaro Herrera)
(9.1.16,9.3.7,9.2.11,9.0.20) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
(9.1.16,9.3.7,9.2.11,9.0.20) Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
(9.1.16,9.3.7,9.2.11) Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas)
This avoids a possible startup failure in pg_receivexlog.
(9.1.16,9.3.7,9.2.11,9.0.20) While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)
(9.1.16,9.3.7,9.2.11,9.0.20) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it's important to drain the
input buffer every so often, in case the server has sent enough
response data to cause it to block on output. (A typical scenario
is that the server is sending a stream of NOTICE messages during
COPY FROM STDIN.) This worked properly in
the normal blocking mode, but not so much in non-blocking mode.
We've modified libpq to
opportunistically drain input when it can, but a full defense
against this problem requires application cooperation: the
application should watch for socket read-ready as well as
write-ready conditions, and be sure to call PQconsumeInput()
upon read-ready.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix array handling in ecpg (Michael Meskes)
(9.1.16,9.3.7,9.2.11,9.0.20) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Ãlvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
(9.1.16,9.3.7,9.2.11,9.0.20) Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)
This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)
(9.1.16,9.3.7,9.2.11) In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier)
(9.1.16,9.3.7,9.2.11) Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost)
This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
(9.1.16,9.3.7,9.2.11,9.0.20) Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)
(9.1.16,9.3.7,9.2.11,9.0.20) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
(9.1.16,9.3.7,9.2.11,9.0.20) In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)
(9.1.16,9.3.7,9.2.11,9.0.20) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)
(9.1.16,9.3.7,9.2.11,9.0.20) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
(9.1.16,9.3.7,9.2.11,9.0.20) Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem)
(9.1.16,9.3.7,9.2.11) Improve handling of readdir()
failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini)
(9.1.16,9.3.7,9.2.11,9.0.20) Fix slow sorting algorithm in contrib/intarray (Tom Lane)
(9.1.16,9.4.2,9.3.7,9.2.11,9.0.20) Fix compile failure on Sparc V8 machines (Rob Rowan)
(9.1.16,9.3.7,9.2.11,9.0.20) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).
Release date: 2015-02-05
This release contains a variety of fixes from 9.1.14. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.14, see Version 9.1.14.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix buffer overruns in to_char()
(Bruce Momjian)
When to_char()
processes a numeric
formatting template calling for a large number of digits,
PostgreSQL would read past the end
of a buffer. When processing a crafted timestamp formatting
template, PostgreSQL would write
past the end of a buffer. Either case could crash the server. We
have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
CVE-2015-0241 or CVE-2015-0241)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix buffer overrun in replacement *printf()
functions (Tom Lane)
PostgreSQL includes a
replacement implementation of printf
and related functions. This code will overrun a stack buffer when
formatting a floating point number (conversion specifiers
e, E, f, F, g or G) with requested
precision greater than about 500. This will crash the server, and
we have not ruled out the possibility of attacks that lead to
privilege escalation. A database user can trigger such a buffer
overrun through the to_char()
SQL
function. While that is the only affected core PostgreSQL functionality, extension modules
that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. CVE-2015-0242 or CVE-2015-0242)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. CVE-2015-0243 or CVE-2015-0243)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. CVE-2015-0244 or CVE-2015-0244)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. CVE-2014-8161 or CVE-2014-8161)
(9.1.15,9.3.6,9.2.10,9.0.19) Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. CVE-2014-0067 or CVE-2014-0067)
(9.1.15,9.3.6,9.2.10,9.0.19) Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane)
(9.1.15,9.3.6,9.2.10,9.0.19) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier)
If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be.
(9.1.15,9.3.6,9.2.10) Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund)
(9.1.15,9.3.6,9.2.10) Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane)
This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi)
In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane)
In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table.
(9.1.15,9.3.6,9.2.10,9.0.19) Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley)
This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix bugs in raising a numeric value to a large integral power (Tom Lane)
The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow.
(9.1.15,9.3.6,9.2.10,9.0.19) In numeric_recv()
, truncate away
any fractional digits that would be hidden according to the value's
dscale field (Tom Lane)
A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such "hidden" digits on receipt, so that the value is indeed what it prints as.
(9.1.15,9.3.6,9.2.10,9.0.19) Reject out-of-range numeric timezone specifications (Tom Lane)
Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas)
Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms.
(9.1.15,9.3.6,9.2.10,9.0.19) Improve ispell dictionary's defenses against bad affix files (Tom Lane)
(9.1.15,9.3.6,9.2.10,9.0.19) Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix namespace handling in xpath()
(Ali Akbar)
Previously, the xml value resulting from
an xpath()
call would not have
namespace declarations if the namespace declarations were attached
to an ancestor element in the input xml
value, rather than to the specific element being returned.
Propagate the ancestral declaration so that the result is correct
when considered in isolation.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane)
(9.1.15,9.3.6,9.2.10,9.0.19) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth)
(9.1.15,9.3.6,9.2.10,9.0.19) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Ãlvaro Herrera)
The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity.
(9.1.15,9.0.19) Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane)
Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work.
(9.1.15,9.3.6,9.2.10) During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund)
This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas)
This mistake could result in transient errors in queries being executed in hot standby.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas)
The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit.
(9.1.15,9.3.6,9.2.10,9.0.19) Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao)
(9.1.15,9.3.6,9.2.10,9.0.19) Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".
(9.1.15,9.3.6,9.2.10,9.0.19) Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund)
(9.1.15,9.3.6,9.2.10) Warn if macOS's setlocale()
starts
an unwanted extra thread inside the postmaster (Noah Misch)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix processing of repeated dbname
parameters in PQconnectdbParams()
(Alex Shulgin)
Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded.
(9.1.15,9.3.6,9.2.10,9.0.19) Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane)
Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket.
(9.1.15,9.3.6,9.2.10,9.0.19) Clear any old error message during PQreset()
(Heikki Linnakangas)
If PQreset()
is called repeatedly,
and the connection cannot be re-established, error messages from
the failed connection attempts kept accumulating in the PGconn's error string.
(9.1.15,9.3.6,9.2.10,9.0.19) Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix array overrun in ecpg's
version of ParseDateTime()
(Michael
Paquier)
(9.1.15,9.3.6,9.2.10,9.0.19) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane)
When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate.
This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved.
(9.1.15,9.3.6,9.2.10,9.0.19) Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost)
(9.1.15,9.3.6,9.2.10) Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia)
(9.1.15,9.3.6,9.2.10) Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)
(9.1.15,9.3.6,9.2.10) Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane)
(9.1.15,9.3.6,9.2.10,9.0.19) Fix block number checking in contrib/pageinspect's get_raw_page()
(Tom Lane)
The incorrect checking logic could prevent access to some pages in non-main relation forks.
(9.1.15,9.3.6,9.2.10,9.0.19) Fix contrib/pgcrypto's pgp_sym_decrypt()
to not fail on messages whose
length is 6 less than a power of 2 (Marko Tiikkaja)
(9.1.15,9.3.6,9.2.10) Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes)
This could cause failure to remove temporary files on Windows.
(9.1.15,9.3.6,9.2.10,9.0.19) Handle unexpected query results, especially NULLs, safely in
contrib/tablefunc's connectby()
(Michael Paquier)
connectby()
previously crashed if
it encountered a NULL key value. It now prints that row but doesn't
recurse further.
(9.1.15,9.3.6,9.2.10,9.0.19) Avoid a possible crash in contrib/xml2's xslt_process()
(Mark Simonetti)
libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash.
(9.1.15,9.3.6,9.2.10) Mark some contrib I/O functions with correct volatility properties (Tom Lane)
The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers.
(9.1.15,9.3.6,9.2.10,9.0.19) Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
(9.1.15,9.3.6,9.2.10,9.0.19) Detect incompatible OpenLDAP versions during build (Noah Misch)
With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test.
(9.1.15,9.3.6,9.2.10,9.0.19) In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch)
(9.1.15,9.3.6,9.2.10,9.0.19) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.
(9.1.15,9.3.6,9.2.10,9.0.19) Support time zone abbreviations that change UTC offset from time to time (Tom Lane)
Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
(9.1.15,9.3.6,9.2.10,9.0.19) Update time zone abbreviations lists (Tom Lane)
Add CST (China Standard Time) to our lists. Remove references to ADT as "Arabia Daylight Time", an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with "Atlantic Daylight Time" doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line.
(9.1.15,9.0.19) Update time zone data files to tzdata release 2015a.
The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our "Default" timezone abbreviation set. The "Australia" abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the "Default" abbreviation set.
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data.
Release date: 2014-07-24
This release contains a variety of fixes from 9.1.13. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so.
Also, if you are upgrading from a version earlier than 9.1.11, see Version 9.1.11.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
(9.1.14,9.3.5,9.2.9,9.0.18) Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas)
This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.
(9.1.14,9.2.9) Fix feedback status when hot_standby_feedback is turned off on-the-fly (Simon Riggs)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix possibly-incorrect cache invalidation during nested calls to
ReceiveSharedInvalidMessages
(Andres
Freund)
(9.1.14,9.3.5,9.2.9) Fix "could not find pathkey item to sort" planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix failure to detoast fields in composite elements of structured types (Tom Lane)
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes (Tom Lane)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix data encoding error in hungarian.stop (Tom Lane)
(9.1.14,9.3.5,9.2.9) Prevent foreign tables from being created with OIDS when default_with_oids is true (Etsuro Fujita)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix REASSIGN OWNED to not fail for text search objects (Ãlvaro Herrera)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Block signals during postmaster startup (Tom Lane)
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.
(9.1.14,9.3.5,9.2.9) Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane)
Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted inCVE-2014-0067 or CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
(9.1.14,9.3.5,9.2.9,9.0.18) Fix tablespace creation WAL replay to work on Windows (MauMau)
(9.1.14,9.3.5,9.2.9,9.0.18) Fix detection of socket creation failures on Windows (Bruce Momjian)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file (Amit Kapila)
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Properly quote executable path names on Windows (Nikhil Deshpande)
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.
(9.1.14,9.3.5,9.2.9) Fix linking of libpython on macOS (Tom Lane)
The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)
libpq could be coerced into
enlarging its input buffer until it runs out of memory (which would
be reported misleadingly as "lost
synchronization with server"). Under ordinary circumstances
it's quite far-fetched that data could be continuously transmitted
more quickly than the recv()
loop can
absorb it, but this has been observed when the client is
artificially slowed by scheduler constraints.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)
(9.1.14,9.3.5,9.2.9,9.0.18) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Fix pg_restore's processing of old-style large object comments (Tom Lane)
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
(9.1.14,9.3.5,9.2.9,9.0.18,8.4.22) Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.
Release date: 2014-03-20
This release contains a variety of fixes from 9.1.12. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.11, see Version 9.1.11.
(9.1.13,9.3.4,9.2.8,9.0.17,8.4.21) Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.
(9.1.13,9.3.4,9.2.8,9.0.17) Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja)
This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.
(9.1.13,9.3.4,9.2.8,9.0.17,8.4.21) Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time.
(9.1.13,9.3.4,9.2.8,9.0.17,8.4.21) Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.
(9.1.13,9.3.4,9.2.8,9.0.17,8.4.21) Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.
(9.1.13,9.3.4,9.2.8,9.0.17) Improve performance of index endpoint probes during planning (Tom Lane)
This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.
(9.1.13,9.3.4,9.2.8) Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao)
(9.1.13,9.3.4,9.2.8,9.0.17) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas)
(9.1.13,9.3.4,9.2.8,9.0.17,8.4.21) Prevent interrupts while reporting non-ERROR messages (Tom Lane)
This guards against rare server-process freezeups due to
recursive entry to syslog()
, and
perhaps other related problems.
(9.1.13,9.3.4,9.2.8) Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker)
(9.1.13,9.3.4,9.2.8,9.0.17) Prevent intermittent "could not reserve shared memory region" failures on recent Windows versions (MauMau)
(9.1.13,9.3.4,9.2.8,9.0.17,8.4.21) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.
Release date: 2014-02-20
This release contains a variety of fixes from 9.1.11. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.11, see Version 9.1.11.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. CVE-2014-0060 or CVE-2014-0060)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. CVE-2014-0061 or CVE-2014-0061)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. CVE-2014-0062 or CVE-2014-0062)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN constant was too small
for the longest possible value of type interval, allowing a buffer overrun in interval_out()
. Although the datetime input
functions were more careful about avoiding buffer overrun, the
limit was short enough to cause them to reject some valid inputs,
such as input containing a very long timezone name. The
ecpg library contained these
vulnerabilities along with some of its own. CVE-2014-0063 or CVE-2014-0063)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. CVE-2014-0064 or CVE-2014-0064)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
Use strlcpy()
and related
functions to provide a clear guarantee that fixed-size buffers are
not overrun. Unlike the preceding items, it is unclear whether
these cases really represent live issues, since in most cases there
appear to be previous constraints on the size of the input string.
Nonetheless it seems prudent to silence all Coverity warnings of
this type. CVE-2014-0065 or CVE-2014-0065)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Avoid crashing if crypt()
returns
NULL (Honza Horak, Bruce Momjian)
There are relatively few scenarios in which crypt()
could return NULL, but contrib/chkpass would crash if it did. One
practical case in which this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., "FIPS
mode"). CVE-2014-0066 or CVE-2014-0066)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. CVE-2014-0067 or CVE-2014-0067)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant "bloat" of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.
(9.1.12,9.3.3,9.2.7,9.0.16) Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas)
In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as "PANIC: WAL contains references to invalid pages" were also possible.
(9.1.12,9.3.3,9.2.7,9.0.16) Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)
This error could result in "PANIC: WAL contains references to invalid pages" failures.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a partial-page write during a system crash.
(9.1.12,9.3.3,9.2.7) When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.
(9.1.12,9.3.3,9.2.7) Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix possible crashes from using ereport()
too early during server startup (Tom
Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.
(9.1.12,9.3.3,9.2.7,9.0.16) Allow keywords that are type names to be used in lists of roles (Stephen Frost)
A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.
(9.1.12,9.3.3,9.2.7) Fix parser crash for EXISTS (SELECT * FROM zero_column_table) (Tom Lane)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Ensure that ANALYZE creates statistics for a table column even when all the values in it are "too wide" (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix possible misbehavior in plainto_tsquery()
(Heikki Linnakangas)
Use memmove()
not memcpy()
for copying overlapping memory regions.
There have been no field reports of this actually causing trouble,
but it's certainly risky.
(9.1.12,9.3.3,9.2.7) Fix placement of permissions checks in pg_start_backup()
and pg_stop_backup()
(Andres Freund, Magnus
Hagander)
The previous coding might attempt to do catalog access when it shouldn't.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix misbehavior of PQhost()
on
Windows (Fujii Masao)
It should return localhost if no host has been specified.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.
(9.1.12,9.3.3,9.2.7) Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander)
(9.1.12,9.3.3,9.2.7) Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix misaligned descriptors in ecpg (MauMau)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Ensure client-code-only installation procedure works as documented (Peter Eisentraut)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.
(9.1.12,9.3.3,9.2.7,9.0.16) Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.
(9.1.12,9.3.3,9.2.7,9.0.16,8.4.20) Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.
Release date: 2013-12-05
This release contains a variety of fixes from 9.1.10. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, this release corrects a number of potential data corruption issues. See the first two changelog entries below to find out whether your installation has been affected and what steps you can take if so.
Also, if you are upgrading from a version earlier than 9.1.9, see Version 9.1.9.
(9.1.11,9.0.15) Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)
In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).
(9.1.11,9.3.2,9.2.6,9.0.15) Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas)
This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading.
(9.1.11,9.3.2,9.2.6,9.0.15) Truncate pg_multixact contents during WAL replay (Andres Freund)
This avoids ever-increasing disk space consumption in standby servers.
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)
This could lead to transient wrong answers or query failures.
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)
This avoids unexpected results due to extra evaluations of the volatile function.
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)
This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.
(9.1.11,9.3.2,9.2.6) Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane)
The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable.
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix premature deletion of temporary files (Andres Freund)
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix possible read past end of memory in rule printing (Peter Eisentraut)
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix array slicing of int2vector and oidvector values (Tom Lane)
Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)
In some cases, the system would use the simple GMT offset value
when it should have used the regular timezone setting that had
prevailed before the simple offset was selected. This change also
causes the timeofday
function to
honor the simple GMT offset zone.
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)
This fix applies only to Windows.
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)
Previously, the generated script would fail during restore.
(9.1.11,9.3.2,9.2.6) Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi)
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)
(9.1.11,9.3.2,9.2.6,9.0.15,8.4.19) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.
Release date: 2013-10-10
This release contains a variety of fixes from 9.1.9. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.9, see Version 9.1.9.
(9.1.10,9.2.5,9.0.14,8.4.18) Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan)
PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding.
(9.1.10,9.2.5,9.0.14) Fix checkpoint memory leak in background writer when wal_level = hot_standby (Naoya Anzai)
(9.1.10,9.3.1,9.2.5,9.0.14,8.4.18) Fix memory leak caused by lo_open()
failure (Heikki Linnakangas)
(9.1.10,9.2.5,9.0.14,8.4.18) Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost)
(9.1.10,9.3.1,9.2.5) Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas)
(9.1.10,9.3.1,9.2.5,9.0.14,8.4.18) Fix deadlock bug in libpq when using SSL (Stephen Frost)
(9.1.10,9.2.5,9.0.14) Fix possible SSL state corruption in threaded libpq applications (Nick Phillips, Stephen Frost)
(9.1.10,9.2.5,9.0.14,8.4.18) Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth)
Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs.
(9.1.10,9.2.5,9.0.14,8.4.18) Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane)
Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results.
(9.1.10,9.2.5,9.0.14,8.4.18) Fix rare case of "failed to locate grouping columns" planner failure (Tom Lane)
(9.1.10,9.2.5) Fix pg_dump of foreign tables with dropped columns (Andrew Dunstan)
Previously such cases could cause a pg_upgrade error.
(9.1.10,9.2.5) Reorder pg_dump processing of extension-related rules and event triggers (Joe Conway)
(9.1.10,9.2.5) Force dumping of extension tables if specified by pg_dump -t or -n (Joe Conway)
(9.1.10,9.2.5,9.0.14,8.4.18) Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane)
(9.1.10,9.2.5) Fix pg_restore -l with the directory archive to display the correct format name (Fujii Masao)
(9.1.10,9.2.5,9.0.14) Properly record index comments created using UNIQUE and PRIMARY KEY syntax (Andres Freund)
This fixes a parallel pg_restore failure.
(9.1.10,9.2.5) Properly guarantee transmission of WAL files before clean switchover (Fujii Masao)
Previously, the streaming replication connection might close before all WAL files had been replayed on the standby.
(9.1.10,9.2.5) Fix WAL segment timeline handling during recovery (Mitsumasa Kondo, Heikki Linnakangas)
WAL file recycling during standby recovery could lead to premature recovery completion, resulting in data loss.
(9.1.10,9.2.5,9.0.14) Fix REINDEX TABLE and REINDEX DATABASE to properly revalidate constraints and mark invalidated indexes as valid (Noah Misch)
REINDEX INDEX has always worked properly.
(9.1.10,9.2.5,9.0.14,8.4.18) Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane)
(9.1.10,9.2.5,9.0.14,8.4.18) Fix regexp_matches()
handling of
zero-length matches (Jeevan Chalke)
Previously, zero-length matches like '^' could return too many matches.
(9.1.10,9.2.5,9.0.14,8.4.18) Fix crash for overly-complex regular expressions (Heikki Linnakangas)
(9.1.10,9.2.5,9.0.14,8.4.18) Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke)
(9.1.10,9.3.1,9.2.5,9.0.14,8.4.18) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)
(9.1.10,9.2.5,9.0.14) Allow ALTER DEFAULT PRIVILEGES to operate on schemas without requiring CREATE permission (Tom Lane)
(9.1.10,9.2.5,9.0.14) Loosen restriction on keywords used in queries (Tom Lane)
Specifically, lessen keyword restrictions for role names, language names, EXPLAIN and COPY options, and SET values. This allows COPY ... (FORMAT BINARY) to work as expected; previously BINARY needed to be quoted.
(9.1.10,9.2.5,9.0.14,8.4.18) Fix pgp_pub_decrypt()
so it works
for secret keys with passwords (Marko Kreen)
(9.1.10,9.2.5) Make pg_upgrade use pg_dump --quote-all-identifiers to avoid problems with keyword changes between releases (Tom Lane)
(9.1.10,9.3.1,9.2.5,9.0.14,8.4.18) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)
(9.1.10,9.2.5,9.0.14) Ensure that VACUUM ANALYZE still runs the ANALYZE phase if its attempt to truncate the file is cancelled due to lock conflicts (Kevin Grittner)
(9.1.10,9.2.5,8.4.18) Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane)
(9.1.10,9.2.5,9.0.14,8.4.18) Ensure that floating-point data input accepts standard spellings of "infinity" on all platforms (Tom Lane)
The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity.
Make sure we recognize these even if the platform's strtod
function doesn't.
(9.1.10,9.2.5,9.0.14,8.4.18) Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane)
(9.1.10,9.2.5,9.0.14,8.4.18) Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island.
Release date: 2013-04-04
This release contains a variety of fixes from 9.1.8. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below.
Also, if you are upgrading from a version earlier than 9.1.6, see Version 9.1.6.
(9.1.9,9.2.4,9.0.13) Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi)
A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. CVE-2013-1899 or CVE-2013-1899)
(9.1.9,9.2.4,9.0.13,8.4.17) Reset OpenSSL randomness state in each postmaster child process (Marko Kreen)
This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. CVE-2013-1900 or CVE-2013-1900)
(9.1.9,9.2.4) Make REPLICATION privilege checks test current user not authenticated user (Noah Misch)
An unprivileged database user could exploit this mistake to call
pg_start_backup()
or pg_stop_backup()
, thus possibly interfering with
creation of routine backups. CVE-2013-1901 or CVE-2013-1901)
(9.1.9,9.2.4,9.0.13,8.4.17) Fix GiST indexes to not use "fuzzy" geometric comparisons when it's not appropriate to do so (Alexander Korotkov)
The core geometric types perform comparisons using "fuzzy" equality, but gist_box_same
must do exact comparisons, else
GiST indexes using it might become inconsistent. After installing
this update, users should REINDEX any GiST
indexes on box, polygon, circle, or point columns, since all of these use gist_box_same
.
(9.1.9,9.2.4,9.0.13,8.4.17) Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.
(9.1.9,9.2.4,9.0.13,8.4.17) Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.
(9.1.9,9.2.4,9.0.13) Fix gist_point_consistent
to
handle fuzziness consistently (Alexander Korotkov)
Index scans on GiST indexes on point
columns would sometimes yield results different from a sequential
scan, because gist_point_consistent
disagreed with the underlying operator code about whether to do
comparisons exactly or fuzzily.
(9.1.9,9.2.4,9.0.13) Fix buffer leak in WAL replay (Heikki Linnakangas)
This bug could result in "incorrect local pin count" errors during replay, making recovery impossible.
(9.1.9,9.2.4,9.0.13) Fix race condition in DELETE RETURNING (Tom Lane)
Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash.
(9.1.9,9.2.4,9.0.13,8.4.17) Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)
(9.1.9,9.2.4,9.0.13,8.4.17) Fix potential null-pointer dereference in regular expression compilation (Tom Lane)
(9.1.9,9.2.4,9.0.13,8.4.17) Fix to_char()
to use ASCII-only
case-folding rules where appropriate (Tom Lane)
This fixes misbehavior of some template patterns that should be locale-independent, but mishandled "I" and "i" in Turkish locales.
(9.1.9,9.2.4,9.0.13,8.4.17) Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)
(9.1.9,9.2.4,9.0.13) Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane)
The session wound up not listening for notify events at all, though it surely should listen in this case.
(9.1.9,9.2.4) Fix possible planner crash after columns have been added to a view that's depended on by another view (Tom Lane)
(9.1.9,9.2.4,9.0.13,8.4.17) Remove useless "picksplit doesn't support secondary split" log messages (Josh Hansen, Tom Lane)
This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.
(9.1.9,9.2.4,9.0.13,8.4.17) Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)
(9.1.9,9.2.4,9.0.13,8.4.17) Eliminate memory leaks in PL/Perl's spi_prepare()
function (Alex Hunsaker, Tom
Lane)
(9.1.9,9.2.4,9.0.13,8.4.17) Fix pg_dumpall to handle database names containing "=" correctly (Heikki Linnakangas)
(9.1.9,9.2.4,9.0.13,8.4.17) Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas)
(9.1.9,9.2.4,9.0.13) Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian)
Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing.
(9.1.9,9.2.4) In pg_basebackup, include only the current server version's subdirectory when backing up a tablespace (Heikki Linnakangas)
(9.1.9,9.2.4) Add a server version check in pg_basebackup and pg_receivexlog, so they fail cleanly with version combinations that won't work (Heikki Linnakangas)
(9.1.9,9.2.4,9.0.13,8.4.17) Fix contrib/pg_trgm's similarity()
function to return zero for
trigram-less strings (Tom Lane)
Previously it returned NaN due to internal division by zero.
(9.1.9,9.2.4,9.0.13,8.4.17) Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places.
Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.
Release date: 2013-02-07
This release contains a variety of fixes from 9.1.7. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.6, see Version 9.1.6.
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Prevent execution of enum_recv
from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. CVE-2013-0255 or CVE-2013-0255)
(9.1.8,9.2.3,9.0.12) Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund)
(9.1.8,9.2.3,9.0.12,8.4.16) Update minimum recovery point when truncating a relation file (Heikki Linnakangas)
Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.
(9.1.8,9.2.3) Fix recycling of WAL segments after changing recovery target timeline (Heikki Linnakangas)
(9.1.8,9.2.3,9.0.12) Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs)
The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data.
(9.1.8,9.2.3) Prevent recovery pause feature from pausing before users can connect (Tom Lane)
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)
(9.1.8,9.2.3,9.0.12) Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck)
Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives.
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Prevent DROP OWNED from trying to drop whole databases or tablespaces (Ãlvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.
(9.1.8,9.2.3,9.0.12,8.4.16) Fix error in vacuum_freeze_table_age implementation (Andres Freund)
In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead.
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)
(9.1.8,9.2.3) Fix failure to ignore leftover temporary tables after a server crash (Tom Lane)
(9.1.8,9.2.3,9.0.12,8.4.16) Reject out-of-range dates in to_date()
(Hitoshi Harada)
(9.1.8,9.2.3) Fix pg_extension_config_dump()
to
handle extension-update cases properly (Tom Lane)
This function will now replace any existing entry for the target table, making it usable in extension update scripts.
(9.1.8,9.2.3) Fix PL/Python's handling of functions used as triggers on multiple tables (Andres Freund)
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)
This bug affected psql and some other client programs.
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)
(9.1.8,9.2.3) Fix possible error if a relation file is removed while pg_basebackup is running (Heikki Linnakangas)
(9.1.8,9.2.3) Make pg_dump exclude data of unlogged tables when running on a hot-standby server (Magnus Hagander)
This would fail anyway because the data is not available on the standby server, so it seems most convenient to assume --no-unlogged-table-data automatically.
(9.1.8,9.2.3,9.0.12) Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian)
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Fix one-byte buffer overrun in libpq's PQprintTuples
(Xi Wang)
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
(9.1.8,9.2.3,9.0.12,8.4.16) Make ecpglib use translated messages properly (Chen Huajun)
(9.1.8,9.2.3,9.0.12,8.4.16) Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing)
(9.1.8,9.2.3,9.0.12) Include our version of isinf()
in
libecpg if it's not provided by
the system (Jiang Guiqing)
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Ensure Windows build number increases over time (Magnus Hagander)
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)
(9.1.8,9.2.3,9.0.12,8.4.16,8.3.23) Add new timezone abbreviation FET (Tom Lane)
This is now used in some eastern-European time zones.
Release date: 2012-12-06
This release contains a variety of fixes from 9.1.6. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.6, see Version 9.1.6.
(9.1.7,9.0.11,8.4.15,8.3.22) Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane)
Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.
(9.1.7,9.2.2,9.0.11) Fix buffer locking during WAL replay (Tom Lane)
The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures.
(9.1.7,9.2.2,9.0.11) Fix an error in WAL generation logic for GIN indexes (Tom Lane)
This could result in index corruption, if a torn-page failure occurred.
(9.1.7,9.2.2,9.0.11) Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running (Simon Riggs)
This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY.
(9.1.7,9.2.2,9.0.11) Avoid bogus "out-of-sequence timeline ID" errors in standby mode (Heikki Linnakangas)
(9.1.7,9.2.2,9.0.11) Prevent the postmaster from launching new child processes after it's received a shutdown signal (Tom Lane)
This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Avoid corruption of internal hash tables when out of memory (Hitoshi Harada)
(9.1.7,9.2.2) Prevent file descriptors for dropped tables from being held open past transaction end (Tom Lane)
This should reduce problems with long-since-dropped tables continuing to occupy disk space.
(9.1.7,9.2.2) Prevent database-wide crash and restart when a new child process is unable to create a pipe for its latch (Tom Lane)
Although the new process must fail, there is no good reason to force a database-wide restart, so avoid that. This improves robustness when the kernel is nearly out of file descriptors.
(9.1.7,9.0.11,8.4.15,8.3.22) Fix planning of non-strict equivalence clauses above outer joins (Tom Lane)
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join.
(9.1.7,9.2.2) Fix SELECT DISTINCT with
index-optimized MIN
/MAX
on an inheritance tree (Tom Lane)
The planner would fail with "failed to re-find MinMaxAggInfo record" given this combination of factors.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane)
This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.
(9.1.7,9.2.2) Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund)
In very unusual circumstances, this oversight could result in passing incorrect data to a trigger WHEN condition, or to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.
(9.1.7,9.2.2,9.0.11,8.4.15) Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee)
This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later.
(9.1.7,9.2.2) Fix ALTER EXTENSION SET SCHEMA's failure to move some subsidiary objects into the new schema (Ãlvaro Herrera, Dimitri Fontaine)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix REASSIGN OWNED to handle grants on tablespaces (Ãlvaro Herrera)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane)
Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix possible access past end of string in date parsing (Hitoshi Harada)
(9.1.7,9.2.2,9.0.11) Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby (Tom Lane, Andres Freund)
While this mistake had no particular impact on PostgreSQL itself, it was bad for applications
that rely on txid_current()
and
related functions: the TXID value would appear to go backwards.
(9.1.7,9.2.2) Fix display of pg_stat_replication.sync_state at a page boundary (Kyotaro Horiguchi)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan)
Formerly, this would result in something quite unhelpful, such as "Non-recoverable failure in name resolution".
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix memory leaks when sending composite column values to the client (Tom Lane)
(9.1.7,9.0.11,8.4.15,8.3.22) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas)
Fix race conditions and possible file descriptor leakage.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing)
(9.1.7) Make pg_dump dump SEQUENCE SET items in the data not pre-data section of the archive (Tom Lane)
This change fixes dumping of sequences that are marked as extension configuration tables.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane)
The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane)
The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.
(9.1.7,9.2.2) Fix tar files emitted by pg_basebackup to be POSIX conformant (Brian Weaver, Tom Lane)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane)
This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix libpq's lo_import()
and lo_export()
functions to report file I/O errors
properly (Tom Lane)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama)
(9.1.7,9.2.2,9.0.11) Fix ecpg's ecpg_get_data
function to handle arrays properly
(Michael Meskes)
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane)
(9.1.7,9.2.2) Ensure that make install for an extension creates the extension installation directory (Cédric Villemain)
Previously, this step was missed if MODULEDIR was set in the extension's Makefile.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Fix pgxs support for building loadable modules on AIX (Tom Lane)
Building modules outside the original source tree didn't work on AIX.
(9.1.7,9.2.2,9.0.11,8.4.15,8.3.22) Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.
Release date: 2012-09-24
This release contains a variety of fixes from 9.1.5. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, you may need to perform REINDEX operations to recover from the effects of the data corruption bug described in the first changelog item below.
Also, if you are upgrading from a version earlier than 9.1.4, see Version 9.1.4.
(9.1.6) Fix persistence marking of shared buffers during WAL replay (Jeff Davis)
This mistake can result in buffers not being written out during checkpoints, resulting in data corruption if the server later crashes without ever having written those buffers. Corruption can occur on any server following crash recovery, but it is significantly more likely to occur on standby slave servers since those perform much more WAL replay. There is a low probability of corruption of btree and GIN indexes. There is a much higher probability of corruption of table "visibility maps". Fortunately, visibility maps are non-critical data in 9.1, so the worst consequence of such corruption in 9.1 installations is transient inefficiency of vacuuming. Table data proper cannot be corrupted by this bug.
While no index corruption due to this bug is known to have occurred in the field, as a precautionary measure it is recommended that production installations REINDEX all btree and GIN indexes at a convenient time after upgrading to 9.1.6.
Also, if you intend to do an in-place upgrade to 9.2.X, before doing so it is recommended to perform a VACUUM of all tables while having vacuum_freeze_table_age set to zero. This will ensure that any lingering wrong data in the visibility maps is corrected before 9.2.X can depend on it. vacuum_cost_delay can be adjusted to reduce the performance impact of vacuuming, while causing it to take longer to finish.
(9.1.6,9.0.10,8.4.14) Fix planner's assignment of executor parameters, and fix executor's rescan logic for CTE plan nodes (Tom Lane)
These errors could result in wrong answers from queries that scan the same WITH subquery multiple times.
(9.1.6) Fix misbehavior when default_transaction_isolation is set to serializable (Kevin Grittner, Tom Lane, Heikki Linnakangas)
Symptoms include crashes at process start on Windows, and crashes in hot standby operation.
(9.1.6,9.2.1) Improve selectivity estimation for text search queries involving prefixes, i.e. word:* patterns (Tom Lane)
(9.1.6,9.0.10,8.4.14,8.3.21) Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane)
Multi-column GiST indexes might suffer unexpected bloat due to this error.
(9.1.6,9.0.10,8.4.14,8.3.21) Fix cascading privilege revoke to stop if privileges are still held (Tom Lane)
If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to.
(9.1.6) Disallow extensions from containing the schema they are assigned to (Thom Brown)
This situation creates circular dependencies that confuse pg_dump and probably other things. It's confusing for humans too, so disallow it.
(9.1.6,9.0.10) Improve error messages for Hot Standby misconfiguration errors (Gurjeet Singh)
(9.1.6) Make configure probe for
mbstowcs_l
(Tom Lane)
This fixes build failures on some versions of AIX.
(9.1.6,9.0.10,8.4.14,8.3.21) Fix handling of SIGFPE when PL/Perl is in use (Andres Freund)
Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl.
(9.1.6,9.2.1,9.0.10,8.4.14,8.3.21) Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane)
(9.1.6,9.2.1,9.0.10,8.4.14,8.3.21) Work around possible misoptimization in PL/Perl (Tom Lane)
Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error.
(9.1.6) Fix bugs in contrib/pg_trgm's LIKE pattern analysis code (Fujii Masao)
LIKE queries using a trigram index could produce wrong results if the pattern contained LIKE escape characters.
(9.1.6,9.0.10) Fix pg_upgrade's handling of line endings on Windows (Andrew Dunstan)
Previously, pg_upgrade might add or remove carriage returns in places such as function bodies.
(9.1.6,9.0.10) On Windows, make pg_upgrade use backslash path separators in the scripts it emits (Andrew Dunstan)
(9.1.6,9.2.1) Remove unnecessary dependency on pg_config from pg_upgrade (Peter Eisentraut)
(9.1.6,9.2.1,9.0.10,8.4.14,8.3.21) Update time zone data files to tzdata release 2012f for DST law changes in Fiji
Release date: 2012-08-17
This release contains a variety of fixes from 9.1.4. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.4, see Version 9.1.4.
(9.1.5,9.0.9,8.4.13,8.3.20) Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane)
xml_parse()
would attempt to fetch
external files or URLs as needed to resolve DTD and entity
references in an XML value, thus allowing unprivileged database
users to attempt to fetch data with the privileges of the database
server. While the external data wouldn't get returned directly to
the user, portions of it could be exposed in error messages if the
data didn't parse as valid XML; and in any case the mere ability to
check existence of a file might be useful to an attacker.
CVE-2012-3489 or CVE-2012-3489)
(9.1.5,9.0.9,8.4.13,8.3.20) Prevent access to external files/URLs via contrib/xml2's xslt_process()
(Peter Eisentraut)
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. CVE-2012-3488 or CVE-2012-3488)
Also, remove xslt_process()
's
ability to fetch documents and stylesheets from external
files/URLs. While this was a documented "feature", it was long regarded as a bad idea. The
fix forCVE-2012-3489 or CVE-2012-3489 broke that capability, and rather than expend
effort on trying to fix it, we're just going to summarily remove
it.
(9.1.5,9.0.9,8.4.13,8.3.20) Prevent too-early recycling of btree index pages (Noah Misch)
When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed.
(9.1.5,9.0.9,8.4.13,8.3.20) Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane)
If ALTER SEQUENCE was executed on a
freshly created or reset sequence, and then precisely one
nextval()
call was made on it, and
then the server crashed, WAL replay would restore the sequence to a
state in which it appeared that no nextval()
had been done, thus allowing the first
sequence value to be returned again by the next nextval()
call. In particular this could manifest
for serial columns, since creation of a
serial column's sequence includes an ALTER
SEQUENCE OWNED BY step.
(9.1.5) Fix race condition in enum-type value comparisons (Robert Haas, Tom Lane)
Comparisons could fail when encountering an enum value added since the current query started.
(9.1.5,9.0.9) Fix txid_current()
to report the
correct epoch when not in hot standby (Heikki Linnakangas)
This fixes a regression introduced in the previous minor release.
(9.1.5) Prevent selection of unsuitable replication connections as the synchronous standby (Fujii Masao)
The master might improperly choose pseudo-servers such as pg_receivexlog or pg_basebackup as the synchronous standby, and then wait indefinitely for them.
(9.1.5,9.0.9) Fix bug in startup of Hot Standby when a master transaction has many subtransactions (Andres Freund)
This mistake led to failures reported as "out-of-order XID insertion in KnownAssignedXids".
(9.1.5,9.0.9,8.4.13,8.3.20) Ensure the backup_label file is
fsync'd after pg_start_backup()
(Dave
Kerr)
(9.1.5,9.0.9) Fix timeout handling in walsender processes (Tom Lane)
WAL sender background processes neglected to establish a SIGALRM handler, meaning they would wait forever in some corner cases where a timeout ought to happen.
(9.1.5) Wake walsenders after each background flush by walwriter (Andres Freund, Simon Riggs)
This greatly reduces replication delay when the workload contains only asynchronously-committed transactions.
(9.1.5,9.0.9) Fix LISTEN/NOTIFY to cope better with I/O problems, such as out of disk space (Tom Lane)
After a write failure, all subsequent attempts to send more NOTIFY messages would fail with messages like "Could not read from file "pg_notify/nnnn" at offset nnnnn: Success".
(9.1.5,9.0.9,8.4.13,8.3.20) Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane)
The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period.
(9.1.5,9.0.9,8.4.13,8.3.20) Improve logging of autovacuum cancels (Robert Haas)
(9.1.5,9.0.9,8.4.13,8.3.20) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane)
(9.1.5,9.0.9,8.4.13) Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane)
(9.1.5,9.0.9,8.4.13,8.3.20) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane)
(9.1.5) Fix dependencies generated during ALTER TABLE ... ADD CONSTRAINT USING INDEX (Tom Lane)
This command left behind a redundant pg_depend entry for the index, which could confuse later operations, notably ALTER TABLE ... ALTER COLUMN TYPE on one of the indexed columns.
(9.1.5) Fix REASSIGN OWNED to work on extensions (Álvaro Herrera)
(9.1.5,9.0.9,8.4.13,8.3.20) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane)
This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch.
(9.1.5,9.0.9,8.4.13,8.3.20) Fix memory leak in ARRAY (SELECT ...) subqueries (Heikki Linnakangas, Tom Lane)
(9.1.5) Fix planner to pass correct collation to operator selectivity estimators (Tom Lane)
This was not previously required by any core selectivity estimation function, but third-party code might need it.
(9.1.5,9.0.9,8.4.13,8.3.20) Fix extraction of common prefixes from regular expressions (Tom Lane)
The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns.
(9.1.5,9.0.9,8.4.13) Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane)
(9.1.5) Fix pg_dump to better handle views containing partial GROUP BY lists (Tom Lane)
A view that lists only a primary key column in GROUP BY, but uses other table columns as if they were grouped, gets marked as depending on the primary key. Improper handling of such primary key dependencies in pg_dump resulted in poorly-ordered dumps, which at best would be inefficient to restore and at worst could result in outright failure of a parallel pg_restore run.
(9.1.5) In PL/Perl, avoid setting UTF8 flag when in SQL_ASCII encoding (Alex Hunsaker, Kyotaro Horiguchi, Álvaro Herrera)
(9.1.5,9.0.9) Use Postgres' encoding conversion functions, not Python's, when converting a Python Unicode string to the server encoding in PL/Python (Jan Urbanski)
This avoids some corner-case problems, notably that Python doesn't support all the encodings Postgres does. A notable functional change is that if the server encoding is SQL_ASCII, you will get the UTF-8 representation of the string; formerly, any non-ASCII characters in the string would result in an error.
(9.1.5,9.0.9) Fix mapping of PostgreSQL encodings to Python encodings in PL/Python (Jan Urbanski)
(9.1.5,9.0.9,8.4.13,8.3.20) Report errors properly in contrib/xml2's xslt_process()
(Tom Lane)
(9.1.5,9.0.9,8.4.13,8.3.20) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau
Release date: 2012-06-04
This release contains a variety of fixes from 9.1.3. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you use the citext data type, and you upgraded from a previous major release by running pg_upgrade, you should run CREATE EXTENSION citext FROM unpackaged to avoid collation-related failures in citext operations. The same is necessary if you restore a dump from a pre-9.1 database that contains an instance of the citext data type. If you've already run the CREATE EXTENSION command before upgrading to 9.1.4, you will instead need to do manual catalog updates as explained in the third changelog item below.
Also, if you are upgrading from a version earlier than 9.1.2, see Version 9.1.2.
(9.1.4,9.0.8,8.4.12,8.3.19) Fix incorrect password transformation in contrib/pgcrypto's DES crypt()
function (Solar Designer)
If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. CVE-2012-2143 or CVE-2012-2143)
(9.1.4,9.0.8,8.4.12,8.3.19) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane)
Applying such attributes to a call handler could crash the server. CVE-2012-2655 or CVE-2012-2655)
(9.1.4) Make contrib/citext's upgrade script fix collations of citext arrays and domains over citext (Tom Lane)
Release 9.1.2 provided a fix for collations of citext columns and indexes in databases upgraded or reloaded from pre-9.1 installations, but that fix was incomplete: it neglected to handle arrays and domains over citext. This release extends the module's upgrade script to handle these cases. As before, if you have already run the upgrade script, you'll need to run the collation update commands by hand instead. See the 9.1.2 release notes for more information about doing this.
(9.1.4,9.0.8,8.4.12,8.3.19) Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane)
Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload.
(9.1.4,9.0.8,8.4.12,8.3.19) Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane)
This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions.
(9.1.4,9.0.8,8.4.12,8.3.19) Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter)
(9.1.4,9.0.8,8.4.12,8.3.19) Fix memory copying bug in to_tsquery()
(Heikki Linnakangas)
(9.1.4,9.0.8) Ensure txid_current()
reports the
correct epoch when executed in hot standby (Simon Riggs)
(9.1.4,9.0.8,8.4.12) Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane)
This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with "ERROR: Upper-level PlaceHolderVar found where not expected". But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should.
(9.1.4) Fix planning of UNION ALL subqueries with output columns that are not simple variables (Tom Lane)
Planning of such cases got noticeably worse in 9.1 as a result of a misguided fix for "MergeAppend child's targetlist doesn't match MergeAppend" errors. Revert that fix and do it another way.
(9.1.4,9.0.8,8.4.12,8.3.19) Fix slow session startup when pg_attribute is very large (Tom Lane)
If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once.
(9.1.4,9.0.8,8.4.12,8.3.19) Ensure sequential scans check for query cancel reasonably often (Merlin Moncure)
A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile.
(9.1.4,9.0.8,8.4.12,8.3.19) Ensure the Windows implementation of PGSemaphoreLock()
clears ImmediateInterruptOK before returning (Tom Lane)
This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences.
(9.1.4,9.0.8,8.4.12,8.3.19) Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane)
Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast.
(9.1.4,9.0.8,8.4.12) Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane)
A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4.
(9.1.4) Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses (Tom Lane)
(9.1.4) Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks (Tom Lane)
Historically, PREPARE TRANSACTION has simply ignored any session-level advisory locks the session holds, but this case was accidentally broken in 9.1.
(9.1.4) Fix truncation of unlogged tables (Robert Haas)
(9.1.4) Ignore missing schemas during non-interactive assignments of search_path (Tom Lane)
This re-aligns 9.1's behavior with that of older branches. Previously 9.1 would throw an error for nonexistent schemas mentioned in search_path settings obtained from places such as ALTER DATABASE SET.
(9.1.4) Fix bugs with temporary or transient tables used in extension scripts (Tom Lane)
This includes cases such as a rewriting ALTER TABLE within an extension update script, since that uses a transient table behind the scenes.
(9.1.4,9.0.8,8.4.12,8.3.19) Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas)
Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes.
(9.1.4,9.0.8,8.4.12,8.3.19) Fix logging collector to not lose log coherency under high load (Andrew Dunstan)
The collector previously could fail to reassemble large messages if it got too busy.
(9.1.4,9.0.8,8.4.12,8.3.19) Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane)
(9.1.4) Fix "too many LWLocks taken" failure in GiST indexes (Heikki Linnakangas)
(9.1.4,9.0.8,8.4.12) Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane)
(9.1.4) Correctly detect SSI conflicts of prepared transactions after a crash (Dan Ports)
(9.1.4) Avoid synchronous replication delay when committing a transaction that only modified temporary tables (Heikki Linnakangas)
In such a case the transaction's commit record need not be flushed to standby servers, but some of the code didn't know that and waited for it to happen anyway.
(9.1.4) Fix error handling in pg_basebackup (Thomas Ogrisegg, Fujii Masao)
(9.1.4) Fix walsender to not go into a busy loop if connection is terminated (Fujii Masao)
(9.1.4,9.0.8,8.4.12) Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway)
(9.1.4,9.0.8,8.4.12,8.3.19) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane)
(9.1.4) Ensure that PL/Perl package-qualifies the _TD variable (Alex Hunsaker)
This bug caused trigger invocations to fail when they are nested within a function invocation that changes the current package.
(9.1.4) Fix PL/Python functions returning composite types to accept a string for their result value (Jan Urbanski)
This case was accidentally broken by the 9.1 additions to allow a composite result value to be supplied in other formats, such as dictionaries.
(9.1.4,9.0.8,8.4.12) Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut)
(9.1.4,9.0.8,8.4.12,8.3.19) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane)
pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences.
(9.1.4) Fix memory and file descriptor leaks in pg_restore when reading a directory-format archive (Peter Eisentraut)
(9.1.4,9.0.8) Fix pg_upgrade for the case that a database stored in a non-default tablespace contains a table in the cluster's default tablespace (Bruce Momjian)
(9.1.4,9.0.8) In ecpg, fix rare memory leaks and possible overwrite of one byte after the sqlca_t structure (Peter Eisentraut)
(9.1.4,9.0.8,8.4.12,8.3.19) Fix contrib/dblink's dblink_exec()
to not leak temporary database
connections upon error (Tom Lane)
(9.1.4,9.0.8,8.4.12) Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi)
(9.1.4,9.0.8) Fix contrib/vacuumlo to use multiple transactions when dropping many large objects (Tim Lewis, Robert Haas, Tom Lane)
This change avoids exceeding max_locks_per_transaction when many objects need to be dropped. The behavior can be adjusted with the new -l (limit) option.
(9.1.4,9.0.8,8.4.12,8.3.19) Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.
Release date: 2012-02-27
This release contains a variety of fixes from 9.1.2. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, if you are upgrading from a version earlier than 9.1.2, see Version 9.1.2.
(9.1.3,9.0.7,8.4.11,8.3.18) Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)
This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. CVE-2012-0866 or CVE-2012-0866)
(9.1.3,9.0.7,8.4.11) Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas)
Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. CVE-2012-0867 or CVE-2012-0867)
(9.1.3,9.0.7,8.4.11,8.3.18) Convert newlines to spaces in names written in pg_dump comments (Robert Haas)
pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. CVE-2012-0868 or CVE-2012-0868)
(9.1.3,9.0.7,8.4.11,8.3.18) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane)
An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things.
(9.1.3,9.0.7) Fix transient zeroing of shared buffers during WAL replay (Tom Lane)
The replay logic would sometimes zero and refill a shared buffer, so that the contents were transiently invalid. In hot standby mode this can result in a query that's executing in parallel seeing garbage data. Various symptoms could result from that, but the most common one seems to be "invalid memory alloc request size".
(9.1.3) Fix handling of data-modifying WITH subplans in READ COMMITTED rechecking (Tom Lane)
A WITH clause containing INSERT/UPDATE/DELETE would crash if the parent UPDATE or DELETE command needed to be re-evaluated at one or more rows due to concurrent updates in READ COMMITTED mode.
(9.1.3) Fix corner case in SSI transaction cleanup (Dan Ports)
When finishing up a read-write serializable transaction, a crash could occur if all remaining active serializable transactions are read-only.
(9.1.3,9.0.7) Fix postmaster to attempt restart after a hot-standby crash (Tom Lane)
A logic error caused the postmaster to terminate, rather than attempt to restart the cluster, if any backend process crashed while operating in hot standby mode.
(9.1.3,9.0.7) Fix CLUSTER/VACUUM FULL handling of toast values owned by recently-updated rows (Tom Lane)
This oversight could lead to "duplicate key value violates unique constraint" errors being reported against the toast table's index during one of these commands.
(9.1.3,9.0.7,8.4.11) Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane)
Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions.
(9.1.3,9.0.7) Support foreign data wrappers and foreign servers in REASSIGN OWNED (Álvaro Herrera)
This command failed with "unexpected classid" errors if it needed to change the ownership of any such objects.
(9.1.3,9.0.7,8.4.11,8.3.18) Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas)
Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one.
(9.1.3) Fix "unsupported node type" error caused by COLLATE in an INSERT expression (Tom Lane)
(9.1.3,9.0.7,8.4.11) Avoid crashing when we have problems deleting table files post-commit (Tom Lane)
Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database.
(9.1.3,9.0.7) Recover from errors occurring during WAL replay of DROP TABLESPACE (Tom Lane)
Replay will attempt to remove the tablespace's directories, but there are various reasons why this might fail (for example, incorrect ownership or permissions on those directories). Formerly the replay code would panic, rendering the database unrestartable without manual intervention. It seems better to log the problem and continue, since the only consequence of failure to remove the directories is some wasted disk space.
(9.1.3,9.0.7) Fix race condition in logging AccessExclusiveLocks for hot standby (Simon Riggs)
Sometimes a lock would be logged as being held by "transaction zero". This is at least known to produce assertion failures on slave servers, and might be the cause of more serious problems.
(9.1.3,9.0.7,8.4.11,8.3.18) Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane)
Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed.
(9.1.3,9.0.7) Prevent emitting misleading "consistent recovery state reached" log message at the beginning of crash recovery (Heikki Linnakangas)
(9.1.3,9.0.7) Fix initial value of pg_stat_replication.replay_location (Fujii Masao)
Previously, the value shown would be wrong until at least one WAL record had been replayed.
(9.1.3,9.0.7,8.4.11,8.3.18) Fix regular expression back-references with * attached (Tom Lane)
Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol.
A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release.
(9.1.3,9.0.7,8.4.11,8.3.18) Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas)
A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column.
(9.1.3) Fix planner's ability to push down index-expression restrictions through UNION ALL (Tom Lane)
This type of optimization was inadvertently disabled by a fix for another problem in 9.1.2.
(9.1.3) Fix planning of WITH clauses referenced in UPDATE/DELETE on an inherited table (Tom Lane)
This bug led to "could not find plan for CTE" failures.
(9.1.3) Fix GIN cost estimation to handle column IN (...) index conditions (Marti Raudsepp)
This oversight would usually lead to crashes if such a condition could be used with a GIN index.
(9.1.3) Prevent assertion failure when exiting a session with an open, failed transaction (Tom Lane)
This bug has no impact on normal builds with asserts not enabled.
(9.1.3,9.0.7,8.4.11) Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane)
In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible.
(9.1.3,9.0.7,8.4.11,8.3.18) Avoid double close of file handle in syslogger on Windows (MauMau)
Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows.
(9.1.3,9.0.7,8.4.11,8.3.18) Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane)
Certain operations would leak memory until the end of the current function.
(9.1.3) Work around bug in perl's SvPVutf8() function (Andrew Dunstan)
This function crashes when handed a typeglob or certain read-only objects such as $^V. Make plperl avoid passing those to it.
(9.1.3) In pg_dump, don't dump contents of an extension's configuration tables if the extension itself is not being dumped (Tom Lane)
(9.1.3,9.0.7,8.4.11,8.3.18) Improve pg_dump's handling of inherited table columns (Tom Lane)
pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly.
(9.1.3,9.0.7,8.4.11,8.3.18) Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane)
Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay.
(9.1.3) Teach pg_upgrade to handle renaming of plpython's shared library (Bruce Momjian)
Upgrading a pre-9.1 database that included plpython would fail because of this oversight.
(9.1.3,9.0.7) Allow pg_upgrade to process tables containing regclass columns (Bruce Momjian)
Since pg_upgrade now takes care to preserve pg_class OIDs, there was no longer any reason for this restriction.
(9.1.3,9.0.7) Make libpq ignore ENOTDIR errors when looking for an SSL client certificate file (Magnus Hagander)
This allows SSL connections to be established, though without a certificate, even when the user's home directory is set to something like /dev/null.
(9.1.3,9.0.7) Fix some more field alignment issues in ecpg's SQLDA area (Zoltan Boszormenyi)
(9.1.3,9.0.7,8.4.11) Allow AT option in ecpg DEALLOCATE statements (Michael Meskes)
The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case.
(9.1.3,9.0.7) Do not use the variable name when defining a varchar structure in ecpg (Michael Meskes)
(9.1.3,9.0.7) Fix contrib/auto_explain's JSON output mode to produce valid JSON (Andrew Dunstan)
The output used brackets at the top level, when it should have used braces.
(9.1.3,9.0.7,8.4.11,8.3.18) Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge)
If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result.
(9.1.3,9.0.7,8.4.11,8.3.18) Fix error detection in contrib/pgcrypto's encrypt_iv()
and decrypt_iv()
(Marko Kreen)
These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input.
(9.1.3,9.0.7,8.4.11,8.3.18) Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot)
The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad.
(9.1.3,9.0.7,8.4.11,8.3.18) Use __sync_lock_test_and_set()
for
spinlocks on ARM, if available (Martin Pitt)
This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.
(9.1.3,9.0.7,8.4.11,8.3.18) Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan)
This prevents assorted scenarios wherein recent versions of gcc will produce creative results.
(9.1.3,9.0.7,8.4.11,8.3.18) Allow use of threaded Python on FreeBSD (Chris Rees)
Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check.
(9.1.3) Allow MinGW builds to use standardly-named OpenSSL libraries (Tomasz Ostrowski)
Release date: 2011-12-05
This release contains a variety of fixes from 9.1.1. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below.
Also, if you use the citext data type, and you upgraded from a previous major release by running pg_upgrade, you should run CREATE EXTENSION citext FROM unpackaged to avoid collation-related failures in citext operations. The same is necessary if you restore a dump from a pre-9.1 database that contains an instance of the citext data type. If you've already run the CREATE EXTENSION command before upgrading to 9.1.2, you will instead need to do manual catalog updates as explained in the second changelog item.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Fix bugs in information_schema.referential_constraints view (Tom Lane)
This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does.
Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed.
(9.1.2) Make contrib/citext's upgrade script fix collations of citext columns and indexes (Tom Lane)
Existing citext columns and indexes aren't correctly marked as being of a collatable data type during pg_upgrade from a pre-9.1 server, or when a pre-9.1 dump containing the citext type is loaded into a 9.1 server. That leads to operations on these columns failing with errors such as "could not determine which collation to use for string comparison". This change allows them to be fixed by the same script that upgrades the citext module into a proper 9.1 extension during CREATE EXTENSION citext FROM unpackaged.
If you have a previously-upgraded database that is suffering from this problem, and you already ran the CREATE EXTENSION command, you can manually run (as superuser) the UPDATE commands found at the end of SHAREDIR/extension/citext--unpackaged--1.0.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) There is no harm in doing this again if unsure.
(9.1.2,9.0.6) Fix possible crash during UPDATE or DELETE that joins to the output of a scalar-returning function (Tom Lane)
A crash could only occur if the target row had been concurrently updated, so this problem surfaced only intermittently.
(9.1.2,9.0.6,8.4.10) Fix incorrect replay of WAL records for GIN index updates (Tom Lane)
This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane)
If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug.
(9.1.2,9.0.6) Fix possible failures during hot standby startup (Simon Riggs)
(9.1.2,9.0.6) Start hot standby faster when initial snapshot is incomplete (Simon Riggs)
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Fix race condition during toast table access from stale syscache entries (Tom Lane)
The typical symptom was transient errors like "missing chunk number 0 for toast value NNNNN in pg_toast_2619", where the cited toast table would always belong to a system catalog.
(9.1.2,9.0.6,8.4.10) Track dependencies of functions on items used in parameter default expressions (Tom Lane)
Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended.
(9.1.2) Fix incorrect management of placeholder variables in nestloop joins (Tom Lane)
This bug is known to lead to "variable not found in subplan target list" planner errors, and could possibly result in wrong query output when outer joins are involved.
(9.1.2) Fix window functions that sort by expressions involving aggregates (Tom Lane)
Previously these could fail with "could not find pathkey item to sort" planner errors.
(9.1.2) Fix "MergeAppend child's targetlist doesn't match MergeAppend" planner errors (Tom Lane)
(9.1.2) Fix index matching for operators with both collatable and noncollatable inputs (Tom Lane)
In 9.1.0, an indexable operator that has a non-collatable left-hand input type and a collatable right-hand input type would not be recognized as matching the left-hand column's index. An example is the hstore ? text operator.
(9.1.2,9.0.6,8.4.10) Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane)
(9.1.2,9.0.6) Don't trust deferred-unique indexes for join removal (Tom Lane and Marti Raudsepp)
A deferred uniqueness constraint might not hold intra-transaction, so assuming that it does could give incorrect query results.
(9.1.2,9.0.6,8.4.10,8.3.17) Make DatumGetInetP()
unpack inet
datums that have a 1-byte header, and add a new macro, DatumGetInetPP()
, that does not (Heikki
Linnakangas)
This change affects no core code, but might prevent crashes in
add-on code that expects DatumGetInetP()
to produce an unpacked datum as
per usual convention.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Improve locale support in money type's input and output (Tom Lane)
Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas)
transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane)
For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order.
(9.1.2) Fix IF EXISTS to work correctly in DROP OPERATOR FAMILY (Robert Haas)
(9.1.2) Disallow dropping of an extension from within its own script (Tom Lane)
This prevents odd behavior in case of incorrect management of extension dependencies.
(9.1.2) Don't mark auto-generated types as extension members (Robert Haas)
Relation rowtypes and automatically-generated array types do not need to have their own extension membership entries in pg_depend, and creating such entries complicates matters for extension upgrades.
(9.1.2) Cope with invalid pre-existing search_path settings during CREATE EXTENSION (Tom Lane)
(9.1.2,9.0.6,8.4.10,8.3.17) Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews)
While harmless in itself, on certain platforms this would result in annoying kernel log messages.
(9.1.2) Prevent autovacuum transactions from running in serializable mode (Tom Lane)
Autovacuum formerly used the cluster-wide default transaction isolation level, but there is no need for it to use anything higher than READ COMMITTED, and using SERIALIZABLE could result in unnecessary delays for other processes.
(9.1.2) Ensure walsender processes respond promptly to SIGTERM (Magnus Hagander)
(9.1.2) Exclude postmaster.opts from base backups (Magnus Hagander)
(9.1.2,9.0.6,8.4.10) Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane)
Formerly, these would not be displayed correctly in the pg_settings view.
(9.1.2,9.0.6) Fix incorrect field alignment in ecpg's SQLDA area (Zoltan Boszormenyi)
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Preserve blank lines within commands in psql's command history (Robert Haas)
The former behavior could cause problems if an empty line was removed from within a string literal, for example.
(9.1.2) Avoid platform-specific infinite loop in pg_dump (Steve Singer)
(9.1.2) Fix compression of plain-text output format in pg_dump (Adrian Klaver and Tom Lane)
pg_dump has historically understood -Z with no -F switch to mean that it should emit a gzip-compressed version of its plain text output. Restore that behavior.
(9.1.2,9.0.6,8.4.10,8.3.17) Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane)
(9.1.2) Fix missed quoting of foreign server names in pg_dump (Tom Lane)
(9.1.2,9.0.6) Assorted fixes for pg_upgrade (Bruce Momjian)
Handle exclusion constraints correctly, avoid failures on Windows, don't complain about mismatched toast table names in 8.4 databases.
(9.1.2) In PL/pgSQL, allow foreign tables to define row types (Alexander Soudakov)
(9.1.2) Fix up conversions of PL/Perl functions' results (Alex Hunsaker and Tom Lane)
Restore the pre-9.1 behavior that PL/Perl functions returning void ignore the result value of their last Perl statement; 9.1.0 would throw an error if that statement returned a reference. Also, make sure it works to return a string value for a composite type, so long as the string meets the type's input format. In addition, throw errors for attempts to return Perl arrays or hashes when the function's declared result type is not an array or composite type, respectively. (Pre-9.1 versions rather uselessly returned strings like ARRAY(0x221a9a0) or HASH(0x221aa90) in such cases.)
(9.1.2) Ensure PL/Perl strings are always correctly UTF8-encoded (Amit Khandekar and Alex Hunsaker)
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker)
(9.1.2) Correctly propagate SQLSTATE in PL/Python exceptions (Mika Eloranta and Jan Urbanski)
(9.1.2) Do not install PL/Python extension files for Python major versions other than the one built against (Peter Eisentraut)
(9.1.2) Change all the contrib extension script files to report a useful error message if they are fed to psql (Andrew Dunstan and Tom Lane)
This should help teach people about the new method of using CREATE EXTENSION to load these files. In most cases, sourcing the scripts directly would fail anyway, but with harder-to-interpret messages.
(9.1.2,9.0.6,8.4.10,8.3.17) Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane)
Some functions incorrectly assumed that memory returned by
palloc()
is guaranteed zeroed.
(9.1.2) Remove contrib/sepgsql tests from the regular regression test mechanism (Tom Lane)
Since these tests require root privileges for setup, they're impractical to run automatically. Switch over to a manual approach instead, and provide a testing script to help with that.
(9.1.2,9.0.6) Fix assorted errors in contrib/unaccent's configuration file parsing (Tom Lane)
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Honor query cancel interrupts promptly in pgstatindex()
(Robert Haas)
(9.1.2) Fix incorrect quoting of log file name in macOS start script (Sidar Lopez)
(9.1.2) Revert unintentional enabling of WAL_DEBUG (Robert Haas)
Fortunately, as debugging tools go, this one is pretty cheap; but it's not intended to be enabled by default, so revert.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Ensure VPATH builds properly install all server header files (Peter Eisentraut)
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Shorten file names reported in verbose error messages (Peter Eisentraut)
Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Fix interpretation of Windows timezone names for Central America (Tom Lane)
Map "Central America Standard Time" to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America.
(9.1.2,9.0.6,8.4.10,8.3.17,8.2.23) Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa.
Release date: 2011-09-26
This release contains a small number of fixes from 9.1.0. For information about new features in the 9.1 major release, see Version 9.1.0.
A dump/restore is not required for those running 9.1.X.
(9.1.1,9.0.5,8.4.9) Make pg_options_to_table
return
NULL for an option with no value (Tom Lane)
Previously such cases would result in a server crash.
(9.1.1,9.0.5,8.4.9,8.3.16,8.2.22) Fix memory leak at end of a GiST index scan (Tom Lane)
Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak.
(9.1.1) Fix explicit reference to pg_temp schema in CREATE TEMPORARY TABLE (Robert Haas)
This used to be allowed, but failed in 9.1.0.
Release date: 2011-09-12
This release shows PostgreSQL moving beyond the traditional relational-database feature set with new, ground-breaking functionality that is unique to PostgreSQL. The streaming replication feature introduced in release 9.0 is significantly enhanced by adding a synchronous-replication option, streaming backups, and monitoring improvements. Major enhancements include:
(9.1.0) Allow synchronous replication
(9.1.0) Add support for foreign tables
(9.1.0) Add per-column collation support
(9.1.0) Add extensions which simplify packaging of additions to PostgreSQL
(9.1.0) Add a true serializable isolation level
(9.1.0) Support unlogged tables using the UNLOGGED option in CREATE TABLE
(9.1.0) Allow data-modification commands (INSERT/UPDATE/DELETE) in WITH clauses
(9.1.0) Add nearest-neighbor (order-by-operator) searching to GiST indexes
(9.1.0) Add a SECURITY LABEL command and support for SELinux permissions control
(9.1.0) Update the PL/Python server-side language
The above items are explained in more detail in the sections below.
A dump/restore using pg_dump, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.1 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
(9.1.0) Change the default value of standard_conforming_strings to on (Robert Haas)
By default, backslashes are now ordinary characters in string literals, not escape characters. This change removes a long-standing incompatibility with the SQL standard. escape_string_warning has produced warnings about this usage for years. E'' strings are the proper way to embed backslash escapes in strings and are unaffected by this change.
Warning |
This change can break applications that are not expecting it and do their own string escaping according to the old rules. The consequences could be as severe as introducing SQL-injection security holes. Be sure to test applications that are exposed to untrusted input, to ensure that they correctly handle single quotes and backslashes in text strings. |
(9.1.0) Disallow function-style and attribute-style data type casts for composite types (Tom Lane)
For example, disallow composite_value.text and text(composite_value). Unintentional uses of this syntax have frequently resulted in bug reports; although it was not a bug, it seems better to go back to rejecting such expressions. The CAST and :: syntaxes are still available for use when a cast of an entire composite value is actually intended.
(9.1.0) Tighten casting checks for domains based on arrays (Tom Lane)
When a domain is based on an array type, it is allowed to "look through" the domain type to access the array elements, including subscripting the domain value to fetch or assign an element. Assignment to an element of such a domain value, for instance via UPDATE ... SET domaincol[5] = ..., will now result in rechecking the domain type's constraints, whereas before the checks were skipped.
(9.1.0) Change string_to_array()
to return an empty array
for a zero-length string (Pavel Stehule)
Previously this returned a null value.
(9.1.0) Change string_to_array()
so a NULL separator splits the string into characters
(Pavel Stehule)
Previously this returned a null value.
(9.1.0) Fix improper checks for before/after triggers (Tom Lane)
Triggers can now be fired in three cases: BEFORE, AFTER, or INSTEAD OF some action. Trigger function authors should verify that their logic behaves sanely in all three cases.
(9.1.0) Require superuser or CREATEROLE permissions in order to set comments on roles (Tom Lane)
(9.1.0) Change pg_last_xlog_receive_location()
so it never
moves backwards (Fujii Masao)
Previously, the value of pg_last_xlog_receive_location()
could move
backward when streaming replication is restarted.
(9.1.0) Have logging of replication connections honor log_connections (Magnus Hagander)
Previously, replication connections were always logged.
(9.1.0) Change PL/pgSQL's RAISE command without parameters to be catchable by the attached exception block (Piyush Newe)
Previously RAISE in a code block was always scoped to an attached exception block, so it was uncatchable at the same scope.
(9.1.0) Adjust PL/pgSQL's error line numbering code to be consistent with other PLs (Pavel Stehule)
Previously, PL/pgSQL would ignore (not count) an empty line at the start of the function body. Since this was inconsistent with all other languages, the special case was removed.
(9.1.0) Make PL/pgSQL complain about conflicting IN and OUT parameter names (Tom Lane)
Formerly, the collision was not detected, and the name would just silently refer to only the OUT parameter.
(9.1.0) Type modifiers of PL/pgSQL variables are now visible to the SQL parser (Tom Lane)
A type modifier (such as a varchar length limit) attached to a PL/pgSQL variable was formerly enforced during assignments, but was ignored for all other purposes. Such variables will now behave more like table columns declared with the same modifier. This is not expected to make any visible difference in most cases, but it could result in subtle changes for some SQL commands issued by PL/pgSQL functions.
(9.1.0) All contrib modules are now installed with CREATE EXTENSION rather than by manually invoking their SQL scripts (Dimitri Fontaine, Tom Lane)
To update an existing database containing the 9.0 version of a contrib module, use CREATE EXTENSION ... FROM unpackaged to wrap the existing contrib module's objects into an extension. When updating from a pre-9.0 version, drop the contrib module's objects using its old uninstall script, then use CREATE EXTENSION.
(9.1.0) Make pg_stat_reset()
reset all database-level
statistics (Tomas Vondra)
Some pg_stat_database counters were not being reset.
(9.1.0) Fix some information_schema.triggers column names to match the new SQL-standard names (Dean Rasheed)
(9.1.0) Treat ECPG cursor names as case-insensitive (Zoltan Boszormenyi)
Below you will find a detailed account of the changes between PostgreSQL 9.1 and the previous major release.
(9.1.0) Support unlogged tables using the UNLOGGED option in CREATE TABLE (Robert Haas)
Such tables provide better update performance than regular tables, but are not crash-safe: their contents are automatically cleared in case of a server crash. Their contents do not propagate to replication slaves, either.
(9.1.0) Allow FULL OUTER JOIN to be implemented as a hash join, and allow either side of a LEFT OUTER JOIN or RIGHT OUTER JOIN to be hashed (Tom Lane)
Previously FULL OUTER JOIN could only be implemented as a merge join, and LEFT OUTER JOIN and RIGHT OUTER JOIN could hash only the nullable side of the join. These changes provide additional query optimization possibilities.
(9.1.0) Merge duplicate fsync requests (Robert Haas, Greg Smith)
This greatly improves performance under heavy write loads.
(9.1.0) Improve performance of commit_siblings (Greg Smith)
This allows the use of commit_siblings with less overhead.
(9.1.0) Reduce the memory requirement for large ispell dictionaries (Pavel Stehule, Tom Lane)
(9.1.0) Avoid leaving data files open after "blind writes" (Álvaro Herrera)
This fixes scenarios in which backends might hold files open long after they were deleted, preventing the kernel from reclaiming disk space.
(9.1.0) Allow inheritance table scans to return meaningfully-sorted results (Greg Stark, Hans-Jürgen Schonig, Robert Haas, Tom Lane)
This allows better optimization of queries that use ORDER BY, LIMIT, or MIN/MAX with inherited tables.
(9.1.0) Improve GIN index scan cost estimation (Teodor Sigaev)
(9.1.0) Improve cost estimation for aggregates and window functions (Tom Lane)
(9.1.0) Support host names and host suffixes (e.g. .example.com) in pg_hba.conf (Peter Eisentraut)
Previously only host IP addresses and CIDR values were supported.
(9.1.0) Support the key word all in the host column of pg_hba.conf (Peter Eisentraut)
Previously people used 0.0.0.0/0 or ::/0 for this.
(9.1.0) Reject local lines in pg_hba.conf on platforms that don't support Unix-socket connections (Magnus Hagander)
Formerly, such lines were silently ignored, which could be surprising. This makes the behavior more like other unsupported cases.
(9.1.0) Allow GSSAPI to be used to authenticate to servers via SSPI (Christian Ullrich)
Specifically this allows Unix-based GSSAPI clients to do SSPI authentication with Windows servers.
(9.1.0) ident authentication over local sockets is now known as peer (Magnus Hagander)
The old term is still accepted for backward compatibility, but since the two methods are fundamentally different, it seemed better to adopt different names for them.
(9.1.0) Rewrite peer authentication to avoid use of credential control messages (Tom Lane)
This change makes the peer authentication code simpler and
better-performing. However, it requires the platform to provide the
getpeereid
function or an equivalent
socket operation. So far as is known, the only platform for which
peer authentication worked before and now will not is pre-5.0
NetBSD.
(9.1.0) Add details to the logging of restartpoints and checkpoints, which is controlled by log_checkpoints (Fujii Masao, Greg Smith)
New details include WAL file and sync activity.
(9.1.0) Add log_file_mode which controls the permissions on log files created by the logging collector (Martin Pihlak)
(9.1.0) Reduce the default maximum line length for syslog logging to 900 bytes plus prefixes (Noah Misch)
This avoids truncation of long log lines on syslog implementations that have a 1KB length limit, rather than the more common 2KB.
(9.1.0) Add client_hostname column to pg_stat_activity (Peter Eisentraut)
Previously only the client address was reported.
(9.1.0) Add pg_stat_xact_* statistics functions and views (Joel Jacobson)
These are like the database-wide statistics counter views, but reflect counts for only the current transaction.
(9.1.0) Add time of last reset in database-level and background writer statistics views (Tomas Vondra)
(9.1.0) Add columns showing the number of vacuum and analyze operations in pg_stat_*_tables views (Magnus Hagander)
(9.1.0) Add buffers_backend_fsync column to pg_stat_bgwriter (Greg Smith)
This new column counts the number of times a backend fsyncs a buffer.
(9.1.0) Provide auto-tuning of wal_buffers (Greg Smith)
By default, the value of wal_buffers is now chosen automatically based on the value of shared_buffers.
(9.1.0) Increase the maximum values for deadlock_timeout, log_min_duration_statement, and log_autovacuum_min_duration (Peter Eisentraut)
The maximum value for each of these parameters was previously only about 35 minutes. Much larger values are now allowed.
(9.1.0) Allow synchronous replication (Simon Riggs, Fujii Masao)
This allows the primary server to wait for a standby to write a transaction's information to disk before acknowledging the commit. One standby at a time can take the role of the synchronous standby, as controlled by the synchronous_standby_names setting. Synchronous replication can be enabled or disabled on a per-transaction basis using the synchronous_commit setting.
(9.1.0) Add protocol support for sending file system backups to standby servers using the streaming replication network connection (Magnus Hagander, Heikki Linnakangas)
This avoids the requirement of manually transferring a file system backup when setting up a standby server.
(9.1.0) Add replication_timeout setting (Fujii Masao, Heikki Linnakangas)
Replication connections that are idle for more than the replication_timeout interval will be terminated automatically. Formerly, a failed connection was typically not detected until the TCP timeout elapsed, which is inconveniently long in many situations.
(9.1.0) Add command-line tool pg_basebackup for creating a new standby server or database backup (Magnus Hagander)
(9.1.0) Add a replication permission for roles (Magnus Hagander)
This is a read-only permission used for streaming replication. It allows a non-superuser role to be used for replication connections. Previously only superusers could initiate replication connections; superusers still have this permission by default.
(9.1.0) Add system view pg_stat_replication which displays activity of WAL sender processes (Itagaki Takahiro, Simon Riggs)
This reports the status of all connected standby servers.
(9.1.0) Add monitoring function pg_last_xact_replay_timestamp()
(Fujii
Masao)
This returns the time at which the primary generated the most recent commit or abort record applied on the standby.
(9.1.0) Add configuration parameter hot_standby_feedback to enable standbys to postpone cleanup of old row versions on the primary (Simon Riggs)
This helps avoid canceling long-running queries on the standby.
(9.1.0) Add the pg_stat_database_conflicts system view to show queries that have been canceled and the reason (Magnus Hagander)
Cancellations can occur because of dropped tablespaces, lock timeouts, old snapshots, pinned buffers, and deadlocks.
(9.1.0) Add a conflicts count to pg_stat_database (Magnus Hagander)
This is the number of conflicts that occurred in the database.
(9.1.0) Increase the maximum values for max_standby_archive_delay and max_standby_streaming_delay
The maximum value for each of these parameters was previously only about 35 minutes. Much larger values are now allowed.
(9.1.0) Add ERRCODE_T_R_DATABASE_DROPPED error code to report recovery conflicts due to dropped databases (Tatsuo Ishii)
This is useful for connection pooling software.
(9.1.0) Add functions to control streaming replication replay (Simon Riggs)
The new functions are
pg_xlog_replay_pause()
,
pg_xlog_replay_resume()
, and the status function
pg_is_xlog_replay_paused()
.
(9.1.0) Add recovery.conf setting pause_at_recovery_target to pause recovery at target (Simon Riggs)
This allows a recovery server to be queried to check whether the recovery point is the one desired.
(9.1.0) Add the ability to create named restore points using pg_create_restore_point()
(Jaime
Casanova)
These named restore points can be specified as recovery targets using the new recovery.conf setting recovery_target_name.
(9.1.0) Allow standby recovery to switch to a new timeline automatically (Heikki Linnakangas)
Now standby servers scan the archive directory for new timelines periodically.
(9.1.0) Add restart_after_crash setting which disables automatic server restart after a backend crash (Robert Haas)
This allows external cluster management software to control whether the database server restarts or not.
(9.1.0) Allow recovery.conf to use the same quoting behavior as postgresql.conf (Dimitri Fontaine)
Previously all values had to be quoted.
(9.1.0) Add a true serializable isolation level (Kevin Grittner, Dan Ports)
Previously, asking for serializable isolation guaranteed only that a single MVCC snapshot would be used for the entire transaction, which allowed certain documented anomalies. The old snapshot isolation behavior is still available by requesting the REPEATABLE READ isolation level.
(9.1.0) Allow data-modification commands (INSERT/UPDATE/DELETE) in WITH clauses (Marko Tiikkaja, Hitoshi Harada)
These commands can use RETURNING to pass data up to the containing query.
(9.1.0) Allow WITH clauses to be attached to INSERT, UPDATE, DELETE statements (Marko Tiikkaja, Hitoshi Harada)
(9.1.0) Allow non-GROUP BY columns in the query target list when the primary key is specified in the GROUP BY clause (Peter Eisentraut)
The SQL standard allows this behavior, and because of the primary key, the result is unambiguous.
(9.1.0) Allow use of the key word DISTINCT in UNION/INTERSECT/EXCEPT clauses (Tom Lane)
DISTINCT is the default behavior so use of this key word is redundant, but the SQL standard allows it.
(9.1.0) Fix ordinary queries with rules to use the same snapshot behavior as EXPLAIN ANALYZE (Marko Tiikkaja)
Previously EXPLAIN ANALYZE used slightly different snapshot timing for queries involving rules. The EXPLAIN ANALYZE behavior was judged to be more logical.
(9.1.0) Add per-column collation support (Peter Eisentraut, Tom Lane)
Previously collation (the sort ordering of text strings) could only be chosen at database creation. Collation can now be set per column, domain, index, or expression, via the SQL-standard COLLATE clause.
(9.1.0) Add extensions which simplify packaging of additions to PostgreSQL (Dimitri Fontaine, Tom Lane)
Extensions are controlled by the new CREATE/ALTER/DROP EXTENSION commands. This replaces ad-hoc methods of grouping objects that are added to a PostgreSQL installation.
(9.1.0) Add support for foreign tables (Shigeru Hanada, Robert Haas, Jan Urbanski, Heikki Linnakangas)
This allows data stored outside the database to be used like native PostgreSQL-stored data. Foreign tables are currently read-only, however.
(9.1.0) Allow new values to be added to an existing enum type via ALTER TYPE (Andrew Dunstan)
(9.1.0) Add ALTER TYPE ... ADD/DROP/ALTER/RENAME ATTRIBUTE (Peter Eisentraut)
This allows modification of composite types.
(9.1.0) Add RESTRICT/CASCADE to ALTER TYPE operations on typed tables (Peter Eisentraut)
This controls ADD/DROP/ALTER/RENAME ATTRIBUTE cascading behavior.
(9.1.0) Support ALTER TABLE name {OF | NOT OF} type (Noah Misch)
This syntax allows a standalone table to be made into a typed table, or a typed table to be made standalone.
(9.1.0) Add support for more object types in ALTER ... SET SCHEMA commands (Dimitri Fontaine)
This command is now supported for conversions, operators, operator classes, operator families, text search configurations, text search dictionaries, text search parsers, and text search templates.
(9.1.0) Add ALTER TABLE ... ADD UNIQUE/PRIMARY KEY USING INDEX (Gurjeet Singh)
This allows a primary key or unique constraint to be defined using an existing unique index, including a concurrently created unique index.
(9.1.0) Allow ALTER TABLE to add foreign keys without validation (Simon Riggs)
The new option is called NOT VALID. The constraint's state can later be modified to VALIDATED and validation checks performed. Together these allow you to add a foreign key with minimal impact on read and write operations.
(9.1.0) Allow ALTER TABLE ... SET DATA TYPE to avoid table rewrites in appropriate cases (Noah Misch, Robert Haas)
For example, converting a varchar column to text no longer requires a rewrite of the table. However, increasing the length constraint on a varchar column still requires a table rewrite.
(9.1.0) Add CREATE TABLE IF NOT EXISTS syntax (Robert Haas)
This allows table creation without causing an error if the table already exists.
(9.1.0) Fix possible "tuple concurrently updated" error when two backends attempt to add an inheritance child to the same table at the same time (Robert Haas)
ALTER TABLE now takes a stronger lock on the parent table, so that the sessions cannot try to update it simultaneously.
(9.1.0) Add a SECURITY LABEL command (KaiGai Kohei)
This allows security labels to be assigned to objects.
(9.1.0) Add transaction-level advisory locks (Marko Tiikkaja)
These are similar to the existing session-level advisory locks, but such locks are automatically released at transaction end.
(9.1.0) Make TRUNCATE ... RESTART IDENTITY restart sequences transactionally (Steve Singer)
Previously the counter could have been left out of sync if a backend crashed between the on-commit truncation activity and commit completion.
(9.1.0) Add ENCODING option to COPY TO/FROM (Hitoshi Harada, Itagaki Takahiro)
This allows the encoding of the COPY file to be specified separately from client encoding.
(9.1.0) Add bidirectional COPY protocol support (Fujii Masao)
This is currently only used by streaming replication.
(9.1.0) Make EXPLAIN VERBOSE show the function call expression in a FunctionScan node (Tom Lane)
(9.1.0) Add additional details to the output of VACUUM FULL VERBOSE and CLUSTER VERBOSE (Itagaki Takahiro)
New information includes the live and dead tuple count and whether CLUSTER is using an index to rebuild.
(9.1.0) Prevent autovacuum from waiting if it cannot acquire a table lock (Robert Haas)
It will try to vacuum that table later.
(9.1.0) Allow CLUSTER to sort the table rather than scanning the index when it seems likely to be cheaper (Leonardo Francalanci)
(9.1.0) Add nearest-neighbor (order-by-operator) searching to GiST indexes (Teodor Sigaev, Tom Lane)
This allows GiST indexes to quickly return the N closest values in a query with LIMIT. For example
SELECT * FROM places ORDER BY location <-> point '(101,456)' LIMIT 10;
finds the ten places closest to a given target point.
(9.1.0) Allow GIN indexes to index null and empty values (Tom Lane)
This allows full GIN index scans, and fixes various corner cases in which GIN scans would fail.
(9.1.0) Allow GIN indexes to better recognize duplicate search entries (Tom Lane)
This reduces the cost of index scans, especially in cases where it avoids unnecessary full index scans.
(9.1.0) Fix GiST indexes to be fully crash-safe (Heikki Linnakangas)
Previously there were rare cases where a REINDEX would be required (you would be informed).
(9.1.0) Allow numeric to use a more compact, two-byte header in common cases (Robert Haas)
Previously all numeric values had four-byte headers; this change saves on disk storage.
(9.1.0) Add support for dividing money by money (Andy Balholm)
(9.1.0) Allow binary I/O on type void (Radoslaw Smogura)
(9.1.0) Improve hypotenuse calculations for geometric operators (Paul Matthews)
This avoids unnecessary overflows, and may also be more accurate.
(9.1.0) Support hashing array values (Tom Lane)
This provides additional query optimization possibilities.
(9.1.0) Don't treat a composite type as sortable unless all its column types are sortable (Tom Lane)
This avoids possible "could not identify a comparison function" failures at runtime, if it is possible to implement the query without sorting. Also, ANALYZE won't try to use inappropriate statistics-gathering methods for columns of such composite types.
(9.1.0) Add support for casting between money and numeric (Andy Balholm)
(9.1.0) Add support for casting from int4 and int8 to money (Joey Adams)
(9.1.0) Allow casting a table's row type to the table's supertype if it's a typed table (Peter Eisentraut)
This is analogous to the existing facility that allows casting a row type to a supertable's row type.
(9.1.0) Add XML function XMLEXISTS and xpath_exists()
functions (Mike Fowler)
These are used for XPath matching.
(9.1.0) Add XML functions xml_is_well_formed()
, xml_is_well_formed_document()
, xml_is_well_formed_content()
(Mike
Fowler)
These check whether the input is properly-formed XML. They provide functionality that was previously available only in the deprecated contrib/xml2 module.
(9.1.0) Add SQL function format(text,
...)
, which behaves analogously to C's printf()
(Pavel Stehule, Robert Haas)
It currently supports formats for strings, SQL literals, and SQL identifiers.
(9.1.0) Add string functions concat()
, concat_ws()
, left()
, right()
, and reverse()
(Pavel Stehule)
These improve compatibility with other database products.
(9.1.0) Add function pg_read_binary_file()
to read binary files
(Dimitri Fontaine, Itagaki Takahiro)
(9.1.0) Add a single-parameter version of function pg_read_file()
to read an entire file
(Dimitri Fontaine, Itagaki Takahiro)
(9.1.0) Add three-parameter forms of array_to_string()
and string_to_array()
for null value processing
control (Pavel Stehule)
(9.1.0) Add the pg_describe_object()
function (Álvaro
Herrera)
This function is used to obtain a human-readable string describing an object, based on the pg_class OID, object OID, and sub-object ID. It can be used to help interpret the contents of pg_depend.
(9.1.0) Update comments for built-in operators and their underlying functions (Tom Lane)
Functions that are meant to be used via an associated operator are now commented as such.
(9.1.0) Add variable
quote_all_identifiers to force the quoting of all
identifiers in EXPLAIN and in system
catalog functions like pg_get_viewdef()
(Robert Haas)
This makes exporting schemas to tools and other databases with different quoting rules easier.
(9.1.0) Add columns to the information_schema.sequences system view (Peter Eisentraut)
Previously, though the view existed, the columns about the sequence parameters were unimplemented.
(9.1.0) Allow public as a pseudo-role name in
has_table_privilege()
and related functions
(Álvaro Herrera)
This allows checking for public permissions.
(9.1.0) Support INSTEAD OF triggers on views (Dean Rasheed)
This feature can be used to implement fully updatable views.
(9.1.0) Add FOREACH IN ARRAY to PL/pgSQL (Pavel Stehule)
This is more efficient and readable than previous methods of iterating through the elements of an array value.
(9.1.0) Allow RAISE without parameters to be caught in the same places that could catch a RAISE ERROR from the same location (Piyush Newe)
The previous coding threw the error from the block containing the active exception handler. The new behavior is more consistent with other DBMS products.
(9.1.0) Allow generic record arguments to PL/Perl functions (Andrew Dunstan)
PL/Perl functions can now be declared to accept type record. The behavior is the same as for any named composite type.
(9.1.0) Convert PL/Perl array arguments to Perl arrays (Alexey Klyukin, Alex Hunsaker)
String representations are still available.
(9.1.0) Convert PL/Perl composite-type arguments to Perl hashes (Alexey Klyukin, Alex Hunsaker)
String representations are still available.
(9.1.0) Add table function support for PL/Python (Jan Urbanski)
PL/Python can now return multiple OUT parameters and record sets.
(9.1.0) Add a validator to PL/Python (Jan Urbanski)
This allows PL/Python functions to be syntax-checked at function creation time.
(9.1.0) Allow exceptions for SQL queries in PL/Python (Jan Urbanski)
This allows access to SQL-generated exception error codes from PL/Python exception blocks.
(9.1.0) Add explicit subtransactions to PL/Python (Jan Urbanski)
(9.1.0) Add PL/Python functions for quoting strings (Jan Urbanski)
These functions are plpy.quote_ident, plpy.quote_literal, and plpy.quote_nullable.
(9.1.0) Add traceback information to PL/Python errors (Jan Urbanski)
(9.1.0) Report PL/Python errors from iterators with PLy_elog (Jan Urbanski)
(9.1.0) Fix exception handling with Python 3 (Jan Urbanski)
Exception classes were previously not available in plpy under Python 3.
(9.1.0) Mark createlang and droplang as deprecated now that they just invoke extension commands (Tom Lane)
(9.1.0) Add psql command \conninfo to show current connection information (David Christensen)
(9.1.0) Add psql command \sf to show a function's definition (Pavel Stehule)
(9.1.0) Add psql command \dL to list languages (Fernando Ike)
(9.1.0) Add the S ("system") option to psql's \dn (list schemas) command (Tom Lane)
\dn without S now suppresses system schemas.
(9.1.0) Allow psql's \e and \ef commands to accept a line number to be used to position the cursor in the editor (Pavel Stehule)
This is passed to the editor according to the PSQL_EDITOR_LINENUMBER_ARG environment variable.
(9.1.0) Have psql set the client encoding from the operating system locale by default (Heikki Linnakangas)
This only happens if the PGCLIENTENCODING environment variable is not set.
(9.1.0) Make \d distinguish between unique indexes and unique constraints (Josh Kupershmidt)
(9.1.0) Make \dt+ report pg_table_size
instead of pg_relation_size
when talking to 9.0 or later
servers (Bernd Helmle)
This is a more useful measure of table size, but note that it is not identical to what was previously reported in the same display.
(9.1.0) Additional tab completion support (Itagaki Takahiro, Pavel Stehule, Andrey Popp, Christoph Berg, David Fetter, Josh Kupershmidt)
(9.1.0) Add pg_dump and pg_dumpall option --quote-all-identifiers to force quoting of all identifiers (Robert Haas)
(9.1.0) Add directory format to pg_dump (Joachim Wieland, Heikki Linnakangas)
This is internally similar to the tar pg_dump format.
(9.1.0) Fix pg_ctl so it no longer incorrectly reports that the server is not running (Bruce Momjian)
Previously this could happen if the server was running but pg_ctl could not authenticate.
(9.1.0) Improve pg_ctl start's "wait" (-w) option (Bruce Momjian, Tom Lane)
The wait mode is now significantly more robust. It will not get confused by non-default postmaster port numbers, non-default Unix-domain socket locations, permission problems, or stale postmaster lock files.
(9.1.0) Add promote option to pg_ctl to switch a standby server to primary (Fujii Masao)
(9.1.0) Add a libpq connection option client_encoding which behaves like the PGCLIENTENCODING environment variable (Heikki Linnakangas)
The value auto sets the client encoding based on the operating system locale.
(9.1.0) Add PQlibVersion()
function which returns the
libpq library version (Magnus Hagander)
libpq already had PQserverVersion()
which returns the server
version.
(9.1.0) Allow libpq-using clients to check the user name of the server process when connecting via Unix-domain sockets, with the new requirepeer connection option (Peter Eisentraut)
PostgreSQL already allowed servers to check the client user name when connecting via Unix-domain sockets.
(9.1.0) Add PQping()
and PQpingParams()
to libpq (Bruce Momjian, Tom
Lane)
These functions allow detection of the server's status without trying to open a new session.
(9.1.0) Allow ECPG to accept dynamic cursor names even in WHERE CURRENT OF clauses (Zoltan Boszormenyi)
(9.1.0) Make ecpglib write double values with a precision of 15 digits, not 14 as formerly (Akira Kurosawa)
(9.1.0) Use +Olibmerrno compile flag with HP-UX C compilers that accept it (Ibrar Ahmed)
This avoids possible misbehavior of math library calls on recent HP platforms.
(9.1.0) Improved parallel make support (Peter Eisentraut)
This allows for faster compiles. Also, make -k now works more consistently.
(9.1.0) Require GNU make 3.80 or newer (Peter Eisentraut)
This is necessary because of the parallel-make improvements.
(9.1.0) Add make maintainer-check target (Peter Eisentraut)
This target performs various source code checks that are not appropriate for either the build or the regression tests. Currently: duplicate_oids, SGML syntax and tabs check, NLS syntax check.
(9.1.0) Support make check in contrib (Peter Eisentraut)
Formerly only make installcheck worked, but now there is support for testing in a temporary installation. The top-level make check-world target now includes testing contrib this way.
(9.1.0) On Windows, allow pg_ctl to register the service as auto-start or start-on-demand (Quan Zongliang)
(9.1.0) Add support for collecting crash dumps on Windows (Craig Ringer, Magnus Hagander)
minidumps can now be generated by non-debug Windows binaries and analyzed by standard debugging tools.
(9.1.0) Enable building with the MinGW64 compiler (Andrew Dunstan)
This allows building 64-bit Windows binaries even on non-Windows platforms via cross-compiling.
(9.1.0) Revise the API for GUC variable assign hooks (Tom Lane)
The previous functions of assign hooks are now split between check hooks and assign hooks, where the former can fail but the latter shouldn't. This change will impact add-on modules that define custom GUC parameters.
(9.1.0) Add latches to the source code to support waiting for events (Heikki Linnakangas)
(9.1.0) Centralize data modification permissions-checking logic (KaiGai Kohei)
(9.1.0) Add missing get_object_oid()
functions, for
consistency (Robert Haas)
(9.1.0) Improve ability to use C++ compilers for compiling add-on modules by removing conflicting key words (Tom Lane)
(9.1.0) Add support for DragonFly BSD (Rumko)
(9.1.0) Expose quote_literal_cstr()
for
backend use (Robert Haas)
(9.1.0) Run regression tests in the default encoding (Peter Eisentraut)
Regression tests were previously always run with SQL_ASCII encoding.
(9.1.0) Add src/tools/git_changelog to replace cvs2cl and pgcvslog (Robert Haas, Tom Lane)
(9.1.0) Add git-external-diff script to src/tools (Bruce Momjian)
This is used to generate context diffs from git.
(9.1.0) Improve support for building with Clang (Peter Eisentraut)
(9.1.0) Add source code hooks to check permissions (Robert Haas, Stephen Frost)
(9.1.0) Add post-object-creation function hooks for use by security frameworks (KaiGai Kohei)
(9.1.0) Add a client authentication hook (KaiGai Kohei)
(9.1.0) Modify contrib modules and procedural languages to install via the new extension mechanism (Tom Lane, Dimitri Fontaine)
(9.1.0) Add contrib/file_fdw foreign-data wrapper (Shigeru Hanada)
Foreign tables using this foreign data wrapper can read flat files in a manner very similar to COPY.
(9.1.0) Add nearest-neighbor search support to contrib/pg_trgm and contrib/btree_gist (Teodor Sigaev)
(9.1.0) Add contrib/btree_gist support for searching on not-equals (Jeff Davis)
(9.1.0) Fix contrib/fuzzystrmatch's levenshtein()
function to handle multibyte
characters (Alexander Korotkov)
(9.1.0) Add ssl_cipher()
and ssl_version()
functions to contrib/sslinfo
(Robert Haas)
(9.1.0) Fix contrib/intarray and contrib/hstore to give consistent results with indexed empty arrays (Tom Lane)
Previously an empty-array query that used an index might return different results from one that used a sequential scan.
(9.1.0) Allow contrib/intarray to work properly on multidimensional arrays (Tom Lane)
(9.1.0) In contrib/intarray, avoid errors complaining about the presence of nulls in cases where no nulls are actually present (Tom Lane)
(9.1.0) In contrib/intarray, fix behavior of containment operators with respect to empty arrays (Tom Lane)
Empty arrays are now correctly considered to be contained in any other array.
(9.1.0) Remove contrib/xml2's arbitrary limit on the number of
parameter=value pairs that can be handled by
xslt_process()
(Pavel Stehule)
The previous limit was 10.
(9.1.0) In contrib/pageinspect, fix heap_page_item to return infomasks as 32-bit values (Álvaro Herrera)
This avoids returning negative values, which was confusing. The underlying value is a 16-bit unsigned integer.
(9.1.0) Add contrib/sepgsql to interface permission checks with SELinux (KaiGai Kohei)
This uses the new SECURITY LABEL facility.
(9.1.0) Add contrib module auth_delay (KaiGai Kohei)
This causes the server to pause before returning authentication failure; it is designed to make brute force password attacks more difficult.
(9.1.0) Add dummy_seclabel contrib module (KaiGai Kohei)
This is used for permission regression testing.
(9.1.0) Add support for LIKE and ILIKE index searches to contrib/pg_trgm (Alexander Korotkov)
(9.1.0) Add levenshtein_less_equal()
function to contrib/fuzzystrmatch, which is optimized for
small distances (Alexander Korotkov)
(9.1.0) Improve performance of index lookups on contrib/seg columns (Alexander Korotkov)
(9.1.0) Improve performance of pg_upgrade for databases with many relations (Bruce Momjian)
(9.1.0) Add flag to contrib/pgbench to report per-statement latencies (Florian Pflug)
(9.1.0) Move src/tools/test_fsync to contrib/pg_test_fsync (Bruce Momjian, Tom Lane)
(9.1.0) Add O_DIRECT support to contrib/pg_test_fsync (Bruce Momjian)
This matches the use of O_DIRECT by wal_sync_method.
(9.1.0) Add new tests to contrib/pg_test_fsync (Bruce Momjian)
(9.1.0) Extensive ECPG documentation improvements (Satoshi Nagayasu)
(9.1.0) Extensive proofreading and documentation improvements (Thom Brown, Josh Kupershmidt, Susanne Ebrecht)
(9.1.0) Add documentation for exit_on_error (Robert Haas)
This parameter causes sessions to exit on any error.
(9.1.0) Add documentation for pg_options_to_table()
(Josh Berkus)
This function shows table storage options in a readable form.
(9.1.0) Document that it is possible to access all composite type fields using (compositeval).* syntax (Peter Eisentraut)
(9.1.0) Document that translate()
removes characters in from that don't have a corresponding to character (Josh Kupershmidt)
(9.1.0) Merge documentation for CREATE CONSTRAINT TRIGGER and CREATE TRIGGER (Álvaro Herrera)
(9.1.0) Centralize permission and upgrade documentation (Bruce Momjian)
(9.1.0) Add kernel tuning documentation for Solaris 10 (Josh Berkus)
Previously only Solaris 9 kernel tuning was documented.
(9.1.0) Handle non-ASCII characters consistently in HISTORY file (Peter Eisentraut)
While the HISTORY file is in English, we do have to deal with non-ASCII letters in contributor names. These are now transliterated so that they are reasonably legible without assumptions about character set.
Release date: 2015-10-08
This release contains a variety of fixes from 9.0.22. For information about new features in the 9.0 major release, see Version 9.0.0.
This is expected to be the last PostgreSQL release in the 9.0.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18, see Version 9.0.18.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix contrib/pgcrypto to detect and
report too-short crypt()
salts (Josh
Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. CVE-2015-5288 or CVE-2015-5288)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
(9.0.23,9.3.10,9.2.14,9.1.19) Avoid O (N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
(9.0.23,9.3.10,9.2.14,9.1.19) Improve LISTEN startup time when there are many unread notifications (Matt Newell)
(9.0.23,9.3.10,9.2.14,9.1.19) Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
(9.0.23,9.3.10,9.2.14,9.1.19) Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
(9.0.23,9.3.10,9.2.14,9.1.19) Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
(9.0.23,9.3.10,9.2.14,9.1.19) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
(9.0.23,9.3.10,9.2.14,9.1.19) Add more query-cancel checks to regular expression matching (Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix low-probability memory leak during regular expression execution (Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix very-low-probability stack overrun in qsort
(Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
(9.0.23,9.1.19) Use fuzzy path cost tiebreaking rule in all supported branches (Tom Lane)
This change is meant to avoid platform-specific behavior when alternative plan choices have effectively-identical estimated costs.
(9.0.23,9.3.10,9.2.14,9.1.19) During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
(9.0.23,9.3.10,9.2.14,9.1.19) Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Ãlvaro Herrera)
(9.0.23,9.3.10,9.2.14,9.1.19) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
(9.0.23,9.3.10,9.2.14,9.1.19) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix some places in PL/Tcl that
neglected to check for failure of malloc()
calls (Michael Paquier, Ãlvaro
Herrera)
(9.0.23,9.3.10,9.2.14,9.1.19) Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
(9.0.23,9.3.10,9.2.14,9.1.19) Prevent crash in psql's \c command when there is no current connection (Noah Misch)
(9.0.23,9.3.10,9.2.14,9.1.19) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
(9.0.23,9.1.19) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
(9.0.23,9.3.10,9.2.14,9.1.19) Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
(9.0.23,9.3.10,9.2.14,9.1.19) On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
(9.0.23,9.3.10,9.2.14,9.1.19) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
(9.0.23,9.3.10,9.2.14,9.1.19) Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
(9.0.23,9.3.10,9.2.14,9.1.19) Use librt for sched_yield()
when necessary, which it is on some
Solaris versions (Oskari Saarenmaa)
(9.0.23,9.3.10,9.2.14,9.1.19) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
(9.0.23,9.3.10,9.2.14,9.1.19) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
(9.0.23,9.3.10,9.2.14,9.1.19) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.
Release date: 2015-06-12
This release contains a small number of fixes from 9.0.21. For information about new features in the 9.0 major release, see Version 9.0.0.
The PostgreSQL community will stop releasing updates for the 9.0.X release series in September 2015. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18, see Version 9.0.18.
(9.0.22,9.3.9,9.2.13,9.1.18) Fix rare failure to invalidate relation cache init file (Tom Lane)
With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.
(9.0.22,9.3.9,9.2.13,9.1.18) Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)
A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.
Release date: 2015-06-04
This release contains a small number of fixes from 9.0.20. For information about new features in the 9.0 major release, see Version 9.0.0.
The PostgreSQL community will stop releasing updates for the 9.0.X release series in September 2015. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18, see Version 9.0.18.
(9.0.21,9.2.12,9.1.17) Avoid failures while fsync
'ing
data directory during crash restart (Abhijit Menon-Sen, Tom
Lane)
In the previous minor releases we added a patch to fsync
everything in the data directory after a
crash. Unfortunately its response to any error condition was to
fail, thereby preventing the server from starting up, even when the
problem was quite harmless. An example is that an unwritable file
in the data directory would prevent restart on some platforms; but
it is common to make SSL certificate files unwritable by the
server. Revise this behavior so that permissions failures are
ignored altogether, and other types of failures are logged but do
not prevent continuing.
(9.0.21,9.3.8,9.2.12,9.1.17) Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane)
The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.
(9.0.21,9.3.8,9.2.12,9.1.17) Allow libpq to use TLS protocol versions beyond v1 (Noah Misch)
For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0.
Release date: 2015-05-22
This release contains a variety of fixes from 9.0.19. For information about new features in the 9.0 major release, see Version 9.0.0.
The PostgreSQL community will stop releasing updates for the 9.0.X release series in September 2015. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18, see Version 9.0.18.
(9.0.20,9.3.7,9.2.11,9.1.16) Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. CVE-2015-3165 or CVE-2015-3165)
(9.0.20,9.3.7,9.2.11,9.1.16) Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf()
failed to check for errors reported by
the underlying system library calls; the main case that might be
missed is out-of-memory situations. In the worst case this might
lead to information exposure, due to our code assuming that a
buffer had been overwritten when it hadn't been. Also, there were a
few places in which security-relevant calls of other system library
functions did not check for failure.
It remains possible that some calls of the *printf()
family of functions are vulnerable to
information disclosure if an out-of-memory error occurs at just the
wrong time. We judge the risk to not be large, but will continue
analysis in this area. CVE-2015-3166 or CVE-2015-3166)
(9.0.20,9.3.7,9.2.11,9.1.16) In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data" (Noah Misch)
Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. CVE-2015-3167 or CVE-2015-3167)
(9.0.20,9.3.7,9.2.11,9.1.16) Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
(9.0.20,9.3.7,9.2.11,9.1.16) Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)
This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
(9.0.20,9.3.7,9.2.11,9.1.16) Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)
Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
(9.0.20,9.3.7,9.2.11,9.1.16) Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
(9.0.20,9.3.7,9.2.11,9.1.16) Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)
(9.0.20,9.3.7,9.2.11,9.1.16) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)
(9.0.20,9.2.11,9.1.16) Avoid "cannot GetMultiXactIdMembers() during recovery" error (Ãlvaro Herrera)
(9.0.20,9.3.7,9.2.11,9.1.16) Recursively fsync()
the data
directory after a crash (Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
(9.0.20,9.3.7,9.2.11,9.1.16) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Ãlvaro Herrera)
(9.0.20,9.3.7,9.2.11,9.1.16) Cope with unexpected signals in LockBufferForCleanup()
(Andres Freund)
This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
(9.0.20,9.3.7,9.2.11,9.1.16) Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)
Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
(9.0.20,9.3.7,9.2.11,9.1.16) Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)
(9.0.20,9.3.7,9.2.11,9.1.16) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)
(9.0.20,9.3.7,9.2.11,9.1.16) Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
(9.0.20,9.3.7,9.2.11,9.1.16) Add the name of the target server to object description strings for foreign-server user mappings (Ãlvaro Herrera)
(9.0.20,9.3.7,9.2.11,9.1.16) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
(9.0.20,9.3.7,9.2.11,9.1.16) Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
(9.0.20,9.3.7,9.2.11,9.1.16) While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)
(9.0.20,9.3.7,9.2.11,9.1.16) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it's important to drain the
input buffer every so often, in case the server has sent enough
response data to cause it to block on output. (A typical scenario
is that the server is sending a stream of NOTICE messages during
COPY FROM STDIN.) This worked properly in
the normal blocking mode, but not so much in non-blocking mode.
We've modified libpq to
opportunistically drain input when it can, but a full defense
against this problem requires application cooperation: the
application should watch for socket read-ready as well as
write-ready conditions, and be sure to call PQconsumeInput()
upon read-ready.
(9.0.20,9.3.7,9.2.11,9.1.16) Fix array handling in ecpg (Michael Meskes)
(9.0.20,9.3.7,9.2.11,9.1.16) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Ãlvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
(9.0.20,9.3.7,9.2.11,9.1.16) Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)
This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
(9.0.20,9.3.7,9.2.11,9.1.16) Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)
(9.0.20,9.3.7,9.2.11,9.1.16) Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)
(9.0.20,9.3.7,9.2.11,9.1.16) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
(9.0.20,9.3.7,9.2.11,9.1.16) In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)
(9.0.20,9.3.7,9.2.11,9.1.16) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)
(9.0.20,9.3.7,9.2.11,9.1.16) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
(9.0.20,9.3.7,9.2.11,9.1.16) Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem)
(9.0.20,9.3.7,9.2.11,9.1.16) Fix slow sorting algorithm in contrib/intarray (Tom Lane)
(9.0.20,9.4.2,9.3.7,9.2.11,9.1.16) Fix compile failure on Sparc V8 machines (Rob Rowan)
(9.0.20,9.3.7,9.2.11,9.1.16) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).
Release date: 2015-02-05
This release contains a variety of fixes from 9.0.18. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18, see Version 9.0.18.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix buffer overruns in to_char()
(Bruce Momjian)
When to_char()
processes a numeric
formatting template calling for a large number of digits,
PostgreSQL would read past the end
of a buffer. When processing a crafted timestamp formatting
template, PostgreSQL would write
past the end of a buffer. Either case could crash the server. We
have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
CVE-2015-0241 or CVE-2015-0241)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix buffer overrun in replacement *printf()
functions (Tom Lane)
PostgreSQL includes a
replacement implementation of printf
and related functions. This code will overrun a stack buffer when
formatting a floating point number (conversion specifiers
e, E, f, F, g or G) with requested
precision greater than about 500. This will crash the server, and
we have not ruled out the possibility of attacks that lead to
privilege escalation. A database user can trigger such a buffer
overrun through the to_char()
SQL
function. While that is the only affected core PostgreSQL functionality, extension modules
that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. CVE-2015-0242 or CVE-2015-0242)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. CVE-2015-0243 or CVE-2015-0243)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. CVE-2015-0244 or CVE-2015-0244)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. CVE-2014-8161 or CVE-2014-8161)
(9.0.19,9.3.6,9.2.10,9.1.15) Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. CVE-2014-0067 or CVE-2014-0067)
(9.0.19,9.3.6,9.2.10,9.1.15) Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane)
(9.0.19,9.3.6,9.2.10,9.1.15) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier)
If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi)
In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane)
In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table.
(9.0.19,9.3.6,9.2.10,9.1.15) Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley)
This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix bugs in raising a numeric value to a large integral power (Tom Lane)
The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow.
(9.0.19,9.3.6,9.2.10,9.1.15) In numeric_recv()
, truncate away
any fractional digits that would be hidden according to the value's
dscale field (Tom Lane)
A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such "hidden" digits on receipt, so that the value is indeed what it prints as.
(9.0.19,9.3.6,9.2.10,9.1.15) Reject out-of-range numeric timezone specifications (Tom Lane)
Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas)
Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms.
(9.0.19,9.3.6,9.2.10,9.1.15) Improve ispell dictionary's defenses against bad affix files (Tom Lane)
(9.0.19,9.3.6,9.2.10,9.1.15) Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix namespace handling in xpath()
(Ali Akbar)
Previously, the xml value resulting from
an xpath()
call would not have
namespace declarations if the namespace declarations were attached
to an ancestor element in the input xml
value, rather than to the specific element being returned.
Propagate the ancestral declaration so that the result is correct
when considered in isolation.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane)
(9.0.19,9.3.6,9.2.10,9.1.15) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth)
(9.0.19,9.3.6,9.2.10,9.1.15) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Ãlvaro Herrera)
The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity.
(9.0.19,9.1.15) Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane)
Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas)
This mistake could result in transient errors in queries being executed in hot standby.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas)
The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit.
(9.0.19,9.3.6,9.2.10,9.1.15) Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao)
(9.0.19,9.3.6,9.2.10,9.1.15) Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".
(9.0.19,9.3.6,9.2.10,9.1.15) Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund)
(9.0.19) Warn if OS X's setlocale()
starts
an unwanted extra thread inside the postmaster (Noah Misch)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix processing of repeated dbname
parameters in PQconnectdbParams()
(Alex Shulgin)
Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded.
(9.0.19,9.3.6,9.2.10,9.1.15) Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane)
Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket.
(9.0.19,9.3.6,9.2.10,9.1.15) Clear any old error message during PQreset()
(Heikki Linnakangas)
If PQreset()
is called repeatedly,
and the connection cannot be re-established, error messages from
the failed connection attempts kept accumulating in the PGconn's error string.
(9.0.19,9.3.6,9.2.10,9.1.15) Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix array overrun in ecpg's
version of ParseDateTime()
(Michael
Paquier)
(9.0.19,9.3.6,9.2.10,9.1.15) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane)
When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate.
This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved.
(9.0.19,9.3.6,9.2.10,9.1.15) Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia)
(9.0.19,9.3.6,9.2.10,9.1.15) Fix block number checking in contrib/pageinspect's get_raw_page()
(Tom Lane)
The incorrect checking logic could prevent access to some pages in non-main relation forks.
(9.0.19,9.3.6,9.2.10,9.1.15) Fix contrib/pgcrypto's pgp_sym_decrypt()
to not fail on messages whose
length is 6 less than a power of 2 (Marko Tiikkaja)
(9.0.19,9.3.6,9.2.10,9.1.15) Handle unexpected query results, especially NULLs, safely in
contrib/tablefunc's connectby()
(Michael Paquier)
connectby()
previously crashed if
it encountered a NULL key value. It now prints that row but doesn't
recurse further.
(9.0.19,9.3.6,9.2.10,9.1.15) Avoid a possible crash in contrib/xml2's xslt_process()
(Mark Simonetti)
libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash.
(9.0.19,9.3.6,9.2.10,9.1.15) Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
(9.0.19,9.3.6,9.2.10,9.1.15) Detect incompatible OpenLDAP versions during build (Noah Misch)
With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test.
(9.0.19,9.3.6,9.2.10,9.1.15) In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch)
(9.0.19,9.3.6,9.2.10,9.1.15) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.
(9.0.19,9.3.6,9.2.10,9.1.15) Support time zone abbreviations that change UTC offset from time to time (Tom Lane)
Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
(9.0.19,9.3.6,9.2.10,9.1.15) Update time zone abbreviations lists (Tom Lane)
Add CST (China Standard Time) to our lists. Remove references to ADT as "Arabia Daylight Time", an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with "Atlantic Daylight Time" doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line.
(9.0.19,9.1.15) Update time zone data files to tzdata release 2015a.
The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our "Default" timezone abbreviation set. The "Australia" abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the "Default" abbreviation set.
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data.
Release date: 2014-07-24
This release contains a variety of fixes from 9.0.17. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so.
Also, if you are upgrading from a version earlier than 9.0.15, see Version 9.0.15.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
(9.0.18,9.3.5,9.2.9,9.1.14) Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas)
This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix possibly-incorrect cache invalidation during nested calls to
ReceiveSharedInvalidMessages
(Andres
Freund)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix failure to detoast fields in composite elements of structured types (Tom Lane)
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes (Tom Lane)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix data encoding error in hungarian.stop (Tom Lane)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix REASSIGN OWNED to not fail for text search objects (Ãlvaro Herrera)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Block signals during postmaster startup (Tom Lane)
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted inCVE-2014-0067 or CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
(9.0.18,9.3.5,9.2.9,9.1.14) Fix tablespace creation WAL replay to work on Windows (MauMau)
(9.0.18,9.3.5,9.2.9,9.1.14) Fix detection of socket creation failures on Windows (Bruce Momjian)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file (Amit Kapila)
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Properly quote executable path names on Windows (Nikhil Deshpande)
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.
(9.0.18,8.4.22) Fix linking of libpython on OS X (Tom Lane)
The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)
libpq could be coerced into
enlarging its input buffer until it runs out of memory (which would
be reported misleadingly as "lost
synchronization with server"). Under ordinary circumstances
it's quite far-fetched that data could be continuously transmitted
more quickly than the recv()
loop can
absorb it, but this has been observed when the client is
artificially slowed by scheduler constraints.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)
(9.0.18,9.3.5,9.2.9,9.1.14) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Fix pg_restore's processing of old-style large object comments (Tom Lane)
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
(9.0.18,9.3.5,9.2.9,9.1.14,8.4.22) Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.
Release date: 2014-03-20
This release contains a variety of fixes from 9.0.16. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.15, see Version 9.0.15.
(9.0.17,9.3.4,9.2.8,9.1.13,8.4.21) Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.
(9.0.17,9.3.4,9.2.8,9.1.13) Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja)
This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.
(9.0.17,9.3.4,9.2.8,9.1.13,8.4.21) Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time.
(9.0.17,9.3.4,9.2.8,9.1.13,8.4.21) Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.
(9.0.17,9.3.4,9.2.8,9.1.13,8.4.21) Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.
(9.0.17,9.3.4,9.2.8,9.1.13) Improve performance of index endpoint probes during planning (Tom Lane)
This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.
(9.0.17,9.3.4,9.2.8,9.1.13) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas)
(9.0.17,9.3.4,9.2.8,9.1.13,8.4.21) Prevent interrupts while reporting non-ERROR messages (Tom Lane)
This guards against rare server-process freezeups due to
recursive entry to syslog()
, and
perhaps other related problems.
(9.0.17,9.3.4,9.2.8,9.1.13) Prevent intermittent "could not reserve shared memory region" failures on recent Windows versions (MauMau)
(9.0.17,9.3.4,9.2.8,9.1.13,8.4.21) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.
Release date: 2014-02-20
This release contains a variety of fixes from 9.0.15. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.15, see Version 9.0.15.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. CVE-2014-0060 or CVE-2014-0060)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. CVE-2014-0061 or CVE-2014-0061)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. CVE-2014-0062 or CVE-2014-0062)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN constant was too small
for the longest possible value of type interval, allowing a buffer overrun in interval_out()
. Although the datetime input
functions were more careful about avoiding buffer overrun, the
limit was short enough to cause them to reject some valid inputs,
such as input containing a very long timezone name. The
ecpg library contained these
vulnerabilities along with some of its own. CVE-2014-0063 or CVE-2014-0063)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. CVE-2014-0064 or CVE-2014-0064)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
Use strlcpy()
and related
functions to provide a clear guarantee that fixed-size buffers are
not overrun. Unlike the preceding items, it is unclear whether
these cases really represent live issues, since in most cases there
appear to be previous constraints on the size of the input string.
Nonetheless it seems prudent to silence all Coverity warnings of
this type. CVE-2014-0065 or CVE-2014-0065)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Avoid crashing if crypt()
returns
NULL (Honza Horak, Bruce Momjian)
There are relatively few scenarios in which crypt()
could return NULL, but contrib/chkpass would crash if it did. One
practical case in which this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., "FIPS
mode"). CVE-2014-0066 or CVE-2014-0066)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. CVE-2014-0067 or CVE-2014-0067)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant "bloat" of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.
(9.0.16,9.3.3,9.2.7,9.1.12) Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas)
In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as "PANIC: WAL contains references to invalid pages" were also possible.
(9.0.16,9.3.3,9.2.7,9.1.12) Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)
This error could result in "PANIC: WAL contains references to invalid pages" failures.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a partial-page write during a system crash.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix possible crashes from using ereport()
too early during server startup (Tom
Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.
(9.0.16,9.3.3,9.2.7,9.1.12) Allow keywords that are type names to be used in lists of roles (Stephen Frost)
A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Ensure that ANALYZE creates statistics for a table column even when all the values in it are "too wide" (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix possible misbehavior in plainto_tsquery()
(Heikki Linnakangas)
Use memmove()
not memcpy()
for copying overlapping memory regions.
There have been no field reports of this actually causing trouble,
but it's certainly risky.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix misbehavior of PQhost()
on
Windows (Fujii Masao)
It should return localhost if no host has been specified.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix misaligned descriptors in ecpg (MauMau)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Ensure client-code-only installation procedure works as documented (Peter Eisentraut)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.
(9.0.16,9.3.3,9.2.7,9.1.12) Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.
(9.0.16,9.3.3,9.2.7,9.1.12,8.4.20) Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.
Release date: 2013-12-05
This release contains a variety of fixes from 9.0.14. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, this release corrects a number of potential data corruption issues. See the first two changelog entries below to find out whether your installation has been affected and what steps you can take if so.
Also, if you are upgrading from a version earlier than 9.0.13, see Version 9.0.13.
(9.0.15,9.1.11) Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)
In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).
(9.0.15,9.3.2,9.2.6,9.1.11) Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas)
This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading.
(9.0.15,9.3.2,9.2.6,9.1.11) Truncate pg_multixact contents during WAL replay (Andres Freund)
This avoids ever-increasing disk space consumption in standby servers.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)
This could lead to transient wrong answers or query failures.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)
This avoids unexpected results due to extra evaluations of the volatile function.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)
This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix premature deletion of temporary files (Andres Freund)
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix possible read past end of memory in rule printing (Peter Eisentraut)
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix array slicing of int2vector and oidvector values (Tom Lane)
Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)
In some cases, the system would use the simple GMT offset value
when it should have used the regular timezone setting that had
prevailed before the simple offset was selected. This change also
causes the timeofday
function to
honor the simple GMT offset zone.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)
This fix applies only to Windows.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)
Previously, the generated script would fail during restore.
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)
(9.0.15,9.3.2,9.2.6,9.1.11,8.4.19) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.
Release date: 2013-10-10
This release contains a variety of fixes from 9.0.13. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.13, see Version 9.0.13.
(9.0.14,9.2.5,9.1.10,8.4.18) Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan)
PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding.
(9.0.14,9.2.5,9.1.10) Fix checkpoint memory leak in background writer when wal_level = hot_standby (Naoya Anzai)
(9.0.14,9.3.1,9.2.5,9.1.10,8.4.18) Fix memory leak caused by lo_open()
failure (Heikki Linnakangas)
(9.0.14,9.2.5,9.1.10,8.4.18) Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost)
(9.0.14,9.3.1,9.2.5,9.1.10,8.4.18) Fix deadlock bug in libpq when using SSL (Stephen Frost)
(9.0.14,9.2.5,9.1.10) Fix possible SSL state corruption in threaded libpq applications (Nick Phillips, Stephen Frost)
(9.0.14,9.2.5,9.1.10,8.4.18) Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth)
Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs.
(9.0.14,9.2.5,9.1.10,8.4.18) Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane)
Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results.
(9.0.14,9.2.5,9.1.10,8.4.18) Fix rare case of "failed to locate grouping columns" planner failure (Tom Lane)
(9.0.14,9.2.5,9.1.10,8.4.18) Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane)
(9.0.14,9.2.5,9.1.10) Properly record index comments created using UNIQUE and PRIMARY KEY syntax (Andres Freund)
This fixes a parallel pg_restore failure.
(9.0.14,9.2.5,9.1.10) Fix REINDEX TABLE and REINDEX DATABASE to properly revalidate constraints and mark invalidated indexes as valid (Noah Misch)
REINDEX INDEX has always worked properly.
(9.0.14,9.2.5,9.1.10,8.4.18) Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane)
(9.0.14,9.2.5,9.1.10,8.4.18) Fix regexp_matches()
handling of
zero-length matches (Jeevan Chalke)
Previously, zero-length matches like '^' could return too many matches.
(9.0.14,9.2.5,9.1.10,8.4.18) Fix crash for overly-complex regular expressions (Heikki Linnakangas)
(9.0.14,9.2.5,9.1.10,8.4.18) Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke)
(9.0.14,9.3.1,9.2.5,9.1.10,8.4.18) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)
(9.0.14,9.2.5,9.1.10) Allow ALTER DEFAULT PRIVILEGES to operate on schemas without requiring CREATE permission (Tom Lane)
(9.0.14,9.2.5,9.1.10) Loosen restriction on keywords used in queries (Tom Lane)
Specifically, lessen keyword restrictions for role names, language names, EXPLAIN and COPY options, and SET values. This allows COPY ... (FORMAT BINARY) to work as expected; previously BINARY needed to be quoted.
(9.0.14,9.2.5,9.1.10,8.4.18) Fix pgp_pub_decrypt()
so it works
for secret keys with passwords (Marko Kreen)
(9.0.14,9.3.1,9.2.5,9.1.10,8.4.18) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)
(9.0.14,9.2.5,9.1.10) Ensure that VACUUM ANALYZE still runs the ANALYZE phase if its attempt to truncate the file is cancelled due to lock conflicts (Kevin Grittner)
(9.0.14) Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane)
(9.0.14,9.2.5,9.1.10,8.4.18) Ensure that floating-point data input accepts standard spellings of "infinity" on all platforms (Tom Lane)
The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity.
Make sure we recognize these even if the platform's strtod
function doesn't.
(9.0.14,9.2.5,9.1.10,8.4.18) Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane)
(9.0.14,9.2.5,9.1.10,8.4.18) Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island.
Release date: 2013-04-04
This release contains a variety of fixes from 9.0.12. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below.
Also, if you are upgrading from a version earlier than 9.0.6, see Version 9.0.6.
(9.0.13,9.2.4,9.1.9) Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi)
A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. CVE-2013-1899 or CVE-2013-1899)
(9.0.13,9.2.4,9.1.9,8.4.17) Reset OpenSSL randomness state in each postmaster child process (Marko Kreen)
This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. CVE-2013-1900 or CVE-2013-1900)
(9.0.13,9.2.4,9.1.9,8.4.17) Fix GiST indexes to not use "fuzzy" geometric comparisons when it's not appropriate to do so (Alexander Korotkov)
The core geometric types perform comparisons using "fuzzy" equality, but gist_box_same
must do exact comparisons, else
GiST indexes using it might become inconsistent. After installing
this update, users should REINDEX any GiST
indexes on box, polygon, circle, or point columns, since all of these use gist_box_same
.
(9.0.13,9.2.4,9.1.9,8.4.17) Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.
(9.0.13,9.2.4,9.1.9,8.4.17) Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.
(9.0.13,9.2.4,9.1.9) Fix gist_point_consistent
to
handle fuzziness consistently (Alexander Korotkov)
Index scans on GiST indexes on point
columns would sometimes yield results different from a sequential
scan, because gist_point_consistent
disagreed with the underlying operator code about whether to do
comparisons exactly or fuzzily.
(9.0.13,9.2.4,9.1.9) Fix buffer leak in WAL replay (Heikki Linnakangas)
This bug could result in "incorrect local pin count" errors during replay, making recovery impossible.
(9.0.13,9.2.4,9.1.9) Fix race condition in DELETE RETURNING (Tom Lane)
Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash.
(9.0.13,9.2.4,9.1.9,8.4.17) Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)
(9.0.13,9.2.4,9.1.9,8.4.17) Fix potential null-pointer dereference in regular expression compilation (Tom Lane)
(9.0.13,9.2.4,9.1.9,8.4.17) Fix to_char()
to use ASCII-only
case-folding rules where appropriate (Tom Lane)
This fixes misbehavior of some template patterns that should be locale-independent, but mishandled "I" and "i" in Turkish locales.
(9.0.13,9.2.4,9.1.9,8.4.17) Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)
(9.0.13,9.2.4,9.1.9) Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane)
The session wound up not listening for notify events at all, though it surely should listen in this case.
(9.0.13,9.2.4,9.1.9,8.4.17) Remove useless "picksplit doesn't support secondary split" log messages (Josh Hansen, Tom Lane)
This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.
(9.0.13,9.2.4,9.1.9,8.4.17) Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)
(9.0.13,9.2.4,9.1.9,8.4.17) Eliminate memory leaks in PL/Perl's spi_prepare()
function (Alex Hunsaker, Tom
Lane)
(9.0.13,9.2.4,9.1.9,8.4.17) Fix pg_dumpall to handle database names containing "=" correctly (Heikki Linnakangas)
(9.0.13,9.2.4,9.1.9,8.4.17) Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas)
(9.0.13,9.2.4,9.1.9) Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian)
Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing.
(9.0.13,9.2.4,9.1.9,8.4.17) Fix contrib/pg_trgm's similarity()
function to return zero for
trigram-less strings (Tom Lane)
Previously it returned NaN due to internal division by zero.
(9.0.13,9.2.4,9.1.9,8.4.17) Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places.
Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.
Release date: 2013-02-07
This release contains a variety of fixes from 9.0.11. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6, see Version 9.0.6.
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Prevent execution of enum_recv
from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. CVE-2013-0255 or CVE-2013-0255)
(9.0.12,9.2.3,9.1.8) Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund)
(9.0.12,9.2.3,9.1.8,8.4.16) Update minimum recovery point when truncating a relation file (Heikki Linnakangas)
Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.
(9.0.12,9.2.3,9.1.8) Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs)
The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data.
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)
(9.0.12,9.2.3,9.1.8) Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck)
Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives.
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Prevent DROP OWNED from trying to drop whole databases or tablespaces (Ãlvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.
(9.0.12,9.2.3,9.1.8,8.4.16) Fix error in vacuum_freeze_table_age implementation (Andres Freund)
In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead.
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)
(9.0.12,9.2.3,9.1.8,8.4.16) Reject out-of-range dates in to_date()
(Hitoshi Harada)
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)
This bug affected psql and some other client programs.
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)
(9.0.12,9.2.3,9.1.8) Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian)
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Fix one-byte buffer overrun in libpq's PQprintTuples
(Xi Wang)
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
(9.0.12,9.2.3,9.1.8,8.4.16) Make ecpglib use translated messages properly (Chen Huajun)
(9.0.12,9.2.3,9.1.8,8.4.16) Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing)
(9.0.12,9.2.3,9.1.8) Include our version of isinf()
in
libecpg if it's not provided by
the system (Jiang Guiqing)
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Ensure Windows build number increases over time (Magnus Hagander)
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)
(9.0.12,9.2.3,9.1.8,8.4.16,8.3.23) Add new timezone abbreviation FET (Tom Lane)
This is now used in some eastern-European time zones.
Release date: 2012-12-06
This release contains a variety of fixes from 9.0.10. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6, see Version 9.0.6.
(9.0.11,9.1.7,8.4.15,8.3.22) Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane)
Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.
(9.0.11,9.2.2,9.1.7) Fix buffer locking during WAL replay (Tom Lane)
The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures.
(9.0.11,9.2.2,9.1.7) Fix an error in WAL generation logic for GIN indexes (Tom Lane)
This could result in index corruption, if a torn-page failure occurred.
(9.0.11,9.2.2,9.1.7) Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running (Simon Riggs)
This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY.
(9.0.11,9.2.2,9.1.7) Avoid bogus "out-of-sequence timeline ID" errors in standby mode (Heikki Linnakangas)
(9.0.11,9.2.2,9.1.7) Prevent the postmaster from launching new child processes after it's received a shutdown signal (Tom Lane)
This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Avoid corruption of internal hash tables when out of memory (Hitoshi Harada)
(9.0.11,9.1.7,8.4.15,8.3.22) Fix planning of non-strict equivalence clauses above outer joins (Tom Lane)
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane)
This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.
(9.0.11,8.4.15,8.3.22) Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund)
In very unusual circumstances, this oversight could result in passing incorrect data to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.
(9.0.11,9.2.2,9.1.7,8.4.15) Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee)
This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix REASSIGN OWNED to handle grants on tablespaces (Ãlvaro Herrera)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane)
Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix possible access past end of string in date parsing (Hitoshi Harada)
(9.0.11,9.2.2,9.1.7) Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby (Tom Lane, Andres Freund)
While this mistake had no particular impact on PostgreSQL itself, it was bad for applications
that rely on txid_current()
and
related functions: the TXID value would appear to go backwards.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan)
Formerly, this would result in something quite unhelpful, such as "Non-recoverable failure in name resolution".
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix memory leaks when sending composite column values to the client (Tom Lane)
(9.0.11,9.1.7,8.4.15,8.3.22) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas)
Fix race conditions and possible file descriptor leakage.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane)
The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane)
The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane)
This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix libpq's lo_import()
and lo_export()
functions to report file I/O errors
properly (Tom Lane)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama)
(9.0.11,9.2.2,9.1.7) Fix ecpg's ecpg_get_data
function to handle arrays properly
(Michael Meskes)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane)
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Fix pgxs support for building loadable modules on AIX (Tom Lane)
Building modules outside the original source tree didn't work on AIX.
(9.0.11,9.2.2,9.1.7,8.4.15,8.3.22) Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.
Release date: 2012-09-24
This release contains a variety of fixes from 9.0.9. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6, see Version 9.0.6.
(9.0.10,9.1.6,8.4.14) Fix planner's assignment of executor parameters, and fix executor's rescan logic for CTE plan nodes (Tom Lane)
These errors could result in wrong answers from queries that scan the same WITH subquery multiple times.
(9.0.10,9.1.6,8.4.14,8.3.21) Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane)
Multi-column GiST indexes might suffer unexpected bloat due to this error.
(9.0.10,9.1.6,8.4.14,8.3.21) Fix cascading privilege revoke to stop if privileges are still held (Tom Lane)
If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to.
(9.0.10,9.1.6) Improve error messages for Hot Standby misconfiguration errors (Gurjeet Singh)
(9.0.10,9.1.6,8.4.14,8.3.21) Fix handling of SIGFPE when PL/Perl is in use (Andres Freund)
Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl.
(9.0.10,9.2.1,9.1.6,8.4.14,8.3.21) Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane)
(9.0.10,9.2.1,9.1.6,8.4.14,8.3.21) Work around possible misoptimization in PL/Perl (Tom Lane)
Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error.
(9.0.10,9.1.6) Fix pg_upgrade's handling of line endings on Windows (Andrew Dunstan)
Previously, pg_upgrade might add or remove carriage returns in places such as function bodies.
(9.0.10,9.1.6) On Windows, make pg_upgrade use backslash path separators in the scripts it emits (Andrew Dunstan)
(9.0.10,9.2.1,9.1.6,8.4.14,8.3.21) Update time zone data files to tzdata release 2012f for DST law changes in Fiji
Release date: 2012-08-17
This release contains a variety of fixes from 9.0.8. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6, see Version 9.0.6.
(9.0.9,9.1.5,8.4.13,8.3.20) Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane)
xml_parse()
would attempt to fetch
external files or URLs as needed to resolve DTD and entity
references in an XML value, thus allowing unprivileged database
users to attempt to fetch data with the privileges of the database
server. While the external data wouldn't get returned directly to
the user, portions of it could be exposed in error messages if the
data didn't parse as valid XML; and in any case the mere ability to
check existence of a file might be useful to an attacker.
CVE-2012-3489 or CVE-2012-3489)
(9.0.9,9.1.5,8.4.13,8.3.20) Prevent access to external files/URLs via contrib/xml2's xslt_process()
(Peter Eisentraut)
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. CVE-2012-3488 or CVE-2012-3488)
Also, remove xslt_process()
's
ability to fetch documents and stylesheets from external
files/URLs. While this was a documented "feature", it was long regarded as a bad idea. The
fix forCVE-2012-3489 or CVE-2012-3489 broke that capability, and rather than expend
effort on trying to fix it, we're just going to summarily remove
it.
(9.0.9,9.1.5,8.4.13,8.3.20) Prevent too-early recycling of btree index pages (Noah Misch)
When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed.
(9.0.9,9.1.5,8.4.13,8.3.20) Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane)
If ALTER SEQUENCE was executed on a
freshly created or reset sequence, and then precisely one
nextval()
call was made on it, and
then the server crashed, WAL replay would restore the sequence to a
state in which it appeared that no nextval()
had been done, thus allowing the first
sequence value to be returned again by the next nextval()
call. In particular this could manifest
for serial columns, since creation of a
serial column's sequence includes an ALTER
SEQUENCE OWNED BY step.
(9.0.9,9.1.5) Fix txid_current()
to report the
correct epoch when not in hot standby (Heikki Linnakangas)
This fixes a regression introduced in the previous minor release.
(9.0.9,9.1.5) Fix bug in startup of Hot Standby when a master transaction has many subtransactions (Andres Freund)
This mistake led to failures reported as "out-of-order XID insertion in KnownAssignedXids".
(9.0.9,9.1.5,8.4.13,8.3.20) Ensure the backup_label file is
fsync'd after pg_start_backup()
(Dave
Kerr)
(9.0.9,9.1.5) Fix timeout handling in walsender processes (Tom Lane)
WAL sender background processes neglected to establish a SIGALRM handler, meaning they would wait forever in some corner cases where a timeout ought to happen.
(9.0.9,8.4.13,8.3.20) Back-patch 9.1 improvement to compress the fsync request queue (Robert Haas)
This improves performance during checkpoints. The 9.1 change has now seen enough field testing to seem safe to back-patch.
(9.0.9,9.1.5) Fix LISTEN/NOTIFY to cope better with I/O problems, such as out of disk space (Tom Lane)
After a write failure, all subsequent attempts to send more NOTIFY messages would fail with messages like "Could not read from file "pg_notify/nnnn" at offset nnnnn: Success".
(9.0.9,9.1.5,8.4.13,8.3.20) Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane)
The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period.
(9.0.9,9.1.5,8.4.13,8.3.20) Improve logging of autovacuum cancels (Robert Haas)
(9.0.9,9.1.5,8.4.13,8.3.20) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane)
(9.0.9,9.1.5,8.4.13) Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane)
(9.0.9,9.1.5,8.4.13,8.3.20) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane)
(9.0.9,9.1.5,8.4.13,8.3.20) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane)
This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch.
(9.0.9,9.1.5,8.4.13,8.3.20) Fix memory leak in ARRAY (SELECT ...) subqueries (Heikki Linnakangas, Tom Lane)
(9.0.9,9.1.5,8.4.13,8.3.20) Fix extraction of common prefixes from regular expressions (Tom Lane)
The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns.
(9.0.9,9.1.5,8.4.13) Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane)
(9.0.9,9.1.5) Use Postgres' encoding conversion functions, not Python's, when converting a Python Unicode string to the server encoding in PL/Python (Jan Urbanski)
This avoids some corner-case problems, notably that Python doesn't support all the encodings Postgres does. A notable functional change is that if the server encoding is SQL_ASCII, you will get the UTF-8 representation of the string; formerly, any non-ASCII characters in the string would result in an error.
(9.0.9,9.1.5) Fix mapping of PostgreSQL encodings to Python encodings in PL/Python (Jan Urbanski)
(9.0.9,9.1.5,8.4.13,8.3.20) Report errors properly in contrib/xml2's xslt_process()
(Tom Lane)
(9.0.9,9.1.5,8.4.13,8.3.20) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau
Release date: 2012-06-04
This release contains a variety of fixes from 9.0.7. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6, see Version 9.0.6.
(9.0.8,9.1.4,8.4.12,8.3.19) Fix incorrect password transformation in contrib/pgcrypto's DES crypt()
function (Solar Designer)
If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. CVE-2012-2143 or CVE-2012-2143)
(9.0.8,9.1.4,8.4.12,8.3.19) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane)
Applying such attributes to a call handler could crash the server. CVE-2012-2655 or CVE-2012-2655)
(9.0.8,9.1.4,8.4.12,8.3.19) Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane)
Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload.
(9.0.8,9.1.4,8.4.12,8.3.19) Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane)
This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions.
(9.0.8,9.1.4,8.4.12,8.3.19) Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter)
(9.0.8,9.1.4,8.4.12,8.3.19) Fix memory copying bug in to_tsquery()
(Heikki Linnakangas)
(9.0.8,9.1.4) Ensure txid_current()
reports the
correct epoch when executed in hot standby (Simon Riggs)
(9.0.8,9.1.4,8.4.12) Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane)
This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with "ERROR: Upper-level PlaceHolderVar found where not expected". But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should.
(9.0.8,9.1.4,8.4.12,8.3.19) Fix slow session startup when pg_attribute is very large (Tom Lane)
If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once.
(9.0.8,9.1.4,8.4.12,8.3.19) Ensure sequential scans check for query cancel reasonably often (Merlin Moncure)
A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile.
(9.0.8,9.1.4,8.4.12,8.3.19) Ensure the Windows implementation of PGSemaphoreLock()
clears ImmediateInterruptOK before returning (Tom Lane)
This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences.
(9.0.8,9.1.4,8.4.12,8.3.19) Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane)
Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast.
(9.0.8,9.1.4,8.4.12) Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane)
A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4.
(9.0.8,9.1.4,8.4.12,8.3.19) Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas)
Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes.
(9.0.8,9.1.4,8.4.12,8.3.19) Fix logging collector to not lose log coherency under high load (Andrew Dunstan)
The collector previously could fail to reassemble large messages if it got too busy.
(9.0.8,9.1.4,8.4.12,8.3.19) Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane)
(9.0.8,9.1.4,8.4.12) Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane)
(9.0.8,9.1.4,8.4.12) Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway)
(9.0.8,9.1.4,8.4.12,8.3.19) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane)
(9.0.8,9.1.4,8.4.12) Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut)
(9.0.8,9.1.4,8.4.12,8.3.19) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane)
pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences.
(9.0.8,9.1.4) Fix pg_upgrade for the case that a database stored in a non-default tablespace contains a table in the cluster's default tablespace (Bruce Momjian)
(9.0.8,9.1.4) In ecpg, fix rare memory leaks and possible overwrite of one byte after the sqlca_t structure (Peter Eisentraut)
(9.0.8,9.1.4,8.4.12,8.3.19) Fix contrib/dblink's dblink_exec()
to not leak temporary database
connections upon error (Tom Lane)
(9.0.8,9.1.4,8.4.12) Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi)
(9.0.8,9.1.4) Fix contrib/vacuumlo to use multiple transactions when dropping many large objects (Tim Lewis, Robert Haas, Tom Lane)
This change avoids exceeding max_locks_per_transaction when many objects need to be dropped. The behavior can be adjusted with the new -l (limit) option.
(9.0.8,9.1.4,8.4.12,8.3.19) Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.
Release date: 2012-02-27
This release contains a variety of fixes from 9.0.6. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6, see Version 9.0.6.
(9.0.7,9.1.3,8.4.11,8.3.18) Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)
This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. CVE-2012-0866 or CVE-2012-0866)
(9.0.7,9.1.3,8.4.11) Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas)
Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. CVE-2012-0867 or CVE-2012-0867)
(9.0.7,9.1.3,8.4.11,8.3.18) Convert newlines to spaces in names written in pg_dump comments (Robert Haas)
pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. CVE-2012-0868 or CVE-2012-0868)
(9.0.7,9.1.3,8.4.11,8.3.18) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane)
An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things.
(9.0.7,9.1.3) Fix transient zeroing of shared buffers during WAL replay (Tom Lane)
The replay logic would sometimes zero and refill a shared buffer, so that the contents were transiently invalid. In hot standby mode this can result in a query that's executing in parallel seeing garbage data. Various symptoms could result from that, but the most common one seems to be "invalid memory alloc request size".
(9.0.7,9.1.3) Fix postmaster to attempt restart after a hot-standby crash (Tom Lane)
A logic error caused the postmaster to terminate, rather than attempt to restart the cluster, if any backend process crashed while operating in hot standby mode.
(9.0.7,9.1.3) Fix CLUSTER/VACUUM FULL handling of toast values owned by recently-updated rows (Tom Lane)
This oversight could lead to "duplicate key value violates unique constraint" errors being reported against the toast table's index during one of these commands.
(9.0.7,9.1.3,8.4.11) Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane)
Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions.
(9.0.7,9.1.3) Support foreign data wrappers and foreign servers in REASSIGN OWNED (Álvaro Herrera)
This command failed with "unexpected classid" errors if it needed to change the ownership of any such objects.
(9.0.7,9.1.3,8.4.11,8.3.18) Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas)
Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one.
(9.0.7,9.1.3,8.4.11) Avoid crashing when we have problems deleting table files post-commit (Tom Lane)
Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database.
(9.0.7,9.1.3) Recover from errors occurring during WAL replay of DROP TABLESPACE (Tom Lane)
Replay will attempt to remove the tablespace's directories, but there are various reasons why this might fail (for example, incorrect ownership or permissions on those directories). Formerly the replay code would panic, rendering the database unrestartable without manual intervention. It seems better to log the problem and continue, since the only consequence of failure to remove the directories is some wasted disk space.
(9.0.7,9.1.3) Fix race condition in logging AccessExclusiveLocks for hot standby (Simon Riggs)
Sometimes a lock would be logged as being held by "transaction zero". This is at least known to produce assertion failures on slave servers, and might be the cause of more serious problems.
(9.0.7,9.1.3,8.4.11,8.3.18) Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane)
Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed.
(9.0.7,9.1.3) Prevent emitting misleading "consistent recovery state reached" log message at the beginning of crash recovery (Heikki Linnakangas)
(9.0.7,9.1.3) Fix initial value of pg_stat_replication.replay_location (Fujii Masao)
Previously, the value shown would be wrong until at least one WAL record had been replayed.
(9.0.7,9.1.3,8.4.11,8.3.18) Fix regular expression back-references with * attached (Tom Lane)
Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol.
A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release.
(9.0.7,9.1.3,8.4.11,8.3.18) Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas)
A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column.
(9.0.7,9.1.3,8.4.11) Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane)
In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible.
(9.0.7,9.1.3,8.4.11,8.3.18) Avoid double close of file handle in syslogger on Windows (MauMau)
Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows.
(9.0.7,9.1.3,8.4.11,8.3.18) Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane)
Certain operations would leak memory until the end of the current function.
(9.0.7,9.1.3,8.4.11,8.3.18) Improve pg_dump's handling of inherited table columns (Tom Lane)
pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly.
(9.0.7,9.1.3,8.4.11,8.3.18) Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane)
Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay.
(9.0.7,9.1.3) Allow pg_upgrade to process tables containing regclass columns (Bruce Momjian)
Since pg_upgrade now takes care to preserve pg_class OIDs, there was no longer any reason for this restriction.
(9.0.7,9.1.3) Make libpq ignore ENOTDIR errors when looking for an SSL client certificate file (Magnus Hagander)
This allows SSL connections to be established, though without a certificate, even when the user's home directory is set to something like /dev/null.
(9.0.7,9.1.3) Fix some more field alignment issues in ecpg's SQLDA area (Zoltan Boszormenyi)
(9.0.7,9.1.3,8.4.11) Allow AT option in ecpg DEALLOCATE statements (Michael Meskes)
The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case.
(9.0.7,9.1.3) Do not use the variable name when defining a varchar structure in ecpg (Michael Meskes)
(9.0.7,9.1.3) Fix contrib/auto_explain's JSON output mode to produce valid JSON (Andrew Dunstan)
The output used brackets at the top level, when it should have used braces.
(9.0.7,9.1.3,8.4.11,8.3.18) Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge)
If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result.
(9.0.7,9.1.3,8.4.11,8.3.18) Fix error detection in contrib/pgcrypto's encrypt_iv()
and decrypt_iv()
(Marko Kreen)
These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input.
(9.0.7,9.1.3,8.4.11,8.3.18) Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot)
The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad.
(9.0.7,9.1.3,8.4.11,8.3.18) Use __sync_lock_test_and_set()
for
spinlocks on ARM, if available (Martin Pitt)
This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.
(9.0.7,9.1.3,8.4.11,8.3.18) Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan)
This prevents assorted scenarios wherein recent versions of gcc will produce creative results.
(9.0.7,9.1.3,8.4.11,8.3.18) Allow use of threaded Python on FreeBSD (Chris Rees)
Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check.
Release date: 2011-12-05
This release contains a variety of fixes from 9.0.5. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below.
Also, if you are upgrading from a version earlier than 9.0.4, see Version 9.0.4.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Fix bugs in information_schema.referential_constraints view (Tom Lane)
This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does.
Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed.
(9.0.6,9.1.2) Fix possible crash during UPDATE or DELETE that joins to the output of a scalar-returning function (Tom Lane)
A crash could only occur if the target row had been concurrently updated, so this problem surfaced only intermittently.
(9.0.6,9.1.2,8.4.10) Fix incorrect replay of WAL records for GIN index updates (Tom Lane)
This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane)
If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug.
(9.0.6,9.1.2) Fix possible failures during hot standby startup (Simon Riggs)
(9.0.6,9.1.2) Start hot standby faster when initial snapshot is incomplete (Simon Riggs)
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Fix race condition during toast table access from stale syscache entries (Tom Lane)
The typical symptom was transient errors like "missing chunk number 0 for toast value NNNNN in pg_toast_2619", where the cited toast table would always belong to a system catalog.
(9.0.6,9.1.2,8.4.10) Track dependencies of functions on items used in parameter default expressions (Tom Lane)
Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended.
(9.0.6,9.1.2,8.4.10) Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane)
(9.0.6,9.1.2) Don't trust deferred-unique indexes for join removal (Tom Lane and Marti Raudsepp)
A deferred uniqueness constraint might not hold intra-transaction, so assuming that it does could give incorrect query results.
(9.0.6,9.1.2,8.4.10,8.3.17) Make DatumGetInetP()
unpack inet
datums that have a 1-byte header, and add a new macro, DatumGetInetPP()
, that does not (Heikki
Linnakangas)
This change affects no core code, but might prevent crashes in
add-on code that expects DatumGetInetP()
to produce an unpacked datum as
per usual convention.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Improve locale support in money type's input and output (Tom Lane)
Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas)
transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane)
For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order.
(9.0.6,9.1.2,8.4.10,8.3.17) Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews)
While harmless in itself, on certain platforms this would result in annoying kernel log messages.
(9.0.6,9.1.2,8.4.10) Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane)
Formerly, these would not be displayed correctly in the pg_settings view.
(9.0.6,9.1.2) Fix incorrect field alignment in ecpg's SQLDA area (Zoltan Boszormenyi)
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Preserve blank lines within commands in psql's command history (Robert Haas)
The former behavior could cause problems if an empty line was removed from within a string literal, for example.
(9.0.6,9.1.2,8.4.10,8.3.17) Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane)
(9.0.6,9.1.2) Assorted fixes for pg_upgrade (Bruce Momjian)
Handle exclusion constraints correctly, avoid failures on Windows, don't complain about mismatched toast table names in 8.4 databases.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker)
(9.0.6,9.1.2,8.4.10,8.3.17) Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane)
Some functions incorrectly assumed that memory returned by
palloc()
is guaranteed zeroed.
(9.0.6,9.1.2) Fix assorted errors in contrib/unaccent's configuration file parsing (Tom Lane)
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Honor query cancel interrupts promptly in pgstatindex()
(Robert Haas)
(9.0.6) Fix incorrect quoting of log file name in Mac OS X start script (Sidar Lopez)
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Ensure VPATH builds properly install all server header files (Peter Eisentraut)
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Shorten file names reported in verbose error messages (Peter Eisentraut)
Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Fix interpretation of Windows timezone names for Central America (Tom Lane)
Map "Central America Standard Time" to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America.
(9.0.6,9.1.2,8.4.10,8.3.17,8.2.23) Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa.
Release date: 2011-09-26
This release contains a variety of fixes from 9.0.4. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.4, see Version 9.0.4.
(9.0.5) Fix catalog cache invalidation after a VACUUM FULL or CLUSTER on a system catalog (Tom Lane)
In some cases the relocation of a system catalog row to another place would not be recognized by concurrent server processes, allowing catalog corruption to occur if they then tried to update that row. The worst-case outcome could be as bad as complete loss of a table.
(9.0.5) Fix incorrect order of operations during sinval reset processing, and ensure that TOAST OIDs are preserved in system catalogs (Tom Lane)
These mistakes could lead to transient failures after a VACUUM FULL or CLUSTER on a system catalog.
(9.0.5,8.4.9,8.3.16) Fix bugs in indexing of in-doubt HOT-updated tuples (Tom Lane)
These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes.
(9.0.5,8.4.9,8.3.16,8.2.22) Fix multiple bugs in GiST index page split processing (Heikki Linnakangas)
The probability of occurrence was low, but these could lead to index corruption.
(9.0.5,8.4.9,8.3.16) Fix possible buffer overrun in tsvector_concat()
(Tom Lane)
The function could underestimate the amount of memory needed for its result, leading to server crashes.
(9.0.5,8.4.9,8.3.16) Fix crash in xml_recv
when
processing a "standalone" parameter (Tom
Lane)
(9.0.5,9.1.1,8.4.9) Make pg_options_to_table
return
NULL for an option with no value (Tom Lane)
Previously such cases would result in a server crash.
(9.0.5,8.4.9,8.3.16) Avoid possibly accessing off the end of memory in ANALYZE and in SJIS-2004 encoding conversion (Noah Misch)
This fixes some very-low-probability server crash scenarios.
(9.0.5) Protect pg_stat_reset_shared()
against NULL input (Magnus Hagander)
(9.0.5) Fix possible failure when a recovery conflict deadlock is detected within a sub-transaction (Tom Lane)
(9.0.5) Avoid spurious conflicts while recycling btree index pages during hot standby (Noah Misch, Simon Riggs)
(9.0.5) Shut down WAL receiver if it's still running at end of recovery (Heikki Linnakangas)
The postmaster formerly panicked in this situation, but it's actually a legitimate case.
(9.0.5,8.4.9,8.3.16,8.2.22) Fix race condition in relcache init file invalidation (Tom Lane)
There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically "could not read block 0 in file ..." later during startup.
(9.0.5,9.1.1,8.4.9,8.3.16,8.2.22) Fix memory leak at end of a GiST index scan (Tom Lane)
Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak.
(9.0.5) Fix memory leak when encoding conversion has to be done on incoming command strings and LISTEN is active (Tom Lane)
(9.0.5,8.4.9) Fix incorrect memory accounting (leading to possible memory bloat) in tuplestores supporting holdable cursors and plpgsql's RETURN NEXT command (Tom Lane)
(9.0.5) Fix trigger WHEN conditions when both BEFORE and AFTER triggers exist (Tom Lane)
Evaluation of WHEN conditions for AFTER ROW UPDATE triggers could crash if there had been a BEFORE ROW trigger fired for the same update.
(9.0.5,8.4.9,8.3.16,8.2.22) Fix performance problem when constructing a large, lossy bitmap (Tom Lane)
(9.0.5,8.4.9) Fix join selectivity estimation for unique columns (Tom Lane)
This fixes an erroneous planner heuristic that could lead to poor estimates of the result size of a join.
(9.0.5,8.4.9) Fix nested PlaceHolderVar expressions that appear only in sub-select target lists (Tom Lane)
This mistake could result in outputs of an outer join incorrectly appearing as NULL.
(9.0.5) Allow the planner to assume that empty parent tables really are empty (Tom Lane)
Normally an empty table is assumed to have a certain minimum size for planning purposes; but this heuristic seems to do more harm than good for the parent table of an inheritance hierarchy, which often is permanently empty.
(9.0.5,8.4.9) Allow nested EXISTS queries to be optimized properly (Tom Lane)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix array- and path-creating functions to ensure padding bytes are zeroes (Tom Lane)
This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization.
(9.0.5,8.4.9) Fix EXPLAIN to handle gating Result nodes within inner-indexscan subplans (Tom Lane)
The usual symptom of this oversight was "bogus varno" errors.
(9.0.5) Fix btree preprocessing of indexedcol IS NULL conditions (Dean Rasheed)
Such a condition is unsatisfiable if combined with any other type of btree-indexable condition on the same index column. The case was handled incorrectly in 9.0.0 and later, leading to query output where there should be none.
(9.0.5,8.4.9,8.3.16,8.2.22) Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane)
This could lead to loss of committed transactions after a server crash.
(9.0.5,8.4.9,8.3.16,8.2.22) Fix dump bug for VALUES in a view (Tom Lane)
(9.0.5,8.4.9,8.3.16,8.2.22) Disallow SELECT FOR UPDATE/SHARE on sequences (Tom Lane)
This operation doesn't work as expected and can lead to failures.
(9.0.5,8.4.9) Fix VACUUM so that it always updates pg_class.reltuples/relpages (Tom Lane)
This fixes some scenarios where autovacuum could make increasingly poor decisions about when to vacuum tables.
(9.0.5,8.4.9,8.3.16,8.2.22) Defend against integer overflow when computing size of a hash table (Tom Lane)
(9.0.5,8.4.9,8.3.16) Fix cases where CLUSTER might attempt to access already-removed TOAST data (Tom Lane)
(9.0.5) Fix premature timeout failures during initial authentication transaction (Tom Lane)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix portability bugs in use of credentials control messages for "peer" authentication (Tom Lane)
(9.0.5,8.4.9,8.3.16) Fix SSPI login when multiple roundtrips are required (Ahmed Shinwari, Magnus Hagander)
The typical symptom of this problem was "The function requested is not supported" errors during SSPI login.
(9.0.5) Fix failure when adding a new variable of a custom variable class to postgresql.conf (Tom Lane)
(9.0.5,8.4.9) Throw an error if pg_hba.conf contains hostssl but SSL is disabled (Tom Lane)
This was concluded to be more user-friendly than the previous behavior of silently ignoring such lines.
(9.0.5) Fix failure when DROP OWNED BY attempts to remove default privileges on sequences (Shigeru Hanada)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix typo in pg_srand48
seed
initialization (Andres Freund)
This led to failure to use all bits of the provided seed. This
function is not used on most platforms (only those without
srandom
), and the potential security
exposure from a less-random-than-expected seed seems minimal in any
case.
(9.0.5,8.4.9,8.3.16,8.2.22) Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63 (Heikki Linnakangas)
(9.0.5,8.4.9,8.3.16,8.2.22) Add overflow checks to int4 and int8 versions of generate_series()
(Robert Haas)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix trailing-zero removal in to_char()
(Marti Raudsepp)
In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly.
(9.0.5,8.4.9,8.3.16,8.2.22) Fix pg_size_pretty()
to avoid
overflow for inputs close to 2^63 (Tom Lane)
(9.0.5,8.4.9) Weaken plpgsql's check for typmod matching in record values (Tom Lane)
An overly enthusiastic check could lead to discarding length modifiers that should have been kept.
(9.0.5,8.4.9) Correctly handle quotes in locale names during initdb (Heikki Linnakangas)
The case can arise with some Windows locales, such as "People's Republic of China".
(9.0.5) In pg_upgrade, avoid dumping orphaned temporary tables (Bruce Momjian)
This prevents situations wherein table OID assignments could get out of sync between old and new installations.
(9.0.5,8.4.9) Fix pg_upgrade to preserve toast tables' relfrozenxids during an upgrade from 8.3 (Bruce Momjian)
Failure to do this could lead to pg_clog files being removed too soon after the upgrade.
(9.0.5) In pg_upgrade, fix the -l (log) option to work on Windows (Bruce Momjian)
(9.0.5,8.4.9,8.3.16) In pg_ctl, support silent mode for service registrations on Windows (MauMau)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix psql's counting of script file line numbers during COPY from a different file (Tom Lane)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix pg_restore's direct-to-database mode for standard_conforming_strings (Tom Lane)
pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on.
(9.0.5,8.4.9) Be more user-friendly about unsupported cases for parallel pg_restore (Tom Lane)
This change ensures that such cases are detected and reported before any restore actions have been taken.
(9.0.5,8.4.9,8.3.16,8.2.22) Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code (Albe Laurenz)
(9.0.5,8.4.9,8.3.16,8.2.22) In libpq, avoid failures when using nonblocking I/O and an SSL connection (Martin Pihlak, Tom Lane)
(9.0.5,8.4.9,8.3.16,8.2.22) Improve libpq's handling of failures during connection startup (Tom Lane)
In particular, the response to a server report of fork()
failure during SSL connection startup is
now saner.
(9.0.5,8.4.9,8.3.16) Improve libpq's error reporting for SSL failures (Tom Lane)
(9.0.5,8.4.9) Fix PQsetvalue()
to avoid possible
crash when adding a new tuple to a PGresult originally obtained from a server query
(Andrew Chernow)
(9.0.5,8.4.9,8.3.16,8.2.22) Make ecpglib write double values with 15 digits precision (Akira Kurosawa)
(9.0.5,8.4.9,8.3.16) In ecpglib, be sure LC_NUMERIC setting is restored after an error (Michael Meskes)
(9.0.5,8.4.9,8.3.16,8.2.22) Apply upstream fix for blowfish signed-character bug CVE-2011-2483 or CVE-2011-2483) (Tom Lane)
contrib/pg_crypto's blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be.
(9.0.5,8.4.9,8.3.16,8.2.22) Fix memory leak in contrib/seg (Heikki Linnakangas)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix pgstatindex()
to give
consistent results for empty indexes (Tom Lane)
(9.0.5,8.4.9,8.3.16,8.2.22) Allow building with perl 5.14 (Alex Hunsaker)
(9.0.5,8.4.9,8.3.16,8.2.22) Fix assorted issues with build and install file paths containing spaces (Tom Lane)
(9.0.5,8.4.9,8.3.16,8.2.22) Update time zone data files to tzdata release 2011i for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan.
Release date: 2011-04-18
This release contains a variety of fixes from 9.0.3. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
However, if your installation was upgraded from a previous major release by running pg_upgrade, you should take action to prevent possible data loss due to a now-fixed bug in pg_upgrade. The recommended solution is to run VACUUM FREEZE on all TOAST tables. More information is available at http://wiki.postgresql.org/wiki/20110408pg_upgrade_fix.
(9.0.4,8.4.8) Fix pg_upgrade's handling of TOAST tables (Bruce Momjian)
The pg_class.relfrozenxid value for TOAST tables was not correctly copied into the new installation during pg_upgrade. This could later result in pg_clog files being discarded while they were still needed to validate tuples in the TOAST tables, leading to "could not access status of transaction" failures.
This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade.
(9.0.4,8.4.8) Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning (Heikki Linnakangas)
VACUUM would sometimes issue this warning in cases that are actually valid.
(9.0.4) Use better SQLSTATE error codes for hot standby conflict cases (Tatsuo Ishii and Simon Riggs)
All retryable conflict errors now have an error code that indicates that a retry is possible. Also, session closure due to the database being dropped on the master is now reported as ERRCODE_DATABASE_DROPPED, rather than ERRCODE_ADMIN_SHUTDOWN, so that connection poolers can handle the situation correctly.
(9.0.4,8.4.9) Prevent intermittent hang in interactions of startup process with bgwriter process (Simon Riggs)
This affected recovery in non-hot-standby cases.
(9.0.4,8.4.8,8.3.15) Disallow including a composite type in itself (Tom Lane)
This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely.
(9.0.4,8.4.8,8.3.15,8.2.21) Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke)
In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order.
(9.0.4,8.4.8,8.3.15,8.2.21) Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane)
This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple.
(9.0.4,8.4.8,8.3.15,8.2.21) Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane)
Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired.
(9.0.4) Allow "replication" as a user name in pg_hba.conf (Andrew Dunstan)
"replication" is special in the database name column, but it was mistakenly also treated as special in the user name column.
(9.0.4,8.4.8) Prevent crash triggered by constant-false WHERE conditions during GEQO optimization (Tom Lane)
(9.0.4,8.4.8) Improve planner's handling of semi-join and anti-join cases (Tom Lane)
(9.0.4) Fix handling of SELECT FOR UPDATE in a sub-SELECT (Tom Lane)
This bug typically led to "cannot extract system attribute from virtual tuple" errors.
(9.0.4,8.4.8) Fix selectivity estimation for text search to account for NULLs (Jesper Krogh)
(9.0.4) Fix get_actual_variable_range() to support hypothetical indexes injected by an index adviser plugin (Gurjeet Singh)
(9.0.4,8.4.8,8.3.15,8.2.21) Fix PL/Python memory leak involving array slices (Daniel Popowich)
(9.0.4) Allow libpq's SSL initialization to succeed when user's home directory is unavailable (Tom Lane)
If the SSL mode is such that a root certificate file is not required, there is no need to fail. This change restores the behavior to what it was in pre-9.0 releases.
(9.0.4) Fix libpq to return a useful
error message for errors detected in conninfo_array_parse
(Joseph Adams)
A typo caused the library to return NULL, rather than the PGconn structure containing the error message, to the application.
(9.0.4) Fix ecpg preprocessor's handling of float constants (Heikki Linnakangas)
(9.0.4) Fix parallel pg_restore to handle comments on POST_DATA items correctly (Arnd Hannemann)
(9.0.4,8.4.8,8.3.15,8.2.21) Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane)
(9.0.4,8.4.8,8.3.15,8.2.21) Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno)
(9.0.4,8.4.8,8.3.15,8.2.21) Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane)
There was a hard-wired assumption that this system function was not available on MIPS hardware on these systems. Use a compile-time test instead, since more recent versions have it.
(9.0.4,8.4.8,8.3.15,8.2.21) Fix compilation failures on HP-UX (Heikki Linnakangas)
(9.0.4) Avoid crash when trying to write to the Windows console very early in process startup (Rushabh Lathia)
(9.0.4) Support building with MinGW 64 bit compiler for Windows (Andrew Dunstan)
(9.0.4,8.4.8,8.3.15) Fix version-incompatibility problem with libintl on Windows (Hiroshi Inoue)
(9.0.4,8.4.8,8.3.15) Fix usage of xcopy in Windows build scripts to work correctly under Windows 7 (Andrew Dunstan)
This affects the build scripts only, not installation or usage.
(9.0.4,8.4.8,8.3.15,8.2.21) Fix path separator used by pg_regress on Cygwin (Andrew Dunstan)
(9.0.4,8.4.8,8.3.15,8.2.21) Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii.
Release date: 2011-01-31
This release contains a variety of fixes from 9.0.2. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
(9.0.3) Before exiting walreceiver, ensure all the received WAL is fsync'd to disk (Heikki Linnakangas)
Otherwise the standby server could replay some un-synced WAL, conceivably leading to data corruption if the system crashes just at that point.
(9.0.3) Avoid excess fsync activity in walreceiver (Heikki Linnakangas)
(9.0.3) Make ALTER TABLE revalidate uniqueness and exclusion constraints when needed (Noah Misch)
This was broken in 9.0 by a change that was intended to suppress revalidation during VACUUM FULL and CLUSTER, but unintentionally affected ALTER TABLE as well.
(9.0.3) Fix EvalPlanQual for UPDATE of an inheritance tree in which the tables are not all alike (Tom Lane)
Any variation in the table row types (including dropped columns present in only some child tables) would confuse the EvalPlanQual code, leading to misbehavior or even crashes. Since EvalPlanQual is only executed during concurrent updates to the same row, the problem was only seen intermittently.
(9.0.3,8.4.7,8.3.14,8.2.20) Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane)
If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors.
(9.0.3,8.4.7,8.3.14,8.2.20) Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane)
If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash.
(9.0.3,8.4.7,8.3.14,8.2.20) Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane)
The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity.
(9.0.3) Fix PL/Python crash when an array contains null entries (Alex Hunsaker)
(9.0.3) Remove ecpg's fixed length limit for constants defining an array dimension (Michael Meskes)
(9.0.3,8.4.7,8.3.14,8.2.20) Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane)
Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type.
(9.0.3,8.4.7,8.3.14,8.2.20) Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple)
This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. CVE-2010-4015 or CVE-2010-4015)
(9.0.3,8.4.7,8.3.14,8.2.20) Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.)
Release date: 2010-12-16
This release contains a variety of fixes from 9.0.1. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp)
The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option.
(9.0.2) Fix "too many KnownAssignedXids" error during Hot Standby replay (Heikki Linnakangas)
(9.0.2) Fix race condition in lock acquisition during Hot Standby (Simon Riggs)
(9.0.2) Avoid unnecessary conflicts during Hot Standby (Simon Riggs)
This fixes some cases where replay was considered to conflict with standby queries (causing delay of replay or possibly cancellation of the queries), but there was no real conflict.
(9.0.2,8.4.6,8.3.13,8.2.19) Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane)
This could result in "bad buffer id: 0" failures or corruption of index contents during replication.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis)
(9.0.2) Fix corner-case bug when streaming replication is enabled immediately after creating the master database cluster (Heikki Linnakangas)
(9.0.2,8.4.6,8.3.13) Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane)
The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly.
(9.0.2) Fix long-term memory leak in autovacuum launcher (Álvaro Herrera)
(9.0.2) Avoid failure when trying to report an impending transaction wraparound condition from outside a transaction (Tom Lane)
This oversight prevented recovery after transaction wraparound got too close, because database startup processing would fail.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Add support for detecting register-stack overrun on IA64 (Tom Lane)
The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Add a check for stack overflow in copyObject()
(Tom Lane)
Certain code paths could crash due to stack overflow given a sufficiently complex query.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas)
It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued.
(9.0.2,8.4.6) Fix error checking during early connection processing (Tom Lane)
The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays.
(9.0.2,8.4.6) Improve efficiency of window functions (Tom Lane)
Certain cases where a large number of tuples needed to be read
in advance, but work_mem was large enough
to allow them all to be held in memory, were unexpectedly slow.
percent_rank()
, cume_dist()
and ntile()
in particular were subject to this
problem.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane)
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane)
An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped.
(9.0.2) Add missing support in DROP OWNED BY for removing foreign data wrapper/server privileges belonging to a user (Heikki Linnakangas)
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Do not "inline" a SQL function with multiple OUT parameters (Tom Lane)
This avoids a possible crash due to loss of information about the expected result rowtype.
(9.0.2) Fix crash when inline-ing a set-returning function whose argument list contains a reference to an inline-able user function (Tom Lane)
(9.0.2,8.4.6,8.3.13,8.2.19) Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane)
(9.0.2) Make the OFF keyword unreserved (Heikki Linnakangas)
This prevents problems with using off as a variable name in PL/pgSQL. That worked before 9.0, but was now broken because PL/pgSQL now treats all core reserved words as reserved.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix constant-folding of COALESCE() expressions (Tom Lane)
The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors.
(9.0.2) Fix "could not find pathkey item to sort" planner failure with comparison of whole-row Vars (Tom Lane)
(9.0.2,8.4.6,8.3.13) Fix postmaster crash when connection acceptance (accept()
or one of the calls made immediately
after it) fails, and the postmaster was compiled with GSSAPI
support (Alexander Chernikov)
(9.0.2) Retry after receiving an invalid response packet from a RADIUS authentication server (Magnus Hagander)
This fixes a low-risk potential denial of service condition.
(9.0.2,8.4.6,8.3.13) Fix missed unlink of temporary files when log_temp_files is active (Tom Lane)
If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Add print functionality for InhRelation nodes (Tom Lane)
This avoids a failure when debug_print_parse is enabled and certain types of query are executed.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane)
This bug affected several different geometric distance-measurement operators.
(9.0.2,8.4.6) Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro)
(9.0.2) Fix errors in psql's Unicode-escape support (Tom Lane)
(9.0.2) Speed up parallel pg_restore when the archive contains many large objects (blobs) (Tom Lane)
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane)
(9.0.2) Fix PL/pgSQL's error reporting for no-such-column cases (Tom Lane)
As of 9.0, it would sometimes report "missing FROM-clause entry for table foo" when "record foo has no field bar" would be more appropriate.
(9.0.2) Fix PL/Python to honor typmod (i.e., length or precision restrictions) when assigning to tuple fields (Tom Lane)
This fixes a regression from 8.4.
(9.0.2,8.4.6,8.3.13,8.2.19) Fix PL/Python's handling of set-returning functions (Jan Urbanski)
Attempts to call SPI functions within the iterator generating a set result would fail.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update.
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro)
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp)
(9.0.2) Fix buffer overrun in contrib/pg_upgrade (Hernan Gonzalez)
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane)
(9.0.2,8.4.6,8.3.13,8.2.19,8.1.23) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong.
Release date: 2010-10-04
This release contains a variety of fixes from 9.0.0. For information about new features in the 9.0 major release, see Version 9.0.0.
A dump/restore is not required for those running 9.0.X.
(9.0.1,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Our thanks to Tim Bunce for pointing out this issue CVE-2010-3433 or CVE-2010-3433).
(9.0.1) Improve pg_get_expr()
security fix
so that the function can still be used on the output of a
sub-select (Tom Lane)
(9.0.1,8.4.5) Fix incorrect placement of placeholder evaluation (Tom Lane)
This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list.
(9.0.1) Fix join removal's handling of placeholder expressions (Tom Lane)
(9.0.1,8.4.5,8.3.12,8.2.18) Fix possible duplicate scans of UNION ALL member relations (Tom Lane)
(9.0.1) Prevent infinite loop in ProcessIncomingNotify() after unlistening (Jeff Davis)
(9.0.1,8.4.5,8.3.12,8.2.18,8.1.22) Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane)
(9.0.1,8.4.5) Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane)
Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking.
(9.0.1,8.4.5,8.3.12) Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro)
(9.0.1,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)
Release date: 2010-09-20
This release of PostgreSQL adds features that have been requested for years, such as easy-to-use replication, a mass permission-changing facility, and anonymous code blocks. While past major releases have been conservative in their scope, this release shows a bold new desire to provide facilities that new and existing users of PostgreSQL will embrace. This has all been done with few incompatibilities. Major enhancements include:
(9.0.0) Built-in replication based on log shipping. This advance consists of two features: Streaming Replication, allowing continuous archive (WAL) files to be streamed over a network connection to a standby server, and Hot Standby, allowing continuous archive standby servers to execute read-only queries. The net effect is to support a single master with multiple read-only slave servers.
(9.0.0) Easier database object permissions management. GRANT/REVOKE IN SCHEMA supports mass permissions changes on existing objects, while ALTER DEFAULT PRIVILEGES allows control of privileges for objects created in the future. Large objects (BLOBs) now support permissions management as well.
(9.0.0) Broadly enhanced stored procedure support. The DO statement supports ad-hoc or "anonymous" code blocks. Functions can now be called using named parameters. PL/pgSQL is now installed by default, and PL/Perl and PL/Python have been enhanced in several ways, including support for Python3.
(9.0.0) Full support for 64-bit Windows.
(9.0.0) More advanced reporting queries, including additional windowing options (PRECEDING and FOLLOWING) and the ability to control the order in which values are fed to aggregate functions.
(9.0.0) New trigger features, including SQL-standard-compliant per-column triggers and conditional trigger execution.
(9.0.0) Deferrable unique constraints. Mass updates to unique keys are now possible without trickery.
(9.0.0) Exclusion constraints. These provide a generalized version of unique constraints, allowing enforcement of complex conditions.
(9.0.0) New and enhanced security features, including RADIUS authentication, LDAP authentication improvements, and a new contrib module passwordcheck for testing password strength.
(9.0.0) New high-performance implementation of the LISTEN/NOTIFY feature. Pending events are now stored in a memory-based queue rather than a table. Also, a "payload" string can be sent with each event, rather than transmitting just an event name as before.
(9.0.0) New implementation of VACUUM FULL. This command now rewrites the entire table and indexes, rather than moving individual rows to compact space. It is substantially faster in most cases, and no longer results in index bloat.
(9.0.0) New contrib module pg_upgrade to support in-place upgrades from 8.3 or 8.4 to 9.0.
(9.0.0) Multiple performance enhancements for specific types of queries, including elimination of unnecessary joins. This helps optimize some automatically-generated queries, such as those produced by object-relational mappers (ORMs).
(9.0.0) EXPLAIN enhancements. The output is now available in JSON, XML, or YAML format, and includes buffer utilization and other data not previously available.
(9.0.0) hstore improvements, including new functions and greater data capacity.
The above items are explained in more detail in the sections below.
A dump/restore using pg_dump, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.0 contains a number of changes that selectively break backwards compatibility in order to support new features and code quality improvements. In particular, users who make extensive use of PL/pgSQL, Point-In-Time Recovery (PITR), or Warm Standby should test their applications because of slight user-visible changes in those areas. Observe the following incompatibilities:
(9.0.0) Remove server parameter add_missing_from, which was defaulted to off for many years (Tom Lane)
(9.0.0) Remove server parameter regex_flavor, which was defaulted to advanced for many years (Tom Lane)
(9.0.0) archive_mode now only affects archive_command; a new setting, wal_level, affects the contents of the write-ahead log (Heikki Linnakangas)
(9.0.0) log_temp_files now uses default file size units of kilobytes (Robert Haas)
(9.0.0) When querying a parent table, do not do any separate permission checks on child tables scanned as part of the query (Peter Eisentraut)
The SQL standard specifies this behavior, and it is also much more convenient in practice than the former behavior of checking permissions on each child as well as the parent.
(9.0.0) bytea output now appears in hex format by default (Peter Eisentraut)
The server parameter bytea_output can be used to select the traditional output format if needed for compatibility.
(9.0.0) Array input now considers only plain ASCII whitespace characters to be potentially ignorable; it will never ignore non-ASCII characters, even if they are whitespace according to some locales (Tom Lane)
This avoids some corner cases where array values could be interpreted differently depending on the server's locale settings.
(9.0.0) Improve standards compliance of SIMILAR TO patterns and SQL-style substring()
patterns (Tom Lane)
This includes treating ? and {...} as pattern metacharacters, while they were
simple literal characters before; that corresponds to new features
added in SQL:2008. Also, ^ and $ are now treated as simple literal characters;
formerly they were treated as metacharacters, as if the pattern
were following POSIX rather than SQL rules. Also, in SQL-standard
substring()
, use of parentheses for
nesting no longer interferes with capturing of a substring. Also,
processing of bracket expressions (character classes) is now more
standards-compliant.
(9.0.0) Reject negative length values in 3-parameter substring()
for bit strings, per the SQL
standard (Tom Lane)
(9.0.0) Make date_trunc
truncate rather
than round when reducing precision of fractional seconds (Tom
Lane)
The code always acted this way for integer-based dates/times. Now float-based dates/times behave similarly.
(9.0.0) Tighten enforcement of column name consistency during RENAME when a child table inherits the same column from multiple unrelated parents (KaiGai Kohei)
(9.0.0) No longer automatically rename indexes and index columns when the underlying table columns are renamed (Tom Lane)
Administrators can still rename such indexes and columns manually. This change will require an update of the JDBC driver, and possibly other drivers, so that unique indexes are correctly recognized after a rename.
(9.0.0) CREATE OR REPLACE FUNCTION can no longer change the declared names of function parameters (Pavel Stehule)
In order to avoid creating ambiguity in named-parameter calls, it is no longer allowed to change the aliases for input parameters in the declaration of an existing function (although names can still be assigned to previously unnamed parameters). You now have to DROP and recreate the function to do that.
(9.0.0) PL/pgSQL now throws an error if a variable name conflicts with a column name used in a query (Tom Lane)
The former behavior was to bind ambiguous names to PL/pgSQL variables in preference to query columns, which often resulted in surprising misbehavior. Throwing an error allows easy detection of ambiguous situations. Although it's recommended that functions encountering this type of error be modified to remove the conflict, the old behavior can be restored if necessary via the configuration parameter plpgsql.variable_conflict, or via the per-function option #variable_conflict.
(9.0.0) PL/pgSQL no longer allows variable names that match certain SQL reserved words (Tom Lane)
This is a consequence of aligning the PL/pgSQL parser to match the core SQL parser more closely. If necessary, variable names can be double-quoted to avoid this restriction.
(9.0.0) PL/pgSQL now requires columns of composite results to match the expected type modifier as well as base type (Pavel Stehule, Tom Lane)
For example, if a column of the result type is declared as NUMERIC(30,2), it is no longer acceptable to return a NUMERIC of some other precision in that column. Previous versions neglected to check the type modifier and would thus allow result rows that didn't actually conform to the declared restrictions.
(9.0.0) PL/pgSQL now treats selection into composite fields more consistently (Tom Lane)
Formerly, a statement like SELECT ... INTO rec.fld FROM ... was treated as a scalar assignment even if the record field fld was of composite type. Now it is treated as a record assignment, the same as when the INTO target is a regular variable of composite type. So the values to be assigned to the field's subfields should be written as separate columns of the SELECT list, not as a ROW(...) construct as in previous versions.
If you need to do this in a way that will work in both 9.0 and previous releases, you can write something like rec.fld := ROW(...) FROM ....
(9.0.0) Remove PL/pgSQL's RENAME declaration (Tom Lane)
Instead of RENAME, use ALIAS, which can now create an alias for any variable, not only dollar sign parameter names (such as $1) as before.
(9.0.0) Deprecate use of => as an operator name (Robert Haas)
Future versions of PostgreSQL will probably reject this operator name entirely, in order to support the SQL-standard notation for named function parameters. For the moment, it is still allowed, but a warning is emitted when such an operator is defined.
(9.0.0) Remove support for platforms that don't have a working 64-bit integer data type (Tom Lane)
It is believed all still-supported platforms have working 64-bit integer data types.
Version 9.0 has an unprecedented number of new major features, and over 200 enhancements, improvements, new commands, new functions, and other changes.
PostgreSQL's existing standby-server capability has been expanded both to support read-only queries on standby servers and to greatly reduce the lag between master and standby servers. For many users, this will be a useful and low-administration form of replication, either for high availability or for horizontal scalability.
(9.0.0) Allow a standby server to accept read-only queries (Simon Riggs, Heikki Linnakangas)
This feature is called Hot Standby. There are new postgresql.conf and recovery.conf settings to control this feature, as well as extensive documentation.
(9.0.0) Allow write-ahead log (WAL) data to be streamed to a standby server (Fujii Masao, Heikki Linnakangas)
This feature is called Streaming Replication. Previously WAL data could be sent to standby servers only in units of entire WAL files (normally 16 megabytes each). Streaming Replication eliminates this inefficiency and allows updates on the master to be propagated to standby servers with very little delay. There are new postgresql.conf and recovery.conf settings to control this feature, as well as extensive documentation.
(9.0.0) Add pg_last_xlog_receive_location()
and
pg_last_xlog_replay_location()
, which
can be used to monitor standby server WAL activity (Simon Riggs, Fujii Masao, Heikki
Linnakangas)
(9.0.0) Allow per-tablespace values to be set for sequential and random page cost estimates (seq_page_cost/random_page_cost) via ALTER TABLESPACE ... SET/RESET (Robert Haas)
(9.0.0) Improve performance and reliability of EvalPlanQual rechecks in join queries (Tom Lane)
UPDATE, DELETE, and SELECT FOR UPDATE/SHARE queries that involve joins will now behave much better when encountering freshly-updated rows.
(9.0.0) Improve performance of TRUNCATE when the table was created or truncated earlier in the same transaction (Tom Lane)
(9.0.0) Improve performance of finding inheritance child tables (Tom Lane)
(9.0.0) Remove unnecessary outer joins (Robert Haas)
Outer joins where the inner side is unique and not referenced above the join are unnecessary and are therefore now removed. This will accelerate many automatically generated queries, such as those created by object-relational mappers (ORMs).
(9.0.0) Allow IS NOT NULL restrictions to use indexes (Tom Lane)
This is particularly useful for finding MAX()
/MIN()
values
in indexes that contain many null values.
(9.0.0) Improve the optimizer's choices about when to use materialize nodes, and when to use sorting versus hashing for DISTINCT (Tom Lane)
(9.0.0) Improve the optimizer's equivalence detection for expressions involving boolean <> operators (Tom Lane)
(9.0.0) Use the same random seed every time GEQO plans a query (Andres Freund)
While the Genetic Query Optimizer (GEQO) still selects random plans, it now always selects the same random plans for identical queries, thus giving more consistent performance. You can modify geqo_seed to experiment with alternative plans.
(9.0.0) Improve GEQO plan selection (Tom Lane)
This avoids the rare error "failed to make a valid plan", and should also improve planning speed.
(9.0.0) Improve ANALYZE to support inheritance-tree statistics (Tom Lane)
This is particularly useful for partitioned tables. However, autovacuum does not yet automatically re-analyze parent tables when child tables change.
(9.0.0) Improve autovacuum's detection of when re-analyze is necessary (Tom Lane)
(9.0.0) Improve optimizer's estimation for greater/less-than comparisons (Tom Lane)
When looking up statistics for greater/less-than comparisons, if the comparison value is in the first or last histogram bucket, use an index (if available) to fetch the current actual column minimum or maximum. This greatly improves the accuracy of estimates for comparison values near the ends of the data range, particularly if the range is constantly changing due to addition of new data.
(9.0.0) Allow setting of number-of-distinct-values statistics using ALTER TABLE (Robert Haas)
This allows users to override the estimated number or percentage of distinct values for a column. This statistic is normally computed by ANALYZE, but the estimate can be poor, especially on tables with very large numbers of rows.
(9.0.0) Add support for RADIUS (Remote Authentication Dial In User Service) authentication (Magnus Hagander)
(9.0.0) Allow LDAP (Lightweight Directory Access Protocol) authentication to operate in "search/bind" mode (Robert Fleming, Magnus Hagander)
This allows the user to be looked up first, then the system uses the DN (Distinguished Name) returned for that user.
(9.0.0) Add samehost and samenet designations to pg_hba.conf (Stef Walter)
These match the server's IP address and subnet address respectively.
(9.0.0) Pass trusted SSL root certificate names to the client so the client can return an appropriate client certificate (Craig Ringer)
(9.0.0) Add the ability for clients to set an application name, which is displayed in pg_stat_activity (Dave Page)
This allows administrators to characterize database traffic and troubleshoot problems by source application.
(9.0.0) Add a SQLSTATE option (%e) to log_line_prefix (Guillaume Smet)
This allows users to compile statistics on errors and messages by error code number.
(9.0.0) Write to the Windows event log in UTF16 encoding (Itagaki Takahiro)
Now there is true multilingual support for PostgreSQL log messages on Windows.
(9.0.0) Add pg_stat_reset_shared('bgwriter')
to reset the
cluster-wide shared statistics for the background writer (Greg
Smith)
(9.0.0) Add pg_stat_reset_single_table_counters()
and
pg_stat_reset_single_function_counters()
to allow
resetting the statistics counters for individual tables and
functions (Magnus Hagander)
(9.0.0) Allow setting of configuration parameters based on database/role combinations (Álvaro Herrera)
Previously only per-database and per-role settings were possible, not combinations. All role and database settings are now stored in the new pg_db_role_setting system catalog. A new psql command \drds shows these settings. The legacy system views pg_roles, pg_shadow, and pg_user do not show combination settings, and therefore no longer completely represent the configuration for a user or database.
(9.0.0) Add server parameter bonjour, which controls whether a Bonjour-enabled server advertises itself via Bonjour (Tom Lane)
The default is off, meaning it does not advertise. This allows packagers to distribute Bonjour-enabled builds without worrying that individual users might not want the feature.
(9.0.0) Add server parameter enable_material, which controls the use of materialize nodes in the optimizer (Robert Haas)
The default is on. When off, the optimizer will not add materialize nodes purely for performance reasons, though they will still be used when necessary for correctness.
(9.0.0) Change server parameter log_temp_files to use default file size units of kilobytes (Robert Haas)
Previously this setting was interpreted in bytes if no units were specified.
(9.0.0) Log changes of parameter values when postgresql.conf is reloaded (Peter Eisentraut)
This lets administrators and security staff audit changes of database settings, and is also very convenient for checking the effects of postgresql.conf edits.
(9.0.0) Properly enforce superuser permissions for custom server parameters (Tom Lane)
Non-superusers can no longer issue ALTER ROLE/DATABASE SET for parameters that are not currently known to the server. This allows the server to correctly check that superuser-only parameters are only set by superusers. Previously, the SET would be allowed and then ignored at session start, making superuser-only custom parameters much less useful than they should be.
(9.0.0) Perform SELECT FOR UPDATE/SHARE processing after applying LIMIT, so the number of rows returned is always predictable (Tom Lane)
Previously, changes made by concurrent transactions could cause a SELECT FOR UPDATE to unexpectedly return fewer rows than specified by its LIMIT. FOR UPDATE in combination with ORDER BY can still produce surprising results, but that can be corrected by placing FOR UPDATE in a subquery.
(9.0.0) Allow mixing of traditional and SQL-standard LIMIT/OFFSET syntax (Tom Lane)
(9.0.0) Extend the supported frame options in window functions (Hitoshi Harada)
Frames can now start with CURRENT ROW, and the ROWS n PRECEDING/FOLLOWING options are now supported.
(9.0.0) Make SELECT INTO and CREATE TABLE AS return row counts to the client in their command tags (Boszormenyi Zoltan)
This can save an entire round-trip to the client, allowing result counts and pagination to be calculated without an additional COUNT query.
(9.0.0) Support Unicode surrogate pairs (dual 16-bit representation) in U& strings and identifiers (Peter Eisentraut)
(9.0.0) Support Unicode escapes in E'...' strings (Marko Kreen)
(9.0.0) Speed up CREATE DATABASE by deferring flushes to disk (Andres Freund, Greg Stark)
(9.0.0) Allow comments on columns of tables, views, and composite types only, not other relation types such as indexes and TOAST tables (Tom Lane)
(9.0.0) Allow the creation of enumerated types containing no values (Bruce Momjian)
(9.0.0) Let values of columns having storage type MAIN remain on the main heap page unless the row cannot fit on a page (Kevin Grittner)
Previously MAIN values were forced out to TOAST tables until the row size was less than one-quarter of the page size.
(9.0.0) Implement IF EXISTS for ALTER TABLE DROP COLUMN and ALTER TABLE DROP CONSTRAINT (Andres Freund)
(9.0.0) Allow ALTER TABLE commands that rewrite tables to skip WAL logging (Itagaki Takahiro)
Such operations either produce a new copy of the table or are rolled back, so WAL archiving can be skipped, unless running in continuous archiving mode. This reduces I/O overhead and improves performance.
(9.0.0) Fix failure of ALTER TABLE table ADD COLUMN col serial when done by non-owner of table (Tom Lane)
(9.0.0) Add support for copying COMMENTS and STORAGE settings in CREATE TABLE ... LIKE commands (Itagaki Takahiro)
(9.0.0) Add a shortcut for copying all properties in CREATE TABLE ... LIKE commands (Itagaki Takahiro)
(9.0.0) Add the SQL-standard CREATE TABLE ... OF type command (Peter Eisentraut)
This allows creation of a table that matches an existing composite type. Additional constraints and defaults can be specified in the command.
(9.0.0) Add deferrable unique constraints (Dean Rasheed)
This allows mass updates, such as UPDATE tab SET col = col + 1, to work reliably on columns that have unique indexes or are marked as primary keys. If the constraint is specified as DEFERRABLE it will be checked at the end of the statement, rather than after each row is updated. The constraint check can also be deferred until the end of the current transaction, allowing such updates to be spread over multiple SQL commands.
(9.0.0) Add exclusion constraints (Jeff Davis)
Exclusion constraints generalize uniqueness constraints by allowing arbitrary comparison operators, not just equality. They are created with the CREATE TABLE CONSTRAINT ... EXCLUDE clause. The most common use of exclusion constraints is to specify that column entries must not overlap, rather than simply not be equal. This is useful for time periods and other ranges, as well as arrays. This feature enhances checking of data integrity for many calendaring, time-management, and scientific applications.
(9.0.0) Improve uniqueness-constraint violation error messages to report the values causing the failure (Itagaki Takahiro)
For example, a uniqueness constraint violation might now report Key (x)=(2) already exists.
(9.0.0) Add the ability to make mass permission changes across a whole schema using the new GRANT/REVOKE IN SCHEMA clause (Petr Jelinek)
This simplifies management of object permissions and makes it easier to utilize database roles for application data security.
(9.0.0) Add ALTER DEFAULT PRIVILEGES command to control privileges of objects created later (Petr Jelinek)
This greatly simplifies the assignment of object privileges in a complex database application. Default privileges can be set for tables, views, sequences, and functions. Defaults may be assigned on a per-schema basis, or database-wide.
(9.0.0) Add the ability to control large object (BLOB) permissions with GRANT/REVOKE (KaiGai Kohei)
Formerly, any database user could read or modify any large object. Read and write permissions can now be granted and revoked per large object, and the ownership of large objects is tracked.
(9.0.0) Make LISTEN/NOTIFY store pending events in a memory queue, rather than in a system table (Joachim Wieland)
This substantially improves performance, while retaining the existing features of transactional support and guaranteed delivery.
(9.0.0) Allow NOTIFY to pass an optional "payload" string to listeners (Joachim Wieland)
This greatly improves the usefulness of LISTEN/NOTIFY as a general-purpose event queue system.
(9.0.0) Allow CLUSTER on all per-database system catalogs (Tom Lane)
Shared catalogs still cannot be clustered.
(9.0.0) Accept COPY ... CSV FORCE QUOTE * (Itagaki Takahiro)
Now * can be used as shorthand for "all columns" in the FORCE QUOTE clause.
(9.0.0) Add new COPY syntax that allows options to be specified inside parentheses (Robert Haas, Emmanuel Cecchet)
This allows greater flexibility for future COPY options. The old syntax is still supported, but only for pre-existing options.
(9.0.0) Allow EXPLAIN to output in XML, JSON, or YAML format (Robert Haas, Greg Sabino Mullane)
The new output formats are easily machine-readable, supporting the development of new tools for analysis of EXPLAIN output.
(9.0.0) Add new BUFFERS option to report query buffer usage during EXPLAIN ANALYZE (Itagaki Takahiro)
This allows better query profiling for individual queries. Buffer usage is no longer reported in the output for log_statement_stats and related settings.
(9.0.0) Add hash usage information to EXPLAIN output (Robert Haas)
(9.0.0) Add new EXPLAIN syntax that allows options to be specified inside parentheses (Robert Haas)
This allows greater flexibility for future EXPLAIN options. The old syntax is still supported, but only for pre-existing options.
(9.0.0) Change VACUUM FULL to rewrite the entire table and rebuild its indexes, rather than moving individual rows around to compact space (Itagaki Takahiro, Tom Lane)
The previous method was usually slower and caused index bloat. Note that the new method will use more disk space transiently during VACUUM FULL; potentially as much as twice the space normally occupied by the table and its indexes.
(9.0.0) Add new VACUUM syntax that allows options to be specified inside parentheses (Itagaki Takahiro)
This allows greater flexibility for future VACUUM options. The old syntax is still supported, but only for pre-existing options.
(9.0.0) Allow an index to be named automatically by omitting the index name in CREATE INDEX (Tom Lane)
(9.0.0) By default, multicolumn indexes are now named after all their columns; and index expression columns are now named based on their expressions (Tom Lane)
(9.0.0) Reindexing shared system catalogs is now fully transactional and crash-safe (Tom Lane)
Formerly, reindexing a shared index was only allowed in standalone mode, and a crash during the operation could leave the index in worse condition than it was before.
(9.0.0) Add point_ops operator class for GiST (Teodor Sigaev)
This feature permits GiST indexing of point columns. The index can be used for several types of queries such as point <@ polygon (point is in polygon). This should make many PostGIS queries faster.
(9.0.0) Use red-black binary trees for GIN index creation (Teodor Sigaev)
Red-black trees are self-balancing. This avoids slowdowns in cases where the input is in nonrandom order.
(9.0.0) Allow bytea values to be written in hex notation (Peter Eisentraut)
The server parameter bytea_output controls whether hex or traditional
format is used for bytea output. Libpq's
PQescapeByteaConn()
function
automatically uses the hex format when connected to PostgreSQL 9.0 or newer servers. However,
pre-9.0 libpq versions will not correctly process hex format from
newer servers.
The new hex format will be directly compatible with more applications that use binary data, allowing them to store and retrieve it without extra conversion. It is also significantly faster to read and write than the traditional format.
(9.0.0) Allow server parameter extra_float_digits to be increased to 3 (Tom Lane)
The previous maximum extra_float_digits setting was 2. There are cases where 3 digits are needed to dump and restore float4 values exactly. pg_dump will now use the setting of 3 when dumping from a server that allows it.
(9.0.0) Tighten input checking for int2vector values (Caleb Welton)
(9.0.0) Add prefix support in synonym dictionaries (Teodor Sigaev)
(9.0.0) Add filtering dictionaries (Teodor Sigaev)
Filtering dictionaries allow tokens to be modified then passed to subsequent dictionaries.
(9.0.0) Allow underscores in email-address tokens (Teodor Sigaev)
(9.0.0) Use more standards-compliant rules for parsing URL tokens (Tom Lane)
(9.0.0) Allow function calls to supply parameter names and match them to named parameters in the function definition (Pavel Stehule)
For example, if a function is defined to take parameters a and b, it can be called with func(a := 7, b := 12) or func(b := 12, a := 7).
(9.0.0) Support locale-specific regular expression processing with UTF-8 server encoding (Tom Lane)
Locale-specific regular expression functionality includes case-insensitive matching and locale-specific character classes. Previously, these features worked correctly for non-ASCII characters only if the database used a single-byte server encoding (such as LATIN1). They will still misbehave in multi-byte encodings other than UTF-8.
(9.0.0) Add support for scientific notation in to_char()
(EEEE
specification) (Pavel Stehule, Brendan Jurd)
(9.0.0) Make to_char()
honor
FM (fill mode) in Y, YY, and YYY specifications
(Bruce Momjian, Tom Lane)
It was already honored by YYYY.
(9.0.0) Fix to_char()
to output localized
numeric and monetary strings in the correct encoding on
Windows (Hiroshi Inoue, Itagaki
Takahiro, Bruce Momjian)
(9.0.0) Correct calculations of "overlaps" and "contains" operations for polygons (Teodor Sigaev)
The polygon && (overlaps) operator formerly just checked to see if the two polygons' bounding boxes overlapped. It now does a more correct check. The polygon @> and <@ (contains/contained by) operators formerly checked to see if one polygon's vertexes were all contained in the other; this can wrongly report "true" for some non-convex polygons. Now they check that all line segments of one polygon are contained in the other.
(9.0.0) Allow aggregate functions to use ORDER BY (Andrew Gierth)
For example, this is now supported: array_agg(a ORDER BY b). This is useful with aggregates for which the order of input values is significant, and eliminates the need to use a nonstandard subquery to determine the ordering.
(9.0.0) Multi-argument aggregate functions can now use DISTINCT (Andrew Gierth)
(9.0.0) Add the string_agg()
aggregate function to combine
values into a single string (Pavel Stehule)
(9.0.0) Aggregate functions that are called with DISTINCT are now passed NULL values if the aggregate transition function is not marked as STRICT (Andrew Gierth)
For example, agg (DISTINCT x) might pass
a NULL x value to agg()
. This is more consistent with the behavior
in non-DISTINCT cases.
(9.0.0) Add
get_bit()
and set_bit()
functions for bit strings, mirroring those
for bytea (Leonardo F)
(9.0.0) Implement OVERLAY()
(replace) for bit strings and bytea (Leonardo
F)
(9.0.0) Add pg_table_size()
and pg_indexes_size()
to provide a more user-friendly
interface to the pg_relation_size()
function (Bernd Helmle)
(9.0.0) Add has_sequence_privilege()
for sequence
permission checking (Abhijit Menon-Sen)
(9.0.0) Update the information_schema views to conform to SQL:2008 (Peter Eisentraut)
(9.0.0) Make the information_schema views correctly display maximum octet lengths for char and varchar columns (Peter Eisentraut)
(9.0.0) Speed up information_schema privilege views (Joachim Wieland)
(9.0.0) Support execution of anonymous code blocks using the DO statement (Petr Jelinek, Joshua Tolley, Hannu Valtonen)
This allows execution of server-side code without the need to create and delete a temporary function definition. Code can be executed in any language for which the user has permissions to define a function.
(9.0.0) Implement SQL-standard-compliant per-column triggers (Itagaki Takahiro)
Such triggers are fired only when the specified column(s) are affected by the query, e.g. appear in an UPDATE's SET list.
(9.0.0) Add the WHEN clause to CREATE TRIGGER to allow control over whether a trigger is fired (Itagaki Takahiro)
While the same type of check can always be performed inside the trigger, doing it in an external WHEN clause can have performance benefits.
(9.0.0) Add the OR REPLACE clause to CREATE LANGUAGE (Tom Lane)
This is helpful to optionally install a language if it does not already exist, and is particularly helpful now that PL/pgSQL is installed by default.
(9.0.0) Install PL/pgSQL by default (Bruce Momjian)
The language can still be removed from a particular database if the administrator has security or performance concerns about making it available.
(9.0.0) Improve handling of cases where PL/pgSQL variable names conflict with identifiers used in queries within a function (Tom Lane)
The default behavior is now to throw an error when there is a conflict, so as to avoid surprising behaviors. This can be modified, via the configuration parameter plpgsql.variable_conflict or the per-function option #variable_conflict, to allow either the variable or the query-supplied column to be used. In any case PL/pgSQL will no longer attempt to substitute variables in places where they would not be syntactically valid.
(9.0.0) Make PL/pgSQL use the main lexer, rather than its own version (Tom Lane)
This ensures accurate tracking of the main system's behavior for details such as string escaping. Some user-visible details, such as the set of keywords considered reserved in PL/pgSQL, have changed in consequence.
(9.0.0) Avoid throwing an unnecessary error for an invalid record reference (Tom Lane)
An error is now thrown only if the reference is actually fetched, rather than whenever the enclosing expression is reached. For example, many people have tried to do this in triggers:
if TG_OP = 'INSERT' and NEW.col1 = ... then
This will now actually work as expected.
(9.0.0) Improve PL/pgSQL's ability to handle row types with dropped columns (Pavel Stehule)
(9.0.0) Allow input parameters to be assigned values within PL/pgSQL functions (Steve Prentice)
Formerly, input parameters were treated as being declared CONST, so the function's code could not change their values. This restriction has been removed to simplify porting of functions from other DBMSes that do not impose the equivalent restriction. An input parameter now acts like a local variable initialized to the passed-in value.
(9.0.0) Improve error location reporting in PL/pgSQL (Tom Lane)
(9.0.0) Add count and ALL options to MOVE FORWARD/BACKWARD in PL/pgSQL (Pavel Stehule)
(9.0.0) Allow PL/pgSQL's WHERE CURRENT OF to use a cursor variable (Tom Lane)
(9.0.0) Allow PL/pgSQL's OPEN cursor FOR EXECUTE to use parameters (Pavel Stehule, Itagaki Takahiro)
This is accomplished with a new USING clause.
(9.0.0) Add new PL/Perl functions: quote_literal()
, quote_nullable()
, quote_ident()
, encode_bytea()
, decode_bytea()
, looks_like_number()
, encode_array_literal()
, encode_array_constructor()
(Tim Bunce)
(9.0.0) Add server parameter plperl.on_init to specify a PL/Perl initialization function (Tim Bunce)
plperl.on_plperl_init and plperl.on_plperlu_init are also available for initialization that is specific to the trusted or untrusted language respectively.
(9.0.0) Support END blocks in PL/Perl (Tim Bunce)
END blocks do not currently allow database access.
(9.0.0) Allow use strict in PL/Perl (Tim Bunce)
Perl strict checks can also be globally enabled with the new server parameter plperl.use_strict.
(9.0.0) Allow require in PL/Perl (Tim Bunce)
This basically tests to see if the module is loaded, and if not, generates an error. It will not allow loading of modules that the administrator has not preloaded via the initialization parameters.
(9.0.0) Allow use feature in PL/Perl if Perl version 5.10 or later is used (Tim Bunce)
(9.0.0) Verify that PL/Perl return values are valid in the server encoding (Andrew Dunstan)
(9.0.0) Add Unicode support in PL/Python (Peter Eisentraut)
Strings are automatically converted from/to the server encoding as necessary.
(9.0.0) Improve bytea support in PL/Python (Caleb Welton)
Bytea values passed into PL/Python are now represented as binary, rather than the PostgreSQL bytea text format. Bytea values containing null bytes are now also output properly from PL/Python. Passing of boolean, integer, and float values was also improved.
(9.0.0) Support arrays as parameters and return values in PL/Python (Peter Eisentraut)
(9.0.0) Improve mapping of SQL domains to Python types (Peter Eisentraut)
(9.0.0) Add Python 3 support to PL/Python (Peter Eisentraut)
The new server-side language is called plpython3u. This cannot be used in the same session with the Python 2 server-side language.
(9.0.0) Improve error location and exception reporting in PL/Python (Peter Eisentraut)
(9.0.0) Add an --analyze-only option to vacuumdb, to analyze without vacuuming (Bruce Momjian)
(9.0.0) Add support for quoting/escaping the values of psql variables as SQL strings or identifiers (Pavel Stehule, Robert Haas)
For example, :'var' will produce the value of var quoted and properly escaped as a literal string, while :"var" will produce its value quoted and escaped as an identifier.
(9.0.0) Ignore a leading UTF-8-encoded Unicode byte-order marker in script files read by psql (Itagaki Takahiro)
This is enabled when the client encoding is UTF-8. It improves compatibility with certain editors, mostly on Windows, that insist on inserting such markers.
(9.0.0) Fix psql --file - to properly honor --single-transaction (Bruce Momjian)
(9.0.0) Avoid overwriting of psql's command-line history when two psql sessions are run concurrently (Tom Lane)
(9.0.0) Improve psql's tab completion support (Itagaki Takahiro)
(9.0.0) Show \timing output when it is enabled, regardless of "quiet" mode (Peter Eisentraut)
(9.0.0) Improve display of wrapped columns in psql (Roger Leigh)
This behavior is now the default. The previous formatting is available by using \pset linestyle old-ascii.
(9.0.0) Allow psql to use fancy Unicode line-drawing characters via \pset linestyle unicode (Roger Leigh)
(9.0.0) Make \d show child tables that inherit from the specified parent (Damien Clochard)
\d shows only the number of child tables, while \d+ shows the names of all child tables.
(9.0.0) Show definitions of index columns in \d index_name (Khee Chin)
The definition is useful for expression indexes.
(9.0.0) Show a view's defining query only in \d+, not in \d (Peter Eisentraut)
Always including the query was deemed overly verbose.
(9.0.0) Make pg_dump/pg_restore --clean also remove large objects (Itagaki Takahiro)
(9.0.0) Fix pg_dump to properly dump large objects when standard_conforming_strings is enabled (Tom Lane)
The previous coding could fail when dumping to an archive file and then generating script output from pg_restore.
(9.0.0) pg_restore now emits large-object data in hex format when generating script output (Tom Lane)
This could cause compatibility problems if the script is then loaded into a pre-9.0 server. To work around that, restore directly to the server, instead.
(9.0.0) Allow pg_dump to dump comments attached to columns of composite types (Taro Minowa (Higepon))
(9.0.0) Make pg_dump --verbose output the pg_dump and server versions in text output mode (Jim Cox, Tom Lane)
These were already provided in custom output mode.
(9.0.0) pg_restore now complains if any command-line arguments remain after the switches and optional file name (Tom Lane)
Previously, it silently ignored any such arguments.
(9.0.0) Allow pg_ctl to be used safely to start the postmaster during a system reboot (Tom Lane)
Previously, pg_ctl's parent process could have been mistakenly identified as a running postmaster based on a stale postmaster lock file, resulting in a transient failure to start the database.
(9.0.0) Give pg_ctl the ability to initialize the database (by invoking initdb) (Zdenek Kotala)
(9.0.0) Add new libpq functions
PQconnectdbParams()
and PQconnectStartParams()
(Guillaume Lelarge)
These functions are similar to PQconnectdb()
and PQconnectStart()
except that they accept a
null-terminated array of connection options, rather than requiring
all options to be provided in a single string.
(9.0.0) Add libpq functions PQescapeLiteral()
and PQescapeIdentifier()
(Robert Haas)
These functions return appropriately quoted and escaped SQL
string literals and identifiers. The caller is not required to
pre-allocate the string result, as is required by PQescapeStringConn()
.
(9.0.0) Add support for a per-user service file (.pg_service.conf), which is checked before the site-wide service file (Peter Eisentraut)
(9.0.0) Properly report an error if the specified libpq service cannot be found (Peter Eisentraut)
(9.0.0) Add TCP keepalive settings in libpq (Tollef Fog Heen, Fujii Masao, Robert Haas)
Keepalive settings were already supported on the server end of TCP connections.
(9.0.0) Avoid extra system calls to block and unblock SIGPIPE in libpq, on platforms that offer alternative methods (Jeremy Kerr)
(9.0.0) When a .pgpass-supplied password fails, mention where the password came from in the error message (Bruce Momjian)
(9.0.0) Load all SSL certificates given in the client certificate file (Tom Lane)
This improves support for indirectly-signed SSL certificates.
(9.0.0) Add SQLDA (SQL Descriptor Area) support to ecpg (Boszormenyi Zoltan)
(9.0.0) Add the DESCRIBE [ OUTPUT ] statement to ecpg (Boszormenyi Zoltan)
(9.0.0) Add an ECPGtransactionStatus function to return the current transaction status (Bernd Helmle)
(9.0.0) Add the string data type in ecpg Informix-compatibility mode (Boszormenyi Zoltan)
(9.0.0) Allow ecpg to use new and old variable names without restriction (Michael Meskes)
(9.0.0) Allow ecpg to use variable
names in free()
(Michael Meskes)
(9.0.0) Make ecpg_dynamic_type()
return
zero for non-SQL3 data types (Michael Meskes)
Previously it returned the negative of the data type OID. This could be confused with valid type OIDs, however.
(9.0.0) Support long long types on platforms that already have 64-bit long (Michael Meskes)
(9.0.0) Add out-of-scope cursor support in ecpg's native mode (Boszormenyi Zoltan)
This allows DECLARE to use variables that are not in scope when OPEN is called. This facility already existed in ecpg's Informix-compatibility mode.
(9.0.0) Allow dynamic cursor names in ecpg (Boszormenyi Zoltan)
(9.0.0) Allow ecpg to use noise words FROM and IN in FETCH and MOVE (Boszormenyi Zoltan)
(9.0.0) Enable client thread safety by default (Bruce Momjian)
The thread-safety option can be disabled with configure --disable-thread-safety.
(9.0.0) Add support for controlling the Linux out-of-memory killer (Alex Hunsaker, Tom Lane)
Now that /proc/self/oom_adj allows disabling of the Linux out-of-memory (OOM) killer, it's recommendable to disable OOM kills for the postmaster. It may then be desirable to re-enable OOM kills for the postmaster's child processes. The new compile-time option LINUX_OOM_ADJ allows the killer to be reactivated for child processes.
(9.0.0) New Makefile targets world, install-world, and installcheck-world (Andrew Dunstan)
These are similar to the existing all, install, and installcheck targets, but they also build the HTML documentation, build and test contrib, and test server-side languages and ecpg.
(9.0.0) Add data and documentation installation location control to PGXS Makefiles (Mark Cave-Ayland)
(9.0.0) Add Makefile rules to build the PostgreSQL documentation as a single HTML file or as a single plain-text file (Peter Eisentraut, Bruce Momjian)
(9.0.0) Support compiling on 64-bit Windows and running in 64-bit mode (Tsutomu Yamada, Magnus Hagander)
This allows for large shared memory sizes on Windows.
(9.0.0) Support server builds using Visual Studio 2008 (Magnus Hagander)
(9.0.0) Distribute prebuilt documentation in a subdirectory tree, rather than as tar archive files inside the distribution tarball (Peter Eisentraut)
For example, the prebuilt HTML documentation is now in doc/src/sgml/html/; the manual pages are packaged similarly.
(9.0.0) Make the server's lexer reentrant (Tom Lane)
This was needed for use of the lexer by PL/pgSQL.
(9.0.0) Improve speed of memory allocation (Tom Lane, Greg Stark)
(9.0.0) User-defined constraint triggers now have entries in pg_constraint as well as pg_trigger (Tom Lane)
Because of this change, pg_constraint.pgconstrname is now redundant and has been removed.
(9.0.0) Add system catalog columns pg_constraint.conindid and pg_trigger.tgconstrindid to better document the use of indexes for constraint enforcement (Tom Lane)
(9.0.0) Allow multiple conditions to be communicated to backends using a single operating system signal (Fujii Masao)
This allows new features to be added without a platform-specific constraint on the number of signal conditions.
(9.0.0) Improve source code test coverage, including contrib, PL/Python, and PL/Perl (Peter Eisentraut, Andrew Dunstan)
(9.0.0) Remove the use of flat files for system table bootstrapping (Tom Lane, Álvaro Herrera)
This improves performance when using many roles or databases, and eliminates some possible failure conditions.
(9.0.0) Automatically generate the initial contents of pg_attribute for "bootstrapped" catalogs (John Naylor)
This greatly simplifies changes to these catalogs.
(9.0.0) Split the processing of INSERT/UPDATE/DELETE operations out of execMain.c (Marko Tiikkaja)
Updates are now executed in a separate ModifyTable node. This change is necessary infrastructure for future improvements.
(9.0.0) Simplify translation of psql's SQL help text (Peter Eisentraut)
(9.0.0) Reduce the lengths of some file names so that all file paths in the distribution tarball are less than 100 characters (Tom Lane)
Some decompression programs have problems with longer file paths.
(9.0.0) Add a new ERRCODE_INVALID_PASSWORD SQLSTATE error code (Bruce Momjian)
(9.0.0) With authors' permissions, remove the few remaining personal source code copyright notices (Bruce Momjian)
The personal copyright notices were insignificant but the community occasionally had to answer questions about them.
(9.0.0) Add new documentation section about running PostgreSQL in non-durable mode to improve performance (Bruce Momjian)
(9.0.0) Restructure the HTML documentation Makefile rules to make their dependency checks work correctly, avoiding unnecessary rebuilds (Peter Eisentraut)
(9.0.0) Use DocBook XSL stylesheets for man page building, rather than Docbook2X (Peter Eisentraut)
This changes the set of tools needed to build the man pages.
(9.0.0) Improve PL/Perl code structure (Tim Bunce)
(9.0.0) Improve error context reports in PL/Perl (Alexey Klyukin)
Note that these requirements do not apply when building from a distribution tarball, since tarballs include the files that these programs are used to build.
(9.0.0) Require Autoconf 2.63 to build configure (Peter Eisentraut)
(9.0.0) Require Flex 2.5.31 or later to build from a CVS checkout (Tom Lane)
(9.0.0) Require Perl version 5.8 or later to build from a CVS checkout (John Naylor, Andrew Dunstan)
(9.0.0) Use a more modern API for Bonjour (Tom Lane)
Bonjour support now requires OS X 10.3 or later. The older API has been deprecated by Apple.
(9.0.0) Add spinlock support for the SuperH architecture (Nobuhiro Iwamatsu)
(9.0.0) Allow non-GCC compilers to use inline functions if they support them (Kurt Harriman)
(9.0.0) Remove support for platforms that don't have a working 64-bit integer data type (Tom Lane)
(9.0.0) Restructure use of LDFLAGS to be more consistent across platforms (Tom Lane)
LDFLAGS is now used for linking both executables and shared libraries, and we add on LDFLAGS_EX when linking executables, or LDFLAGS_SL when linking shared libraries.
(9.0.0) Make backend header files safe to include in C++ (Kurt Harriman, Peter Eisentraut)
These changes remove keyword conflicts that previously made C++ usage difficult in backend code. However, there are still other complexities when using C++ for backend functions. extern "C" { } is still necessary in appropriate places, and memory management and error handling are still problematic.
(9.0.0) Add AggCheckCallContext()
for use in detecting if
a C function is being called as an
aggregate (Hitoshi Harada)
(9.0.0) Change calling convention for SearchSysCache()
and related functions to avoid
hard-wiring the maximum number of cache keys (Robert Haas)
Existing calls will still work for the moment, but can be expected to break in 9.1 or later if not converted to the new style.
(9.0.0) Require calls of fastgetattr()
and
heap_getattr()
backend macros to
provide a non-NULL fourth argument (Robert Haas)
(9.0.0) Custom typanalyze functions should no longer rely on VacAttrStats.attr to determine the type of data they will be passed (Tom Lane)
This was changed to allow collection of statistics on index columns for which the storage type is different from the underlying column data type. There are new fields that tell the actual datatype being analyzed.
(9.0.0) Add parser hooks for processing ColumnRef and ParamRef nodes (Tom Lane)
(9.0.0) Add a ProcessUtility hook so loadable modules can control utility commands (Itagaki Takahiro)
(9.0.0) Add contrib/pg_upgrade to support in-place upgrades (Bruce Momjian)
This avoids the requirement of dumping/reloading the database when upgrading to a new major release of PostgreSQL, thus reducing downtime by orders of magnitude. It supports upgrades to 9.0 from PostgreSQL 8.3 and 8.4.
(9.0.0) Add support for preserving relation relfilenode values during binary upgrades (Bruce Momjian)
(9.0.0) Add support for preserving pg_type and pg_enum OIDs during binary upgrades (Bruce Momjian)
(9.0.0) Move data files within tablespaces into PostgreSQL-version-specific subdirectories (Bruce Momjian)
This simplifies binary upgrades.
(9.0.0) Add multithreading option (-j) to contrib/pgbench (Itagaki Takahiro)
This allows multiple CPUs to be used by pgbench, reducing the risk of pgbench itself becoming the test bottleneck.
(9.0.0) Add \shell and \setshell meta commands to contrib/pgbench (Michael Paquier)
(9.0.0) New features for contrib/dict_xsyn (Sergey Karpov)
The new options are matchorig, matchsynonyms, and keepsynonyms.
(9.0.0) Add full text dictionary contrib/unaccent (Teodor Sigaev)
This filtering dictionary removes accents from letters, which makes full-text searches over multiple languages much easier.
(9.0.0) Add dblink_get_notify()
to contrib/dblink (Marcus Kempe)
This allows asynchronous notifications in dblink.
(9.0.0) Improve contrib/dblink's handling of dropped columns (Tom Lane)
This affects dblink_build_sql_insert()
and related
functions. These functions now number columns according to logical
not physical column numbers.
(9.0.0) Greatly increase contrib/hstore's data length limit, and add B-tree and hash support so GROUP BY and DISTINCT operations are possible on hstore columns (Andrew Gierth)
New functions and operators were also added. These improvements make hstore a full-function key-value store embedded in PostgreSQL.
(9.0.0) Add contrib/passwordcheck to support site-specific password strength policies (Laurenz Albe)
The source code of this module should be modified to implement site-specific password policies.
(9.0.0) Add contrib/pg_archivecleanup tool (Simon Riggs)
This is designed to be used in the archive_cleanup_command server parameter, to remove no-longer-needed archive files.
(9.0.0) Add query text to contrib/auto_explain output (Andrew Dunstan)
(9.0.0) Add buffer access counters to contrib/pg_stat_statements (Itagaki Takahiro)
(9.0.0) Update contrib/start-scripts/linux to use /proc/self/oom_adj to disable the Linux out-of-memory (OOM) killer (Alex Hunsaker, Tom Lane)
Release date: 2014-07-24
This release contains a variety of fixes from 8.4.21. For information about new features in the 8.4 major release, see Version 8.4.0.
This is expected to be the last PostgreSQL release in the 8.4.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.4.X.
However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so.
Also, if you are upgrading from a version earlier than 8.4.19, see Version 8.4.19.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix possibly-incorrect cache invalidation during nested calls to
ReceiveSharedInvalidMessages
(Andres
Freund)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix failure to detoast fields in composite elements of structured types (Tom Lane)
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes (Tom Lane)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix data encoding error in hungarian.stop (Tom Lane)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix REASSIGN OWNED to not fail for text search objects (Ãlvaro Herrera)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Block signals during postmaster startup (Tom Lane)
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted inCVE-2014-0067 or CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file (Amit Kapila)
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Properly quote executable path names on Windows (Nikhil Deshpande)
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.
(8.4.22,9.0.18) Fix linking of libpython on OS X (Tom Lane)
The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)
libpq could be coerced into
enlarging its input buffer until it runs out of memory (which would
be reported misleadingly as "lost
synchronization with server"). Under ordinary circumstances
it's quite far-fetched that data could be continuously transmitted
more quickly than the recv()
loop can
absorb it, but this has been observed when the client is
artificially slowed by scheduler constraints.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Fix pg_restore's processing of old-style large object comments (Tom Lane)
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
(8.4.22,9.3.5,9.2.9,9.1.14,9.0.18) Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.
Release date: 2014-03-20
This release contains a variety of fixes from 8.4.20. For information about new features in the 8.4 major release, see Version 8.4.0.
The PostgreSQL community will stop releasing updates for the 8.4.X release series in July 2014. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.19, see Version 8.4.19.
(8.4.21,9.3.4,9.2.8,9.1.13,9.0.17) Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.
(8.4.21,9.3.4,9.2.8,9.1.13,9.0.17) Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time.
(8.4.21,9.3.4,9.2.8,9.1.13,9.0.17) Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.
(8.4.21,9.3.4,9.2.8,9.1.13,9.0.17) Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.
(8.4.21,9.3.4,9.2.8,9.1.13,9.0.17) Prevent interrupts while reporting non-ERROR messages (Tom Lane)
This guards against rare server-process freezeups due to
recursive entry to syslog()
, and
perhaps other related problems.
(8.4.21,9.3.4,9.2.8,9.1.13,9.0.17) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.
Release date: 2014-02-20
This release contains a variety of fixes from 8.4.19. For information about new features in the 8.4 major release, see Version 8.4.0.
The PostgreSQL community will stop releasing updates for the 8.4.X release series in July 2014. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.19, see Version 8.4.19.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. CVE-2014-0060 or CVE-2014-0060)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. CVE-2014-0061 or CVE-2014-0061)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. CVE-2014-0062 or CVE-2014-0062)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN constant was too small
for the longest possible value of type interval, allowing a buffer overrun in interval_out()
. Although the datetime input
functions were more careful about avoiding buffer overrun, the
limit was short enough to cause them to reject some valid inputs,
such as input containing a very long timezone name. The
ecpg library contained these
vulnerabilities along with some of its own. CVE-2014-0063 or CVE-2014-0063)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. CVE-2014-0064 or CVE-2014-0064)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
Use strlcpy()
and related
functions to provide a clear guarantee that fixed-size buffers are
not overrun. Unlike the preceding items, it is unclear whether
these cases really represent live issues, since in most cases there
appear to be previous constraints on the size of the input string.
Nonetheless it seems prudent to silence all Coverity warnings of
this type. CVE-2014-0065 or CVE-2014-0065)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Avoid crashing if crypt()
returns
NULL (Honza Horak, Bruce Momjian)
There are relatively few scenarios in which crypt()
could return NULL, but contrib/chkpass would crash if it did. One
practical case in which this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., "FIPS
mode"). CVE-2014-0066 or CVE-2014-0066)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. CVE-2014-0067 or CVE-2014-0067)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant "bloat" of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a partial-page write during a system crash.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix possible crashes from using ereport()
too early during server startup (Tom
Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Ensure that ANALYZE creates statistics for a table column even when all the values in it are "too wide" (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix possible misbehavior in plainto_tsquery()
(Heikki Linnakangas)
Use memmove()
not memcpy()
for copying overlapping memory regions.
There have been no field reports of this actually causing trouble,
but it's certainly risky.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix misbehavior of PQhost()
on
Windows (Fujii Masao)
It should return localhost if no host has been specified.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix misaligned descriptors in ecpg (MauMau)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Ensure client-code-only installation procedure works as documented (Peter Eisentraut)
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.
(8.4.20,9.3.3,9.2.7,9.1.12,9.0.16) Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.
Release date: 2013-12-05
This release contains a variety of fixes from 8.4.18. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, this release corrects a potential data corruption issue. See the first changelog entry below to find out whether your installation has been affected and what steps you can take if so.
Also, if you are upgrading from a version earlier than 8.4.17, see Version 8.4.17.
(8.4.19) Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)
In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from release 8.4.8 or earlier are not affected, but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)
This could lead to transient wrong answers or query failures.
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)
This avoids unexpected results due to extra evaluations of the volatile function.
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)
This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix premature deletion of temporary files (Andres Freund)
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix possible read past end of memory in rule printing (Peter Eisentraut)
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix array slicing of int2vector and oidvector values (Tom Lane)
Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)
In some cases, the system would use the simple GMT offset value
when it should have used the regular timezone setting that had
prevailed before the simple offset was selected. This change also
causes the timeofday
function to
honor the simple GMT offset zone.
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)
This fix applies only to Windows.
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)
Previously, the generated script would fail during restore.
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)
(8.4.19,9.3.2,9.2.6,9.1.11,9.0.15) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.
Release date: 2013-10-10
This release contains a variety of fixes from 8.4.17. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.17, see Version 8.4.17.
(8.4.18,9.2.5,9.1.10,9.0.14) Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan)
PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding.
(8.4.18,9.3.1,9.2.5,9.1.10,9.0.14) Fix memory leak caused by lo_open()
failure (Heikki Linnakangas)
(8.4.18,9.2.5,9.1.10,9.0.14) Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost)
(8.4.18,9.3.1,9.2.5,9.1.10,9.0.14) Fix deadlock bug in libpq when using SSL (Stephen Frost)
(8.4.18,9.2.5,9.1.10,9.0.14) Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth)
Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs.
(8.4.18,9.2.5,9.1.10,9.0.14) Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane)
Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results.
(8.4.18,9.2.5,9.1.10,9.0.14) Fix rare case of "failed to locate grouping columns" planner failure (Tom Lane)
(8.4.18,9.2.5,9.1.10,9.0.14) Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane)
(8.4.18,9.2.5,9.1.10,9.0.14) Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane)
(8.4.18,9.2.5,9.1.10,9.0.14) Fix regexp_matches()
handling of
zero-length matches (Jeevan Chalke)
Previously, zero-length matches like '^' could return too many matches.
(8.4.18,9.2.5,9.1.10,9.0.14) Fix crash for overly-complex regular expressions (Heikki Linnakangas)
(8.4.18,9.2.5,9.1.10,9.0.14) Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke)
(8.4.18,9.3.1,9.2.5,9.1.10,9.0.14) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)
(8.4.18,9.2.5,9.1.10,9.0.14) Fix pgp_pub_decrypt()
so it works
for secret keys with passwords (Marko Kreen)
(8.4.18,9.3.1,9.2.5,9.1.10,9.0.14) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)
(8.4.18,9.2.5,9.1.10) Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane)
(8.4.18,9.2.5,9.1.10,9.0.14) Ensure that floating-point data input accepts standard spellings of "infinity" on all platforms (Tom Lane)
The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity.
Make sure we recognize these even if the platform's strtod
function doesn't.
(8.4.18,9.2.5,9.1.10,9.0.14) Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane)
(8.4.18,9.2.5,9.1.10,9.0.14) Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island.
Release date: 2013-04-04
This release contains a variety of fixes from 8.4.16. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below.
Also, if you are upgrading from a version earlier than 8.4.10, see Version 8.4.10.
(8.4.17,9.2.4,9.1.9,9.0.13) Reset OpenSSL randomness state in each postmaster child process (Marko Kreen)
This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. CVE-2013-1900 or CVE-2013-1900)
(8.4.17,9.2.4,9.1.9,9.0.13) Fix GiST indexes to not use "fuzzy" geometric comparisons when it's not appropriate to do so (Alexander Korotkov)
The core geometric types perform comparisons using "fuzzy" equality, but gist_box_same
must do exact comparisons, else
GiST indexes using it might become inconsistent. After installing
this update, users should REINDEX any GiST
indexes on box, polygon, circle, or point columns, since all of these use gist_box_same
.
(8.4.17,9.2.4,9.1.9,9.0.13) Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.
(8.4.17,9.2.4,9.1.9,9.0.13) Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.
(8.4.17,9.2.4,9.1.9,9.0.13) Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)
(8.4.17,9.2.4,9.1.9,9.0.13) Fix potential null-pointer dereference in regular expression compilation (Tom Lane)
(8.4.17,9.2.4,9.1.9,9.0.13) Fix to_char()
to use ASCII-only
case-folding rules where appropriate (Tom Lane)
This fixes misbehavior of some template patterns that should be locale-independent, but mishandled "I" and "i" in Turkish locales.
(8.4.17,9.2.4,9.1.9,9.0.13) Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)
(8.4.17,9.2.4,9.1.9,9.0.13) Remove useless "picksplit doesn't support secondary split" log messages (Josh Hansen, Tom Lane)
This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.
(8.4.17,9.2.4,9.1.9,9.0.13) Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)
(8.4.17,9.2.4,9.1.9,9.0.13) Eliminate memory leaks in PL/Perl's spi_prepare()
function (Alex Hunsaker, Tom
Lane)
(8.4.17,9.2.4,9.1.9,9.0.13) Fix pg_dumpall to handle database names containing "=" correctly (Heikki Linnakangas)
(8.4.17,9.2.4,9.1.9,9.0.13) Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas)
(8.4.17) Ignore invalid indexes in pg_dump (Michael Paquier)
Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway.
(8.4.17,9.2.4,9.1.9,9.0.13) Fix contrib/pg_trgm's similarity()
function to return zero for
trigram-less strings (Tom Lane)
Previously it returned NaN due to internal division by zero.
(8.4.17,9.2.4,9.1.9,9.0.13) Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places.
Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.
Release date: 2013-02-07
This release contains a variety of fixes from 8.4.15. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.10, see Version 8.4.10.
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Prevent execution of enum_recv
from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. CVE-2013-0255 or CVE-2013-0255)
(8.4.16,9.2.3,9.1.8,9.0.12) Update minimum recovery point when truncating a relation file (Heikki Linnakangas)
Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Prevent DROP OWNED from trying to drop whole databases or tablespaces (Ãlvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.
(8.4.16,9.2.3,9.1.8,9.0.12) Fix error in vacuum_freeze_table_age implementation (Andres Freund)
In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead.
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)
(8.4.16,9.2.3,9.1.8,9.0.12) Reject out-of-range dates in to_date()
(Hitoshi Harada)
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)
This bug affected psql and some other client programs.
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Fix one-byte buffer overrun in libpq's PQprintTuples
(Xi Wang)
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
(8.4.16,9.2.3,9.1.8,9.0.12) Make ecpglib use translated messages properly (Chen Huajun)
(8.4.16,9.2.3,9.1.8,9.0.12) Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing)
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Ensure Windows build number increases over time (Magnus Hagander)
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)
(8.4.16,9.2.3,9.1.8,9.0.12,8.3.23) Add new timezone abbreviation FET (Tom Lane)
This is now used in some eastern-European time zones.
Release date: 2012-12-06
This release contains a variety of fixes from 8.4.14. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.10, see Version 8.4.10.
(8.4.15,9.1.7,9.0.11,8.3.22) Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane)
Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Avoid corruption of internal hash tables when out of memory (Hitoshi Harada)
(8.4.15,9.1.7,9.0.11,8.3.22) Fix planning of non-strict equivalence clauses above outer joins (Tom Lane)
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane)
This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.
(8.4.15,9.0.11,8.3.22) Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund)
In very unusual circumstances, this oversight could result in passing incorrect data to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.
(8.4.15,9.2.2,9.1.7,9.0.11) Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee)
This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix REASSIGN OWNED to handle grants on tablespaces (Ãlvaro Herrera)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane)
Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix possible access past end of string in date parsing (Hitoshi Harada)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan)
Formerly, this would result in something quite unhelpful, such as "Non-recoverable failure in name resolution".
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix memory leaks when sending composite column values to the client (Tom Lane)
(8.4.15,9.1.7,9.0.11,8.3.22) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas)
Fix race conditions and possible file descriptor leakage.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane)
The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane)
The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane)
This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix libpq's lo_import()
and lo_export()
functions to report file I/O errors
properly (Tom Lane)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane)
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Fix pgxs support for building loadable modules on AIX (Tom Lane)
Building modules outside the original source tree didn't work on AIX.
(8.4.15,9.2.2,9.1.7,9.0.11,8.3.22) Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.
Release date: 2012-09-24
This release contains a variety of fixes from 8.4.13. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.10, see Version 8.4.10.
(8.4.14,9.1.6,9.0.10) Fix planner's assignment of executor parameters, and fix executor's rescan logic for CTE plan nodes (Tom Lane)
These errors could result in wrong answers from queries that scan the same WITH subquery multiple times.
(8.4.14,9.1.6,9.0.10,8.3.21) Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane)
Multi-column GiST indexes might suffer unexpected bloat due to this error.
(8.4.14,9.1.6,9.0.10,8.3.21) Fix cascading privilege revoke to stop if privileges are still held (Tom Lane)
If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to.
(8.4.14,9.1.6,9.0.10,8.3.21) Fix handling of SIGFPE when PL/Perl is in use (Andres Freund)
Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl.
(8.4.14,9.2.1,9.1.6,9.0.10,8.3.21) Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane)
(8.4.14,9.2.1,9.1.6,9.0.10,8.3.21) Work around possible misoptimization in PL/Perl (Tom Lane)
Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error.
(8.4.14,9.2.1,9.1.6,9.0.10,8.3.21) Update time zone data files to tzdata release 2012f for DST law changes in Fiji
Release date: 2012-08-17
This release contains a variety of fixes from 8.4.12. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.10, see Version 8.4.10.
(8.4.13,9.1.5,9.0.9,8.3.20) Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane)
xml_parse()
would attempt to fetch
external files or URLs as needed to resolve DTD and entity
references in an XML value, thus allowing unprivileged database
users to attempt to fetch data with the privileges of the database
server. While the external data wouldn't get returned directly to
the user, portions of it could be exposed in error messages if the
data didn't parse as valid XML; and in any case the mere ability to
check existence of a file might be useful to an attacker.
CVE-2012-3489 or CVE-2012-3489)
(8.4.13,9.1.5,9.0.9,8.3.20) Prevent access to external files/URLs via contrib/xml2's xslt_process()
(Peter Eisentraut)
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. CVE-2012-3488 or CVE-2012-3488)
Also, remove xslt_process()
's
ability to fetch documents and stylesheets from external
files/URLs. While this was a documented "feature", it was long regarded as a bad idea. The
fix forCVE-2012-3489 or CVE-2012-3489 broke that capability, and rather than expend
effort on trying to fix it, we're just going to summarily remove
it.
(8.4.13,9.1.5,9.0.9,8.3.20) Prevent too-early recycling of btree index pages (Noah Misch)
When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed.
(8.4.13,9.1.5,9.0.9,8.3.20) Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane)
If ALTER SEQUENCE was executed on a
freshly created or reset sequence, and then precisely one
nextval()
call was made on it, and
then the server crashed, WAL replay would restore the sequence to a
state in which it appeared that no nextval()
had been done, thus allowing the first
sequence value to be returned again by the next nextval()
call. In particular this could manifest
for serial columns, since creation of a
serial column's sequence includes an ALTER
SEQUENCE OWNED BY step.
(8.4.13,9.1.5,9.0.9,8.3.20) Ensure the backup_label file is
fsync'd after pg_start_backup()
(Dave
Kerr)
(8.4.13,9.0.9,8.3.20) Back-patch 9.1 improvement to compress the fsync request queue (Robert Haas)
This improves performance during checkpoints. The 9.1 change has now seen enough field testing to seem safe to back-patch.
(8.4.13,9.1.5,9.0.9,8.3.20) Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane)
The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period.
(8.4.13,9.1.5,9.0.9,8.3.20) Improve logging of autovacuum cancels (Robert Haas)
(8.4.13,9.1.5,9.0.9,8.3.20) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane)
(8.4.13,9.1.5,9.0.9) Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane)
(8.4.13,9.1.5,9.0.9,8.3.20) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane)
(8.4.13,9.1.5,9.0.9,8.3.20) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane)
This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch.
(8.4.13,9.1.5,9.0.9,8.3.20) Fix memory leak in ARRAY (SELECT ...) subqueries (Heikki Linnakangas, Tom Lane)
(8.4.13,9.1.5,9.0.9,8.3.20) Fix extraction of common prefixes from regular expressions (Tom Lane)
The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns.
(8.4.13,9.1.5,9.0.9) Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane)
(8.4.13,9.1.5,9.0.9,8.3.20) Report errors properly in contrib/xml2's xslt_process()
(Tom Lane)
(8.4.13,9.1.5,9.0.9,8.3.20) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau
Release date: 2012-06-04
This release contains a variety of fixes from 8.4.11. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.10, see Version 8.4.10.
(8.4.12,9.1.4,9.0.8,8.3.19) Fix incorrect password transformation in contrib/pgcrypto's DES crypt()
function (Solar Designer)
If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. CVE-2012-2143 or CVE-2012-2143)
(8.4.12,9.1.4,9.0.8,8.3.19) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane)
Applying such attributes to a call handler could crash the server. CVE-2012-2655 or CVE-2012-2655)
(8.4.12,9.1.4,9.0.8,8.3.19) Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane)
Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload.
(8.4.12,9.1.4,9.0.8,8.3.19) Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane)
This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions.
(8.4.12,9.1.4,9.0.8,8.3.19) Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter)
(8.4.12,9.1.4,9.0.8,8.3.19) Fix memory copying bug in to_tsquery()
(Heikki Linnakangas)
(8.4.12,9.1.4,9.0.8) Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane)
This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with "ERROR: Upper-level PlaceHolderVar found where not expected". But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should.
(8.4.12,9.1.4,9.0.8,8.3.19) Fix slow session startup when pg_attribute is very large (Tom Lane)
If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once.
(8.4.12,9.1.4,9.0.8,8.3.19) Ensure sequential scans check for query cancel reasonably often (Merlin Moncure)
A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile.
(8.4.12,9.1.4,9.0.8,8.3.19) Ensure the Windows implementation of PGSemaphoreLock()
clears ImmediateInterruptOK before returning (Tom Lane)
This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences.
(8.4.12,9.1.4,9.0.8,8.3.19) Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane)
Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast.
(8.4.12,9.1.4,9.0.8) Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane)
A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4.
(8.4.12,9.1.4,9.0.8,8.3.19) Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas)
Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes.
(8.4.12,9.1.4,9.0.8,8.3.19) Fix logging collector to not lose log coherency under high load (Andrew Dunstan)
The collector previously could fail to reassemble large messages if it got too busy.
(8.4.12,9.1.4,9.0.8,8.3.19) Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane)
(8.4.12,9.1.4,9.0.8) Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane)
(8.4.12,9.1.4,9.0.8) Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway)
(8.4.12,9.1.4,9.0.8,8.3.19) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane)
(8.4.12,9.1.4,9.0.8) Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut)
(8.4.12,9.1.4,9.0.8,8.3.19) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane)
pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences.
(8.4.12,9.1.4,9.0.8,8.3.19) Fix contrib/dblink's dblink_exec()
to not leak temporary database
connections upon error (Tom Lane)
(8.4.12,9.1.4,9.0.8) Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi)
(8.4.12,9.1.4,9.0.8,8.3.19) Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.
Release date: 2012-02-27
This release contains a variety of fixes from 8.4.10. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.10, see Version 8.4.10.
(8.4.11,9.1.3,9.0.7,8.3.18) Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)
This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. CVE-2012-0866 or CVE-2012-0866)
(8.4.11,9.1.3,9.0.7) Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas)
Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. CVE-2012-0867 or CVE-2012-0867)
(8.4.11,9.1.3,9.0.7,8.3.18) Convert newlines to spaces in names written in pg_dump comments (Robert Haas)
pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. CVE-2012-0868 or CVE-2012-0868)
(8.4.11,9.1.3,9.0.7,8.3.18) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane)
An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things.
(8.4.11,9.1.3,9.0.7) Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane)
Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions.
(8.4.11,9.1.3,9.0.7,8.3.18) Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas)
Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one.
(8.4.11,9.1.3,9.0.7) Avoid crashing when we have problems deleting table files post-commit (Tom Lane)
Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database.
(8.4.11,9.1.3,9.0.7,8.3.18) Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane)
Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed.
(8.4.11,9.1.3,9.0.7,8.3.18) Fix regular expression back-references with * attached (Tom Lane)
Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol.
A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release.
(8.4.11,9.1.3,9.0.7,8.3.18) Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas)
A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column.
(8.4.11,9.1.3,9.0.7) Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane)
In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible.
(8.4.11,9.1.3,9.0.7,8.3.18) Avoid double close of file handle in syslogger on Windows (MauMau)
Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows.
(8.4.11,9.1.3,9.0.7,8.3.18) Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane)
Certain operations would leak memory until the end of the current function.
(8.4.11,9.1.3,9.0.7,8.3.18) Improve pg_dump's handling of inherited table columns (Tom Lane)
pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly.
(8.4.11,9.1.3,9.0.7,8.3.18) Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane)
Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay.
(8.4.11,9.1.3,9.0.7) Allow AT option in ecpg DEALLOCATE statements (Michael Meskes)
The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case.
(8.4.11,9.1.3,9.0.7,8.3.18) Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge)
If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result.
(8.4.11,9.1.3,9.0.7,8.3.18) Fix error detection in contrib/pgcrypto's encrypt_iv()
and decrypt_iv()
(Marko Kreen)
These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input.
(8.4.11,9.1.3,9.0.7,8.3.18) Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot)
The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad.
(8.4.11,9.1.3,9.0.7,8.3.18) Use __sync_lock_test_and_set()
for
spinlocks on ARM, if available (Martin Pitt)
This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.
(8.4.11,9.1.3,9.0.7,8.3.18) Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan)
This prevents assorted scenarios wherein recent versions of gcc will produce creative results.
(8.4.11,9.1.3,9.0.7,8.3.18) Allow use of threaded Python on FreeBSD (Chris Rees)
Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check.
Release date: 2011-12-05
This release contains a variety of fixes from 8.4.9. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below.
Also, if you are upgrading from a version earlier than 8.4.8, see Version 8.4.8.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Fix bugs in information_schema.referential_constraints view (Tom Lane)
This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does.
Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed.
(8.4.10,9.1.2,9.0.6) Fix incorrect replay of WAL records for GIN index updates (Tom Lane)
This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane)
If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Fix race condition during toast table access from stale syscache entries (Tom Lane)
The typical symptom was transient errors like "missing chunk number 0 for toast value NNNNN in pg_toast_2619", where the cited toast table would always belong to a system catalog.
(8.4.10,9.1.2,9.0.6) Track dependencies of functions on items used in parameter default expressions (Tom Lane)
Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended.
(8.4.10,9.1.2,9.0.6) Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane)
(8.4.10,9.1.2,9.0.6,8.3.17) Make DatumGetInetP()
unpack inet
datums that have a 1-byte header, and add a new macro, DatumGetInetPP()
, that does not (Heikki
Linnakangas)
This change affects no core code, but might prevent crashes in
add-on code that expects DatumGetInetP()
to produce an unpacked datum as
per usual convention.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Improve locale support in money type's input and output (Tom Lane)
Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas)
transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane)
For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order.
(8.4.10,9.1.2,9.0.6,8.3.17) Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews)
While harmless in itself, on certain platforms this would result in annoying kernel log messages.
(8.4.10,9.1.2,9.0.6) Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane)
Formerly, these would not be displayed correctly in the pg_settings view.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Preserve blank lines within commands in psql's command history (Robert Haas)
The former behavior could cause problems if an empty line was removed from within a string literal, for example.
(8.4.10,9.1.2,9.0.6,8.3.17) Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane)
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker)
(8.4.10,9.1.2,9.0.6,8.3.17) Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane)
Some functions incorrectly assumed that memory returned by
palloc()
is guaranteed zeroed.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Honor query cancel interrupts promptly in pgstatindex()
(Robert Haas)
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Ensure VPATH builds properly install all server header files (Peter Eisentraut)
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Shorten file names reported in verbose error messages (Peter Eisentraut)
Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Fix interpretation of Windows timezone names for Central America (Tom Lane)
Map "Central America Standard Time" to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America.
(8.4.10,9.1.2,9.0.6,8.3.17,8.2.23) Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa.
Release date: 2011-09-26
This release contains a variety of fixes from 8.4.8. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if you are upgrading from a version earlier than 8.4.8, see Version 8.4.8.
(8.4.9,9.0.5,8.3.16) Fix bugs in indexing of in-doubt HOT-updated tuples (Tom Lane)
These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix multiple bugs in GiST index page split processing (Heikki Linnakangas)
The probability of occurrence was low, but these could lead to index corruption.
(8.4.9,9.0.5,8.3.16) Fix possible buffer overrun in tsvector_concat()
(Tom Lane)
The function could underestimate the amount of memory needed for its result, leading to server crashes.
(8.4.9,9.0.5,8.3.16) Fix crash in xml_recv
when
processing a "standalone" parameter (Tom
Lane)
(8.4.9,9.1.1,9.0.5) Make pg_options_to_table
return
NULL for an option with no value (Tom Lane)
Previously such cases would result in a server crash.
(8.4.9,9.0.5,8.3.16) Avoid possibly accessing off the end of memory in ANALYZE and in SJIS-2004 encoding conversion (Noah Misch)
This fixes some very-low-probability server crash scenarios.
(8.4.9,9.0.4) Prevent intermittent hang in interactions of startup process with bgwriter process (Simon Riggs)
This affected recovery in non-hot-standby cases.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix race condition in relcache init file invalidation (Tom Lane)
There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically "could not read block 0 in file ..." later during startup.
(8.4.9,9.1.1,9.0.5,8.3.16,8.2.22) Fix memory leak at end of a GiST index scan (Tom Lane)
Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak.
(8.4.9,9.0.5) Fix incorrect memory accounting (leading to possible memory bloat) in tuplestores supporting holdable cursors and plpgsql's RETURN NEXT command (Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Fix performance problem when constructing a large, lossy bitmap (Tom Lane)
(8.4.9,9.0.5) Fix join selectivity estimation for unique columns (Tom Lane)
This fixes an erroneous planner heuristic that could lead to poor estimates of the result size of a join.
(8.4.9,9.0.5) Fix nested PlaceHolderVar expressions that appear only in sub-select target lists (Tom Lane)
This mistake could result in outputs of an outer join incorrectly appearing as NULL.
(8.4.9,9.0.5) Allow nested EXISTS queries to be optimized properly (Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Fix array- and path-creating functions to ensure padding bytes are zeroes (Tom Lane)
This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization.
(8.4.9,9.0.5) Fix EXPLAIN to handle gating Result nodes within inner-indexscan subplans (Tom Lane)
The usual symptom of this oversight was "bogus varno" errors.
(8.4.9,9.0.5,8.3.16,8.2.22) Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane)
This could lead to loss of committed transactions after a server crash.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix dump bug for VALUES in a view (Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Disallow SELECT FOR UPDATE/SHARE on sequences (Tom Lane)
This operation doesn't work as expected and can lead to failures.
(8.4.9,9.0.5) Fix VACUUM so that it always updates pg_class.reltuples/relpages (Tom Lane)
This fixes some scenarios where autovacuum could make increasingly poor decisions about when to vacuum tables.
(8.4.9,9.0.5,8.3.16,8.2.22) Defend against integer overflow when computing size of a hash table (Tom Lane)
(8.4.9,9.0.5,8.3.16) Fix cases where CLUSTER might attempt to access already-removed TOAST data (Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Fix portability bugs in use of credentials control messages for "peer" authentication (Tom Lane)
(8.4.9,9.0.5,8.3.16) Fix SSPI login when multiple roundtrips are required (Ahmed Shinwari, Magnus Hagander)
The typical symptom of this problem was "The function requested is not supported" errors during SSPI login.
(8.4.9,9.0.5) Throw an error if pg_hba.conf contains hostssl but SSL is disabled (Tom Lane)
This was concluded to be more user-friendly than the previous behavior of silently ignoring such lines.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix typo in pg_srand48
seed
initialization (Andres Freund)
This led to failure to use all bits of the provided seed. This
function is not used on most platforms (only those without
srandom
), and the potential security
exposure from a less-random-than-expected seed seems minimal in any
case.
(8.4.9,9.0.5,8.3.16,8.2.22) Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63 (Heikki Linnakangas)
(8.4.9,9.0.5,8.3.16,8.2.22) Add overflow checks to int4 and int8 versions of generate_series()
(Robert Haas)
(8.4.9,9.0.5,8.3.16,8.2.22) Fix trailing-zero removal in to_char()
(Marti Raudsepp)
In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix pg_size_pretty()
to avoid
overflow for inputs close to 2^63 (Tom Lane)
(8.4.9,9.0.5) Weaken plpgsql's check for typmod matching in record values (Tom Lane)
An overly enthusiastic check could lead to discarding length modifiers that should have been kept.
(8.4.9,9.0.5) Correctly handle quotes in locale names during initdb (Heikki Linnakangas)
The case can arise with some Windows locales, such as "People's Republic of China".
(8.4.9,9.0.5) Fix pg_upgrade to preserve toast tables' relfrozenxids during an upgrade from 8.3 (Bruce Momjian)
Failure to do this could lead to pg_clog files being removed too soon after the upgrade.
(8.4.9,9.0.5,8.3.16) In pg_ctl, support silent mode for service registrations on Windows (MauMau)
(8.4.9,9.0.5,8.3.16,8.2.22) Fix psql's counting of script file line numbers during COPY from a different file (Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Fix pg_restore's direct-to-database mode for standard_conforming_strings (Tom Lane)
pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on.
(8.4.9,9.0.5) Be more user-friendly about unsupported cases for parallel pg_restore (Tom Lane)
This change ensures that such cases are detected and reported before any restore actions have been taken.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code (Albe Laurenz)
(8.4.9,9.0.5,8.3.16,8.2.22) In libpq, avoid failures when using nonblocking I/O and an SSL connection (Martin Pihlak, Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Improve libpq's handling of failures during connection startup (Tom Lane)
In particular, the response to a server report of fork()
failure during SSL connection startup is
now saner.
(8.4.9,9.0.5,8.3.16) Improve libpq's error reporting for SSL failures (Tom Lane)
(8.4.9,9.0.5) Fix PQsetvalue()
to avoid possible
crash when adding a new tuple to a PGresult originally obtained from a server query
(Andrew Chernow)
(8.4.9,9.0.5,8.3.16,8.2.22) Make ecpglib write double values with 15 digits precision (Akira Kurosawa)
(8.4.9,9.0.5,8.3.16) In ecpglib, be sure LC_NUMERIC setting is restored after an error (Michael Meskes)
(8.4.9,9.0.5,8.3.16,8.2.22) Apply upstream fix for blowfish signed-character bug CVE-2011-2483 or CVE-2011-2483) (Tom Lane)
contrib/pg_crypto's blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix memory leak in contrib/seg (Heikki Linnakangas)
(8.4.9,9.0.5,8.3.16,8.2.22) Fix pgstatindex()
to give
consistent results for empty indexes (Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Allow building with perl 5.14 (Alex Hunsaker)
(8.4.9,8.3.16,8.2.22) Update configure script's method for probing existence of system functions (Tom Lane)
The version of autoconf we used in 8.3 and 8.2 could be fooled by compilers that perform link-time optimization.
(8.4.9,9.0.5,8.3.16,8.2.22) Fix assorted issues with build and install file paths containing spaces (Tom Lane)
(8.4.9,9.0.5,8.3.16,8.2.22) Update time zone data files to tzdata release 2011i for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan.
Release date: 2011-04-18
This release contains a variety of fixes from 8.4.7. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
However, if your installation was upgraded from a previous major release by running pg_upgrade, you should take action to prevent possible data loss due to a now-fixed bug in pg_upgrade. The recommended solution is to run VACUUM FREEZE on all TOAST tables. More information is available at http://wiki.postgresql.org/wiki/20110408pg_upgrade_fix.
Also, if you are upgrading from a version earlier than 8.4.2, see Version 8.4.2.
(8.4.8,9.0.4) Fix pg_upgrade's handling of TOAST tables (Bruce Momjian)
The pg_class.relfrozenxid value for TOAST tables was not correctly copied into the new installation during pg_upgrade. This could later result in pg_clog files being discarded while they were still needed to validate tuples in the TOAST tables, leading to "could not access status of transaction" failures.
This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade.
(8.4.8,9.0.4) Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning (Heikki Linnakangas)
VACUUM would sometimes issue this warning in cases that are actually valid.
(8.4.8,9.0.4,8.3.15) Disallow including a composite type in itself (Tom Lane)
This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely.
(8.4.8,9.0.4,8.3.15,8.2.21) Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke)
In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order.
(8.4.8,9.0.4,8.3.15,8.2.21) Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane)
This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple.
(8.4.8,9.0.4,8.3.15,8.2.21) Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane)
Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired.
(8.4.8,9.0.4) Prevent crash triggered by constant-false WHERE conditions during GEQO optimization (Tom Lane)
(8.4.8,9.0.4) Improve planner's handling of semi-join and anti-join cases (Tom Lane)
(8.4.8,9.0.4) Fix selectivity estimation for text search to account for NULLs (Jesper Krogh)
(8.4.8) Improve PL/pgSQL's ability to handle row types with dropped columns (Pavel Stehule)
This is a back-patch of fixes previously made in 9.0.
(8.4.8,9.0.4,8.3.15,8.2.21) Fix PL/Python memory leak involving array slices (Daniel Popowich)
(8.4.8,9.0.4,8.3.15,8.2.21) Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane)
(8.4.8,9.0.4,8.3.15,8.2.21) Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno)
(8.4.8,9.0.4,8.3.15,8.2.21) Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane)
There was a hard-wired assumption that this system function was not available on MIPS hardware on these systems. Use a compile-time test instead, since more recent versions have it.
(8.4.8,9.0.4,8.3.15,8.2.21) Fix compilation failures on HP-UX (Heikki Linnakangas)
(8.4.8,9.0.4,8.3.15) Fix version-incompatibility problem with libintl on Windows (Hiroshi Inoue)
(8.4.8,9.0.4,8.3.15) Fix usage of xcopy in Windows build scripts to work correctly under Windows 7 (Andrew Dunstan)
This affects the build scripts only, not installation or usage.
(8.4.8,9.0.4,8.3.15,8.2.21) Fix path separator used by pg_regress on Cygwin (Andrew Dunstan)
(8.4.8,9.0.4,8.3.15,8.2.21) Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii.
Release date: 2011-01-31
This release contains a variety of fixes from 8.4.6. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see Version 8.4.2.
(8.4.7,9.0.3,8.3.14,8.2.20) Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane)
If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors.
(8.4.7,9.0.3,8.3.14,8.2.20) Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane)
If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash.
(8.4.7,9.0.3,8.3.14,8.2.20) Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane)
The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity.
(8.4.7,8.3.14,8.2.20) Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on (Tom Lane)
Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database.
(8.4.7,9.0.3,8.3.14,8.2.20) Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane)
Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type.
(8.4.7,9.0.3,8.3.14,8.2.20) Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple)
This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. CVE-2010-4015 or CVE-2010-4015)
(8.4.7,9.0.3,8.3.14,8.2.20) Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.)
Release date: 2010-12-16
This release contains a variety of fixes from 8.4.5. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see Version 8.4.2.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp)
The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option.
(8.4.6,9.0.2,8.3.13,8.2.19) Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane)
This could result in "bad buffer id: 0" failures or corruption of index contents during replication.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis)
(8.4.6,9.0.2,8.3.13) Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane)
The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Add support for detecting register-stack overrun on IA64 (Tom Lane)
The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Add a check for stack overflow in copyObject()
(Tom Lane)
Certain code paths could crash due to stack overflow given a sufficiently complex query.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas)
It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued.
(8.4.6,9.0.2) Fix error checking during early connection processing (Tom Lane)
The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays.
(8.4.6,9.0.2) Improve efficiency of window functions (Tom Lane)
Certain cases where a large number of tuples needed to be read
in advance, but work_mem was large enough
to allow them all to be held in memory, were unexpectedly slow.
percent_rank()
, cume_dist()
and ntile()
in particular were subject to this
problem.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane)
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane)
An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Do not "inline" a SQL function with multiple OUT parameters (Tom Lane)
This avoids a possible crash due to loss of information about the expected result rowtype.
(8.4.6,9.0.2,8.3.13,8.2.19) Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane)
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix constant-folding of COALESCE() expressions (Tom Lane)
The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors.
(8.4.6,9.0.2,8.3.13) Fix postmaster crash when connection acceptance (accept()
or one of the calls made immediately
after it) fails, and the postmaster was compiled with GSSAPI
support (Alexander Chernikov)
(8.4.6,9.0.2,8.3.13) Fix missed unlink of temporary files when log_temp_files is active (Tom Lane)
If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Add print functionality for InhRelation nodes (Tom Lane)
This avoids a failure when debug_print_parse is enabled and certain types of query are executed.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane)
This bug affected several different geometric distance-measurement operators.
(8.4.6,9.0.2) Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro)
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane)
(8.4.6,9.0.2,8.3.13,8.2.19) Fix PL/Python's handling of set-returning functions (Jan Urbanski)
Attempts to call SPI functions within the iterator generating a set result would fail.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update.
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro)
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp)
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane)
(8.4.6,9.0.2,8.3.13,8.2.19,8.1.23) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong.
Release date: 2010-10-04
This release contains a variety of fixes from 8.4.4. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see Version 8.4.2.
(8.4.5,9.0.1,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Our thanks to Tim Bunce for pointing out this issue CVE-2010-3433 or CVE-2010-3433).
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Prevent possible crashes in pg_get_expr()
by disallowing it from being called
with an argument that is not one of the system catalog columns it's
intended to be used with (Heikki Linnakangas, Tom Lane)
(8.4.5,8.3.12,8.2.18) Treat exit code 128 (ERROR_WAIT_NO_CHILDREN) as non-fatal on Windows (Magnus Hagander)
Under high load, Windows processes will sometimes fail at startup with this error code. Formerly the postmaster treated this as a panic condition and restarted the whole database, but that seems to be an overreaction.
(8.4.5,9.0.1) Fix incorrect placement of placeholder evaluation (Tom Lane)
This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list.
(8.4.5,9.0.1,8.3.12,8.2.18) Fix possible duplicate scans of UNION ALL member relations (Tom Lane)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Fix "cannot handle unplanned sub-select" error (Tom Lane)
This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select.
(8.4.5) Fix mishandling of whole-row Vars that reference a view or sub-select and appear within a nested sub-select (Tom Lane)
(8.4.5) Fix mishandling of cross-type IN comparisons (Tom Lane)
This could result in failures if the planner tried to implement an IN join with a sort-then-unique-then-plain-join plan.
(8.4.5) Fix computation of ANALYZE statistics for tsvector columns (Jan Urbanski)
The original coding could produce incorrect statistics, leading to poor plan choices later.
(8.4.5) Improve planner's estimate of memory used by array_agg()
, string_agg()
, and similar aggregate functions
(Hitoshi Harada)
The previous drastic underestimate could lead to out-of-memory failures due to inappropriate choice of a hash-aggregation plan.
(8.4.5,8.3.12) Fix failure to mark cached plans as transient (Tom Lane)
If a plan is prepared while CREATE INDEX CONCURRENTLY is in progress for one of the referenced tables, it is supposed to be re-planned once the index is ready for use. This was not happening reliably.
(8.4.5,8.3.12,8.2.18) Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages (Tom Lane)
This should improve the system's robustness with corrupted indexes.
(8.4.5) Fix incorrect search logic for partial-match queries with GIN indexes (Tom Lane)
Cases involving AND/OR combination of several GIN index conditions didn't always give the right answer, and were sometimes much slower than necessary.
(8.4.5,9.0.1,8.3.12,8.2.18,8.1.22) Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane)
(8.4.5) Fix possible corruption of pending trigger event lists during subtransaction rollback (Tom Lane)
This could lead to a crash or incorrect firing of triggers.
(8.4.5,8.3.12,8.2.18,8.1.22) Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane)
(8.4.5,8.3.12) Improve merge join's handling of NULLs in the join columns (Tom Lane)
A merge join can now stop entirely upon reaching the first NULL, if the sort order is such that NULLs sort high.
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane)
This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed.
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas)
The original coding could result in a crash if there was limited stack space.
(8.4.5,8.3.12) Avoid holding open old WAL segments in the walwriter process (Magnus Hagander, Heikki Linnakangas)
The previous coding would prevent removal of no-longer-needed segments.
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane)
(8.4.5) Prevent misinterpretation of partially-specified relation options for TOAST tables (Itagaki Takahiro)
In particular, fillfactor would be read as zero if any other reloption had been set for the table, leading to serious bloat.
(8.4.5) Fix inheritance count tracking in ALTER TABLE ... ADD CONSTRAINT (Robert Haas)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge)
(8.4.5) Improve CREATE INDEX's checking of whether proposed index expressions are immutable (Tom Lane)
(8.4.5,8.3.12) Fix REASSIGN OWNED to handle operator classes and families (Asko Tiidumaa)
(8.4.5,8.3.12) Fix possible core dump when comparing two empty tsquery values (Tom Lane)
(8.4.5,8.3.12) Fix LIKE's handling of patterns containing % followed by _ (Tom Lane)
We've fixed this before, but there were still some incorrectly-handled cases.
(8.4.5,9.0.1) Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane)
Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking.
(8.4.5) Fix PL/pgSQL to throw an error, not crash, if a cursor is closed within a FOR loop that is iterating over that cursor (Heikki Linnakangas)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) In PL/Python, defend against null pointer results from
PyCObject_AsVoidPtr
and PyCObject_FromVoidPtr
(Peter Eisentraut)
(8.4.5) In libpq, fix full SSL certificate verification for the case where both host and hostaddr are specified (Tom Lane)
(8.4.5,9.0.1,8.3.12) Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro)
(8.4.5) Fix some issues in pg_dump's handling of SQL/MED objects (Tom Lane)
Notably, pg_dump would always fail if run by a non-superuser, which was not intended.
(8.4.5) Improve pg_dump and pg_restore's handling of non-seekable archive files (Tom Lane, Robert Haas)
This is important for proper functioning of parallel restore.
(8.4.5) Improve parallel pg_restore's ability to cope with selective restore (-L option) (Tom Lane)
The original code tended to fail if the -L file commanded a non-default restore ordering.
(8.4.5,8.3.12) Fix ecpg to process data from RETURNING clauses correctly (Michael Meskes)
(8.4.5) Fix some memory leaks in ecpg (Zoltan Boszormenyi)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro)
(8.4.5,8.3.12,8.2.18) Add hstore(text, text)
function to
contrib/hstore (Robert Haas)
This function is the recommended substitute for the now-deprecated => operator. It was back-patched so that future-proofed code can be used with older server versions. Note that the patch will be effective only after contrib/hstore is installed or reinstalled in a particular database. Users might prefer to execute the CREATE FUNCTION command by hand, instead.
(8.4.5,9.0.1,8.3.12,8.2.18,8.1.22,8.0.26,7.4.30) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)
(8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Update time zone data files to tzdata release 2010l for DST law changes in Egypt and Palestine; also historical corrections for Finland.
This change also adds new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape.
(8.4.5,8.3.12,8.2.18) Make Windows' "N. Central Asia Standard Time" timezone map to Asia/Novosibirsk, not Asia/Almaty (Magnus Hagander)
Microsoft changed the DST behavior of this zone in the timezone update from KB976098. Asia/Novosibirsk is a better match to its new behavior.
Release date: 2010-05-17
This release contains a variety of fixes from 8.4.3. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see Version 8.4.2.
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. CVE-2010-1169 or CVE-2010-1169)
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom Lane)
PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. CVE-2010-1170 or CVE-2010-1170)
(8.4.4) Fix data corruption during WAL replay of ALTER ... SET TABLESPACE (Tom Lane)
When archive_mode is on, ALTER ... SET TABLESPACE generates a WAL record whose replay logic was incorrect. It could write the data to the wrong place, leading to possibly-unrecoverable data corruption. Data corruption would be observed on standby slaves, and could occur on the master as well if a database crash and recovery occurred after committing the ALTER and before the next checkpoint.
(8.4.4) Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki Linnakangas)
This error was introduced in 8.4.3 while fixing a related failure.
(8.4.4,8.3.11) Apply per-function GUC settings while running the language validator for the function (Itagaki Takahiro)
This avoids failures if the function's code is invalid without the setting; an example is that SQL functions may not parse if the search_path is not correct.
(8.4.4) Do constraint exclusion for inherited UPDATE and DELETE target tables when constraint_exclusion = partition (Tom Lane)
Due to an oversight, this setting previously only caused constraint exclusion to be checked in SELECT commands.
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Do not allow an unprivileged user to reset superuser-only parameter settings (Álvaro Herrera)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change.
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom Lane)
In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message.
(8.4.4) Fix erroneous handling of %r parameter in recovery_end_command (Heikki Linnakangas)
The value always came out zero.
(8.4.4,8.3.11) Ensure the archiver process responds to changes in archive_command as soon as possible (Tom Lane)
(8.4.4) Fix pl/pgsql's CASE statement to not fail when the case expression is a query that returns no rows (Tom Lane)
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Update pl/perl's ppport.h for modern Perl versions (Andrew Dunstan)
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Fix assorted memory leaks in pl/python (Andreas Freund, Tom Lane)
(8.4.4) Handle empty-string connect parameters properly in ecpg (Michael Meskes)
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom Lane)
(8.4.4,8.3.11,8.2.17) Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom Lane)
Addition of spaces around the decimal point in a numeric literal would result in a syntax error.
(8.4.4) Avoid formatting failure in psql when running in a locale context that doesn't match the client_encoding (Tom Lane)
(8.4.4,8.3.11) Fix unnecessary "GIN indexes do not support whole-index scans" errors for unsatisfiable queries using contrib/intarray operators (Tom Lane)
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara)
(8.4.4,8.3.11,8.2.17,8.1.21,8.0.25,7.4.29) Make server startup deal properly with the case that
shmget()
returns EINVAL for an existing shared memory segment
(Tom Lane)
This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large.
(8.4.4,8.3.11,8.2.17) Avoid possible crashes in syslogger process on Windows (Heikki Linnakangas)
(8.4.4,8.3.11,8.2.17) Deal more robustly with incomplete time zone information in the Windows registry (Magnus Hagander)
(8.4.4,8.3.11,8.2.17) Update the set of known Windows time zone names (Magnus Hagander)
(8.4.4,8.3.11,8.2.17) Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan.
Also, add PKST (Pakistan Summer Time) to the default set of timezone abbreviations.
Release date: 2010-03-15
This release contains a variety of fixes from 8.4.2. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see Version 8.4.2.
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24,7.4.28) Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus Hagander)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches forCVE-2009-3555 or CVE-2009-3555 that cause renegotiation attempts to fail.
(8.4.3,8.3.10,8.2.16) Fix possible deadlock during backend startup (Tom Lane)
(8.4.3,8.3.10,8.2.16) Fix possible crashes due to not handling errors during relcache reload cleanly (Tom Lane)
(8.4.3,8.3.10) Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo Ishii)
(8.4.3) Fix possible crash due to overenthusiastic invalidation of cached plan for ROLLBACK (Tom Lane)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Fix possible crashes when trying to recover from a failure in subtransaction start (Tom Lane)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom Lane)
(8.4.3,8.3.10,8.2.16) Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai)
This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion.
(8.4.3) Fix bug in WAL redo cleanup method for GIN indexes (Heikki Linnakangas)
(8.4.3) Fix incorrect comparison of scan key in GIN index search (Teodor Sigaev)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24,7.4.28) Make substring()
for bit types treat any negative length as meaning
"all the rest of the string" (Tom Lane)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash CVE-2010-0442 or CVE-2010-0442).
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom Lane)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24,7.4.28) Fix some cases of pathologically slow regular expression matching (Tom Lane)
(8.4.3) Fix bug occurring when trying to inline a SQL function that returns a set of a composite type that contains dropped columns (Tom Lane)
(8.4.3,8.3.10) Fix bug with trying to update a field of an element of a composite-type array column (Tom Lane)
(8.4.3) Avoid failure when EXPLAIN has to print a FieldStore or assignment ArrayRef expression (Tom Lane)
These cases can arise now that EXPLAIN VERBOSE tries to print plan node target lists.
(8.4.3) Avoid an unnecessary coercion failure in some cases where an undecorated literal string appears in a subquery within UNION/INTERSECT/EXCEPT (Tom Lane)
This fixes a regression for some cases that worked before 8.4.
(8.4.3) Avoid undesirable rowtype compatibility check failures in some cases where a whole-row Var has a rowtype that contains dropped columns (Tom Lane)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro)
(8.4.3) Always pass the catalog ID to an option validator function specified in CREATE FOREIGN DATA WRAPPER (Martin Pihlak)
(8.4.3,8.3.10,8.2.16,8.1.20) Fix some more cases of temporary-file leakage (Heikki Linnakangas)
This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler.
(8.4.3) Add support for doing FULL JOIN ON FALSE (Tom Lane)
This prevents a regression from pre-8.4 releases for some queries that can now be simplified to a constant-false join condition.
(8.4.3,8.3.10,8.2.16) Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a "bool_column = false" constraint (Tom Lane)
(8.4.3) Prevent treating an INOUT cast as representing binary compatibility (Heikki Linnakangas)
(8.4.3) Include column name in the message when warning about inability to grant or revoke column-level privileges (Stephen Frost)
This is more useful than before and helps to prevent confusion when a REVOKE generates multiple messages, which formerly appeared to be duplicates.
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24,7.4.28) When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom Lane)
This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct.
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24,7.4.28) Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom Lane)
(8.4.3,8.3.10,8.2.16) Fix possible infinite loop if SSL_read
or SSL_write
fails without setting errno (Tom Lane)
This is reportedly possible with some Windows versions of openssl.
(8.4.3,8.3.10) Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus Hagander)
(8.4.3) Protect ecpg against applications freeing strings unexpectedly (Michael Meskes)
(8.4.3,8.3.10) Make ecpg report the proper SQLSTATE if the connection disappears (Michael Meskes)
(8.4.3) Fix translation of cell contents in psql \d output (Heikki Linnakangas)
(8.4.3,8.3.10,8.2.16,8.1.20) Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki Linnakangas)
(8.4.3) Fix a small per-query memory leak in psql (Tom Lane)
(8.4.3,8.3.10,8.2.16) Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce Momjian)
(8.4.3) Fix pg_dump's output of permissions for foreign servers (Heikki Linnakangas)
(8.4.3) Fix possible crash in parallel pg_restore due to out-of-range dependency IDs (Tom Lane)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Fix plpgsql failure in one case where a composite column is set to NULL (Tom Lane)
(8.4.3,8.3.10,8.2.16) Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala)
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24,7.4.28) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom Lane)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
(8.4.3) Prevent ExecutorEnd
from being run
on portals created within a failed transaction or subtransaction
(Tom Lane)
This is known to cause issues when using contrib/auto_explain.
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24,7.4.28) Prevent crash in contrib/dblink when
too many key columns are specified to a dblink_build_sql_*
function (Rushabh Lathia, Joe
Conway)
(8.4.3,8.3.10) Allow zero-dimensional arrays in contrib/ltree operations (Tom Lane)
This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY (SELECT ...) and the sub-select returns no rows.
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom Lane)
(8.4.3,8.3.10,8.2.16) Make building of contrib/xml2 more robust on Windows (Andrew Dunstan)
(8.4.3,8.3.10,8.2.16) Fix race condition in Windows signal handling (Radu Ilie)
One known symptom of this bug is that rows in pg_listener could be dropped under heavy load.
(8.4.3) Make the configure script report failure if the C compiler does not provide a working 64-bit integer datatype (Tom Lane)
This case has been broken for some time, and no longer seems worth supporting, so just reject it at configure time instead.
(8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa.
Release date: 2009-12-14
This release contains a variety of fixes from 8.4.1. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X. However, if you have any hash indexes, you should REINDEX them after updating to 8.4.2, to repair possible damage.
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom Lane)
This change prevents allegedly-immutable index functions from possibly subverting a superuser's session CVE-2009-4136 or CVE-2009-4136).
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus Hagander)
This prevents unintended matching of a certificate to a server or client name during SSL validation CVE-2009-4034 or CVE-2009-4034).
(8.4.2) Fix hash index corruption (Tom Lane)
The 8.4 change that made hash indexes keep entries sorted by hash value failed to update the bucket splitting and compaction routines to preserve the ordering. So application of either of those operations could lead to permanent corruption of an index, in the sense that searches might fail to find entries that are present. To deal with this, it is recommended to REINDEX any hash indexes you may have after installing this update.
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Fix possible crash during backend-startup-time cache initialization (Tom Lane)
(8.4.2,8.3.9) Avoid crash on empty thesaurus dictionary (Tom Lane)
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Prevent signals from interrupting VACUUM at unsafe times (Álvaro Herrera)
This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table.
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Fix possible crash due to integer overflow in hash table size calculation (Tom Lane)
This could occur with extremely large planner estimates for the size of a hashjoin's result.
(8.4.2) Fix crash if a DROP is attempted on an internally-dependent object (Tom Lane)
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Fix very rare crash in inet/cidr comparisons (Chris Mikkelson)
(8.4.2,8.3.9,8.2.15,8.1.19) Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki Linnakangas)
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki Linnakangas)
(8.4.2,8.3.9) Fix memory leak in syslogger process when rotating to a new CSV logfile (Tom Lane)
(8.4.2) Fix memory leak in postmaster when re-parsing pg_hba.conf (Tom Lane)
(8.4.2,8.3.9) Fix Windows permission-downgrade logic (Jesse Morris)
This fixes some cases where the database failed to start on Windows, often with misleading error messages such as "could not locate matching postgres executable".
(8.4.2) Make FOR UPDATE/SHARE in the primary query not propagate into WITH queries (Tom Lane)
For example, in
WITH w AS (SELECT * FROM foo) SELECT * FROM w, bar ... FOR UPDATE
the FOR UPDATE will now affect bar but not foo. This is more useful and consistent than the original 8.4 behavior, which tried to propagate FOR UPDATE into the WITH query but always failed due to assorted implementation restrictions. It also follows the design rule that WITH queries are executed as if independent of the main query.
(8.4.2) Fix bug with a WITH RECURSIVE query immediately inside another one (Tom Lane)
(8.4.2) Fix concurrency bug in hash indexes (Tom Lane)
Concurrent insertions could cause index scans to transiently report wrong results.
(8.4.2,8.3.9,8.2.15) Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey)
(8.4.2) Fix wrong search results for a multi-column GIN index with fastupdate enabled (Teodor Sigaev)
(8.4.2) Fix bugs in WAL entry creation for GIN indexes (Tom Lane)
These bugs were masked when full_page_writes was on, but with it off a WAL replay failure was certain if a crash occurred before the next checkpoint.
(8.4.2,8.3.9,8.2.15) Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki Linnakangas)
It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software.
(8.4.2,8.3.9,8.2.15) Ensure WAL files aren't repeatedly archived on Windows (Heikki Linnakangas)
This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file.
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Fix PAM password processing to be more robust (Tom Lane)
The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
(8.4.2,8.3.9) Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI authentication methods (Ian Turner)
While the old 2000-byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger.
(8.4.2) Ensure that domain constraints are enforced in constructs like ARRAY[...]::domain, where the domain is over an array type (Heikki Linnakangas)
(8.4.2) Fix foreign-key logic for some cases involving composite-type columns as foreign keys (Tom Lane)
(8.4.2) Ensure that a cursor's snapshot is not modified after it is created (Álvaro Herrera)
This could lead to a cursor delivering wrong results if later operations in the same transaction modify the data the cursor is supposed to return.
(8.4.2) Fix CREATE TABLE to properly merge default expressions coming from different inheritance parent tables (Tom Lane)
This used to work but was broken in 8.4.
(8.4.2,8.3.9) Re-enable collection of access statistics for sequences (Akira Kurosawa)
This used to work but was broken in 8.3.
(8.4.2,8.3.9,8.2.15,8.1.19) Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom Lane)
(8.4.2,8.3.9) Fix incorrect handling of WHERE x=x conditions (Tom Lane)
In some cases these could get ignored as redundant, but they aren't — they're equivalent to x IS NOT NULL.
(8.4.2) Fix incorrect plan construction when using hash aggregation to implement DISTINCT for textually identical volatile expressions (Tom Lane)
(8.4.2) Fix Assert failure for a volatile SELECT DISTINCT ON expression (Tom Lane)
(8.4.2) Fix ts_stat()
to not fail on an
empty tsvector value (Tom Lane)
(8.4.2,8.3.9) Make text search parser accept underscores in XML attributes (Peter T. Mount)
(8.4.2,8.3.9) Fix encoding handling in xml binary input (Heikki Linnakangas)
If the XML header doesn't specify an encoding, we now assume UTF-8 by default; the previous handling was inconsistent.
(8.4.2,8.3.9,8.2.15) Fix bug with calling plperl from plperlu or vice versa (Tom Lane)
An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function.
(8.4.2,8.3.9,8.2.15) Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom Lane)
(8.4.2,8.3.9,8.2.15,8.1.19) Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen)
This worked correctly already for non-set-returning functions.
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Fix rare crash in exception processing in PL/Python (Peter T. Mount)
(8.4.2) Fix ecpg problem with comments in DECLARE CURSOR statements (Michael Meskes)
(8.4.2) Fix ecpg to not treat recently-added keywords as reserved words (Tom Lane)
This affected the keywords CALLED, CATALOG, DEFINER, ENUM, FOLLOWING, INVOKER, OPTIONS, PARTITION, PRECEDING, RANGE, SECURITY, SERVER, UNBOUNDED, and WRAPPER.
(8.4.2) Re-allow regular expression special characters in psql's \df function name parameter (Tom Lane)
(8.4.2) In contrib/fuzzystrmatch, correct the
calculation of levenshtein
distances
with non-default costs (Marcin Mank)
(8.4.2,8.3.9) In contrib/pg_standby, disable triggering failover with a signal on Windows (Fujii Masao)
This never did anything useful, because Windows doesn't have Unix-style signals, but recent changes made it actually crash.
(8.4.2) Put FREEZE and VERBOSE options in the right order in the VACUUM command that contrib/vacuumdb produces (Heikki Linnakangas)
(8.4.2) Fix possible leak of connections when contrib/dblink encounters an error (Tatsuhito Kasahara)
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Ensure psql's flex module is compiled with the correct system header definitions (Tom Lane)
This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code.
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23,7.4.27) Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom Lane)
(8.4.2) Update the timezone abbreviation files to match current reality (Joachim Wieland)
This includes adding IDT to the default timezone abbreviation set.
(8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong.
Release date: 2009-09-09
This release contains a variety of fixes from 8.4. For information about new features in the 8.4 major release, see Version 8.4.0.
A dump/restore is not required for those running 8.4.X.
(8.4.1) Fix WAL page header initialization at the end of archive recovery (Heikki Linnakangas)
This could lead to failure to process the WAL in a subsequent archive recovery.
(8.4.1) Fix "cannot make new WAL entries during recovery" error (Tom Lane)
(8.4.1) Fix problem that could make expired rows visible after a crash (Tom Lane)
This bug involved a page status bit potentially not being set correctly after a server crash.
(8.4.1,8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom Lane, Heikki Linnakangas)
This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (SeeCVE-2007-6600 or CVE-2007-6600)
(8.4.1,8.3.8,8.2.14) Make LOAD of an already-loaded loadable module into a no-op (Tom Lane)
Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful.
(8.4.1) Make window function PARTITION BY and ORDER BY items always be interpreted as simple expressions (Tom Lane)
In 8.4.0 these lists were parsed following the rules used for top-level GROUP BY and ORDER BY lists. But this was not correct per the SQL standard, and it led to possible circularity.
(8.4.1) Fix several errors in planning of semi-joins (Tom Lane)
These led to wrong query results in some cases where IN or EXISTS was used together with another join.
(8.4.1) Fix handling of whole-row references to subqueries that are within an outer join (Tom Lane)
An example is SELECT COUNT(ss.*) FROM ... LEFT JOIN (SELECT ...) ss ON .... Here, ss.* would be treated as ROW (NULL,NULL,...) for null-extended join rows, which is not the same as a simple NULL. Now it is treated as a simple NULL.
(8.4.1,8.3.8) Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus Hagander)
This bug led to the often-reported "could not reattach to shared memory" error message.
(8.4.1) Fix locale handling with plperl (Heikki Linnakangas)
This bug could cause the server's locale setting to change when a plperl function is called, leading to data corruption.
(8.4.1) Fix handling of reloptions to ensure setting one option doesn't force default values for others (Itagaki Takahiro)
(8.4.1,8.3.8) Ensure that a "fast shutdown" request will forcibly terminate open sessions, even if a "smart shutdown" was already in progress (Fujii Masao)
(8.4.1) Avoid memory leak for array_agg()
in GROUP BY queries (Tom Lane)
(8.4.1,8.3.8,8.2.14,8.1.18,8.0.22) Treat to_char(..., 'TH')
as an
uppercase ordinal suffix with 'HH'/'HH12' (Heikki Linnakangas)
It was previously handled as 'th' (lowercase).
(8.4.1) Include the fractional part in the result of EXTRACT(second)
and EXTRACT(milliseconds)
for time and time with time zone
inputs (Tom Lane)
This has always worked for floating-point datetime configurations, but was broken in the integer datetime code.
(8.4.1,8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker)
(8.4.1) Improve performance when processing toasted values in index scans (Tom Lane)
This is particularly useful for PostGIS.
(8.4.1) Fix a typo that disabled commit_delay (Jeff Janes)
(8.4.1) Output early-startup messages to postmaster.log if the server is started in silent mode (Tom Lane)
Previously such error messages were discarded, leading to difficulty in debugging.
(8.4.1) Remove translated FAQs (Peter T. Mount)
They are now on the wiki. The main FAQ was moved to the wiki some time ago.
(8.4.1,8.3.8,8.2.14,8.1.18,8.0.22) Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis)
(8.4.1) Fix several errors in pg_dump's --binary-upgrade mode (Bruce Momjian, Tom Lane)
pg_dump --binary-upgrade is used by pg_migrator.
(8.4.1,8.3.8,8.2.14,8.1.18,8.0.22) Fix contrib/xml2's xslt_process()
to properly handle the maximum
number of parameters (twenty) (Tom Lane)
(8.4.1,8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom Lane)
(8.4.1,8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala)
(8.4.1) Work around gcc bug that causes "floating-point exception" instead of "division by zero" on some platforms (Tom Lane)
(8.4.1) Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Mauritius.
Release date: 2009-07-01
After many years of development, PostgreSQL has become feature-complete in many areas. This release shows a targeted approach to adding features (e.g., authentication, monitoring, space reuse), and adds capabilities defined in the later SQL standards. The major areas of enhancement are:
(8.4.0) Windowing Functions
(8.4.0) Common Table Expressions and Recursive Queries
(8.4.0) Default and variadic parameters for functions
(8.4.0) Parallel Restore
(8.4.0) Column Permissions
(8.4.0) Per-database locale settings
(8.4.0) Improved hash indexes
(8.4.0) Improved join performance for EXISTS and NOT EXISTS queries
(8.4.0) Easier-to-use Warm Standby
(8.4.0) Automatic sizing of the Free Space Map
(8.4.0) Visibility Map (greatly reduces vacuum overhead for slowly-changing tables)
(8.4.0) Version-aware psql (backslash commands work against older servers)
(8.4.0) Support SSL certificates for user authentication
(8.4.0) Per-function runtime statistics
(8.4.0) Easy editing of functions in psql
(8.4.0) New contrib modules: pg_stat_statements, auto_explain, citext, btree_gin
The above items are explained in more detail in the sections below.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Observe the following incompatibilities:
(8.4.0) Use 64-bit integer datetimes by default (Neil Conway)
Previously this was selected by configure's --enable-integer-datetimes option. To retain the old behavior, build with --disable-integer-datetimes.
(8.4.0) Remove ipcclean utility command (Bruce Momjian)
The utility only worked on a few platforms. Users should use their operating system tools instead.
(8.4.0) Change default setting for log_min_messages to warning (previously it was notice) to reduce log file volume (Tom Lane)
(8.4.0) Change default setting for max_prepared_transactions to zero (previously it was 5) (Tom Lane)
(8.4.0) Make debug_print_parse, debug_print_rewritten, and debug_print_plan output appear at LOG message level, not DEBUG1 as formerly (Tom Lane)
(8.4.0) Make debug_pretty_print default to on (Tom Lane)
(8.4.0) Remove explain_pretty_print parameter (no longer needed) (Tom Lane)
(8.4.0) Make log_temp_files settable by superusers only, like other logging options (Simon Riggs)
(8.4.0) Remove automatic appending of the epoch timestamp when no % escapes are present in log_filename (Robert Haas)
This change was made because some users wanted a fixed log filename, for use with an external log rotation tool.
(8.4.0) Remove log_restartpoints from recovery.conf; instead use log_checkpoints (Simon Riggs)
(8.4.0) Remove krb_realm and krb_server_hostname; these are now set in pg_hba.conf instead (Magnus Hagander)
(8.4.0) There are also significant changes in pg_hba.conf, as described below.
(8.4.0) Change TRUNCATE and LOCK to apply to child tables of the specified table(s) (Peter T. Mount)
These commands now accept an ONLY option that prevents processing child tables; this option must be used if the old behavior is needed.
(8.4.0) SELECT DISTINCT and UNION/INTERSECT/EXCEPT no longer always produce sorted output (Tom Lane)
Previously, these types of queries always removed duplicate rows by means of Sort/Unique processing (i.e., sort then remove adjacent duplicates). Now they can be implemented by hashing, which will not produce sorted output. If an application relied on the output being in sorted order, the recommended fix is to add an ORDER BY clause. As a short-term workaround, the previous behavior can be restored by disabling enable_hashagg, but that is a very performance-expensive fix. SELECT DISTINCT ON never uses hashing, however, so its behavior is unchanged.
(8.4.0) Force child tables to inherit CHECK constraints from parents (Alex Hunsaker, Nikhil Sontakke, Tom Lane)
Formerly it was possible to drop such a constraint from a child table, allowing rows that violate the constraint to be visible when scanning the parent table. This was deemed inconsistent, as well as contrary to SQL standard.
(8.4.0) Disallow negative LIMIT or OFFSET values, rather than treating them as zero (Simon Riggs)
(8.4.0) Disallow LOCK TABLE outside a transaction block (Tom Lane)
Such an operation is useless because the lock would be released immediately.
(8.4.0) Sequences now contain an additional start_value column (Zoltan Boszormenyi)
This supports ALTER SEQUENCE ... RESTART.
(8.4.0) Make numeric zero raised to a fractional power return 0, rather than throwing an error, and make numeric zero raised to the zero power return 1, rather than error (Bruce Momjian)
This matches the longstanding float8 behavior.
(8.4.0) Allow unary minus of floating-point values to produce minus zero (Tom Lane)
The changed behavior is more IEEE-standard compliant.
(8.4.0) Throw an error if an escape character is the last character in a LIKE pattern (i.e., it has nothing to escape) (Tom Lane)
Previously, such an escape character was silently ignored, thus possibly masking application logic errors.
(8.4.0) Remove ~=~ and ~<>~ operators formerly used for LIKE index comparisons (Tom Lane)
Pattern indexes now use the regular equality operator.
(8.4.0) xpath()
now passes its arguments
to libxml without any changes
(Andrew Dunstan)
This means that the XML argument must be a well-formed XML document. The previous coding attempted to allow XML fragments, but it did not work well.
(8.4.0) Make xmlelement()
format attribute
values just like content values (Peter T. Mount)
Previously, attribute values were formatted according to the normal SQL output behavior, which is sometimes at odds with XML rules.
(8.4.0) Rewrite memory management for libxml-using functions (Tom Lane)
This change should avoid some compatibility problems with use of libxml in PL/Perl and other add-on code.
(8.4.0) Adopt a faster algorithm for hash functions (Kenneth Marshall, based on work of Bob Jenkins)
Many of the built-in hash functions now deliver different results on little-endian and big-endian platforms.
(8.4.0) DateStyle no longer controls interval output formatting; instead there is a new variable IntervalStyle (Ron Mayer)
(8.4.0) Improve consistency of handling of fractional seconds in timestamp and interval output (Ron Mayer)
This may result in displaying a different number of fractional digits than before, or rounding instead of truncating.
(8.4.0) Make to_char()
's localized
month/day names depend on LC_TIME, not
LC_MESSAGES (Euler Taveira de
Oliveira)
(8.4.0) Cause to_date()
and to_timestamp()
to more consistently report errors
for invalid input (Brendan Jurd)
Previous versions would often ignore or silently misread input that did not match the format string. Such cases will now result in an error.
(8.4.0) Fix to_timestamp()
to not require
upper/lower case matching for meridian (AM/PM) and era (BC/AD) format designations
(Brendan Jurd)
For example, input value ad now matches the format string AD.
Below you will find a detailed account of the changes between PostgreSQL 8.4 and the previous major release.
(8.4.0) Improve optimizer statistics calculations (Jan Urbanski, Tom Lane)
In particular, estimates for full-text-search operators are greatly improved.
(8.4.0) Allow SELECT DISTINCT and UNION/INTERSECT/EXCEPT to use hashing (Tom Lane)
This means that these types of queries no longer automatically produce sorted output.
(8.4.0) Create explicit concepts of semi-joins and anti-joins (Tom Lane)
This work formalizes our previous ad-hoc treatment of IN (SELECT ...) clauses, and extends it to EXISTS and NOT EXISTS clauses. It should result in significantly better planning of EXISTS and NOT EXISTS queries. In general, logically equivalent IN and EXISTS clauses should now have similar performance, whereas previously IN often won.
(8.4.0) Improve optimization of sub-selects beneath outer joins (Tom Lane)
Formerly, a sub-select or view could not be optimized very well if it appeared within the nullable side of an outer join and contained non-strict expressions (for instance, constants) in its result list.
(8.4.0) Improve the performance of text_position()
and related functions by using
Boyer-Moore-Horspool searching (David Rowley)
This is particularly helpful for long search patterns.
(8.4.0) Reduce I/O load of writing the statistics collection file by writing the file only when requested (Martin Pihlak)
(8.4.0) Improve performance for bulk inserts (Robert Haas, Simon Riggs)
(8.4.0) Increase the default value of default_statistics_target from 10 to 100 (Greg Sabino Mullane, Tom Lane)
The maximum value was also increased from 1000 to 10000.
(8.4.0) Perform constraint_exclusion checking by default in queries involving inheritance or UNION ALL (Tom Lane)
A new constraint_exclusion setting, partition, was added to specify this behavior.
(8.4.0) Allow I/O read-ahead for bitmap index scans (Greg Stark)
The amount of read-ahead is controlled by effective_io_concurrency. This feature is available
only if the kernel has posix_fadvise()
support.
(8.4.0) Inline simple set-returning SQL functions in FROM clauses (Richard Rowell)
(8.4.0) Improve performance of multi-batch hash joins by providing a special case for join key values that are especially common in the outer relation (Bryce Cutt, Ramon Lawrence)
(8.4.0) Reduce volume of temporary data in multi-batch hash joins by suppressing "physical tlist" optimization (Michael Henderson, Ramon Lawrence)
(8.4.0) Avoid waiting for idle-in-transaction sessions during CREATE INDEX CONCURRENTLY (Simon Riggs)
(8.4.0) Improve performance of shared cache invalidation (Tom Lane)
(8.4.0) Convert many postgresql.conf settings to enumerated values so that pg_settings can display the valid values (Magnus Hagander)
(8.4.0) Add cursor_tuple_fraction parameter to control the fraction of a cursor's rows that the planner assumes will be fetched (Robert Hell)
(8.4.0) Allow underscores in the names of custom variable classes in postgresql.conf (Tom Lane)
(8.4.0) Remove support for the (insecure) crypt authentication method (Magnus Hagander)
This effectively obsoletes pre-PostgreSQL 7.2 client libraries, as there is no longer any non-plaintext password method that they can use.
(8.4.0) Support regular expressions in pg_ident.conf (Magnus Hagander)
(8.4.0) Allow Kerberos/GSSAPI parameters to be changed without restarting the postmaster (Magnus Hagander)
(8.4.0) Support SSL certificate chains in server certificate file (Andrew Gierth)
Including the full certificate chain makes the client able to verify the certificate without having all intermediate CA certificates present in the local store, which is often the case for commercial CAs.
(8.4.0) Report appropriate error message for combination of MD5 authentication and db_user_namespace enabled (Bruce Momjian)
(8.4.0) Change all authentication options to use name=value syntax (Magnus Hagander)
This makes incompatible changes to the ldap, pam and ident authentication methods. All pg_hba.conf entries with these methods need to be rewritten using the new format.
(8.4.0) Remove the ident sameuser option, instead making that behavior the default if no usermap is specified (Magnus Hagander)
(8.4.0) Allow a usermap parameter for all external authentication methods (Magnus Hagander)
Previously a usermap was only supported for ident authentication.
(8.4.0) Add clientcert option to control requesting of a client certificate (Magnus Hagander)
Previously this was controlled by the presence of a root certificate file in the server's data directory.
(8.4.0) Add cert authentication method to allow user authentication via SSL certificates (Magnus Hagander)
Previously SSL certificates could only verify that the client had access to a certificate, not authenticate a user.
(8.4.0) Allow krb5, gssapi and sspi realm and krb5 host settings to be specified in pg_hba.conf (Magnus Hagander)
These override the settings in postgresql.conf.
(8.4.0) Add include_realm parameter for krb5, gssapi, and sspi methods (Magnus Hagander)
This allows identical usernames from different realms to be authenticated as different database users using usermaps.
(8.4.0) Parse pg_hba.conf fully when it is loaded, so that errors are reported immediately (Magnus Hagander)
Previously, most errors in the file wouldn't be detected until clients tried to connect, so an erroneous file could render the system unusable. With the new behavior, if an error is detected during reload then the bad file is rejected and the postmaster continues to use its old copy.
(8.4.0) Show all parsing errors in pg_hba.conf instead of aborting after the first one (Selena Deckelmann)
(8.4.0) Support ident authentication over Unix-domain sockets on Solaris (Garick Hamlin)
(8.4.0) Provide an option to pg_start_backup()
to force its implied checkpoint
to finish as quickly as possible (Tom Lane)
The default behavior avoids excess I/O consumption, but that is pointless if no concurrent query activity is going on.
(8.4.0) Make pg_stop_backup()
wait for
modified WAL files to be
archived (Simon Riggs)
This guarantees that the backup is valid at the time
pg_stop_backup()
completes.
(8.4.0) When archiving is enabled, rotate the last WAL segment at shutdown so that all transactions can be archived immediately (Guillaume Smet, Heikki Linnakangas)
(8.4.0) Delay "smart" shutdown while a continuous archiving base backup is in progress (Laurenz Albe)
(8.4.0) Cancel a continuous archiving base backup if "fast" shutdown is requested (Laurenz Albe)
(8.4.0) Allow recovery.conf boolean variables to take the same range of string values as postgresql.conf boolean variables (Bruce Momjian)
(8.4.0) Add pg_conf_load_time()
to report
when the PostgreSQL configuration
files were last loaded (George Gensure)
(8.4.0) Add pg_terminate_backend()
to
safely terminate a backend (the SIGTERM
signal works also) (Tom Lane, Bruce Momjian)
While it's always been possible to SIGTERM a single backend, this was previously considered unsupported; and testing of the case found some bugs that are now fixed.
(8.4.0) Add ability to track user-defined functions' call counts and runtimes (Martin Pihlak)
Function statistics appear in a new system view, pg_stat_user_functions. Tracking is controlled by the new parameter track_functions.
(8.4.0) Allow specification of the maximum query string size in pg_stat_activity via new track_activity_query_size parameter (Thomas Lee)
(8.4.0) Increase the maximum line length sent to syslog, in hopes of improving performance (Tom Lane)
(8.4.0) Add read-only configuration variables segment_size, wal_block_size, and wal_segment_size (Bernd Helmle)
(8.4.0) When reporting a deadlock, report the text of all queries involved in the deadlock to the server log (Itagaki Takahiro)
(8.4.0) Add pg_stat_get_activity(pid)
function to return information about a specific process id
(Magnus Hagander)
(8.4.0) Allow the location of the server's statistics file to be specified via stats_temp_directory (Magnus Hagander)
This allows the statistics file to be placed in a RAM-resident directory to reduce I/O requirements. On startup/shutdown, the file is copied to its traditional location ($PGDATA/global/) so it is preserved across restarts.
(8.4.0) Add support for WINDOW functions (Hitoshi Harada)
(8.4.0) Add support for WITH clauses (CTEs), including WITH RECURSIVE (Yoshiyuki Asaba, Tatsuo Ishii, Tom Lane)
(8.4.0) Add TABLE command (Peter T. Mount)
TABLE tablename is a SQL standard short-hand for SELECT * FROM tablename.
(8.4.0) Allow AS to be optional when specifying a SELECT (or RETURNING) column output label (Hiroshi Saito)
This works so long as the column label is not any PostgreSQL keyword; otherwise AS is still needed.
(8.4.0) Support set-returning functions in SELECT result lists even for functions that return their result via a tuplestore (Tom Lane)
In particular, this means that functions written in PL/pgSQL and other PL languages can now be called this way.
(8.4.0) Support set-returning functions in the output of aggregation and grouping queries (Tom Lane)
(8.4.0) Allow SELECT FOR UPDATE/SHARE to work on inheritance trees (Tom Lane)
(8.4.0) Add infrastructure for SQL/MED (Martin Pihlak, Peter T. Mount)
There are no remote or external SQL/MED capabilities yet, but this change provides a standardized and future-proof system for managing connection information for modules like dblink and plproxy.
(8.4.0) Invalidate cached plans when referenced schemas, functions, operators, or operator classes are modified (Martin Pihlak, Tom Lane)
This improves the system's ability to respond to on-the-fly DDL changes.
(8.4.0) Allow comparison of composite types and allow arrays of anonymous composite types (Tom Lane)
This allows constructs such as row(1, 1.1) = any (array[row(7, 7.7), row(1, 1.0)]). This is particularly useful in recursive queries.
(8.4.0) Add support for Unicode string literal and identifier specifications using code points, e.g. U&'d\0061t\+000061' (Peter T. Mount)
(8.4.0) Reject \000 in string literals and COPY data (Tom Lane)
Previously, this was accepted but had the effect of terminating the string contents.
(8.4.0) Improve the parser's ability to report error locations (Tom Lane)
An error location is now reported for many semantic errors, such as mismatched datatypes, that previously could not be localized.
(8.4.0) Support statement-level ON TRUNCATE triggers (Simon Riggs)
(8.4.0) Add RESTART/CONTINUE IDENTITY options for TRUNCATE TABLE (Zoltan Boszormenyi)
The start value of a sequence can be changed by ALTER SEQUENCE START WITH.
(8.4.0) Allow TRUNCATE tab1, tab1 to succeed (Bruce Momjian)
(8.4.0) Add a separate TRUNCATE permission (Robert Haas)
(8.4.0) Make EXPLAIN VERBOSE show the output columns of each plan node (Tom Lane)
Previously EXPLAIN VERBOSE output an internal representation of the query plan. (That behavior is now available via debug_print_plan.)
(8.4.0) Make EXPLAIN identify subplans and initplans with individual labels (Tom Lane)
(8.4.0) Make EXPLAIN honor debug_print_plan (Tom Lane)
(8.4.0) Allow EXPLAIN on CREATE TABLE AS (Peter T. Mount)
(8.4.0) Allow sub-selects in LIMIT and OFFSET (Tom Lane)
(8.4.0) Add SQL-standard syntax for LIMIT/OFFSET capabilities (Peter T. Mount)
To wit, OFFSET num {ROW|ROWS} FETCH {FIRST|NEXT} [num] {ROW|ROWS} ONLY.
(8.4.0) Add support for column-level privileges (Stephen Frost, KaiGai Kohei)
(8.4.0) Refactor multi-object DROP operations to reduce the need for CASCADE (Alex Hunsaker)
For example, if table B has a dependency on table A, the command DROP TABLE A, B no longer requires the CASCADE option.
(8.4.0) Fix various problems with concurrent DROP commands by ensuring that locks are taken before we begin to drop dependencies of an object (Tom Lane)
(8.4.0) Improve reporting of dependencies during DROP commands (Tom Lane)
(8.4.0) Add WITH [NO] DATA clause to CREATE TABLE AS, per the SQL standard (Peter T. Mount, Tom Lane)
(8.4.0) Add support for user-defined I/O conversion casts (Heikki Linnakangas)
(8.4.0) Allow CREATE AGGREGATE to use an internal transition datatype (Tom Lane)
(8.4.0) Add LIKE clause to CREATE TYPE (Tom Lane)
This simplifies creation of data types that use the same internal representation as an existing type.
(8.4.0) Allow specification of the type category and "preferred" status for user-defined base types (Tom Lane)
This allows more control over the coercion behavior of user-defined types.
(8.4.0) Allow CREATE OR REPLACE VIEW to add columns to the end of a view (Robert Haas)
(8.4.0) Add ALTER TYPE RENAME (Petr Jelinek)
(8.4.0) Add ALTER SEQUENCE ... RESTART (with no parameter) to reset a sequence to its initial value (Zoltan Boszormenyi)
(8.4.0) Modify the ALTER TABLE syntax to allow all reasonable combinations for tables, indexes, sequences, and views (Tom Lane)
This change allows the following new syntaxes:
ALTER SEQUENCE OWNER TO
(8.4.0) ALTER VIEW ALTER COLUMN SET/DROP DEFAULT
(8.4.0) ALTER VIEW OWNER TO
(8.4.0) ALTER VIEW SET SCHEMA
There is no actual new functionality here, but formerly you had to say ALTER TABLE to do these things, which was confusing.
(8.4.0) Add support for the syntax ALTER TABLE ... ALTER COLUMN ... SET DATA TYPE (Peter T. Mount)
This is SQL-standard syntax for functionality that was already supported.
(8.4.0) Make ALTER TABLE SET WITHOUT OIDS rewrite the table to physically remove OID values (Tom Lane)
Also, add ALTER TABLE SET WITH OIDS to rewrite the table to add OIDs.
(8.4.0) Improve reporting of CREATE/DROP/RENAME DATABASE failure when uncommitted prepared transactions are the cause (Tom Lane)
(8.4.0) Make LC_COLLATE and LC_CTYPE into per-database settings (Radek Strnad, Heikki Linnakangas)
This makes collation similar to encoding, which was always configurable per database.
(8.4.0) Improve checks that the database encoding, collation (LC_COLLATE), and character classes (LC_CTYPE) match (Heikki Linnakangas, Tom Lane)
Note in particular that a new database's encoding and locale settings can be changed only when copying from template0. This prevents possibly copying data that doesn't match the settings.
(8.4.0) Add ALTER DATABASE SET TABLESPACE to move a database to a new tablespace (Guillaume Lelarge, Bernd Helmle)
(8.4.0) Add a VERBOSE option to the CLUSTER command and clusterdb (Jim Cox)
(8.4.0) Decrease memory requirements for recording pending trigger events (Tom Lane)
(8.4.0) Dramatically improve the speed of building and accessing hash indexes (Tom Raney, Shreya Bhargava)
This allows hash indexes to be sometimes faster than btree indexes. However, hash indexes are still not crash-safe.
(8.4.0) Make hash indexes store only the hash code, not the full value of the indexed column (Xiao Meng)
This greatly reduces the size of hash indexes for long indexed values, improving performance.
(8.4.0) Implement fast update option for GIN indexes (Teodor Sigaev, Oleg Bartunov)
This option greatly improves update speed at a small penalty in search speed.
(8.4.0) xxx_pattern_ops indexes can now be used for simple equality comparisons, not only for LIKE (Tom Lane)
(8.4.0) Remove the requirement to use @@@ when doing GIN weighted lookups on full text indexes (Tom Lane, Teodor Sigaev)
The normal @@ text search operator can be used instead.
(8.4.0) Add an optimizer selectivity function for @@ text search operations (Jan Urbanski)
(8.4.0) Allow prefix matching in full text searches (Teodor Sigaev, Oleg Bartunov)
(8.4.0) Support multi-column GIN indexes (Teodor Sigaev)
(8.4.0) Improve support for Nepali language and Devanagari alphabet (Teodor Sigaev)
(8.4.0) Track free space in separate per-relation "fork" files (Heikki Linnakangas)
Free space discovered by VACUUM is now recorded in *_fsm files, rather than in a fixed-sized shared memory area. The max_fsm_pages and max_fsm_relations settings have been removed, greatly simplifying administration of free space management.
(8.4.0) Add a visibility map to track pages that do not require vacuuming (Heikki Linnakangas)
This allows VACUUM to avoid scanning all of a table when only a portion of the table needs vacuuming. The visibility map is stored in per-relation "fork" files.
(8.4.0) Add vacuum_freeze_table_age parameter to control when VACUUM should ignore the visibility map and do a full table scan to freeze tuples (Heikki Linnakangas)
(8.4.0) Track transaction snapshots more carefully (Álvaro Herrera)
This improves VACUUM's ability to reclaim space in the presence of long-running transactions.
(8.4.0) Add ability to specify per-relation autovacuum and TOAST parameters in CREATE TABLE (Álvaro Herrera, Euler Taveira de Oliveira)
Autovacuum options used to be stored in a system table.
(8.4.0) Add --freeze option to vacuumdb (Bruce Momjian)
(8.4.0) Add a CaseSensitive option for text search synonym dictionaries (Simon Riggs)
(8.4.0) Improve the precision of NUMERIC division (Tom Lane)
(8.4.0) Add basic arithmetic operators for int2 with int8 (Tom Lane)
This eliminates the need for explicit casting in some situations.
(8.4.0) Allow UUID input to accept an optional hyphen after every fourth digit (Robert Haas)
(8.4.0) Allow on/off as input for the boolean data type (Itagaki Takahiro)
(8.4.0) Allow spaces around NaN in the input string for type numeric (Sam Mason)
(8.4.0) Reject year 0 BC and years 000 and 0000 (Tom Lane)
Previously these were interpreted as 1 BC. (Note: years 0 and 00 are still assumed to be the year 2000.)
(8.4.0) Include SGT (Singapore time) in the default list of known time zone abbreviations (Tom Lane)
(8.4.0) Support infinity and -infinity as values of type date (Tom Lane)
(8.4.0) Make parsing of interval literals more standard-compliant (Tom Lane, Ron Mayer)
For example, INTERVAL '1' YEAR now does what it's supposed to.
(8.4.0) Allow interval fractional-seconds precision to be specified after the second keyword, for SQL standard compliance (Tom Lane)
Formerly the precision had to be specified after the keyword interval. (For backwards compatibility, this syntax is still supported, though deprecated.) Data type definitions will now be output using the standard format.
(8.4.0) Support the IS0 8601 interval syntax (Ron Mayer, Kevin Grittner)
For example, INTERVAL 'P1Y2M3DT4H5M6.7S' is now supported.
(8.4.0) Add IntervalStyle parameter which controls how interval values are output (Ron Mayer)
Valid values are: postgres, postgres_verbose, sql_standard, iso_8601. This setting also controls the handling of negative interval input when only some fields have positive/negative designations.
(8.4.0) Improve consistency of handling of fractional seconds in timestamp and interval output (Ron Mayer)
(8.4.0) Improve the handling of casts applied to ARRAY[] constructs, such as ARRAY[...]::integer[] (Brendan Jurd)
Formerly PostgreSQL attempted to determine a data type for the ARRAY[] construct without reference to the ensuing cast. This could fail unnecessarily in many cases, in particular when the ARRAY[] construct was empty or contained only ambiguous entries such as NULL. Now the cast is consulted to determine the type that the array elements must be.
(8.4.0) Make SQL-syntax ARRAY dimensions optional to match the SQL standard (Peter T. Mount)
(8.4.0) Add array_ndims()
to return the
number of dimensions of an array (Robert Haas)
(8.4.0) Add array_length()
to return the
length of an array for a specified dimension (Jim Nasby, Robert
Haas, Peter Eisentraut)
(8.4.0) Add aggregate function array_agg()
, which returns all aggregated values
as a single array (Robert Haas, Jeff Davis, Peter T. Mount)
(8.4.0) Add unnest()
, which converts an
array to individual row values (Tom Lane)
This is the opposite of array_agg()
.
(8.4.0) Add array_fill()
to create arrays
initialized with a value (Pavel Stehule)
(8.4.0) Add generate_subscripts()
to
simplify generating the range of an array's subscripts (Pavel
Stehule)
(8.4.0) Consider TOAST compression on values as short as 32 bytes (previously 256 bytes) (Greg Stark)
(8.4.0) Require 25% minimum space savings before using TOAST compression (previously 20% for small values and any-savings-at-all for large values) (Greg Stark)
(8.4.0) Improve TOAST heuristics for rows that have a mix of large and small toastable fields, so that we prefer to push large values out of line and don't compress small values unnecessarily (Greg Stark, Tom Lane)
(8.4.0) Document that setseed()
allows
values from -1 to 1 (not just 0 to 1), and enforce the valid range (Kris Jurka)
(8.4.0) Add server-side function lo_import(filename, oid)
(Tatsuo Ishii)
(8.4.0) Add quote_nullable()
, which
behaves like quote_literal()
but
returns the string NULL for a null
argument (Brendan Jurd)
(8.4.0) Improve full text search headline()
function to allow extracting several
fragments of text (Sushant Sinha)
(8.4.0) Add suppress_redundant_updates_trigger()
trigger
function to avoid overhead for non-data-changing updates
(Andrew Dunstan)
(8.4.0) Add div(numeric, numeric)
to
perform numeric division without rounding
(Tom Lane)
(8.4.0) Add timestamp and timestamptz versions of generate_series()
(Hitoshi Harada)
(8.4.0) Implement current_query()
for use
by functions that need to know the currently running query (Tomas
Doran)
(8.4.0) Add pg_get_keywords()
to return a
list of the parser keywords (Dave Page)
(8.4.0) Add pg_get_functiondef()
to see a
function's definition (Abhijit Menon-Sen)
(8.4.0) Allow the second argument of pg_get_expr()
to be zero when deparsing an
expression that does not contain variables (Tom Lane)
(8.4.0) Modify pg_relation_size()
to use
regclass (Heikki Linnakangas)
pg_relation_size(data_type_name)
no longer works.
(8.4.0) Add boot_val and reset_val columns to pg_settings output (Greg Smith)
(8.4.0) Add source file name and line number columns to pg_settings output for variables set in a configuration file (Magnus Hagander, Álvaro Herrera)
For security reasons, these columns are only visible to superusers.
(8.4.0) Add support for CURRENT_CATALOG, CURRENT_SCHEMA, SET CATALOG, SET SCHEMA (Peter T. Mount)
These provide SQL-standard syntax for existing features.
(8.4.0) Add pg_typeof()
which returns the
data type of any value (Brendan Jurd)
(8.4.0) Make version()
return information
about whether the server is a 32- or 64-bit binary (Bruce Momjian)
(8.4.0) Fix the behavior of information schema columns is_insertable_into and is_updatable to be consistent (Peter T. Mount)
(8.4.0) Improve the behavior of information schema datetime_precision columns (Peter T. Mount)
These columns now show zero for date columns, and 6 (the default precision) for time, timestamp, and interval without a declared precision, rather than showing null as formerly.
(8.4.0) Convert remaining builtin set-returning functions to use OUT parameters (Jaime Casanova)
This makes it possible to call these functions without
specifying a column list: pg_show_all_settings()
, pg_lock_status()
, pg_prepared_xact()
, pg_prepared_statement()
, pg_cursor()
(8.4.0) Make pg_*_is_visible()
and
has_*_privilege()
functions return
NULL for invalid OIDs, rather than
reporting an error (Tom Lane)
(8.4.0) Extend has_*_privilege()
functions
to allow inquiring about the OR of multiple privileges in one call
(Stephen Frost, Tom Lane)
(8.4.0) Add has_column_privilege()
and
has_any_column_privilege()
functions
(Stephen Frost, Tom Lane)
(8.4.0) Support variadic functions (functions with a variable number of arguments) (Pavel Stehule)
Only trailing arguments can be optional, and they all must be of the same data type.
(8.4.0) Support default values for function arguments (Pavel Stehule)
(8.4.0) Add CREATE FUNCTION ... RETURNS TABLE clause (Pavel Stehule)
(8.4.0) Allow SQL-language functions to return the output of an INSERT/UPDATE/DELETE RETURNING clause (Tom Lane)
(8.4.0) Support EXECUTE USING for easier insertion of data values into a dynamic query string (Pavel Stehule)
(8.4.0) Allow looping over the results of a cursor using a FOR loop (Pavel Stehule)
(8.4.0) Support RETURN QUERY EXECUTE (Pavel Stehule)
(8.4.0) Improve the RAISE command (Pavel Stehule)
Support DETAIL and HINT fields
(8.4.0) Support specification of the SQLSTATE error code
(8.4.0) Support an exception name parameter
(8.4.0) Allow RAISE without parameters in an exception block to re-throw the current error
(8.4.0) Allow specification of SQLSTATE codes in EXCEPTION lists (Pavel Stehule)
This is useful for handling custom SQLSTATE codes.
(8.4.0) Support the CASE statement (Pavel Stehule)
(8.4.0) Make RETURN QUERY set the special FOUND and GET DIAGNOSTICS ROW_COUNT variables (Pavel Stehule)
(8.4.0) Make FETCH and MOVE set the GET DIAGNOSTICS ROW_COUNT variable (Andrew Gierth)
(8.4.0) Make EXIT without a label always exit the innermost loop (Tom Lane)
Formerly, if there were a BEGIN block more closely nested than any loop, it would exit that block instead. The new behavior matches Oracle (TM) and is also what was previously stated by our own documentation.
(8.4.0) Make processing of string literals and nested block comments match the main SQL parser's processing (Tom Lane)
In particular, the format string in RAISE now works the same as any other string literal, including being subject to standard_conforming_strings. This change also fixes other cases in which valid commands would fail when standard_conforming_strings is on.
(8.4.0) Avoid memory leakage when the same function is called at varying exception-block nesting depths (Tom Lane)
(8.4.0) Fix pg_ctl restart to preserve command-line arguments (Bruce Momjian)
(8.4.0) Add -w/--no-password option that prevents password prompting in all utilities that have a -W/--password option (Peter T. Mount)
(8.4.0) Remove -q (quiet) option of createdb, createuser, dropdb, dropuser (Peter T. Mount)
These options have had no effect since PostgreSQL 8.3.
(8.4.0) Remove verbose startup banner; now just suggest help (Joshua Drake)
(8.4.0) Make help show common backslash commands (Greg Sabino Mullane)
(8.4.0) Add \pset format wrapped mode to wrap output to the screen width, or file/pipe output too if \pset columns is set (Bryce Nesbitt)
(8.4.0) Allow all supported spellings of boolean values in \pset, rather than just on and off (Bruce Momjian)
Formerly, any string other than "off" was silently taken to mean true. psql will now complain about unrecognized spellings (but still take them as true).
(8.4.0) Use the pager for wide output (Bruce Momjian)
(8.4.0) Require a space between a one-letter backslash command and its first argument (Bernd Helmle)
This removes a historical source of ambiguity.
(8.4.0) Improve tab completion support for schema-qualified and quoted identifiers (Greg Sabino Mullane)
(8.4.0) Add optional on/off argument for \timing (David Fetter)
(8.4.0) Display access control rights on multiple lines (Brendan Jurd, Andreas Scherbaum)
(8.4.0) Make \l show database access privileges (Andrew Gilligan)
(8.4.0) Make \l+ show database sizes, if permissions allow (Andrew Gilligan)
(8.4.0) Add the \ef command to edit function definitions (Abhijit Menon-Sen)
(8.4.0) Make \d* commands that do not have a pattern argument show system objects only if the S modifier is specified (Greg Sabino Mullane, Bruce Momjian)
The former behavior was inconsistent across different variants of \d, and in most cases it provided no easy way to see just user objects.
(8.4.0) Improve \d* commands to work with older PostgreSQL server versions (back to 7.4), not only the current server version (Guillaume Lelarge)
(8.4.0) Make \d show foreign-key constraints that reference the selected table (Kenneth D'Souza)
(8.4.0) Make \d on a sequence show its column values (Euler Taveira de Oliveira)
(8.4.0) Add column storage type and other relation options to the \d+ display (Gregory Stark, Euler Taveira de Oliveira)
(8.4.0) Show relation size in \dt+ output (Dickson S. Guedes)
(8.4.0) Show the possible values of enum types in \dT+ (David Fetter)
(8.4.0) Allow \dC to accept a wildcard pattern, which matches either datatype involved in the cast (Tom Lane)
(8.4.0) Add a function type column to \df's output, and add options to list only selected types of functions (David Fetter)
(8.4.0) Make \df not hide functions that take or return type cstring (Tom Lane)
Previously, such functions were hidden because most of them are datatype I/O functions, which were deemed uninteresting. The new policy about hiding system functions by default makes this wart unnecessary.
(8.4.0) Add a --no-tablespaces option to pg_dump/pg_dumpall/pg_restore so that dumps can be restored to clusters that have non-matching tablespace layouts (Gavin Roy)
(8.4.0) Remove -d and -D options from pg_dump and pg_dumpall (Tom Lane)
These options were too frequently confused with the option to select a database name in other PostgreSQL client applications. The functionality is still available, but you must now spell out the long option name --inserts or --column-inserts.
(8.4.0) Remove -i/--ignore-version option from pg_dump and pg_dumpall (Tom Lane)
Use of this option does not throw an error, but it has no effect. This option was removed because the version checks are necessary for safety.
(8.4.0) Disable statement_timeout during dump and restore (Joshua Drake)
(8.4.0) Add pg_dump/pg_dumpall option --lock-wait-timeout (David Gould)
This allows dumps to fail if unable to acquire a shared lock within the specified amount of time.
(8.4.0) Reorder pg_dump --data-only output to dump tables referenced by foreign keys before the referencing tables (Tom Lane)
This allows data loads when foreign keys are already present. If circular references make a safe ordering impossible, a NOTICE is issued.
(8.4.0) Allow pg_dump, pg_dumpall, and pg_restore to use a specified role (Benedek László)
(8.4.0) Allow pg_restore to use multiple concurrent connections to do the restore (Andrew Dunstan)
The number of concurrent connections is controlled by the option --jobs. This is supported only for custom-format archives.
(8.4.0) Allow the OID to be specified when
importing a large object, via new function lo_import_with_oid()
(Tatsuo Ishii)
(8.4.0) Add "events" support (Andrew Chernow, Merlin Moncure)
This adds the ability to register callbacks to manage private data associated with PGconn and PGresult objects.
(8.4.0) Improve error handling to allow the return of multiple error messages as multi-line error reports (Magnus Hagander)
(8.4.0) Make PQexecParams()
and related
functions return PGRES_EMPTY_QUERY for an
empty query (Tom Lane)
They previously returned PGRES_COMMAND_OK.
(8.4.0) Document how to avoid the overhead of WSACleanup()
on Windows (Andrew Chernow)
(8.4.0) Do not rely on Kerberos tickets to determine the default database username (Magnus Hagander)
Previously, a Kerberos-capable build of libpq would use the principal name from any available Kerberos ticket as default database username, even if the connection wasn't using Kerberos authentication. This was deemed inconsistent and confusing. The default username is now determined the same way with or without Kerberos. Note however that the database username must still match the ticket when Kerberos authentication is used.
(8.4.0) Fix certificate validation for SSL connections (Magnus Hagander)
libpq now supports verifying both the certificate and the name of the server when making SSL connections. If a root certificate is not available to use for verification, SSL connections will fail. The sslmode parameter is used to enable certificate verification and set the level of checking. The default is still not to do any verification, allowing connections to SSL-enabled servers without requiring a root certificate on the client.
(8.4.0) Support wildcard server certificates (Magnus Hagander)
If a certificate CN starts with *, it will be treated as a wildcard when matching the hostname, allowing the use of the same certificate for multiple servers.
(8.4.0) Allow the file locations for client certificates to be specified (Mark Woodward, Álvaro Herrera, Magnus Hagander)
(8.4.0) Add a PQinitOpenSSL
function to
allow greater control over OpenSSL/libcrypto initialization (Andrew
Chernow)
(8.4.0) Make libpq unregister its OpenSSL callbacks when no database connections remain open (Bruce Momjian, Magnus Hagander, Russell Smith)
This is required for applications that unload the libpq library, otherwise invalid OpenSSL callbacks will remain.
(8.4.0) Add localization support for messages (Euler Taveira de Oliveira)
(8.4.0) ecpg parser is now automatically generated from the server parser (Michael Meskes)
Previously the ecpg parser was hand-maintained.
(8.4.0) Add support for single-use plans with out-of-line parameters (Tom Lane)
(8.4.0) Add new SPI_OK_REWRITTEN return code
for SPI_execute()
(Heikki Linnakangas)
This is used when a command is rewritten to another type of command.
(8.4.0) Remove unnecessary inclusions from executor/spi.h (Tom Lane)
SPI-using modules might need to add some #include lines if they were depending on spi.h to include things for them.
(8.4.0) Update build system to use Autoconf 2.61 (Peter T. Mount)
(8.4.0) Require GNU bison for source code builds (Peter T. Mount)
This has effectively been required for several years, but now there is no infrastructure claiming to support other parser tools.
(8.4.0) Add pg_config --htmldir option (Peter T. Mount)
(8.4.0) Pass float4 by value inside the server (Zoltan Boszormenyi)
Add configure option --disable-float4-byval to use the old behavior. External C functions that use old-style (version 0) call convention and pass or return float4 values will be broken by this change, so you may need the configure option if you have such functions and don't want to update them.
(8.4.0) Pass float8, int8, and related datatypes by value inside the server on 64-bit platforms (Zoltan Boszormenyi)
Add configure option --disable-float8-byval to use the old behavior. As above, this change might break old-style external C functions.
(8.4.0) Add configure options --with-segsize, --with-blocksize, --with-wal-blocksize, --with-wal-segsize (Zdenek Kotala, Tom Lane)
This simplifies build-time control over several constants that previously could only be changed by editing pg_config_manual.h.
(8.4.0) Allow threaded builds on Solaris 2.5 (Bruce Momjian)
(8.4.0) Use the system's getopt_long()
on
Solaris (Zdenek Kotala, Tom Lane)
This makes option processing more consistent with what Solaris users expect.
(8.4.0) Add support for the Sun Studio compiler on Linux (Julius Stroffek)
(8.4.0) Append the major version number to the backend gettext domain, and the soname major version number to libraries' gettext domain (Peter T. Mount)
This simplifies parallel installations of multiple versions.
(8.4.0) Add support for code coverage testing with gcov (Michelle Caisse)
(8.4.0) Allow out-of-tree builds on Mingw and Cygwin (Richard Evans)
(8.4.0) Fix the use of Mingw as a cross-compiling source platform (Peter T. Mount)
(8.4.0) Support 64-bit time zone data files (Heikki Linnakangas)
This adds support for daylight saving time (DST) calculations beyond the year 2038.
(8.4.0) Deprecate use of platform's time_t data type (Tom Lane)
Some platforms have migrated to 64-bit time_t, some have not, and Windows can't make up its mind what it's doing. Define pg_time_t to have the same meaning as time_t, but always be 64 bits (unless the platform has no 64-bit integer type), and use that type in all module APIs and on-disk data formats.
(8.4.0) Fix bug in handling of the time zone database when cross-compiling (Richard Evans)
(8.4.0) Link backend object files in one step, rather than in stages (Peter T. Mount)
(8.4.0) Improve gettext support to allow better translation of plurals (Peter T. Mount)
(8.4.0) Add message translation support to the PL languages (Álvaro Herrera, Peter T. Mount)
(8.4.0) Add more DTrace probes (Robert Lor)
(8.4.0) Enable DTrace support on Mac OS X Leopard and other non-Solaris platforms (Robert Lor)
(8.4.0) Simplify and standardize conversions between C strings and text datums, by providing common functions for the purpose (Brendan Jurd, Tom Lane)
(8.4.0) Clean up the include/catalog/ header files so that frontend programs can include them without including postgres.h (Zdenek Kotala)
(8.4.0) Make name char-aligned, and suppress zero-padding of name entries in indexes (Tom Lane)
(8.4.0) Recover better if dynamically-loaded code executes exit()
(Tom Lane)
(8.4.0) Add a hook to let plug-ins monitor the executor (Itagaki Takahiro)
(8.4.0) Add a hook to allow the planner's statistics lookup behavior to be overridden (Simon Riggs)
(8.4.0) Add shmem_startup_hook()
for
custom shared memory requirements (Tom Lane)
(8.4.0) Replace the index access method amgetmulti
entry point with amgetbitmap
, and extend the API for amgettuple
to support run-time determination of
operator lossiness (Heikki Linnakangas, Tom Lane, Teodor Sigaev)
The API for GIN and GiST opclass consistent
functions has been extended as
well.
(8.4.0) Add support for partial-match searches in GIN indexes (Teodor Sigaev, Oleg Bartunov)
(8.4.0) Replace pg_class column reltriggers with boolean relhastriggers (Simon Riggs)
Also remove unused pg_class columns relukeys, relfkeys, and relrefs.
(8.4.0) Add a relistemp column to pg_class to ease identification of temporary tables (Tom Lane)
(8.4.0) Move platform FAQs into the main documentation (Peter T. Mount)
(8.4.0) Prevent parser input files from being built with any conflicts (Peter T. Mount)
(8.4.0) Add support for the KOI8U (Ukrainian) encoding (Peter T. Mount)
(8.4.0) Add Japanese message translations (Japan PostgreSQL Users Group)
This used to be maintained as a separate project.
(8.4.0) Fix problem when setting LC_MESSAGES on MSVC-built systems (Hiroshi Inoue, Hiroshi Saito, Magnus Hagander)
(8.4.0) Add contrib/auto_explain to automatically run EXPLAIN on queries exceeding a specified duration (Itagaki Takahiro, Tom Lane)
(8.4.0) Add contrib/btree_gin to allow GIN indexes to handle more datatypes (Oleg Bartunov, Teodor Sigaev)
(8.4.0) Add contrib/citext to provide a case-insensitive, multibyte-aware text data type (David Wheeler)
(8.4.0) Add contrib/pg_stat_statements for server-wide tracking of statement execution statistics (Itagaki Takahiro)
(8.4.0) Add duration and query mode options to contrib/pgbench (Itagaki Takahiro)
(8.4.0) Make contrib/pgbench use table names pgbench_accounts, pgbench_branches, pgbench_history, and pgbench_tellers, rather than just accounts, branches, history, and tellers (Tom Lane)
This is to reduce the risk of accidentally destroying real data by running pgbench.
(8.4.0) Fix contrib/pgstattuple to handle tables and indexes with over 2 billion pages (Tatsuhito Kasahara)
(8.4.0) In contrib/fuzzystrmatch, add a version of the Levenshtein string-distance function that allows the user to specify the costs of insertion, deletion, and substitution (Volkan Yazici)
(8.4.0) Make contrib/ltree support multibyte encodings (laser)
(8.4.0) Enable contrib/dblink to use connection information stored in the SQL/MED catalogs (Joe Conway)
(8.4.0) Improve contrib/dblink's reporting of errors from the remote server (Joe Conway)
(8.4.0) Make contrib/dblink set client_encoding to match the local database's encoding (Joe Conway)
This prevents encoding problems when communicating with a remote database that uses a different encoding.
(8.4.0) Make sure contrib/dblink uses a password supplied by the user, and not accidentally taken from the server's .pgpass file (Joe Conway)
This is a minor security enhancement.
(8.4.0) Add fsm_page_contents()
to
contrib/pageinspect (Heikki Linnakangas)
(8.4.0) Modify get_raw_page()
to support
free space map (*_fsm) files. Also update
contrib/pg_freespacemap.
(8.4.0) Add support for multibyte encodings to contrib/pg_trgm (Teodor Sigaev)
(8.4.0) Rewrite contrib/intagg to use new
functions array_agg()
and
unnest()
(Tom Lane)
(8.4.0) Make contrib/pg_standby recover all available WAL before failover (Fujii Masao, Simon Riggs, Heikki Linnakangas)
To make this work safely, you now need to set the new recovery_end_command option in recovery.conf to clean up the trigger file after failover. pg_standby will no longer remove the trigger file itself.
(8.4.0) contrib/pg_standby's -l option is now a no-op, because it is unsafe to use a symlink (Simon Riggs)
Release date: 2013-02-07
This release contains a variety of fixes from 8.3.22. For information about new features in the 8.3 major release, see Version 8.3.0.
This is expected to be the last PostgreSQL release in the 8.3.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.3.X.
However, if you are upgrading from a version earlier than 8.3.17, see Version 8.3.17.
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Prevent execution of enum_recv
from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. CVE-2013-0255 or CVE-2013-0255)
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Prevent DROP OWNED from trying to drop whole databases or tablespaces (Ãlvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)
This bug affected psql and some other client programs.
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Fix one-byte buffer overrun in libpq's PQprintTuples
(Xi Wang)
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Ensure Windows build number increases over time (Magnus Hagander)
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)
(8.3.23,9.2.3,9.1.8,9.0.12,8.4.16) Add new timezone abbreviation FET (Tom Lane)
This is now used in some eastern-European time zones.
Release date: 2012-12-06
This release contains a variety of fixes from 8.3.21. For information about new features in the 8.3 major release, see Version 8.3.0.
The PostgreSQL community will stop releasing updates for the 8.3.X release series in February 2013. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.3.X.
However, if you are upgrading from a version earlier than 8.3.17, see Version 8.3.17.
(8.3.22,9.1.7,9.0.11,8.4.15) Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane)
Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Avoid corruption of internal hash tables when out of memory (Hitoshi Harada)
(8.3.22,9.1.7,9.0.11,8.4.15) Fix planning of non-strict equivalence clauses above outer joins (Tom Lane)
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane)
This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.
(8.3.22,9.0.11,8.4.15) Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund)
In very unusual circumstances, this oversight could result in passing incorrect data to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix REASSIGN OWNED to handle grants on tablespaces (Ãlvaro Herrera)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane)
Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix possible access past end of string in date parsing (Hitoshi Harada)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan)
Formerly, this would result in something quite unhelpful, such as "Non-recoverable failure in name resolution".
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix memory leaks when sending composite column values to the client (Tom Lane)
(8.3.22,9.1.7,9.0.11,8.4.15) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas)
Fix race conditions and possible file descriptor leakage.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane)
The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane)
The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane)
This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix libpq's lo_import()
and lo_export()
functions to report file I/O errors
properly (Tom Lane)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane)
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Fix pgxs support for building loadable modules on AIX (Tom Lane)
Building modules outside the original source tree didn't work on AIX.
(8.3.22,9.2.2,9.1.7,9.0.11,8.4.15) Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.
Release date: 2012-09-24
This release contains a variety of fixes from 8.3.20. For information about new features in the 8.3 major release, see Version 8.3.0.
The PostgreSQL community will stop releasing updates for the 8.3.X release series in February 2013. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.3.X.
However, if you are upgrading from a version earlier than 8.3.17, see Version 8.3.17.
(8.3.21,9.1.6,9.0.10,8.4.14) Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane)
Multi-column GiST indexes might suffer unexpected bloat due to this error.
(8.3.21,9.1.6,9.0.10,8.4.14) Fix cascading privilege revoke to stop if privileges are still held (Tom Lane)
If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to.
(8.3.21,9.1.6,9.0.10,8.4.14) Fix handling of SIGFPE when PL/Perl is in use (Andres Freund)
Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl.
(8.3.21,9.2.1,9.1.6,9.0.10,8.4.14) Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane)
(8.3.21,9.2.1,9.1.6,9.0.10,8.4.14) Work around possible misoptimization in PL/Perl (Tom Lane)
Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error.
(8.3.21,9.2.1,9.1.6,9.0.10,8.4.14) Update time zone data files to tzdata release 2012f for DST law changes in Fiji
Release date: 2012-08-17
This release contains a variety of fixes from 8.3.19. For information about new features in the 8.3 major release, see Version 8.3.0.
The PostgreSQL community will stop releasing updates for the 8.3.X release series in February 2013. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.3.X.
However, if you are upgrading from a version earlier than 8.3.17, see Version 8.3.17.
(8.3.20,9.1.5,9.0.9,8.4.13) Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane)
xml_parse()
would attempt to fetch
external files or URLs as needed to resolve DTD and entity
references in an XML value, thus allowing unprivileged database
users to attempt to fetch data with the privileges of the database
server. While the external data wouldn't get returned directly to
the user, portions of it could be exposed in error messages if the
data didn't parse as valid XML; and in any case the mere ability to
check existence of a file might be useful to an attacker.
CVE-2012-3489 or CVE-2012-3489)
(8.3.20,9.1.5,9.0.9,8.4.13) Prevent access to external files/URLs via contrib/xml2's xslt_process()
(Peter Eisentraut)
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. CVE-2012-3488 or CVE-2012-3488)
Also, remove xslt_process()
's
ability to fetch documents and stylesheets from external
files/URLs. While this was a documented "feature", it was long regarded as a bad idea. The
fix forCVE-2012-3489 or CVE-2012-3489 broke that capability, and rather than expend
effort on trying to fix it, we're just going to summarily remove
it.
(8.3.20,9.1.5,9.0.9,8.4.13) Prevent too-early recycling of btree index pages (Noah Misch)
When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed.
(8.3.20,9.1.5,9.0.9,8.4.13) Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane)
If ALTER SEQUENCE was executed on a
freshly created or reset sequence, and then precisely one
nextval()
call was made on it, and
then the server crashed, WAL replay would restore the sequence to a
state in which it appeared that no nextval()
had been done, thus allowing the first
sequence value to be returned again by the next nextval()
call. In particular this could manifest
for serial columns, since creation of a
serial column's sequence includes an ALTER
SEQUENCE OWNED BY step.
(8.3.20,9.1.5,9.0.9,8.4.13) Ensure the backup_label file is
fsync'd after pg_start_backup()
(Dave
Kerr)
(8.3.20,9.0.9,8.4.13) Back-patch 9.1 improvement to compress the fsync request queue (Robert Haas)
This improves performance during checkpoints. The 9.1 change has now seen enough field testing to seem safe to back-patch.
(8.3.20,9.1.5,9.0.9,8.4.13) Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane)
The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period.
(8.3.20,9.1.5,9.0.9,8.4.13) Improve logging of autovacuum cancels (Robert Haas)
(8.3.20,9.1.5,9.0.9,8.4.13) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane)
(8.3.20,9.1.5,9.0.9,8.4.13) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane)
(8.3.20,9.1.5,9.0.9,8.4.13) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane)
This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch.
(8.3.20,9.1.5,9.0.9,8.4.13) Fix memory leak in ARRAY (SELECT ...) subqueries (Heikki Linnakangas, Tom Lane)
(8.3.20,9.1.5,9.0.9,8.4.13) Fix extraction of common prefixes from regular expressions (Tom Lane)
The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns.
(8.3.20,9.1.5,9.0.9,8.4.13) Report errors properly in contrib/xml2's xslt_process()
(Tom Lane)
(8.3.20,9.1.5,9.0.9,8.4.13) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau
Release date: 2012-06-04
This release contains a variety of fixes from 8.3.18. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X.
However, if you are upgrading from a version earlier than 8.3.17, see Version 8.3.17.
(8.3.19,9.1.4,9.0.8,8.4.12) Fix incorrect password transformation in contrib/pgcrypto's DES crypt()
function (Solar Designer)
If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. CVE-2012-2143 or CVE-2012-2143)
(8.3.19,9.1.4,9.0.8,8.4.12) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane)
Applying such attributes to a call handler could crash the server. CVE-2012-2655 or CVE-2012-2655)
(8.3.19,9.1.4,9.0.8,8.4.12) Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane)
Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload.
(8.3.19,9.1.4,9.0.8,8.4.12) Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane)
This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions.
(8.3.19,9.1.4,9.0.8,8.4.12) Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter)
(8.3.19,9.1.4,9.0.8,8.4.12) Fix memory copying bug in to_tsquery()
(Heikki Linnakangas)
(8.3.19,9.1.4,9.0.8,8.4.12) Fix slow session startup when pg_attribute is very large (Tom Lane)
If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once.
(8.3.19,9.1.4,9.0.8,8.4.12) Ensure sequential scans check for query cancel reasonably often (Merlin Moncure)
A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile.
(8.3.19,9.1.4,9.0.8,8.4.12) Ensure the Windows implementation of PGSemaphoreLock()
clears ImmediateInterruptOK before returning (Tom Lane)
This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences.
(8.3.19,9.1.4,9.0.8,8.4.12) Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane)
Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast.
(8.3.19,9.1.4,9.0.8,8.4.12) Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas)
Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes.
(8.3.19,9.1.4,9.0.8,8.4.12) Fix logging collector to not lose log coherency under high load (Andrew Dunstan)
The collector previously could fail to reassemble large messages if it got too busy.
(8.3.19,9.1.4,9.0.8,8.4.12) Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane)
(8.3.19,9.1.4,9.0.8,8.4.12) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane)
(8.3.19,9.1.4,9.0.8,8.4.12) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane)
pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences.
(8.3.19,9.1.4,9.0.8,8.4.12) Fix contrib/dblink's dblink_exec()
to not leak temporary database
connections upon error (Tom Lane)
(8.3.19,9.1.4,9.0.8,8.4.12) Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.
Release date: 2012-02-27
This release contains a variety of fixes from 8.3.17. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X.
However, if you are upgrading from a version earlier than 8.3.17, see Version 8.3.17.
(8.3.18,9.1.3,9.0.7,8.4.11) Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)
This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. CVE-2012-0866 or CVE-2012-0866)
(8.3.18,9.1.3,9.0.7,8.4.11) Convert newlines to spaces in names written in pg_dump comments (Robert Haas)
pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. CVE-2012-0868 or CVE-2012-0868)
(8.3.18,9.1.3,9.0.7,8.4.11) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane)
An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things.
(8.3.18,9.1.3,9.0.7,8.4.11) Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas)
Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one.
(8.3.18,9.1.3,9.0.7,8.4.11) Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane)
Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed.
(8.3.18,9.1.3,9.0.7,8.4.11) Fix regular expression back-references with * attached (Tom Lane)
Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol.
A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release.
(8.3.18,9.1.3,9.0.7,8.4.11) Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas)
A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column.
(8.3.18,9.1.3,9.0.7,8.4.11) Avoid double close of file handle in syslogger on Windows (MauMau)
Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows.
(8.3.18,9.1.3,9.0.7,8.4.11) Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane)
Certain operations would leak memory until the end of the current function.
(8.3.18,9.1.3,9.0.7,8.4.11) Improve pg_dump's handling of inherited table columns (Tom Lane)
pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly.
(8.3.18,9.1.3,9.0.7,8.4.11) Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane)
Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay.
(8.3.18,9.1.3,9.0.7,8.4.11) Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge)
If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result.
(8.3.18,9.1.3,9.0.7,8.4.11) Fix error detection in contrib/pgcrypto's encrypt_iv()
and decrypt_iv()
(Marko Kreen)
These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input.
(8.3.18,9.1.3,9.0.7,8.4.11) Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot)
The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad.
(8.3.18,9.1.3,9.0.7,8.4.11) Use __sync_lock_test_and_set()
for
spinlocks on ARM, if available (Martin Pitt)
This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.
(8.3.18,9.1.3,9.0.7,8.4.11) Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan)
This prevents assorted scenarios wherein recent versions of gcc will produce creative results.
(8.3.18,9.1.3,9.0.7,8.4.11) Allow use of threaded Python on FreeBSD (Chris Rees)
Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check.
Release date: 2011-12-05
This release contains a variety of fixes from 8.3.16. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X.
However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below.
Also, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Fix bugs in information_schema.referential_constraints view (Tom Lane)
This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does.
Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane)
If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Fix race condition during toast table access from stale syscache entries (Tom Lane)
The typical symptom was transient errors like "missing chunk number 0 for toast value NNNNN in pg_toast_2619", where the cited toast table would always belong to a system catalog.
(8.3.17,9.1.2,9.0.6,8.4.10) Make DatumGetInetP()
unpack inet
datums that have a 1-byte header, and add a new macro, DatumGetInetPP()
, that does not (Heikki
Linnakangas)
This change affects no core code, but might prevent crashes in
add-on code that expects DatumGetInetP()
to produce an unpacked datum as
per usual convention.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Improve locale support in money type's input and output (Tom Lane)
Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas)
transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane)
For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order.
(8.3.17,9.1.2,9.0.6,8.4.10) Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews)
While harmless in itself, on certain platforms this would result in annoying kernel log messages.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Preserve blank lines within commands in psql's command history (Robert Haas)
The former behavior could cause problems if an empty line was removed from within a string literal, for example.
(8.3.17,9.1.2,9.0.6,8.4.10) Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane)
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker)
(8.3.17,9.1.2,9.0.6,8.4.10) Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane)
Some functions incorrectly assumed that memory returned by
palloc()
is guaranteed zeroed.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Honor query cancel interrupts promptly in pgstatindex()
(Robert Haas)
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Ensure VPATH builds properly install all server header files (Peter Eisentraut)
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Shorten file names reported in verbose error messages (Peter Eisentraut)
Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Fix interpretation of Windows timezone names for Central America (Tom Lane)
Map "Central America Standard Time" to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America.
(8.3.17,9.1.2,9.0.6,8.4.10,8.2.23) Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa.
Release date: 2011-09-26
This release contains a variety of fixes from 8.3.15. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.16,9.0.5,8.4.9) Fix bugs in indexing of in-doubt HOT-updated tuples (Tom Lane)
These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix multiple bugs in GiST index page split processing (Heikki Linnakangas)
The probability of occurrence was low, but these could lead to index corruption.
(8.3.16,9.0.5,8.4.9) Fix possible buffer overrun in tsvector_concat()
(Tom Lane)
The function could underestimate the amount of memory needed for its result, leading to server crashes.
(8.3.16,9.0.5,8.4.9) Fix crash in xml_recv
when
processing a "standalone" parameter (Tom
Lane)
(8.3.16,9.0.5,8.4.9) Avoid possibly accessing off the end of memory in ANALYZE and in SJIS-2004 encoding conversion (Noah Misch)
This fixes some very-low-probability server crash scenarios.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix race condition in relcache init file invalidation (Tom Lane)
There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically "could not read block 0 in file ..." later during startup.
(8.3.16,9.1.1,9.0.5,8.4.9,8.2.22) Fix memory leak at end of a GiST index scan (Tom Lane)
Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix performance problem when constructing a large, lossy bitmap (Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Fix array- and path-creating functions to ensure padding bytes are zeroes (Tom Lane)
This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization.
(8.3.16,9.0.5,8.4.9,8.2.22) Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane)
This could lead to loss of committed transactions after a server crash.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix dump bug for VALUES in a view (Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Disallow SELECT FOR UPDATE/SHARE on sequences (Tom Lane)
This operation doesn't work as expected and can lead to failures.
(8.3.16,9.0.5,8.4.9,8.2.22) Defend against integer overflow when computing size of a hash table (Tom Lane)
(8.3.16,9.0.5,8.4.9) Fix cases where CLUSTER might attempt to access already-removed TOAST data (Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Fix portability bugs in use of credentials control messages for "peer" authentication (Tom Lane)
(8.3.16,9.0.5,8.4.9) Fix SSPI login when multiple roundtrips are required (Ahmed Shinwari, Magnus Hagander)
The typical symptom of this problem was "The function requested is not supported" errors during SSPI login.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix typo in pg_srand48
seed
initialization (Andres Freund)
This led to failure to use all bits of the provided seed. This
function is not used on most platforms (only those without
srandom
), and the potential security
exposure from a less-random-than-expected seed seems minimal in any
case.
(8.3.16,9.0.5,8.4.9,8.2.22) Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63 (Heikki Linnakangas)
(8.3.16,9.0.5,8.4.9,8.2.22) Add overflow checks to int4 and int8 versions of generate_series()
(Robert Haas)
(8.3.16,9.0.5,8.4.9,8.2.22) Fix trailing-zero removal in to_char()
(Marti Raudsepp)
In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix pg_size_pretty()
to avoid
overflow for inputs close to 2^63 (Tom Lane)
(8.3.16,9.0.5,8.4.9) In pg_ctl, support silent mode for service registrations on Windows (MauMau)
(8.3.16,9.0.5,8.4.9,8.2.22) Fix psql's counting of script file line numbers during COPY from a different file (Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Fix pg_restore's direct-to-database mode for standard_conforming_strings (Tom Lane)
pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code (Albe Laurenz)
(8.3.16,9.0.5,8.4.9,8.2.22) In libpq, avoid failures when using nonblocking I/O and an SSL connection (Martin Pihlak, Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Improve libpq's handling of failures during connection startup (Tom Lane)
In particular, the response to a server report of fork()
failure during SSL connection startup is
now saner.
(8.3.16,9.0.5,8.4.9) Improve libpq's error reporting for SSL failures (Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Make ecpglib write double values with 15 digits precision (Akira Kurosawa)
(8.3.16,9.0.5,8.4.9) In ecpglib, be sure LC_NUMERIC setting is restored after an error (Michael Meskes)
(8.3.16,9.0.5,8.4.9,8.2.22) Apply upstream fix for blowfish signed-character bug CVE-2011-2483 or CVE-2011-2483) (Tom Lane)
contrib/pg_crypto's blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix memory leak in contrib/seg (Heikki Linnakangas)
(8.3.16,9.0.5,8.4.9,8.2.22) Fix pgstatindex()
to give
consistent results for empty indexes (Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Allow building with perl 5.14 (Alex Hunsaker)
(8.3.16,8.4.9,8.2.22) Update configure script's method for probing existence of system functions (Tom Lane)
The version of autoconf we used in 8.3 and 8.2 could be fooled by compilers that perform link-time optimization.
(8.3.16,9.0.5,8.4.9,8.2.22) Fix assorted issues with build and install file paths containing spaces (Tom Lane)
(8.3.16,9.0.5,8.4.9,8.2.22) Update time zone data files to tzdata release 2011i for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan.
Release date: 2011-04-18
This release contains a variety of fixes from 8.3.14. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.15,9.0.4,8.4.8) Disallow including a composite type in itself (Tom Lane)
This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely.
(8.3.15,9.0.4,8.4.8,8.2.21) Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke)
In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order.
(8.3.15,9.0.4,8.4.8,8.2.21) Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane)
This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple.
(8.3.15,9.0.4,8.4.8,8.2.21) Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane)
Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired.
(8.3.15,9.0.4,8.4.8,8.2.21) Fix PL/Python memory leak involving array slices (Daniel Popowich)
(8.3.15,9.0.4,8.4.8,8.2.21) Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane)
(8.3.15,9.0.4,8.4.8,8.2.21) Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno)
(8.3.15,9.0.4,8.4.8,8.2.21) Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane)
There was a hard-wired assumption that this system function was not available on MIPS hardware on these systems. Use a compile-time test instead, since more recent versions have it.
(8.3.15,9.0.4,8.4.8,8.2.21) Fix compilation failures on HP-UX (Heikki Linnakangas)
(8.3.15,9.0.4,8.4.8) Fix version-incompatibility problem with libintl on Windows (Hiroshi Inoue)
(8.3.15,9.0.4,8.4.8) Fix usage of xcopy in Windows build scripts to work correctly under Windows 7 (Andrew Dunstan)
This affects the build scripts only, not installation or usage.
(8.3.15,9.0.4,8.4.8,8.2.21) Fix path separator used by pg_regress on Cygwin (Andrew Dunstan)
(8.3.15,9.0.4,8.4.8,8.2.21) Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii.
Release date: 2011-01-31
This release contains a variety of fixes from 8.3.13. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.14,9.0.3,8.4.7,8.2.20) Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane)
If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors.
(8.3.14,9.0.3,8.4.7,8.2.20) Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane)
If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash.
(8.3.14,9.0.3,8.4.7,8.2.20) Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane)
The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity.
(8.3.14,8.4.7,8.2.20) Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on (Tom Lane)
Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database.
(8.3.14,9.0.3,8.4.7,8.2.20) Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane)
Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type.
(8.3.14,9.0.3,8.4.7,8.2.20) Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple)
This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. CVE-2010-4015 or CVE-2010-4015)
(8.3.14,9.0.3,8.4.7,8.2.20) Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.)
Release date: 2010-12-16
This release contains a variety of fixes from 8.3.12. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp)
The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option.
(8.3.13,9.0.2,8.4.6,8.2.19) Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane)
This could result in "bad buffer id: 0" failures or corruption of index contents during replication.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis)
(8.3.13,9.0.2,8.4.6) Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane)
The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Add support for detecting register-stack overrun on IA64 (Tom Lane)
The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Add a check for stack overflow in copyObject()
(Tom Lane)
Certain code paths could crash due to stack overflow given a sufficiently complex query.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas)
It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane)
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane)
An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Do not "inline" a SQL function with multiple OUT parameters (Tom Lane)
This avoids a possible crash due to loss of information about the expected result rowtype.
(8.3.13,9.0.2,8.4.6,8.2.19) Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane)
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix constant-folding of COALESCE() expressions (Tom Lane)
The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors.
(8.3.13,9.0.2,8.4.6) Fix postmaster crash when connection acceptance (accept()
or one of the calls made immediately
after it) fails, and the postmaster was compiled with GSSAPI
support (Alexander Chernikov)
(8.3.13,9.0.2,8.4.6) Fix missed unlink of temporary files when log_temp_files is active (Tom Lane)
If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Add print functionality for InhRelation nodes (Tom Lane)
This avoids a failure when debug_print_parse is enabled and certain types of query are executed.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane)
This bug affected several different geometric distance-measurement operators.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane)
(8.3.13,9.0.2,8.4.6,8.2.19) Fix PL/Python's handling of set-returning functions (Jan Urbanski)
Attempts to call SPI functions within the iterator generating a set result would fail.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update.
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro)
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp)
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane)
(8.3.13,9.0.2,8.4.6,8.2.19,8.1.23) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong.
Release date: 2010-10-04
This release contains a variety of fixes from 8.3.11. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.12,9.0.1,8.4.5,8.2.18,8.1.22,8.0.26,7.4.30) Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Our thanks to Tim Bunce for pointing out this issue CVE-2010-3433 or CVE-2010-3433).
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26,7.4.30) Prevent possible crashes in pg_get_expr()
by disallowing it from being called
with an argument that is not one of the system catalog columns it's
intended to be used with (Heikki Linnakangas, Tom Lane)
(8.3.12,8.4.5,8.2.18) Treat exit code 128 (ERROR_WAIT_NO_CHILDREN) as non-fatal on Windows (Magnus Hagander)
Under high load, Windows processes will sometimes fail at startup with this error code. Formerly the postmaster treated this as a panic condition and restarted the whole database, but that seems to be an overreaction.
(8.3.12) Fix incorrect usage of non-strict OR joinclauses in Append indexscans (Tom Lane)
This is a back-patch of an 8.4 fix that was missed in the 8.3 branch. This corrects an error introduced in 8.3.8 that could cause incorrect results for outer joins when the inner relation is an inheritance tree or UNION ALL subquery.
(8.3.12,9.0.1,8.4.5,8.2.18) Fix possible duplicate scans of UNION ALL member relations (Tom Lane)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26,7.4.30) Fix "cannot handle unplanned sub-select" error (Tom Lane)
This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select.
(8.3.12,8.4.5) Fix failure to mark cached plans as transient (Tom Lane)
If a plan is prepared while CREATE INDEX CONCURRENTLY is in progress for one of the referenced tables, it is supposed to be re-planned once the index is ready for use. This was not happening reliably.
(8.3.12,8.4.5,8.2.18) Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages (Tom Lane)
This should improve the system's robustness with corrupted indexes.
(8.3.12,9.0.1,8.4.5,8.2.18,8.1.22) Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane)
(8.3.12,8.4.5,8.2.18,8.1.22) Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane)
(8.3.12,8.4.5) Improve merge join's handling of NULLs in the join columns (Tom Lane)
A merge join can now stop entirely upon reaching the first NULL, if the sort order is such that NULLs sort high.
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26,7.4.30) Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane)
This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed.
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas)
The original coding could result in a crash if there was limited stack space.
(8.3.12,8.4.5) Avoid holding open old WAL segments in the walwriter process (Magnus Hagander, Heikki Linnakangas)
The previous coding would prevent removal of no-longer-needed segments.
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge)
(8.3.12,8.4.5) Fix REASSIGN OWNED to handle operator classes and families (Asko Tiidumaa)
(8.3.12,8.4.5) Fix possible core dump when comparing two empty tsquery values (Tom Lane)
(8.3.12,8.4.5) Fix LIKE's handling of patterns containing % followed by _ (Tom Lane)
We've fixed this before, but there were still some incorrectly-handled cases.
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) In PL/Python, defend against null pointer results from
PyCObject_AsVoidPtr
and PyCObject_FromVoidPtr
(Peter Eisentraut)
(8.3.12,9.0.1,8.4.5) Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro)
(8.3.12,8.4.5) Fix ecpg to process data from RETURNING clauses correctly (Michael Meskes)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26,7.4.30) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26,7.4.30) Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro)
(8.3.12,8.4.5,8.2.18) Add hstore(text, text)
function to
contrib/hstore (Robert Haas)
This function is the recommended substitute for the now-deprecated => operator. It was back-patched so that future-proofed code can be used with older server versions. Note that the patch will be effective only after contrib/hstore is installed or reinstalled in a particular database. Users might prefer to execute the CREATE FUNCTION command by hand, instead.
(8.3.12,9.0.1,8.4.5,8.2.18,8.1.22,8.0.26,7.4.30) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)
(8.3.12,8.4.5,8.2.18,8.1.22,8.0.26) Update time zone data files to tzdata release 2010l for DST law changes in Egypt and Palestine; also historical corrections for Finland.
This change also adds new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape.
(8.3.12,8.4.5,8.2.18) Make Windows' "N. Central Asia Standard Time" timezone map to Asia/Novosibirsk, not Asia/Almaty (Magnus Hagander)
Microsoft changed the DST behavior of this zone in the timezone update from KB976098. Asia/Novosibirsk is a better match to its new behavior.
Release date: 2010-05-17
This release contains a variety of fixes from 8.3.10. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. CVE-2010-1169 or CVE-2010-1169)
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom Lane)
PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. CVE-2010-1170 or CVE-2010-1170)
(8.3.11) Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki Linnakangas)
This error was introduced in 8.3.10 while fixing a related failure.
(8.3.11,8.4.4) Apply per-function GUC settings while running the language validator for the function (Itagaki Takahiro)
This avoids failures if the function's code is invalid without the setting; an example is that SQL functions may not parse if the search_path is not correct.
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Do not allow an unprivileged user to reset superuser-only parameter settings (Álvaro Herrera)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change.
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom Lane)
In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message.
(8.3.11,8.4.4) Ensure the archiver process responds to changes in archive_command as soon as possible (Tom Lane)
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Update pl/perl's ppport.h for modern Perl versions (Andrew Dunstan)
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Fix assorted memory leaks in pl/python (Andreas Freund, Tom Lane)
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25) Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom Lane)
(8.3.11,8.4.4,8.2.17) Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom Lane)
Addition of spaces around the decimal point in a numeric literal would result in a syntax error.
(8.3.11,8.4.4) Fix unnecessary "GIN indexes do not support whole-index scans" errors for unsatisfiable queries using contrib/intarray operators (Tom Lane)
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara)
(8.3.11,8.4.4,8.2.17,8.1.21,8.0.25,7.4.29) Make server startup deal properly with the case that
shmget()
returns EINVAL for an existing shared memory segment
(Tom Lane)
This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large.
(8.3.11,8.4.4,8.2.17) Avoid possible crashes in syslogger process on Windows (Heikki Linnakangas)
(8.3.11,8.4.4,8.2.17) Deal more robustly with incomplete time zone information in the Windows registry (Magnus Hagander)
(8.3.11,8.4.4,8.2.17) Update the set of known Windows time zone names (Magnus Hagander)
(8.3.11,8.4.4,8.2.17) Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan.
Also, add PKST (Pakistan Summer Time) to the default set of timezone abbreviations.
Release date: 2010-03-15
This release contains a variety of fixes from 8.3.9. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24,7.4.28) Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus Hagander)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches forCVE-2009-3555 or CVE-2009-3555 that cause renegotiation attempts to fail.
(8.3.10,8.4.3,8.2.16) Fix possible deadlock during backend startup (Tom Lane)
(8.3.10,8.4.3,8.2.16) Fix possible crashes due to not handling errors during relcache reload cleanly (Tom Lane)
(8.3.10,8.4.3) Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo Ishii)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Fix possible crashes when trying to recover from a failure in subtransaction start (Tom Lane)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom Lane)
(8.3.10,8.4.3,8.2.16) Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai)
This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion.
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24,7.4.28) Make substring()
for bit types treat any negative length as meaning
"all the rest of the string" (Tom Lane)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash CVE-2010-0442 or CVE-2010-0442).
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom Lane)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24,7.4.28) Fix some cases of pathologically slow regular expression matching (Tom Lane)
(8.3.10) Fix assorted crashes in xml processing caused by sloppy memory management (Tom Lane)
This is a back-patch of changes first applied in 8.4. The 8.3 code was known buggy, but the new code was sufficiently different to not want to back-patch it until it had gotten some field testing.
(8.3.10,8.4.3) Fix bug with trying to update a field of an element of a composite-type array column (Tom Lane)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro)
(8.3.10,8.4.3,8.2.16,8.1.20) Fix some more cases of temporary-file leakage (Heikki Linnakangas)
This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler.
(8.3.10,8.4.3,8.2.16) Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a "bool_column = false" constraint (Tom Lane)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24,7.4.28) When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom Lane)
This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct.
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24,7.4.28) Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom Lane)
(8.3.10,8.4.3,8.2.16) Fix possible infinite loop if SSL_read
or SSL_write
fails without setting errno (Tom Lane)
This is reportedly possible with some Windows versions of openssl.
(8.3.10,8.4.3) Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus Hagander)
(8.3.10,8.4.3) Make ecpg report the proper SQLSTATE if the connection disappears (Michael Meskes)
(8.3.10,8.4.3,8.2.16,8.1.20) Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki Linnakangas)
(8.3.10,8.4.3,8.2.16) Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce Momjian)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Fix plpgsql failure in one case where a composite column is set to NULL (Tom Lane)
(8.3.10,8.4.3,8.2.16) Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala)
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24,7.4.28) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom Lane)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24,7.4.28) Prevent crash in contrib/dblink when
too many key columns are specified to a dblink_build_sql_*
function (Rushabh Lathia, Joe
Conway)
(8.3.10,8.4.3) Allow zero-dimensional arrays in contrib/ltree operations (Tom Lane)
This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY (SELECT ...) and the sub-select returns no rows.
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom Lane)
(8.3.10,8.4.3,8.2.16) Make building of contrib/xml2 more robust on Windows (Andrew Dunstan)
(8.3.10,8.4.3,8.2.16) Fix race condition in Windows signal handling (Radu Ilie)
One known symptom of this bug is that rows in pg_listener could be dropped under heavy load.
(8.3.10,8.4.3,8.2.16,8.1.20,8.0.24) Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa.
Release date: 2009-12-14
This release contains a variety of fixes from 8.3.8. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see Version 8.3.8.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom Lane)
This change prevents allegedly-immutable index functions from possibly subverting a superuser's session CVE-2009-4136 or CVE-2009-4136).
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus Hagander)
This prevents unintended matching of a certificate to a server or client name during SSL validation CVE-2009-4034 or CVE-2009-4034).
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Fix possible crash during backend-startup-time cache initialization (Tom Lane)
(8.3.9,8.4.2) Avoid crash on empty thesaurus dictionary (Tom Lane)
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Prevent signals from interrupting VACUUM at unsafe times (Álvaro Herrera)
This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Fix possible crash due to integer overflow in hash table size calculation (Tom Lane)
This could occur with extremely large planner estimates for the size of a hashjoin's result.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Fix very rare crash in inet/cidr comparisons (Chris Mikkelson)
(8.3.9,8.4.2,8.2.15,8.1.19) Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki Linnakangas)
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23) Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki Linnakangas)
(8.3.9,8.4.2) Fix memory leak in syslogger process when rotating to a new CSV logfile (Tom Lane)
(8.3.9,8.4.2) Fix Windows permission-downgrade logic (Jesse Morris)
This fixes some cases where the database failed to start on Windows, often with misleading error messages such as "could not locate matching postgres executable".
(8.3.9,8.4.2,8.2.15) Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey)
(8.3.9,8.4.2,8.2.15) Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki Linnakangas)
It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software.
(8.3.9,8.4.2,8.2.15) Ensure WAL files aren't repeatedly archived on Windows (Heikki Linnakangas)
This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Fix PAM password processing to be more robust (Tom Lane)
The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
(8.3.9,8.4.2) Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI authentication methods (Ian Turner)
While the old 2000-byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger.
(8.3.9,8.4.2) Re-enable collection of access statistics for sequences (Akira Kurosawa)
This used to work but was broken in 8.3.
(8.3.9,8.4.2,8.2.15,8.1.19) Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom Lane)
(8.3.9,8.4.2) Fix incorrect handling of WHERE x=x conditions (Tom Lane)
In some cases these could get ignored as redundant, but they aren't — they're equivalent to x IS NOT NULL.
(8.3.9,8.4.2) Make text search parser accept underscores in XML attributes (Peter T. Mount)
(8.3.9,8.4.2) Fix encoding handling in xml binary input (Heikki Linnakangas)
If the XML header doesn't specify an encoding, we now assume UTF-8 by default; the previous handling was inconsistent.
(8.3.9,8.4.2,8.2.15) Fix bug with calling plperl from plperlu or vice versa (Tom Lane)
An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function.
(8.3.9,8.4.2,8.2.15) Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom Lane)
(8.3.9,8.4.2,8.2.15,8.1.19) Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen)
This worked correctly already for non-set-returning functions.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23) Fix rare crash in exception processing in PL/Python (Peter T. Mount)
(8.3.9,8.4.2) In contrib/pg_standby, disable triggering failover with a signal on Windows (Fujii Masao)
This never did anything useful, because Windows doesn't have Unix-style signals, but recent changes made it actually crash.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23) Ensure psql's flex module is compiled with the correct system header definitions (Tom Lane)
This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23,7.4.27) Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom Lane)
(8.3.9,8.2.15) Update the timezone abbreviation files to match current reality (Joachim Wieland)
This includes adding IDT and SGT to the default timezone abbreviation set.
(8.3.9,8.4.2,8.2.15,8.1.19,8.0.23) Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong.
Release date: 2009-09-09
This release contains a variety of fixes from 8.3.7. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you have any hash indexes on interval columns, you must REINDEX them after updating to 8.3.8. Also, if you are upgrading from a version earlier than 8.3.5, see Version 8.3.5.
(8.3.8,8.4.1) Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus Hagander)
This bug led to the often-reported "could not reattach to shared memory" error message.
(8.3.8,8.2.14) Force WAL segment switch during pg_start_backup()
(Heikki Linnakangas)
This avoids corner cases that could render a base backup unusable.
(8.3.8,8.4.1,8.2.14,8.1.18,8.0.22,7.4.26) Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom Lane, Heikki Linnakangas)
This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (SeeCVE-2007-6600 or CVE-2007-6600)
(8.3.8,8.4.1,8.2.14) Make LOAD of an already-loaded loadable module into a no-op (Tom Lane)
Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful.
(8.3.8,8.2.14) Disallow empty passwords during LDAP authentication (Magnus Hagander)
(8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Fix handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function (Tom Lane)
(8.3.8,8.2.14) Fix bugs associated with fetching a whole-row value from the output of a Sort or Materialize plan node (Tom Lane)
(8.3.8) Prevent synchronize_seqscans from changing the results of scrollable and WITH HOLD cursors (Tom Lane)
(8.3.8,8.2.14) Revert planner change that disabled partial-index and constraint exclusion optimizations when there were more than 100 clauses in an AND or OR list (Tom Lane)
(8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Fix hash calculation for data type interval (Tom Lane)
This corrects wrong results for hash joins on interval values. It also changes the contents of hash indexes on interval columns. If you have any such indexes, you must REINDEX them after updating.
(8.3.8,8.4.1,8.2.14,8.1.18,8.0.22) Treat to_char(..., 'TH')
as an
uppercase ordinal suffix with 'HH'/'HH12' (Heikki Linnakangas)
It was previously handled as 'th' (lowercase).
(8.3.8,8.4.1,8.2.14,8.1.18,8.0.22,7.4.26) Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker)
(8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Fix calculation of distance between a point and a line segment (Tom Lane)
This led to incorrect results from a number of geometric operators.
(8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Fix money data type to work in locales where currency amounts have no fractional digits, e.g. Japan (Itagaki Takahiro)
(8.3.8) Fix LIKE for case where pattern contains %_ (Tom Lane)
(8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Properly round datetime input like 00:12:57.9999999999999999999999999999 (Tom Lane)
(8.3.8) Fix memory leaks in XML operations (Tom Lane)
(8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Fix poor choice of page split point in GiST R-tree operator classes (Teodor Sigaev)
(8.3.8,8.4.1) Ensure that a "fast shutdown" request will forcibly terminate open sessions, even if a "smart shutdown" was already in progress (Fujii Masao)
(8.3.8,8.2.14) Avoid performance degradation in bulk inserts into GIN indexes when the input values are (nearly) in sorted order (Tom Lane)
(8.3.8,8.2.14) Correctly enforce NOT NULL domain constraints in some contexts in PL/pgSQL (Tom Lane)
(8.3.8,8.2.14,8.1.18,8.0.22,7.4.26) Fix portability issues in plperl initialization (Andrew Dunstan)
(8.3.8,8.4.1,8.2.14,8.1.18,8.0.22) Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis)
(8.3.8) Improve pg_dump's efficiency when there are many large objects (Tamas Vincze)
(8.3.8) Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby (Heikki Linnakangas)
(8.3.8) Make pg_standby's maxretries option behave as documented (Fujii Masao)
(8.3.8,8.2.14) Make contrib/hstore throw an error when a key or value is too long to fit in its data structure, rather than silently truncating it (Andrew Gierth)
(8.3.8,8.4.1,8.2.14,8.1.18,8.0.22) Fix contrib/xml2's xslt_process()
to properly handle the maximum
number of parameters (twenty) (Tom Lane)
(8.3.8,8.4.1,8.2.14,8.1.18,8.0.22,7.4.26) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom Lane)
(8.3.8,8.4.1,8.2.14,8.1.18,8.0.22,7.4.26) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala)
(8.3.8,8.2.14,8.1.18,8.0.22) Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Jordan, Pakistan, Argentina/San_Luis, Cuba, Jordan (historical correction only), Mauritius, Morocco, Palestine, Syria, Tunisia.
Release date: 2009-03-16
This release contains a variety of fixes from 8.3.6. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.5, see Version 8.3.5.
(8.3.7,8.2.13,8.1.17,8.0.21,7.4.25) Prevent error recursion crashes when encoding conversion fails (Tom Lane)
This change extends fixes made in the last two minor releases for related failure scenarios. The previous fixes were narrowly tailored for the original problem reports, but we have now recognized that any error thrown by an encoding conversion function could potentially lead to infinite recursion while trying to report the error. The solution therefore is to disable translation and encoding conversion and report the plain-ASCII form of any error message, if we find we have gotten into a recursive error reporting situation. CVE-2009-0922 or CVE-2009-0922)
(8.3.7,8.2.13,8.1.17,8.0.21,7.4.25) Disallow CREATE CONVERSION with the wrong encodings for the specified conversion function (Heikki Linnakangas)
This prevents one possible scenario for encoding conversion failure. The previous change is a backstop to guard against other kinds of failures in the same area.
(8.3.7) Fix xpath()
to not modify the path
expression unless necessary, and to make a saner attempt at it when
necessary (Andrew Dunstan)
The SQL standard suggests that xpath
should work on data that is a document
fragment, but libxml doesn't
support that, and indeed it's not clear that this is sensible
according to the XPath standard. xpath
attempted to work around this mismatch by
modifying both the data and the path expression, but the
modification was buggy and could cause valid searches to fail. Now,
xpath
checks whether the data is in
fact a well-formed document, and if so invokes libxml with no change to the data or path
expression. Otherwise, a different modification method that is
somewhat less likely to fail is used.
Note: The new modification method is still not 100% satisfactory, and it seems likely that no real solution is possible. This patch should therefore be viewed as a band-aid to keep from breaking existing applications unnecessarily. It is likely that PostgreSQL 8.4 will simply reject use of
xpath
on data that is not a well-formed document.
(8.3.7,8.2.13,8.1.17,8.0.21,7.4.25) Fix core dump when to_char()
is
given format codes that are inappropriate for the type of the data
argument (Tom Lane)
(8.3.7) Fix possible failure in text search when C locale is used with a multi-byte encoding (Teodor Sigaev)
Crashes were possible on platforms where wchar_t is narrower than int; Windows in particular.
(8.3.7) Fix extreme inefficiency in text search parser's handling of an email-like string containing multiple @ characters (Heikki Linnakangas)
(8.3.7) Fix planner problem with sub-SELECT in the output list of a larger subquery (Tom Lane)
The known symptom of this bug is a "failed to locate grouping columns" error that is dependent on the datatype involved; but there could be other issues as well.
(8.3.7,8.2.13,8.1.17) Fix decompilation of CASE WHEN with an implicit coercion (Tom Lane)
This mistake could lead to Assert failures in an Assert-enabled build, or an "unexpected CASE WHEN clause" error message in other cases, when trying to examine or dump a view.
(8.3.7,8.2.13,8.1.17) Fix possible misassignment of the owner of a TOAST table's rowtype (Tom Lane)
If CLUSTER or a rewriting variant of ALTER TABLE were executed by someone other than the table owner, the pg_type entry for the table's TOAST table would end up marked as owned by that someone. This caused no immediate problems, since the permissions on the TOAST rowtype aren't examined by any ordinary database operation. However, it could lead to unexpected failures if one later tried to drop the role that issued the command (in 8.1 or 8.2), or "owner of data type appears to be invalid" warnings from pg_dump after having done so (in 8.3).
(8.3.7) Change UNLISTEN to exit quickly if the current session has never executed any LISTEN command (Tom Lane)
Most of the time this is not a particularly useful optimization, but since DISCARD ALL invokes UNLISTEN, the previous coding caused a substantial performance problem for applications that made heavy use of DISCARD ALL.
(8.3.7,8.2.13) Fix PL/pgSQL to not treat INTO after INSERT as an INTO-variables clause anywhere in the string, not only at the start; in particular, don't fail for INSERT INTO within CREATE RULE (Tom Lane)
(8.3.7,8.2.13,8.1.17) Clean up PL/pgSQL error status variables fully at block exit (Ashesh Vashi and Dave Page)
This is not a problem for PL/pgSQL itself, but the omission could cause the PL/pgSQL Debugger to crash while examining the state of a function.
(8.3.7,8.2.13) Retry failed calls to CallNamedPipe()
on Windows (Steve Marshall,
Magnus Hagander)
It appears that this function can sometimes fail transiently; we previously treated any failure as a hard error, which could confuse LISTEN/NOTIFY as well as other operations.
(8.3.7,8.2.13,8.1.17,8.0.21,7.4.25) Add MUST (Mauritius Island Summer Time) to the default list of known timezone abbreviations (Xavier Bugaud)
Release date: 2009-02-02
This release contains a variety of fixes from 8.3.5. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.5, see Version 8.3.5.
(8.3.6) Make DISCARD ALL release advisory locks, in addition to everything it already did (Tom Lane)
This was decided to be the most appropriate behavior. This could affect existing applications, however.
(8.3.6) Fix whole-index GiST scans to work correctly (Teodor Sigaev)
This error could cause rows to be lost if a table is clustered on a GiST index.
(8.3.6) Fix crash of xmlconcat (NULL) (Peter T. Mount)
(8.3.6) Fix possible crash in ispell dictionary if high-bit-set characters are used as flags (Teodor Sigaev)
This is known to be done by one widely available Norwegian dictionary, and the same condition may exist in others.
(8.3.6) Fix misordering of pg_dump output for composite types (Tom Lane)
The most likely problem was for user-defined operator classes to be dumped after indexes or views that needed them.
(8.3.6,8.2.12,8.1.16,8.0.20,7.4.24) Improve handling of URLs in headline()
function (Teodor Sigaev)
(8.3.6,8.2.12,8.1.16,8.0.20,7.4.24) Improve handling of overlength headlines in headline()
function (Teodor Sigaev)
(8.3.6,8.2.12,8.1.16,8.0.20,7.4.24) Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom Lane, Heikki Linnakangas)
(8.3.6,8.2.12) Fix possible Assert failure if a statement executed in PL/pgSQL is rewritten into another kind of statement, for example if an INSERT is rewritten into an UPDATE (Heikki Linnakangas)
(8.3.6,8.2.12) Ensure that a snapshot is available to datatype input functions (Tom Lane)
This primarily affects domains that are declared with CHECK constraints involving user-defined stable or immutable functions. Such functions typically fail if no snapshot has been set.
(8.3.6,8.2.12) Make it safer for SPI-using functions to be used within datatype I/O; in particular, to be used in domain check constraints (Tom Lane)
(8.3.6,8.2.12,8.1.16,8.0.20,7.4.24) Avoid unnecessary locking of small tables in VACUUM (Heikki Linnakangas)
(8.3.6) Fix a problem that sometimes kept ALTER TABLE ENABLE/DISABLE RULE from being recognized by active sessions (Tom Lane)
(8.3.6,8.2.12) Fix a problem that made UPDATE RETURNING tableoid return zero instead of the correct OID (Tom Lane)
(8.3.6) Allow functions declared as taking ANYARRAY to work on the pg_statistic columns of that type (Tom Lane)
This used to work, but was unintentionally broken in 8.3.
(8.3.6,8.2.12) Fix planner misestimation of selectivity when transitive equality is applied to an outer-join clause (Tom Lane)
This could result in bad plans for queries like ... from a left join b on a.a1 = b.b1 where a.a1 = 42 ...
(8.3.6,8.2.12) Improve optimizer's handling of long IN lists (Tom Lane)
This change avoids wasting large amounts of time on such lists when constraint exclusion is enabled.
(8.3.6) Prevent synchronous scan during GIN index build (Tom Lane)
Because GIN is optimized for inserting tuples in increasing TID order, choosing to use a synchronous scan could slow the build by a factor of three or more.
(8.3.6,8.2.12,8.1.16) Ensure that the contents of a holdable cursor don't depend on the contents of TOAST tables (Tom Lane)
Previously, large field values in a cursor result might be represented as TOAST pointers, which would fail if the referenced table got dropped before the cursor is read, or if the large value is deleted and then vacuumed away. This cannot happen with an ordinary cursor, but it could with a cursor that is held past its creating transaction.
(8.3.6,8.2.12) Fix memory leak when a set-returning function is terminated without reading its whole result (Tom Lane)
(8.3.6) Fix encoding conversion problems in XML functions when the database encoding isn't UTF-8 (Tom Lane)
(8.3.6,8.2.12) Fix contrib/dblink's dblink_get_result(text,bool)
function (Joe Conway)
(8.3.6,8.2.12) Fix possible garbage output from contrib/sslinfo functions (Tom Lane)
(8.3.6) Fix incorrect behavior of contrib/tsearch2 compatibility trigger when it's fired more than once in a command (Teodor Sigaev)
(8.3.6) Fix possible mis-signaling in autovacuum (Heikki Linnakangas)
(8.3.6) Support running as a service on Windows 7 beta (Dave and Magnus Hagander)
(8.3.6) Fix ecpg's handling of varchar structs (Michael Meskes)
(8.3.6,8.2.12,8.1.16) Fix configure script to properly report failure when unable to obtain linkage information for PL/Perl (Andrew Dunstan)
(8.3.6,8.2.12,8.1.16,8.0.20,7.4.24) Make all documentation reference pgsql-bugs and/or pgsql-hackers as appropriate, instead of the now-decommissioned pgsql-ports and pgsql-patches mailing lists (Tom Lane)
(8.3.6,8.2.12,8.1.16,8.0.20) Update time zone data files to tzdata release 2009a (for Kathmandu and historical DST corrections in Switzerland, Cuba)
Release date: 2008-11-03
This release contains a variety of fixes from 8.3.4. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see Version 8.3.1. Also, if you were running a previous 8.3.X release, it is recommended to REINDEX all GiST indexes after the upgrade.
(8.3.5,8.2.11,8.1.15) Fix GiST index corruption due to marking the wrong index entry "dead" after a deletion (Teodor Sigaev)
This would result in index searches failing to find rows they should have found. Corrupted indexes can be fixed with REINDEX.
(8.3.5,8.2.11,8.1.15,8.0.19,7.4.23) Fix backend crash when the client encoding cannot represent a localized error message (Tom Lane)
We have addressed similar issues before, but it would still fail if the "character has no equivalent" message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation.
(8.3.5) Fix possible crash in bytea-to-XML mapping (Michael McMaster)
(8.3.5,8.2.11,8.1.15,8.0.19) Fix possible crash when deeply nested functions are invoked from a trigger (Tom Lane)
(8.3.5,8.2.11) Improve optimization of expression IN (expression-list) queries (Tom Lane, per an idea from Robert Haas)
Cases in which there are query variables on the right-hand side had been handled less efficiently in 8.2.x and 8.3.x than in prior versions. The fix restores 8.1 behavior for such cases.
(8.3.5,8.2.11,8.1.15) Fix mis-expansion of rule queries when a sub-SELECT appears in a function call in FROM, a multi-row VALUES list, or a RETURNING list (Tom Lane)
The usual symptom of this problem is an "unrecognized node type" error.
(8.3.5) Fix Assert failure during rescan of an IS NULL search of a GiST index (Teodor Sigaev)
(8.3.5,8.2.11) Fix memory leak during rescan of a hashed aggregation plan (Neil Conway)
(8.3.5,8.2.11,8.1.15,8.0.19) Ensure an error is reported when a newly-defined PL/pgSQL trigger function is invoked as a normal function (Tom Lane)
(8.3.5) Force a checkpoint before CREATE DATABASE starts to copy files (Heikki Linnakangas)
This prevents a possible failure if files had recently been deleted in the source database.
(8.3.5,8.2.11,8.1.15) Prevent possible collision of relfilenode numbers when moving a table to another tablespace with ALTER SET TABLESPACE (Heikki Linnakangas)
The command tried to re-use the existing filename, instead of picking one that is known unused in the destination directory.
(8.3.5) Fix incorrect text search headline generation when single query item matches first word of text (Sushant Sinha)
(8.3.5,8.2.11,8.1.15,8.0.19,7.4.23) Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build (Ron Mayer)
(8.3.5) Make ILIKE compare characters case-insensitively even when they're escaped (Andrew Dunstan)
(8.3.5) Ensure DISCARD is handled properly by statement logging (Tom Lane)
(8.3.5) Fix incorrect logging of last-completed-transaction time during PITR recovery (Tom Lane)
(8.3.5,8.2.11,8.1.15,8.0.19,7.4.23) Ensure SPI_getvalue
and
SPI_getbinval
behave correctly when
the passed tuple and tuple descriptor have different numbers of
columns (Tom Lane)
This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication.
(8.3.5) Mark SessionReplicationRole as PGDLLIMPORT so it can be used by Slony on Windows (Magnus Hagander)
(8.3.5) Fix small memory leak when using libpq's gsslib parameter (Magnus Hagander)
The space used by the parameter string was not freed at connection close.
(8.3.5) Ensure libgssapi is linked into libpq if needed (Markus Schaaf)
(8.3.5,8.2.11,8.1.15) Fix ecpg's parsing of CREATE ROLE (Michael Meskes)
(8.3.5,8.2.11,8.1.15,8.0.19) Fix recent breakage of pg_ctl restart (Tom Lane)
(8.3.5,8.2.11) Ensure pg_control is opened in binary mode (Itagaki Takahiro)
pg_controldata and pg_resetxlog did this incorrectly, and so could fail on Windows.
(8.3.5,8.2.11,8.1.15,8.0.19) Update time zone data files to tzdata release 2008i (for DST law changes in Argentina, Brazil, Mauritius, Syria)
Release date: 2008-09-22
This release contains a variety of fixes from 8.3.3. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see Version 8.3.1.
(8.3.4,8.2.10) Fix bug in btree WAL recovery code (Heikki Linnakangas)
Recovery failed if the WAL ended partway through a page split operation.
(8.3.4) Fix potential use of wrong cutoff XID for HOT page pruning (Álvaro Herrera)
This error created a risk of corruption in system catalogs that are consulted by VACUUM: dead tuple versions might be removed too soon. The impact of this on actual database operations would be minimal, since the system doesn't follow MVCC rules while examining catalogs, but it might result in transiently wrong output from pg_dump or other client programs.
(8.3.4,8.2.10) Fix potential miscalculation of datfrozenxid (Álvaro Herrera)
This error may explain some recent reports of failure to remove old pg_clog data.
(8.3.4) Fix incorrect HOT updates after pg_class is reindexed (Tom Lane)
Corruption of pg_class could occur if REINDEX TABLE pg_class was followed in the same session by an ALTER TABLE RENAME or ALTER TABLE SET SCHEMA command.
(8.3.4) Fix missed "combo cid" case (Karl Schnaitter)
This error made rows incorrectly invisible to a transaction in which they had been deleted by multiple subtransactions that all aborted.
(8.3.4) Prevent autovacuum from crashing if the table it's currently checking is deleted at just the wrong time (Álvaro Herrera)
(8.3.4,8.2.10,8.1.14,8.0.18) Widen local lock counters from 32 to 64 bits (Tom Lane)
This responds to reports that the counters could overflow in sufficiently long transactions, leading to unexpected "lock is already held" errors.
(8.3.4,8.2.10,8.1.14) Fix possible duplicate output of tuples during a GiST index scan (Teodor Sigaev)
(8.3.4) Regenerate foreign key checking queries from scratch when either table is modified (Tom Lane)
Previously, 8.3 would attempt to replan the query, but would work from previously generated query text. This led to failures if a table or column was renamed.
(8.3.4,8.2.10) Fix missed permissions checks when a view contains a simple UNION ALL construct (Heikki Linnakangas)
Permissions for the referenced tables were checked properly, but not permissions for the view itself.
(8.3.4) Add checks in executor startup to ensure that the tuples produced by an INSERT or UPDATE will match the target table's current rowtype (Tom Lane)
This situation is believed to be impossible in 8.3, but it can happen in prior releases, so a check seems prudent.
(8.3.4,8.2.10) Fix possible repeated drops during DROP OWNED (Tom Lane)
This would typically result in strange errors such as "cache lookup failed for relation NNN".
(8.3.4) Fix several memory leaks in XML operations (Kris Jurka, Tom Lane)
(8.3.4) Fix xmlserialize()
to raise error
properly for unacceptable target data type (Tom Lane)
(8.3.4) Fix a couple of places that mis-handled multibyte characters in text search configuration file parsing (Tom Lane)
Certain characters occurring in configuration files would always cause "invalid byte sequence for encoding" failures.
(8.3.4) Provide file name and line number location for all errors reported in text search configuration files (Tom Lane)
(8.3.4,8.2.10,8.1.14) Fix AT TIME ZONE to first try to interpret its timezone argument as a timezone abbreviation, and only try it as a full timezone name if that fails, rather than the other way around as formerly (Tom Lane)
The timestamp input functions have always resolved ambiguous zone names in this order. Making AT TIME ZONE do so as well improves consistency, and fixes a compatibility bug introduced in 8.1: in ambiguous cases we now behave the same as 8.0 and before did, since in the older versions AT TIME ZONE accepted only abbreviations.
(8.3.4,8.2.10,8.1.14,8.0.18,7.4.22) Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom Lane)
(8.3.4,8.2.10) Prevent integer overflows during units conversion when displaying a configuration parameter that has units (Tom Lane)
(8.3.4,8.2.10,8.1.14,8.0.18,7.4.22) Improve performance of writing very long log messages to syslog (Tom Lane)
(8.3.4,8.2.10) Allow spaces in the suffix part of an LDAP URL in pg_hba.conf (Tom Lane)
(8.3.4,8.2.10,8.1.14,8.0.18,7.4.22) Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom Lane)
(8.3.4) Fix planner bug that could improperly push down IS NULL tests below an outer join (Tom Lane)
This was triggered by occurrence of IS NULL tests for the same relation in all arms of an upper OR clause.
(8.3.4,8.2.10,8.1.14) Fix planner bug with nested sub-select expressions (Tom Lane)
If the outer sub-select has no direct dependency on the parent query, but the inner one does, the outer value might not get recalculated for new parent query rows.
(8.3.4,8.2.10,8.1.14) Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom Lane)
This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL.
(8.3.4,8.2.10,8.1.14) Fix PL/pgSQL to not fail when a FOR loop's target variable is a record containing composite-type fields (Tom Lane)
(8.3.4,8.2.10,8.1.14,8.0.18) Fix PL/Tcl to behave correctly with Tcl 8.5, and to be more careful about the encoding of data sent to or from Tcl (Tom Lane)
(8.3.4) Improve performance of PQescapeBytea()
(Rudolf Leitgeb)
(8.3.4,8.2.10) On Windows, work around a Microsoft bug by preventing libpq from trying to send more than 64kB per system call (Magnus Hagander)
(8.3.4) Fix ecpg to handle variables properly in SET commands (Michael Meskes)
(8.3.4,8.2.10,8.1.14,8.0.18,7.4.22) Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom Lane)
(8.3.4,8.2.10,8.1.14,8.0.18) Fix pg_ctl to properly preserve postmaster command-line arguments across a restart (Bruce Momjian)
(8.3.4) Fix erroneous WAL file cutoff point calculation in pg_standby (Simon Riggs)
(8.3.4,8.2.10,8.1.14,8.0.18) Update time zone data files to tzdata release 2008f (for DST law changes in Argentina, Bahamas, Brazil, Mauritius, Morocco, Pakistan, Palestine, and Paraguay)
Release date: 2008-06-12
This release contains one serious and one minor bug fix over 8.3.2. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see Version 8.3.1.
(8.3.3,8.2.9,8.1.13,8.0.17,7.4.21) Make pg_get_ruledef()
parenthesize
negative constants (Tom Lane)
Before this fix, a negative constant in a view or rule might be dumped as, say, -42::integer, which is subtly incorrect: it should be (-42)::integer due to operator precedence rules. Usually this would make little difference, but it could interact with another recent patch to cause PostgreSQL to reject what had been a valid SELECT DISTINCT view query. Since this could result in pg_dump output failing to reload, it is being treated as a high-priority fix. The only released versions in which dump output is actually incorrect are 8.3.1 and 8.2.7.
(8.3.3,8.2.9,8.1.13) Make ALTER AGGREGATE ... OWNER TO update pg_shdepend (Tom Lane)
This oversight could lead to problems if the aggregate was later involved in a DROP OWNED or REASSIGN OWNED operation.
Release date: never released
This release contains a variety of fixes from 8.3.1. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see Version 8.3.1.
(8.3.2,8.2.8) Fix ERRORDATA_STACK_SIZE exceeded crash that occurred on Windows when using UTF-8 database encoding and a different client encoding (Tom Lane)
(8.3.2) Fix incorrect archive truncation point calculation for the %r macro in recovery_command parameters (Simon Riggs)
This could lead to data loss if a warm-standby script relied on %r to decide when to throw away WAL segment files.
(8.3.2,8.2.8,8.1.12,8.0.16) Fix ALTER TABLE ADD COLUMN ... PRIMARY KEY so that the new column is correctly checked to see if it's been initialized to all non-nulls (Brendan Jurd)
Previous versions neglected to check this requirement at all.
(8.3.2) Fix REASSIGN OWNED so that it works on procedural languages too (Álvaro Herrera)
(8.3.2) Fix problems with SELECT FOR UPDATE/SHARE occurring as a subquery in a query with a non-SELECT top-level operation (Tom Lane)
(8.3.2,8.2.8,8.1.12,8.0.16) Fix possible CREATE TABLE failure when inheriting the "same" constraint from multiple parent relations that inherited that constraint from a common ancestor (Tom Lane)
(8.3.2,8.2.8) Fix pg_get_ruledef()
to show the
alias, if any, attached to the target table of an UPDATE or DELETE (Tom Lane)
(8.3.2) Restore the pre-8.3 behavior that an out-of-range block number in a TID being used in a TidScan plan results in silently not matching any rows (Tom Lane)
8.3.0 and 8.3.1 threw an error instead.
(8.3.2,8.2.8) Fix GIN bug that could result in a too many LWLocks taken failure (Teodor Sigaev)
(8.3.2) Fix broken GiST comparison function for tsquery (Teodor Sigaev)
(8.3.2) Fix tsvector_update_trigger()
and
ts_stat()
to accept domains over the
types they expect to work with (Tom Lane)
(8.3.2) Fix failure to support enum data types as foreign keys (Tom Lane)
(8.3.2,8.2.8) Avoid possible crash when decompressing corrupted data (Zdenek Kotala)
(8.3.2) Fix race conditions between delayed unlinks and DROP DATABASE (Heikki Linnakangas)
In the worst case this could result in deleting a newly created table in a new database that happened to get the same OID as the recently-dropped one; but of course that is an extremely low-probability scenario.
(8.3.2,8.2.8) Repair two places where SIGTERM exit of a backend could leave corrupted state in shared memory (Tom Lane)
Neither case is very important if SIGTERM is used to shut down the whole database cluster together, but there was a problem if someone tried to SIGTERM individual backends.
(8.3.2) Fix possible crash due to incorrect plan generated for an x IN (SELECT y FROM ...) clause when x and y have different data types; and make sure the behavior is semantically correct when the conversion from y's type to x's type is lossy (Tom Lane)
(8.3.2) Fix oversight that prevented the planner from substituting known Param values as if they were constants (Tom Lane)
This mistake partially disabled optimization of unnamed extended-Query statements in 8.3.0 and 8.3.1: in particular the LIKE-to-indexscan optimization would never be applied if the LIKE pattern was passed as a parameter, and constraint exclusion depending on a parameter value didn't work either.
(8.3.2) Fix planner failure when an indexable MIN
or MAX
aggregate is used with DISTINCT or
ORDER BY (Tom Lane)
(8.3.2) Fix planner to ensure it never uses a "physical tlist" for a plan node that is feeding a Sort node (Tom Lane)
This led to the sort having to push around more data than it really needed to, since unused column values were included in the sorted data.
(8.3.2) Avoid unnecessary copying of query strings (Tom Lane)
This fixes a performance problem introduced in 8.3.0 when a very large number of commands are submitted as a single query string.
(8.3.2) Make TransactionIdIsCurrentTransactionId()
use binary
search instead of linear search when checking child-transaction
XIDs (Heikki Linnakangas)
This fixes some cases in which 8.3.0 was significantly slower than earlier releases.
(8.3.2,8.2.8,8.1.12,8.0.16,7.4.20) Fix conversions between ISO-8859-5 and other encodings to handle Cyrillic "Yo" characters (e and E with two dots) (Sergey Burladyan)
(8.3.2,8.2.8) Fix several datatype input functions, notably array_in()
, that were allowing unused bytes in
their results to contain uninitialized, unpredictable values
(Tom Lane)
This could lead to failures in which two apparently identical literal values were not seen as equal, resulting in the parser complaining about unmatched ORDER BY and DISTINCT expressions.
(8.3.2,8.2.8,8.1.12,8.0.16,7.4.20) Fix a corner case in regular-expression substring matching (substring(string from pattern)) (Tom Lane)
The problem occurs when there is a match to the pattern overall but the user has specified a parenthesized subexpression and that subexpression hasn't got a match. An example is substring('foo' from 'foo(bar)?'). This should return NULL, since (bar) isn't matched, but it was mistakenly returning the whole-pattern match instead (ie, foo).
(8.3.2) Prevent cancellation of an auto-vacuum that was launched to prevent XID wraparound (Álvaro Herrera)
(8.3.2) Improve ANALYZE's handling of in-doubt tuples (those inserted or deleted by a not-yet-committed transaction) so that the counts it reports to the stats collector are more likely to be correct (Pavan Deolasee)
(8.3.2) Fix initdb to reject a relative path for its --xlogdir (-X) option (Tom Lane)
(8.3.2) Make psql print tab characters as an appropriate number of spaces, rather than \x09 as was done in 8.3.0 and 8.3.1 (Bruce Momjian)
(8.3.2,8.2.8) Update time zone data files to tzdata release 2008c (for DST law changes in Morocco, Iraq, Choibalsan, Pakistan, Syria, Cuba, and Argentina/San_Luis)
(8.3.2) Add ECPGget_PGconn()
function to
ecpglib (Michael Meskes)
(8.3.2,8.2.8,8.1.12,8.0.16,7.4.20) Fix incorrect result from ecpg's PGTYPEStimestamp_sub()
function (Michael Meskes)
(8.3.2) Fix handling of continuation line markers in ecpg (Michael Meskes)
(8.3.2,8.2.8) Fix possible crashes in contrib/cube functions (Tom Lane)
(8.3.2,8.2.8,8.1.12,8.0.16) Fix core dump in contrib/xml2's
xpath_table()
function when the input
query returns a NULL value (Tom Lane)
(8.3.2) Fix contrib/xml2's makefile to not override CFLAGS, and make it auto-configure properly for libxslt present or not (Tom Lane)
Release date: 2008-03-17
This release contains a variety of fixes from 8.3.0. For information about new features in the 8.3 major release, see Version 8.3.0.
A dump/restore is not required for those running 8.3.X. However, you might need to REINDEX indexes on textual columns after updating, if you are affected by the Windows locale issue described below.
(8.3.1,8.2.7) Fix character string comparison for Windows locales that consider different character combinations as equal (Tom Lane)
This fix applies only on Windows and only when using UTF-8 database encoding. The same fix was made for all other cases over two years ago, but Windows with UTF-8 uses a separate code path that was not updated. If you are using a locale that considers some non-identical strings as equal, you may need to REINDEX to fix existing indexes on textual columns.
(8.3.1) Repair corner-case bugs in VACUUM FULL (Tom Lane)
A potential deadlock between concurrent VACUUM FULL operations on different system catalogs was introduced in 8.2. This has now been corrected. 8.3 made this worse because the deadlock could occur within a critical code section, making it a PANIC rather than just ERROR condition.
Also, a VACUUM FULL that failed partway through vacuuming a system catalog could result in cache corruption in concurrent database sessions.
Another VACUUM FULL bug introduced in 8.3 could result in a crash or out-of-memory report when dealing with pages containing no live tuples.
(8.3.1) Fix misbehavior of foreign key checks involving character or bit columns (Tom Lane)
If the referencing column were of a different but compatible type (for instance varchar), the constraint was enforced incorrectly.
(8.3.1) Avoid needless deadlock failures in no-op foreign-key checks (Stephan Szabo, Tom Lane)
(8.3.1) Fix possible core dump when re-planning a prepared query (Tom Lane)
This bug affected only protocol-level prepare operations, not SQL PREPARE, and so tended to be seen only with JDBC, DBI, and other client-side drivers that use prepared statements heavily.
(8.3.1) Fix possible failure when re-planning a query that calls an SPI-using function (Tom Lane)
(8.3.1) Fix failure in row-wise comparisons involving columns of different datatypes (Tom Lane)
(8.3.1,8.2.7,8.1.12,8.0.16,7.4.20) Fix longstanding LISTEN/NOTIFY race condition (Tom Lane)
In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later.
A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior.
(8.3.1,8.2.7,8.1.12) Disallow LISTEN and UNLISTEN within a prepared transaction (Tom Lane)
This was formerly allowed but trying to do it had various unpleasant consequences, notably that the originating backend could not exit as long as an UNLISTEN remained uncommitted.
(8.3.1) Disallow dropping a temporary table within a prepared transaction (Heikki Linnakangas)
This was correctly disallowed by 8.1, but the check was inadvertently broken in 8.2 and 8.3.
(8.3.1,8.2.7,8.1.12,8.0.16) Fix rare crash when an error occurs during a query using a hash index (Heikki Linnakangas)
(8.3.1) Fix incorrect comparison of tsquery values (Teodor Sigaev)
(8.3.1) Fix incorrect behavior of LIKE with non-ASCII characters in single-byte encodings (Rolf Jentsch)
(8.3.1) Disable xmlvalidate
(Tom Lane)
This function should have been removed before 8.3 release, but was inadvertently left in the source code. It poses a small security risk since unprivileged users could use it to read the first few characters of any file accessible to the server.
(8.3.1,8.2.7) Fix memory leaks in certain usages of set-returning functions (Neil Conway)
(8.3.1) Make encode(bytea, 'escape')
convert all
high-bit-set byte values into \nnn octal escape sequences (Tom Lane)
This is necessary to avoid encoding problems when the database
encoding is multi-byte. This change could pose compatibility issues
for applications that are expecting specific results from
encode
.
(8.3.1,8.2.7,8.1.12,8.0.16) Fix input of datetime values for February 29 in years BC (Tom Lane)
The former coding was mistaken about which years were leap years.
(8.3.1,8.2.7,8.1.12,8.0.16) Fix "unrecognized node type" error in some variants of ALTER OWNER (Tom Lane)
(8.3.1) Avoid tablespace permissions errors in CREATE TABLE LIKE INCLUDING INDEXES (Tom Lane)
(8.3.1,8.2.7) Ensure pg_stat_activity.waiting flag is cleared when a lock wait is aborted (Tom Lane)
(8.3.1,8.2.7) Fix handling of process permissions on Windows Vista (Dave Cramer, Magnus Hagander)
In particular, this fix allows starting the server as the Administrator user.
(8.3.1,8.2.7) Update time zone data files to tzdata release 2008a (in particular, recent Chile changes); adjust timezone abbreviation VET (Venezuela) to mean UTC-4:30, not UTC-4:00 (Tom Lane)
(8.3.1) Fix ecpg problems with arrays (Michael Meskes)
(8.3.1,8.2.7,8.1.12,8.0.16) Fix pg_ctl to correctly extract the postmaster's port number from command-line options (Itagaki Takahiro, Tom Lane)
Previously, pg_ctl start -w could try to contact the postmaster on the wrong port, leading to bogus reports of startup failure.
(8.3.1,8.2.7,8.1.12,8.0.16) Use -fwrapv to defend against possible misoptimization in recent gcc versions (Tom Lane)
This is known to be necessary when building PostgreSQL with gcc 4.3 or later.
(8.3.1) Enable building contrib/uuid-ossp with MSVC (Hiroshi Saito)
Release date: 2008-02-04
With significant new functionality and performance enhancements, this release represents a major leap forward for PostgreSQL. This was made possible by a growing community that has dramatically accelerated the pace of development. This release adds the following major features:
(8.3.0) Full text search is integrated into the core database system
(8.3.0) Support for the SQL/XML standard, including new operators and an XML data type
(8.3.0) Enumerated data types (ENUM)
(8.3.0) Arrays of composite types
(8.3.0) Universally Unique Identifier (UUID) data type
(8.3.0) Add control over whether NULLs sort first or last
(8.3.0) Updatable cursors
(8.3.0) Server configuration parameters can now be set on a per-function basis
(8.3.0) User-defined types can now have type modifiers
(8.3.0) Automatically re-plan cached queries when table definitions change or statistics are updated
(8.3.0) Numerous improvements in logging and statistics collection
(8.3.0) Support Security Service Provider Interface (SSPI) for authentication on Windows
(8.3.0) Support multiple concurrent autovacuum processes, and other autovacuum improvements
(8.3.0) Allow the whole PostgreSQL distribution to be compiled with Microsoft Visual C++
Major performance improvements are listed below. Most of these enhancements are automatic and do not require user changes or tuning:
(8.3.0) Asynchronous commit delays writes to WAL during transaction commit
(8.3.0) Checkpoint writes can be spread over a longer time period to smooth the I/O spike during each checkpoint
(8.3.0) Heap-Only Tuples (HOT) accelerate space reuse for most UPDATEs and DELETEs
(8.3.0) Just-in-time background writer strategy improves disk write efficiency
(8.3.0) Using non-persistent transaction IDs for read-only transactions reduces overhead and VACUUM requirements
(8.3.0) Per-field and per-row storage overhead has been reduced
(8.3.0) Large sequential scans no longer force out frequently used cached pages
(8.3.0) Concurrent large sequential scans can now share disk reads
(8.3.0) ORDER BY ... LIMIT can be done without sorting
The above items are explained in more detail in the sections below.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Observe the following incompatibilities:
(8.3.0) Non-character data types are no longer automatically cast to TEXT (Peter T. Mount, Tom Lane)
Previously, if a non-character value was supplied to an operator or function that requires text input, it was automatically cast to text, for most (though not all) built-in data types. This no longer happens: an explicit cast to text is now required for all non-character-string types. For example, these expressions formerly worked:
substr(current_date, 1, 4) 23 LIKE '2%'
but will now draw "function does not exist" and "operator does not exist" errors respectively. Use an explicit cast instead:
substr(current_date::text, 1, 4) 23::text LIKE '2%'
(Of course, you can use the more verbose CAST() syntax too.) The reason for the change is that these automatic casts too often caused surprising behavior. An example is that in previous releases, this expression was accepted but did not do what was expected:
current_date < 2017-11-17
This is actually comparing a date to an integer, which should be (and now is) rejected — but in the presence of automatic casts both sides were cast to text and a textual comparison was done, because the text < text operator was able to match the expression when no other < operator could.
Types char(n) and varchar(n) still cast to text automatically. Also, automatic casting to text still works for inputs to the concatenation (||) operator, so long as least one input is a character-string type.
(8.3.0) Full text search features from contrib/tsearch2 have been moved into the core server, with some minor syntax changes
contrib/tsearch2 now contains a compatibility interface.
(8.3.0) ARRAY (SELECT ...), where the SELECT returns no rows, now returns an empty array, rather than NULL (Tom Lane)
(8.3.0) The array type name for a base data type is no longer always the base type's name with an underscore prefix
The old naming convention is still honored when possible, but application code should no longer depend on it. Instead use the new pg_type.typarray column to identify the array data type associated with a given type.
(8.3.0) ORDER BY ... USING operator must now use a less-than or greater-than operator that is defined in a btree operator class
This restriction was added to prevent inconsistent results.
(8.3.0) SET LOCAL changes now persist until the end of the outermost transaction, unless rolled back (Tom Lane)
Previously SET LOCAL's effects were lost after subtransaction commit (RELEASE SAVEPOINT or exit from a PL/pgSQL exception block).
(8.3.0) Commands rejected in transaction blocks are now also rejected in multiple-statement query strings (Tom Lane)
For example, "BEGIN; DROP DATABASE; COMMIT" will now be rejected even if submitted as a single query message.
(8.3.0) ROLLBACK outside a transaction block now issues NOTICE instead of WARNING (Bruce Momjian)
(8.3.0) Prevent NOTIFY/LISTEN/UNLISTEN from accepting schema-qualified names (Bruce Momjian)
Formerly, these commands accepted schema.relation but ignored the schema part, which was confusing.
(8.3.0) ALTER SEQUENCE no longer affects the
sequence's currval()
state (Tom Lane)
(8.3.0) Foreign keys now must match indexable conditions for cross-data-type references (Tom Lane)
This improves semantic consistency and helps avoid performance problems.
(8.3.0) Restrict object size functions to users who have reasonable permissions to view such information (Tom Lane)
For example, pg_database_size()
now requires CONNECT permission, which is
granted to everyone by default. pg_tablespace_size()
requires CREATE permission in the tablespace, or is allowed
if the tablespace is the default tablespace for the database.
(8.3.0) Remove the undocumented !!= (not in) operator (Tom Lane)
NOT IN (SELECT ...) is the proper way to perform this operation.
(8.3.0) Internal hashing functions are now more uniformly-distributed (Tom Lane)
If application code was computing and storing hash values using internal PostgreSQL hashing functions, the hash values must be regenerated.
(8.3.0) C-code conventions for handling variable-length data values have changed (Greg Stark, Tom Lane)
The new SET_VARSIZE()
macro
must be used to set the
length of generated varlena values. Also, it
might be necessary to expand ("de-TOAST") input values in more cases.
(8.3.0) Continuous archiving no longer reports each successful archive operation to the server logs unless DEBUG level is used (Simon Riggs)
(8.3.0) Numerous changes in administrative server parameters
bgwriter_lru_percent, bgwriter_all_percent, bgwriter_all_maxpages, stats_start_collector, and stats_reset_on_server_start are removed. redirect_stderr is renamed to logging_collector. stats_command_string is renamed to track_activities. stats_block_level and stats_row_level are merged into track_counts. A new boolean configuration parameter, archive_mode, controls archiving. Autovacuum's default settings have changed.
(8.3.0) Remove stats_start_collector parameter (Tom Lane)
We now always start the collector process, unless UDP socket creation fails.
(8.3.0) Remove stats_reset_on_server_start parameter (Tom Lane)
This was removed because pg_stat_reset()
can be used for this purpose.
(8.3.0) Commenting out a parameter in postgresql.conf now causes it to revert to its default value (Joachim Wieland)
Previously, commenting out an entry left the parameter's value unchanged until the next server restart.
(8.3.0) Add more checks for invalidly-encoded data (Andrew Dunstan)
This change plugs some holes that existed in literal backslash escape string processing and COPY escape processing. Now the de-escaped string is rechecked to see if the result created an invalid multi-byte character.
(8.3.0) Disallow database encodings that are inconsistent with the server's locale setting (Tom Lane)
On most platforms, C locale is the only
locale that will work with any database encoding. Other locale
settings imply a specific encoding and will misbehave if the
database encoding is something different. (Typical symptoms include
bogus textual sort order and wrong results from upper()
or lower()
.) The server now rejects attempts to
create databases that have an incompatible encoding.
(8.3.0) Ensure that chr()
cannot create
invalidly-encoded values (Andrew Dunstan)
In UTF8-encoded databases the argument of chr()
is now treated as a Unicode code point. In
other multi-byte encodings chr()
's
argument must designate a 7-bit ASCII character. Zero is no longer
accepted. ascii()
has been adjusted
to match.
(8.3.0) Adjust convert()
behavior to
ensure encoding validity (Andrew Dunstan)
The two argument form of convert()
has been removed. The three argument form now takes a bytea first argument and returns a bytea. To cover the loss of functionality, three new
functions have been added:
convert_from(bytea, name)
returns
text — converts the first argument from the
named encoding to the database encoding
(8.3.0) convert_to(text, name)
returns
bytea — converts the first argument from the
database encoding to the named encoding
(8.3.0) length(bytea, name)
returns
integer — gives the length of the first
argument in characters in the named encoding
(8.3.0) Remove convert(argument USING conversion_name) (Andrew Dunstan)
Its behavior did not match the SQL standard.
(8.3.0) Make JOHAB encoding client-only (Tatsuo Ishii)
JOHAB is not safe as a server-side encoding.
Below you will find a detailed account of the changes between PostgreSQL 8.3 and the previous major release.
(8.3.0) Asynchronous commit delays writes to WAL during transaction commit (Simon Riggs)
This feature dramatically increases performance for short data-modifying transactions. The disadvantage is that because disk writes are delayed, if the database or operating system crashes before data is written to the disk, committed data will be lost. This feature is useful for applications that can accept some data loss. Unlike turning off fsync, using asynchronous commit does not put database consistency at risk; the worst case is that after a crash the last few reportedly-committed transactions might not be committed after all. This feature is enabled by turning off synchronous_commit (which can be done per-session or per-transaction, if some transactions are critical and others are not). wal_writer_delay can be adjusted to control the maximum delay before transactions actually reach disk.
(8.3.0) Checkpoint writes can be spread over a longer time period to smooth the I/O spike during each checkpoint (Itagaki Takahiro and Heikki Linnakangas)
Previously all modified buffers were forced to disk as quickly as possible during a checkpoint, causing an I/O spike that decreased server performance. This new approach spreads out disk writes during checkpoints, reducing peak I/O usage. (User-requested and shutdown checkpoints are still written as quickly as possible.)
(8.3.0) Heap-Only Tuples (HOT) accelerate space reuse for most UPDATEs and DELETEs (Pavan Deolasee, with ideas from many others)
UPDATEs and DELETEs leave dead tuples behind, as do failed INSERTs. Previously only VACUUM could reclaim space taken by dead tuples. With HOT dead tuple space can be automatically reclaimed at the time of INSERT or UPDATE if no changes are made to indexed columns. This allows for more consistent performance. Also, HOT avoids adding duplicate index entries.
(8.3.0) Just-in-time background writer strategy improves disk write efficiency (Greg Smith, Itagaki Takahiro)
This greatly reduces the need for manual tuning of the background writer.
(8.3.0) Per-field and per-row storage overhead have been reduced (Greg Stark, Heikki Linnakangas)
Variable-length data types with data values less than 128 bytes long will see a storage decrease of 3 to 6 bytes. For example, two adjacent char(1) fields now use 4 bytes instead of 16. Row headers are also 4 bytes shorter than before.
(8.3.0) Using non-persistent transaction IDs for read-only transactions reduces overhead and VACUUM requirements (Florian Pflug)
Non-persistent transaction IDs do not increment the global transaction counter. Therefore, they reduce the load on pg_clog and increase the time between forced vacuums to prevent transaction ID wraparound. Other performance improvements were also made that should improve concurrency.
(8.3.0) Avoid incrementing the command counter after a read-only command (Tom Lane)
There was formerly a hard limit of 232 (4 billion) commands per transaction. Now only commands that actually changed the database count, so while this limit still exists, it should be significantly less annoying.
(8.3.0) Create a dedicated WAL writer process to off-load work from backends (Simon Riggs)
(8.3.0) Skip unnecessary WAL writes for CLUSTER and COPY (Simon Riggs)
Unless WAL archiving is enabled, the system now avoids WAL
writes for CLUSTER and just fsync()
s the table at the end of the command. It
also does the same for COPY if the table
was created in the same transaction.
(8.3.0) Large sequential scans no longer force out frequently used cached pages (Simon Riggs, Heikki Linnakangas, Tom Lane)
(8.3.0) Concurrent large sequential scans can now share disk reads (Jeff Davis)
This is accomplished by starting the new sequential scan in the middle of the table (where another sequential scan is already in-progress) and wrapping around to the beginning to finish. This can affect the order of returned rows in a query that does not specify ORDER BY. The synchronize_seqscans configuration parameter can be used to disable this if necessary.
(8.3.0) ORDER BY ... LIMIT can be done without sorting (Greg Stark)
This is done by sequentially scanning the table and tracking just the "top N" candidate rows, rather than performing a full sort of the entire table. This is useful when there is no matching index and the LIMIT is not large.
(8.3.0) Put a rate limit on messages sent to the statistics collector by backends (Tom Lane)
This reduces overhead for short transactions, but might sometimes increase the delay before statistics are tallied.
(8.3.0) Improve hash join performance for cases with many NULLs (Tom Lane)
(8.3.0) Speed up operator lookup for cases with non-exact datatype matches (Tom Lane)
(8.3.0) Autovacuum is now enabled by default (Álvaro Herrera)
Several changes were made to eliminate disadvantages of having autovacuum enabled, thereby justifying the change in default. Several other autovacuum parameter defaults were also modified.
(8.3.0) Support multiple concurrent autovacuum processes (Álvaro Herrera, Itagaki Takahiro)
This allows multiple vacuums to run concurrently. This prevents vacuuming of a large table from delaying vacuuming of smaller tables.
(8.3.0) Automatically re-plan cached queries when table definitions change or statistics are updated (Tom Lane)
Previously PL/pgSQL functions that referenced temporary tables would fail if the temporary table was dropped and recreated between function invocations, unless EXECUTE was used. This improvement fixes that problem and many related issues.
(8.3.0) Add a temp_tablespaces parameter to control the tablespaces for temporary tables and files (Jaime Casanova, Albert Cervera, Bernd Helmle)
This parameter defines a list of tablespaces to be used. This enables spreading the I/O load across multiple tablespaces. A random tablespace is chosen each time a temporary object is created. Temporary files are no longer stored in per-database pgsql_tmp/ directories but in per-tablespace directories.
(8.3.0) Place temporary tables' TOAST tables in special schemas named pg_toast_temp_nnn (Tom Lane)
This allows low-level code to recognize these tables as temporary, which enables various optimizations such as not WAL-logging changes and using local rather than shared buffers for access. This also fixes a bug wherein backends unexpectedly held open file references to temporary TOAST tables.
(8.3.0) Fix problem that a constant flow of new connection requests could indefinitely delay the postmaster from completing a shutdown or a crash restart (Tom Lane)
(8.3.0) Guard against a very-low-probability data loss scenario by preventing re-use of a deleted table's relfilenode until after the next checkpoint (Heikki Linnakangas)
(8.3.0) Fix CREATE CONSTRAINT TRIGGER to convert old-style foreign key trigger definitions into regular foreign key constraints (Tom Lane)
This will ease porting of foreign key constraints carried forward from pre-7.3 databases, if they were never converted using contrib/adddepend.
(8.3.0) Fix DEFAULT NULL to override inherited defaults (Tom Lane)
DEFAULT NULL was formerly considered a noise phrase, but it should (and now does) override non-null defaults that would otherwise be inherited from a parent table or domain.
(8.3.0) Add new encodings EUC_JIS_2004 and SHIFT_JIS_2004 (Tatsuo Ishii)
These new encodings can be converted to and from UTF-8.
(8.3.0) Change server startup log message from "database system is ready" to "database system is ready to accept connections", and adjust its timing
The message now appears only when the postmaster is really ready to accept connections.
(8.3.0) Add log_autovacuum_min_duration parameter to support configurable logging of autovacuum activity (Simon Riggs, Álvaro Herrera)
(8.3.0) Add log_lock_waits parameter to log lock waiting (Simon Riggs)
(8.3.0) Add log_temp_files parameter to log temporary file usage (Bill Moran)
(8.3.0) Add log_checkpoints parameter to improve logging of checkpoints (Greg Smith, Heikki Linnakangas)
(8.3.0) log_line_prefix now supports %s and %c escapes in all processes (Andrew Dunstan)
Previously these escapes worked only for user sessions, not for background database processes.
(8.3.0) Add log_restartpoints to control logging of point-in-time recovery restart points (Simon Riggs)
(8.3.0) Last transaction end time is now logged at end of recovery and at each logged restart point (Simon Riggs)
(8.3.0) Autovacuum now reports its activity start time in pg_stat_activity (Tom Lane)
(8.3.0) Allow server log output in comma-separated value (CSV) format (Arul Shaji, Greg Smith, Andrew Dunstan)
CSV-format log files can easily be loaded into a database table for subsequent analysis.
(8.3.0) Use PostgreSQL-supplied timezone support for formatting timestamps displayed in the server log (Tom Lane)
This avoids Windows-specific problems with localized time zone names that are in the wrong encoding. There is a new log_timezone parameter that controls the timezone used in log messages, independently of the client-visible timezone parameter.
(8.3.0) New system view pg_stat_bgwriter displays statistics about background writer activity (Magnus Hagander)
(8.3.0) Add new columns for database-wide tuple statistics to pg_stat_database (Magnus Hagander)
(8.3.0) Add an xact_start (transaction start time) column to pg_stat_activity (Neil Conway)
This makes it easier to identify long-running transactions.
(8.3.0) Add n_live_tuples and n_dead_tuples columns to pg_stat_all_tables and related views (Glen Parker)
(8.3.0) Merge stats_block_level and stats_row_level parameters into a single parameter track_counts, which controls all messages sent to the statistics collector process (Tom Lane)
(8.3.0) Rename stats_command_string parameter to track_activities (Tom Lane)
(8.3.0) Fix statistical counting of live and dead tuples to recognize that committed and aborted transactions have different effects (Tom Lane)
(8.3.0) Support Security Service Provider Interface (SSPI) for authentication on Windows (Magnus Hagander)
(8.3.0) Support GSSAPI authentication (Henry Hotz, Magnus Hagander)
This should be preferred to native Kerberos authentication because GSSAPI is an industry standard.
(8.3.0) Support a global SSL configuration file (Victor Wagner)
(8.3.0) Add ssl_ciphers parameter to control accepted SSL ciphers (Victor Wagner)
(8.3.0) Add a Kerberos realm parameter, krb_realm (Magnus Hagander)
(8.3.0) Change the timestamps recorded in transaction WAL records from time_t to TimestampTz representation (Tom Lane)
This provides sub-second resolution in WAL, which can be useful for point-in-time recovery.
(8.3.0) Reduce WAL disk space needed by warm standby servers (Simon Riggs)
This change allows a warm standby server to pass the name of the earliest still-needed WAL file to the recovery script, allowing automatic removal of no-longer-needed WAL files. This is done using %r in the restore_command parameter of recovery.conf.
(8.3.0) New boolean configuration parameter, archive_mode, controls archiving (Simon Riggs)
Previously setting archive_command to an empty string turned off archiving. Now archive_mode turns archiving on and off, independently of archive_command. This is useful for stopping archiving temporarily.
(8.3.0) Full text search is integrated into the core database system (Teodor Sigaev, Oleg Bartunov)
Text search has been improved, moved into the core code, and is now installed by default. contrib/tsearch2 now contains a compatibility interface.
(8.3.0) Add control over whether NULLs sort first or last (Teodor Sigaev, Tom Lane)
The syntax is ORDER BY ... NULLS FIRST/LAST.
(8.3.0) Allow per-column ascending/descending (ASC/DESC) ordering options for indexes (Teodor Sigaev, Tom Lane)
Previously a query using ORDER BY with mixed ASC/DESC specifiers could not fully use an index. Now an index can be fully used in such cases if the index was created with matching ASC/DESC specifications. NULL sort order within an index can be controlled, too.
(8.3.0) Allow col IS NULL to use an index (Teodor Sigaev)
(8.3.0) Updatable cursors (Arul Shaji, Tom Lane)
This eliminates the need to reference a primary key to UPDATE or DELETE rows returned by a cursor. The syntax is UPDATE/DELETE WHERE CURRENT OF.
(8.3.0) Allow FOR UPDATE in cursors (Arul Shaji, Tom Lane)
(8.3.0) Create a general mechanism that supports casts to and from the standard string types (TEXT, VARCHAR, CHAR) for every datatype, by invoking the datatype's I/O functions (Tom Lane)
Previously, such casts were available only for types that had specialized function(s) for the purpose. These new casts are assignment-only in the to-string direction, explicit-only in the other direction, and therefore should create no surprising behavior.
(8.3.0) Allow UNION and related constructs to return a domain type, when all inputs are of that domain type (Tom Lane)
Formerly, the output would be considered to be of the domain's base type.
(8.3.0) Allow limited hashing when using two different data types (Tom Lane)
This allows hash joins, hash indexes, hashed subplans, and hash aggregation to be used in situations involving cross-data-type comparisons, if the data types have compatible hash functions. Currently, cross-data-type hashing support exists for smallint/integer/bigint, and for float4/float8.
(8.3.0) Improve optimizer logic for detecting when variables are equal in a WHERE clause (Tom Lane)
This allows mergejoins to work with descending sort orders, and improves recognition of redundant sort columns.
(8.3.0) Improve performance when planning large inheritance trees in cases where most tables are excluded by constraints (Tom Lane)
(8.3.0) Arrays of composite types (David Fetter, Andrew Dunstan, Tom Lane)
In addition to arrays of explicitly-declared composite types, arrays of the rowtypes of regular tables and views are now supported, except for rowtypes of system catalogs, sequences, and TOAST tables.
(8.3.0) Server configuration parameters can now be set on a per-function basis (Tom Lane)
For example, functions can now set their own search_path to prevent unexpected behavior if a different search_path exists at run-time. Security definer functions should set search_path to avoid security loopholes.
(8.3.0) CREATE/ALTER FUNCTION now supports COST and ROWS options (Tom Lane)
COST allows specification of the cost of a function call. ROWS allows specification of the average number or rows returned by a set-returning function. These values are used by the optimizer in choosing the best plan.
(8.3.0) Implement CREATE TABLE LIKE ... INCLUDING INDEXES (Trevor Hardcastle, Nikhil Sontakke, Neil Conway)
(8.3.0) Allow CREATE INDEX CONCURRENTLY to ignore transactions in other databases (Simon Riggs)
(8.3.0) Add ALTER VIEW ... RENAME TO and ALTER SEQUENCE ... RENAME TO (David Fetter, Neil Conway)
Previously this could only be done via ALTER TABLE ... RENAME TO.
(8.3.0) Make CREATE/DROP/RENAME DATABASE wait briefly for conflicting backends to exit before failing (Tom Lane)
This increases the likelihood that these commands will succeed.
(8.3.0) Allow triggers and rules to be deactivated in groups using a configuration parameter, for replication purposes (Jan Wieck)
This allows replication systems to disable triggers and rewrite rules as a group without modifying the system catalogs directly. The behavior is controlled by ALTER TABLE and a new parameter session_replication_role.
(8.3.0) User-defined types can now have type modifiers (Teodor Sigaev, Tom Lane)
This allows a user-defined type to take a modifier, like ssnum(7). Previously only built-in data types could have modifiers.
(8.3.0) Non-superuser database owners now are able to add trusted procedural languages to their databases by default (Jeremy Drake)
While this is reasonably safe, some administrators might wish to revoke the privilege. It is controlled by pg_pltemplate.tmpldbacreate.
(8.3.0) Allow a session's current parameter setting to be used as the default for future sessions (Tom Lane)
This is done with SET ... FROM CURRENT in CREATE/ALTER FUNCTION, ALTER DATABASE, or ALTER ROLE.
(8.3.0) Implement new commands DISCARD ALL, DISCARD PLANS, DISCARD TEMPORARY, CLOSE ALL, and DEALLOCATE ALL (Marko Kreen, Neil Conway)
These commands simplify resetting a database session to its initial state, and are particularly useful for connection-pooling software.
(8.3.0) Make CLUSTER MVCC-safe (Heikki Linnakangas)
Formerly, CLUSTER would discard all tuples that were committed dead, even if there were still transactions that should be able to see them under MVCC visibility rules.
(8.3.0) Add new CLUSTER syntax: CLUSTER table USING index (Holger Schurig)
The old CLUSTER syntax is still supported, but the new form is considered more logical.
(8.3.0) Fix EXPLAIN so it can show complex plans more accurately (Tom Lane)
References to subplan outputs are now always shown correctly, instead of using ?columnN? for complicated cases.
(8.3.0) Limit the amount of information reported when a user is dropped (Álvaro Herrera)
Previously, dropping (or attempting to drop) a user who owned many objects could result in large NOTICE or ERROR messages listing all these objects; this caused problems for some client applications. The length of the message is now limited, although a full list is still sent to the server log.
(8.3.0) Support for the SQL/XML standard, including new operators and an XML data type (Nikolay Samokhvalov, Pavel Stehule, Peter T. Mount)
(8.3.0) Enumerated data types (ENUM) (Tom Dunstan)
This feature provides convenient support for fields that have a small, fixed set of allowed values. An example of creating an ENUM type is CREATE TYPE mood AS ENUM ('sad', 'ok', 'happy').
(8.3.0) Universally Unique Identifier (UUID) data type (Gevik Babakhani, Neil Conway)
This closely matches RFC 4122.
(8.3.0) Widen the MONEY data type to 64 bits (D'Arcy Cain)
This greatly increases the range of supported MONEY values.
(8.3.0) Fix float4/float8 to handle Infinity and NAN (Not A Number) consistently (Bruce Momjian)
The code formerly was not consistent about distinguishing Infinity from overflow conditions.
(8.3.0) Allow leading and trailing whitespace during input of boolean values (Neil Conway)
(8.3.0) Prevent COPY from using digits and lowercase letters as delimiters (Tom Lane)
(8.3.0) Add new regular expression functions regexp_matches()
, regexp_split_to_array()
, and regexp_split_to_table()
(Jeremy Drake, Neil Conway)
These functions provide extraction of regular expression subexpressions and allow splitting a string using a POSIX regular expression.
(8.3.0,8.3.0) Add lo_truncate()
for large object
truncation (Kris Jurka)
(8.3.0) Implement width_bucket()
for the
float8 data type (Neil Conway)
(8.3.0) Add pg_stat_clear_snapshot()
to
discard statistics snapshots collected during the current
transaction (Tom Lane)
The first request for statistics in a transaction takes a statistics snapshot that does not change during the transaction. This function allows the snapshot to be discarded and a new snapshot loaded during the next statistics query. This is particularly useful for PL/pgSQL functions, which are confined to a single transaction.
(8.3.0) Add isodow option to EXTRACT()
and date_part()
(Bruce Momjian)
This returns the day of the week, with Sunday as seven. (dow returns Sunday as zero.)
(8.3.0) Add ID (ISO day of week) and IDDD (ISO day of year) format codes for to_char()
, to_date()
, and to_timestamp()
(Brendan Jurd)
(8.3.0) Make to_timestamp()
and
to_date()
assume TM (trim) option for potentially variable-width
fields (Bruce Momjian)
This matches Oracle's behavior.
(8.3.0) Fix off-by-one conversion error in to_date()
/to_timestamp()
D
(non-ISO day of week) fields (Bruce Momjian)
(8.3.0) Make setseed()
return void, rather
than a useless integer value (Neil Conway)
(8.3.0) Add a hash function for NUMERIC (Neil Conway)
This allows hash indexes and hash-based plans to be used with NUMERIC columns.
(8.3.0) Improve efficiency of LIKE/ILIKE, especially for multi-byte character sets like UTF-8 (Andrew Dunstan, Itagaki Takahiro)
(8.3.0) Make currtid()
functions require
SELECT privileges on the target table
(Tom Lane)
(8.3.0) Add several txid_*()
functions to
query active transaction IDs (Jan Wieck)
This is useful for various replication solutions.
(8.3.0) Add scrollable cursor support, including directional control in FETCH (Pavel Stehule)
(8.3.0) Allow IN as an alternative to FROM in PL/pgSQL's FETCH statement, for consistency with the backend's FETCH command (Pavel Stehule)
(8.3.0) Add MOVE to PL/pgSQL (Magnus Hagander, Pavel Stehule, Neil Conway)
(8.3.0) Implement RETURN QUERY (Pavel Stehule, Neil Conway)
This adds convenient syntax for PL/pgSQL set-returning functions that want to return the result of a query. RETURN QUERY is easier and more efficient than a loop around RETURN NEXT.
(8.3.0) Allow function parameter names to be qualified with the function's name (Tom Lane)
For example, myfunc.myvar. This is particularly useful for specifying variables in a query where the variable name might match a column name.
(8.3.0) Make qualification of variables with block labels work properly (Tom Lane)
Formerly, outer-level block labels could unexpectedly interfere with recognition of inner-level record or row references.
(8.3.0) Tighten requirements for FOR loop STEP values (Tom Lane)
Prevent non-positive STEP values, and handle loop overflows.
(8.3.0) Improve accuracy when reporting syntax error locations (Tom Lane)
(8.3.0) Allow type-name arguments to PL/Perl spi_prepare()
to be data type aliases in addition
to names found in pg_type (Andrew Dunstan)
(8.3.0) Allow type-name arguments to PL/Python plpy.prepare()
to be data type aliases in
addition to names found in pg_type
(Andrew Dunstan)
(8.3.0) Allow type-name arguments to PL/Tcl spi_prepare
to be data type aliases in addition
to names found in pg_type (Andrew Dunstan)
(8.3.0) Enable PL/PythonU to compile on Python 2.5 (Marko Kreen)
(8.3.0) Support a true PL/Python boolean type in compatible Python versions (Python 2.3 and later) (Marko Kreen)
(8.3.0) Fix PL/Tcl problems with thread-enabled libtcl spawning multiple threads within the backend (Steve Marshall, Paul Bayer, Doug Knight)
This caused all sorts of unpleasantness.
(8.3.0) List disabled triggers separately in \d output (Brendan Jurd)
(8.3.0) In \d patterns, always match $ literally (Tom Lane)
(8.3.0) Show aggregate return types in \da output (Greg Sabino Mullane)
(8.3.0) Add the function's volatility status to the output of \df+ (Neil Conway)
(8.3.0) Add \prompt capability (Chad Wagner)
(8.3.0) Allow \pset, \t, and \x to specify on or off, rather than just toggling (Chad Wagner)
(8.3.0) Add \sleep capability (Jan Wieck)
(8.3.0) Enable \timing output for \copy (Andrew Dunstan)
(8.3.0) Improve \timing resolution on Windows (Itagaki Takahiro)
(8.3.0) Flush \o output after each backslash command (Tom Lane)
(8.3.0) Correctly detect and report errors while reading a -f input file (Peter T. Mount)
(8.3.0,8.3.0) Remove -u option (this option has long been deprecated) (Tom Lane)
(8.3.0) Add --tablespaces-only and --roles-only options to pg_dumpall (Dave Page)
(8.3.0) Add an output file option to pg_dumpall (Dave Page)
This is primarily useful on Windows, where output redirection of child pg_dump processes does not work.
(8.3.0) Allow pg_dumpall to accept an initial-connection database name rather than the default template1 (Dave Page)
(8.3.0) In -n and -t switches, always match $ literally (Tom Lane)
(8.3.0) Improve performance when a database has thousands of objects (Tom Lane)
(8.3.0,8.3.0) Remove -u option (this option has long been deprecated) (Tom Lane)
(8.3.0) In initdb, allow the location of the pg_xlog directory to be specified (Euler Taveira de Oliveira)
(8.3.0) Enable server core dump generation in pg_regress on supported operating systems (Andrew Dunstan)
(8.3.0) Add a -t (timeout) parameter to pg_ctl (Bruce Momjian)
This controls how long pg_ctl will wait when waiting for server startup or shutdown. Formerly the timeout was hard-wired as 60 seconds.
(8.3.0) Add a pg_ctl option to control generation of server core dumps (Andrew Dunstan)
(8.3.0) Allow Control-C to cancel clusterdb, reindexdb, and vacuumdb (Itagaki Takahiro, Magnus Hagander)
(8.3.0) Suppress command tag output for createdb, createuser, dropdb, and dropuser (Peter T. Mount)
The --quiet option is ignored and will be removed in 8.4. Progress messages when acting on all databases now go to stdout instead of stderr because they are not actually errors.
(8.3.0) Interpret the dbName parameter of
PQsetdbLogin()
as a conninfo string if it contains an equals sign
(Andrew Dunstan)
This allows use of conninfo strings in client programs that still use PQsetdbLogin().
(8.3.0) Support a global SSL configuration file (Victor Wagner)
(8.3.0) Add environment variable PGSSLKEY to control SSL hardware keys (Victor Wagner)
(8.3.0,8.3.0) Add lo_truncate()
for large object
truncation (Kris Jurka)
(8.3.0) Add PQconnectionNeedsPassword()
that returns true if the server required a password but none was
supplied (Joe Conway, Tom Lane)
If this returns true after a failed connection attempt, a client application should prompt the user for a password. In the past applications have had to check for a specific error message string to decide whether a password is needed; that approach is now deprecated.
(8.3.0) Add PQconnectionUsedPassword()
that returns true if the supplied password was actually used (Joe
Conway, Tom Lane)
This is useful in some security contexts where it is important to know whether a user-supplied password is actually valid.
(8.3.0) Use V3 frontend/backend protocol (Michael Meskes)
This adds support for server-side prepared statements.
(8.3.0) Use native threads, instead of pthreads, on Windows (Magnus Hagander)
(8.3.0) Improve thread-safety of ecpglib (Itagaki Takahiro)
(8.3.0) Make the ecpg libraries export only necessary API symbols (Michael Meskes)
(8.3.0) Allow the whole PostgreSQL distribution to be compiled with Microsoft Visual C++ (Magnus and others)
This allows Windows-based developers to use familiar development and debugging tools. Windows executables made with Visual C++ might also have better stability and performance than those made with other tool sets. The client-only Visual C++ build scripts have been removed.
(8.3.0) Drastically reduce postmaster's memory usage when it has many child processes (Magnus Hagander)
(8.3.0) Allow regression tests to be started by an administrative user (Magnus Hagander)
(8.3.0) Add native shared memory implementation (Magnus Hagander)
(8.3.0) Add cursor-related functionality in SPI (Pavel Stehule)
Allow access to the cursor-related planning options, and add FETCH/MOVE routines.
(8.3.0) Allow execution of cursor commands through SPI_execute
(Tom Lane)
The macro SPI_ERROR_CURSOR still exists but will never be returned.
(8.3.0) SPI plan pointers are now declared as SPIPlanPtr instead of void * (Tom Lane)
This does not break application code, but switching is recommended to help catch simple programming mistakes.
(8.3.0) Add configure option --enable-profiling to enable code profiling (works only with gcc) (Korry Douglas and Nikhil Sontakke)
(8.3.0) Add configure option --with-system-tzdata to use the operating system's time zone database (Peter T. Mount)
(8.3.0) Fix PGXS so extensions can be built against PostgreSQL installations whose pg_config program does not appear first in the PATH (Tom Lane)
(8.3.0) Support gmake draft when building the SGML documentation (Bruce Momjian)
Unless draft is used, the documentation build will now be repeated if necessary to ensure the index is up-to-date.
(8.3.0) Rename macro DLLIMPORT to PGDLLIMPORT to avoid conflicting with third party includes (like Tcl) that define DLLIMPORT (Magnus Hagander)
(8.3.0) Create "operator families" to improve planning of queries involving cross-data-type comparisons (Tom Lane)
(8.3.0) Update GIN extractQuery()
API to
allow signalling that nothing can satisfy the query (Teodor Sigaev)
(8.3.0) Move NAMEDATALEN definition from postgres_ext.h to pg_config_manual.h (Peter T. Mount)
(8.3.0) Provide strlcpy()
and strlcat()
on all platforms, and replace
error-prone uses of strncpy()
,
strncat()
, etc (Peter T. Mount)
(8.3.0) Create hooks to let an external plugin monitor (or even replace) the planner and create plans for hypothetical situations (Gurjeet Singh, Tom Lane)
(8.3.0) Create a function variable join_search_hook to let plugins override the join search order portion of the planner (Julius Stroffek)
(8.3.0) Add tas()
support for Renesas'
M32R processor (Kazuhiro Inaoka)
(8.3.0) quote_identifier()
and
pg_dump no longer quote keywords
that are unreserved according to the grammar (Tom Lane)
(8.3.0) Change the on-disk representation of the NUMERIC data type so that the sign_dscale word comes before the weight (Tom Lane)
(8.3.0) Use SYSV semaphores rather than POSIX on Darwin >= 6.0, i.e., OS X 10.2 and up (Chris Marcellino)
(8.3.0) Add acronym and NFS documentation sections (Bruce Momjian)
(8.3.0) "Postgres" is now documented as an accepted alias for "PostgreSQL" (Peter T. Mount)
(8.3.0) Add documentation about preventing database server spoofing when the server is down (Bruce Momjian)
(8.3.0) Move contrib README content into the main PostgreSQL documentation (Albert Cervera i Areny)
(8.3.0) Add contrib/pageinspect module for low-level page inspection (Simon Riggs, Heikki Linnakangas)
(8.3.0) Add contrib/pg_standby module for controlling warm standby operation (Simon Riggs)
(8.3.0) Add contrib/uuid-ossp module for generating UUID values using the OSSP UUID library (Peter T. Mount)
Use configure --with-ossp-uuid to activate. This takes advantage of the new UUID builtin type.
(8.3.0) Add contrib/dict_int, contrib/dict_xsyn, and contrib/test_parser modules to provide sample add-on text search dictionary templates and parsers (Sergey Karpov)
(8.3.0) Allow contrib/pgbench to set the fillfactor (Pavan Deolasee)
(8.3.0) Add timestamps to contrib/pgbench -l (Greg Smith)
(8.3.0) Add usage count statistics to contrib/pgbuffercache (Greg Smith)
(8.3.0) Add GIN support for contrib/hstore (Teodor Sigaev)
(8.3.0) Add GIN support for contrib/pg_trgm (Guillaume Smet, Teodor Sigaev)
(8.3.0) Update OS/X startup scripts in contrib/start-scripts (Mark Cotner, David Fetter)
(8.3.0) Restrict pgrowlocks()
and
dblink_get_pkey()
to users who have
SELECT privilege on the target table
(Tom Lane)
(8.3.0) Restrict contrib/pgstattuple functions to superusers (Tom Lane)
(8.3.0) contrib/xml2 is deprecated and planned for removal in 8.4 (Peter T. Mount)
The new XML support in core PostgreSQL supersedes this module.
Release date: 2011-12-05
This release contains a variety of fixes from 8.2.22. For information about new features in the 8.2 major release, see Version 8.2.0.
This is expected to be the last PostgreSQL release in the 8.2.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.2.X.
However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below.
Also, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Fix bugs in information_schema.referential_constraints view (Tom Lane)
This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does.
Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane)
If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Fix race condition during toast table access from stale syscache entries (Tom Lane)
The typical symptom was transient errors like "missing chunk number 0 for toast value NNNNN in pg_toast_2619", where the cited toast table would always belong to a system catalog.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Improve locale support in money type's input and output (Tom Lane)
Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas)
transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane)
For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Preserve blank lines within commands in psql's command history (Robert Haas)
The former behavior could cause problems if an empty line was removed from within a string literal, for example.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker)
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Honor query cancel interrupts promptly in pgstatindex()
(Robert Haas)
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Ensure VPATH builds properly install all server header files (Peter Eisentraut)
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Shorten file names reported in verbose error messages (Peter Eisentraut)
Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Fix interpretation of Windows timezone names for Central America (Tom Lane)
Map "Central America Standard Time" to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America.
(8.2.23,9.1.2,9.0.6,8.4.10,8.3.17) Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa.
Release date: 2011-09-26
This release contains a variety of fixes from 8.2.21. For information about new features in the 8.2 major release, see Version 8.2.0.
The PostgreSQL community will stop releasing updates for the 8.2.X release series in December 2011. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix multiple bugs in GiST index page split processing (Heikki Linnakangas)
The probability of occurrence was low, but these could lead to index corruption.
(8.2.22) Avoid possibly accessing off the end of memory in ANALYZE (Noah Misch)
This fixes a very-low-probability server crash scenario.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix race condition in relcache init file invalidation (Tom Lane)
There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically "could not read block 0 in file ..." later during startup.
(8.2.22,9.1.1,9.0.5,8.4.9,8.3.16) Fix memory leak at end of a GiST index scan (Tom Lane)
Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix performance problem when constructing a large, lossy bitmap (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Fix array- and path-creating functions to ensure padding bytes are zeroes (Tom Lane)
This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization.
(8.2.22,9.0.5,8.4.9,8.3.16) Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane)
This could lead to loss of committed transactions after a server crash.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix dump bug for VALUES in a view (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Disallow SELECT FOR UPDATE/SHARE on sequences (Tom Lane)
This operation doesn't work as expected and can lead to failures.
(8.2.22,9.0.5,8.4.9,8.3.16) Defend against integer overflow when computing size of a hash table (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Fix portability bugs in use of credentials control messages for "peer" authentication (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Fix typo in pg_srand48
seed
initialization (Andres Freund)
This led to failure to use all bits of the provided seed. This
function is not used on most platforms (only those without
srandom
), and the potential security
exposure from a less-random-than-expected seed seems minimal in any
case.
(8.2.22,9.0.5,8.4.9,8.3.16) Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63 (Heikki Linnakangas)
(8.2.22,9.0.5,8.4.9,8.3.16) Add overflow checks to int4 and int8 versions of generate_series()
(Robert Haas)
(8.2.22,9.0.5,8.4.9,8.3.16) Fix trailing-zero removal in to_char()
(Marti Raudsepp)
In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix pg_size_pretty()
to avoid
overflow for inputs close to 2^63 (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Fix psql's counting of script file line numbers during COPY from a different file (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Fix pg_restore's direct-to-database mode for standard_conforming_strings (Tom Lane)
pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code (Albe Laurenz)
(8.2.22,9.0.5,8.4.9,8.3.16) In libpq, avoid failures when using nonblocking I/O and an SSL connection (Martin Pihlak, Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Improve libpq's handling of failures during connection startup (Tom Lane)
In particular, the response to a server report of fork()
failure during SSL connection startup is
now saner.
(8.2.22,9.0.5,8.4.9,8.3.16) Make ecpglib write double values with 15 digits precision (Akira Kurosawa)
(8.2.22,9.0.5,8.4.9,8.3.16) Apply upstream fix for blowfish signed-character bug CVE-2011-2483 or CVE-2011-2483) (Tom Lane)
contrib/pg_crypto's blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix memory leak in contrib/seg (Heikki Linnakangas)
(8.2.22,9.0.5,8.4.9,8.3.16) Fix pgstatindex()
to give
consistent results for empty indexes (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Allow building with perl 5.14 (Alex Hunsaker)
(8.2.22,8.4.9,8.3.16) Update configure script's method for probing existence of system functions (Tom Lane)
The version of autoconf we used in 8.3 and 8.2 could be fooled by compilers that perform link-time optimization.
(8.2.22,9.0.5,8.4.9,8.3.16) Fix assorted issues with build and install file paths containing spaces (Tom Lane)
(8.2.22,9.0.5,8.4.9,8.3.16) Update time zone data files to tzdata release 2011i for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan.
Release date: 2011-04-18
This release contains a variety of fixes from 8.2.20. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.21,9.0.4,8.4.8,8.3.15) Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke)
In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order.
(8.2.21,9.0.4,8.4.8,8.3.15) Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane)
This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple.
(8.2.21,9.0.4,8.4.8,8.3.15) Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane)
Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired.
(8.2.21,9.0.4,8.4.8,8.3.15) Fix PL/Python memory leak involving array slices (Daniel Popowich)
(8.2.21,9.0.4,8.4.8,8.3.15) Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane)
(8.2.21,9.0.4,8.4.8,8.3.15) Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno)
(8.2.21,9.0.4,8.4.8,8.3.15) Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane)
There was a hard-wired assumption that this system function was not available on MIPS hardware on these systems. Use a compile-time test instead, since more recent versions have it.
(8.2.21,9.0.4,8.4.8,8.3.15) Fix compilation failures on HP-UX (Heikki Linnakangas)
(8.2.21,9.0.4,8.4.8,8.3.15) Fix path separator used by pg_regress on Cygwin (Andrew Dunstan)
(8.2.21,9.0.4,8.4.8,8.3.15) Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii.
Release date: 2011-01-31
This release contains a variety of fixes from 8.2.19. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.20,9.0.3,8.4.7,8.3.14) Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane)
If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors.
(8.2.20,9.0.3,8.4.7,8.3.14) Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane)
If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash.
(8.2.20,9.0.3,8.4.7,8.3.14) Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane)
The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity.
(8.2.20,8.4.7,8.3.14) Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on (Tom Lane)
Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database.
(8.2.20,9.0.3,8.4.7,8.3.14) Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane)
Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type.
(8.2.20,9.0.3,8.4.7,8.3.14) Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple)
This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. CVE-2010-4015 or CVE-2010-4015)
(8.2.20,9.0.3,8.4.7,8.3.14) Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.)
Release date: 2010-12-16
This release contains a variety of fixes from 8.2.18. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp)
The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option.
(8.2.19,9.0.2,8.4.6,8.3.13) Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane)
This could result in "bad buffer id: 0" failures or corruption of index contents during replication.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis)
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Add support for detecting register-stack overrun on IA64 (Tom Lane)
The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Add a check for stack overflow in copyObject()
(Tom Lane)
Certain code paths could crash due to stack overflow given a sufficiently complex query.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas)
It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane)
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane)
An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Do not "inline" a SQL function with multiple OUT parameters (Tom Lane)
This avoids a possible crash due to loss of information about the expected result rowtype.
(8.2.19,9.0.2,8.4.6,8.3.13) Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane)
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix constant-folding of COALESCE() expressions (Tom Lane)
The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Add print functionality for InhRelation nodes (Tom Lane)
This avoids a failure when debug_print_parse is enabled and certain types of query are executed.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane)
This bug affected several different geometric distance-measurement operators.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane)
(8.2.19,9.0.2,8.4.6,8.3.13) Fix PL/Python's handling of set-returning functions (Jan Urbanski)
Attempts to call SPI functions within the iterator generating a set result would fail.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update.
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro)
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp)
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane)
(8.2.19,9.0.2,8.4.6,8.3.13,8.1.23) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong.
Release date: 2010-10-04
This release contains a variety of fixes from 8.2.17. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.18,9.0.1,8.4.5,8.3.12,8.1.22,8.0.26,7.4.30) Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Our thanks to Tim Bunce for pointing out this issue CVE-2010-3433 or CVE-2010-3433).
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26,7.4.30) Prevent possible crashes in pg_get_expr()
by disallowing it from being called
with an argument that is not one of the system catalog columns it's
intended to be used with (Heikki Linnakangas, Tom Lane)
(8.2.18) Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus Hagander)
This bug led to the often-reported "could not reattach to shared memory" error message. This is a back-patch of a fix that was applied to newer branches some time ago.
(8.2.18,8.4.5,8.3.12) Treat exit code 128 (ERROR_WAIT_NO_CHILDREN) as non-fatal on Windows (Magnus Hagander)
Under high load, Windows processes will sometimes fail at startup with this error code. Formerly the postmaster treated this as a panic condition and restarted the whole database, but that seems to be an overreaction.
(8.2.18,9.0.1,8.4.5,8.3.12) Fix possible duplicate scans of UNION ALL member relations (Tom Lane)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26,7.4.30) Fix "cannot handle unplanned sub-select" error (Tom Lane)
This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select.
(8.2.18,8.4.5,8.3.12) Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages (Tom Lane)
This should improve the system's robustness with corrupted indexes.
(8.2.18,9.0.1,8.4.5,8.3.12,8.1.22) Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane)
(8.2.18,8.4.5,8.3.12,8.1.22) Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26,7.4.30) Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane)
This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed.
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas)
The original coding could result in a crash if there was limited stack space.
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) In PL/Python, defend against null pointer results from
PyCObject_AsVoidPtr
and PyCObject_FromVoidPtr
(Peter Eisentraut)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26,7.4.30) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26,7.4.30) Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro)
(8.2.18,8.4.5,8.3.12) Add hstore(text, text)
function to
contrib/hstore (Robert Haas)
This function is the recommended substitute for the now-deprecated => operator. It was back-patched so that future-proofed code can be used with older server versions. Note that the patch will be effective only after contrib/hstore is installed or reinstalled in a particular database. Users might prefer to execute the CREATE FUNCTION command by hand, instead.
(8.2.18,9.0.1,8.4.5,8.3.12,8.1.22,8.0.26,7.4.30) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)
(8.2.18,8.4.5,8.3.12,8.1.22,8.0.26) Update time zone data files to tzdata release 2010l for DST law changes in Egypt and Palestine; also historical corrections for Finland.
This change also adds new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape.
(8.2.18,8.4.5,8.3.12) Make Windows' "N. Central Asia Standard Time" timezone map to Asia/Novosibirsk, not Asia/Almaty (Magnus Hagander)
Microsoft changed the DST behavior of this zone in the timezone update from KB976098. Asia/Novosibirsk is a better match to its new behavior.
Release date: 2010-05-17
This release contains a variety of fixes from 8.2.16. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. CVE-2010-1169 or CVE-2010-1169)
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom Lane)
PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. CVE-2010-1170 or CVE-2010-1170)
(8.2.17) Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki Linnakangas)
This error was introduced in 8.2.16 while fixing a related failure.
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Do not allow an unprivileged user to reset superuser-only parameter settings (Álvaro Herrera)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change.
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom Lane)
In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message.
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Update pl/perl's ppport.h for modern Perl versions (Andrew Dunstan)
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Fix assorted memory leaks in pl/python (Andreas Freund, Tom Lane)
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25) Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom Lane)
(8.2.17,8.4.4,8.3.11) Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom Lane)
Addition of spaces around the decimal point in a numeric literal would result in a syntax error.
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara)
(8.2.17,8.4.4,8.3.11,8.1.21,8.0.25,7.4.29) Make server startup deal properly with the case that
shmget()
returns EINVAL for an existing shared memory segment
(Tom Lane)
This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large.
(8.2.17,8.4.4,8.3.11) Avoid possible crashes in syslogger process on Windows (Heikki Linnakangas)
(8.2.17,8.4.4,8.3.11) Deal more robustly with incomplete time zone information in the Windows registry (Magnus Hagander)
(8.2.17,8.4.4,8.3.11) Update the set of known Windows time zone names (Magnus Hagander)
(8.2.17,8.4.4,8.3.11) Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan.
Also, add PKST (Pakistan Summer Time) to the default set of timezone abbreviations.
Release date: 2010-03-15
This release contains a variety of fixes from 8.2.15. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24,7.4.28) Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus Hagander)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches forCVE-2009-3555 or CVE-2009-3555 that cause renegotiation attempts to fail.
(8.2.16,8.4.3,8.3.10) Fix possible deadlock during backend startup (Tom Lane)
(8.2.16,8.4.3,8.3.10) Fix possible crashes due to not handling errors during relcache reload cleanly (Tom Lane)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Fix possible crashes when trying to recover from a failure in subtransaction start (Tom Lane)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom Lane)
(8.2.16,8.4.3,8.3.10) Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai)
This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion.
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24,7.4.28) Make substring()
for bit types treat any negative length as meaning
"all the rest of the string" (Tom Lane)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash CVE-2010-0442 or CVE-2010-0442).
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom Lane)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24,7.4.28) Fix some cases of pathologically slow regular expression matching (Tom Lane)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro)
(8.2.16,8.4.3,8.3.10,8.1.20) Fix some more cases of temporary-file leakage (Heikki Linnakangas)
This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler.
(8.2.16,8.4.3,8.3.10) Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a "bool_column = false" constraint (Tom Lane)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24,7.4.28) When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom Lane)
This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct.
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24,7.4.28) Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom Lane)
(8.2.16,8.4.3,8.3.10) Fix possible infinite loop if SSL_read
or SSL_write
fails without setting errno (Tom Lane)
This is reportedly possible with some Windows versions of openssl.
(8.2.16,8.4.3,8.3.10,8.1.20) Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki Linnakangas)
(8.2.16,8.4.3,8.3.10) Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce Momjian)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Fix plpgsql failure in one case where a composite column is set to NULL (Tom Lane)
(8.2.16,8.4.3,8.3.10) Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24,7.4.28) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom Lane)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24,7.4.28) Prevent crash in contrib/dblink when
too many key columns are specified to a dblink_build_sql_*
function (Rushabh Lathia, Joe
Conway)
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom Lane)
(8.2.16,8.4.3,8.3.10) Make building of contrib/xml2 more robust on Windows (Andrew Dunstan)
(8.2.16,8.4.3,8.3.10) Fix race condition in Windows signal handling (Radu Ilie)
One known symptom of this bug is that rows in pg_listener could be dropped under heavy load.
(8.2.16,8.4.3,8.3.10,8.1.20,8.0.24) Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa.
Release date: 2009-12-14
This release contains a variety of fixes from 8.2.14. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.14, see Version 8.2.14.
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom Lane)
This change prevents allegedly-immutable index functions from possibly subverting a superuser's session CVE-2009-4136 or CVE-2009-4136).
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus Hagander)
This prevents unintended matching of a certificate to a server or client name during SSL validation CVE-2009-4034 or CVE-2009-4034).
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Fix possible crash during backend-startup-time cache initialization (Tom Lane)
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Prevent signals from interrupting VACUUM at unsafe times (Álvaro Herrera)
This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table.
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Fix possible crash due to integer overflow in hash table size calculation (Tom Lane)
This could occur with extremely large planner estimates for the size of a hashjoin's result.
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Fix very rare crash in inet/cidr comparisons (Chris Mikkelson)
(8.2.15,8.4.2,8.3.9,8.1.19) Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki Linnakangas)
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23) Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki Linnakangas)
(8.2.15,8.4.2,8.3.9) Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey)
(8.2.15,8.4.2,8.3.9) Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki Linnakangas)
It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software.
(8.2.15,8.4.2,8.3.9) Ensure WAL files aren't repeatedly archived on Windows (Heikki Linnakangas)
This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file.
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Fix PAM password processing to be more robust (Tom Lane)
The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
(8.2.15,8.4.2,8.3.9,8.1.19) Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom Lane)
(8.2.15,8.4.2,8.3.9) Fix bug with calling plperl from plperlu or vice versa (Tom Lane)
An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function.
(8.2.15,8.4.2,8.3.9) Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom Lane)
(8.2.15,8.4.2,8.3.9,8.1.19) Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen)
This worked correctly already for non-set-returning functions.
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23) Fix rare crash in exception processing in PL/Python (Peter T. Mount)
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23) Ensure psql's flex module is compiled with the correct system header definitions (Tom Lane)
This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code.
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23,7.4.27) Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom Lane)
(8.2.15,8.3.9) Update the timezone abbreviation files to match current reality (Joachim Wieland)
This includes adding IDT and SGT to the default timezone abbreviation set.
(8.2.15,8.4.2,8.3.9,8.1.19,8.0.23) Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong.
Release date: 2009-09-09
This release contains a variety of fixes from 8.2.13. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you have any hash indexes on interval columns, you must REINDEX them after updating to 8.2.14. Also, if you are upgrading from a version earlier than 8.2.11, see Version 8.2.11.
(8.2.14,8.3.8) Force WAL segment switch during pg_start_backup()
(Heikki Linnakangas)
This avoids corner cases that could render a base backup unusable.
(8.2.14,8.4.1,8.3.8,8.1.18,8.0.22,7.4.26) Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom Lane, Heikki Linnakangas)
This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (SeeCVE-2007-6600 or CVE-2007-6600)
(8.2.14,8.4.1,8.3.8) Make LOAD of an already-loaded loadable module into a no-op (Tom Lane)
Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful.
(8.2.14,8.3.8) Disallow empty passwords during LDAP authentication (Magnus Hagander)
(8.2.14,8.3.8,8.1.18,8.0.22,7.4.26) Fix handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function (Tom Lane)
(8.2.14,8.3.8) Fix bugs associated with fetching a whole-row value from the output of a Sort or Materialize plan node (Tom Lane)
(8.2.14,8.3.8) Revert planner change that disabled partial-index and constraint exclusion optimizations when there were more than 100 clauses in an AND or OR list (Tom Lane)
(8.2.14,8.3.8,8.1.18,8.0.22,7.4.26) Fix hash calculation for data type interval (Tom Lane)
This corrects wrong results for hash joins on interval values. It also changes the contents of hash indexes on interval columns. If you have any such indexes, you must REINDEX them after updating.
(8.2.14,8.4.1,8.3.8,8.1.18,8.0.22) Treat to_char(..., 'TH')
as an
uppercase ordinal suffix with 'HH'/'HH12' (Heikki Linnakangas)
It was previously handled as 'th' (lowercase).
(8.2.14,8.4.1,8.3.8,8.1.18,8.0.22,7.4.26) Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker)
(8.2.14,8.3.8,8.1.18,8.0.22,7.4.26) Fix calculation of distance between a point and a line segment (Tom Lane)
This led to incorrect results from a number of geometric operators.
(8.2.14,8.3.8,8.1.18,8.0.22,7.4.26) Fix money data type to work in locales where currency amounts have no fractional digits, e.g. Japan (Itagaki Takahiro)
(8.2.14,8.3.8,8.1.18,8.0.22,7.4.26) Properly round datetime input like 00:12:57.9999999999999999999999999999 (Tom Lane)
(8.2.14,8.3.8,8.1.18,8.0.22,7.4.26) Fix poor choice of page split point in GiST R-tree operator classes (Teodor Sigaev)
(8.2.14,8.3.8) Avoid performance degradation in bulk inserts into GIN indexes when the input values are (nearly) in sorted order (Tom Lane)
(8.2.14,8.3.8) Correctly enforce NOT NULL domain constraints in some contexts in PL/pgSQL (Tom Lane)
(8.2.14,8.3.8,8.1.18,8.0.22,7.4.26) Fix portability issues in plperl initialization (Andrew Dunstan)
(8.2.14,8.4.1,8.3.8,8.1.18,8.0.22) Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis)
(8.2.14,8.3.8) Make contrib/hstore throw an error when a key or value is too long to fit in its data structure, rather than silently truncating it (Andrew Gierth)
(8.2.14,8.4.1,8.3.8,8.1.18,8.0.22) Fix contrib/xml2's xslt_process()
to properly handle the maximum
number of parameters (twenty) (Tom Lane)
(8.2.14,8.4.1,8.3.8,8.1.18,8.0.22,7.4.26) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom Lane)
(8.2.14,8.4.1,8.3.8,8.1.18,8.0.22,7.4.26) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala)
(8.2.14,8.3.8,8.1.18,8.0.22) Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Jordan, Pakistan, Argentina/San_Luis, Cuba, Jordan (historical correction only), Mauritius, Morocco, Palestine, Syria, Tunisia.
Release date: 2009-03-16
This release contains a variety of fixes from 8.2.12. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.11, see Version 8.2.11.
(8.2.13,8.3.7,8.1.17,8.0.21,7.4.25) Prevent error recursion crashes when encoding conversion fails (Tom Lane)
This change extends fixes made in the last two minor releases for related failure scenarios. The previous fixes were narrowly tailored for the original problem reports, but we have now recognized that any error thrown by an encoding conversion function could potentially lead to infinite recursion while trying to report the error. The solution therefore is to disable translation and encoding conversion and report the plain-ASCII form of any error message, if we find we have gotten into a recursive error reporting situation. CVE-2009-0922 or CVE-2009-0922)
(8.2.13,8.3.7,8.1.17,8.0.21,7.4.25) Disallow CREATE CONVERSION with the wrong encodings for the specified conversion function (Heikki Linnakangas)
This prevents one possible scenario for encoding conversion failure. The previous change is a backstop to guard against other kinds of failures in the same area.
(8.2.13,8.3.7,8.1.17,8.0.21,7.4.25) Fix core dump when to_char()
is
given format codes that are inappropriate for the type of the data
argument (Tom Lane)
(8.2.13) Fix possible failure in contrib/tsearch2 when C locale is used with a multi-byte encoding (Teodor Sigaev)
Crashes were possible on platforms where wchar_t is narrower than int; Windows in particular.
(8.2.13) Fix extreme inefficiency in contrib/tsearch2 parser's handling of an email-like string containing multiple @ characters (Heikki Linnakangas)
(8.2.13,8.3.7,8.1.17) Fix decompilation of CASE WHEN with an implicit coercion (Tom Lane)
This mistake could lead to Assert failures in an Assert-enabled build, or an "unexpected CASE WHEN clause" error message in other cases, when trying to examine or dump a view.
(8.2.13,8.3.7,8.1.17) Fix possible misassignment of the owner of a TOAST table's rowtype (Tom Lane)
If CLUSTER or a rewriting variant of ALTER TABLE were executed by someone other than the table owner, the pg_type entry for the table's TOAST table would end up marked as owned by that someone. This caused no immediate problems, since the permissions on the TOAST rowtype aren't examined by any ordinary database operation. However, it could lead to unexpected failures if one later tried to drop the role that issued the command (in 8.1 or 8.2), or "owner of data type appears to be invalid" warnings from pg_dump after having done so (in 8.3).
(8.2.13,8.3.7) Fix PL/pgSQL to not treat INTO after INSERT as an INTO-variables clause anywhere in the string, not only at the start; in particular, don't fail for INSERT INTO within CREATE RULE (Tom Lane)
(8.2.13,8.3.7,8.1.17) Clean up PL/pgSQL error status variables fully at block exit (Ashesh Vashi and Dave Page)
This is not a problem for PL/pgSQL itself, but the omission could cause the PL/pgSQL Debugger to crash while examining the state of a function.
(8.2.13,8.3.7) Retry failed calls to CallNamedPipe()
on Windows (Steve Marshall,
Magnus Hagander)
It appears that this function can sometimes fail transiently; we previously treated any failure as a hard error, which could confuse LISTEN/NOTIFY as well as other operations.
(8.2.13,8.3.7,8.1.17,8.0.21,7.4.25) Add MUST (Mauritius Island Summer Time) to the default list of known timezone abbreviations (Xavier Bugaud)
Release date: 2009-02-02
This release contains a variety of fixes from 8.2.11. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.11, see Version 8.2.11.
(8.2.12,8.3.6,8.1.16,8.0.20,7.4.24) Improve handling of URLs in headline()
function (Teodor Sigaev)
(8.2.12,8.3.6,8.1.16,8.0.20,7.4.24) Improve handling of overlength headlines in headline()
function (Teodor Sigaev)
(8.2.12,8.3.6,8.1.16,8.0.20,7.4.24) Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom Lane, Heikki Linnakangas)
(8.2.12,8.3.6) Fix possible Assert failure if a statement executed in PL/pgSQL is rewritten into another kind of statement, for example if an INSERT is rewritten into an UPDATE (Heikki Linnakangas)
(8.2.12,8.3.6) Ensure that a snapshot is available to datatype input functions (Tom Lane)
This primarily affects domains that are declared with CHECK constraints involving user-defined stable or immutable functions. Such functions typically fail if no snapshot has been set.
(8.2.12,8.3.6) Make it safer for SPI-using functions to be used within datatype I/O; in particular, to be used in domain check constraints (Tom Lane)
(8.2.12,8.3.6,8.1.16,8.0.20,7.4.24) Avoid unnecessary locking of small tables in VACUUM (Heikki Linnakangas)
(8.2.12,8.3.6) Fix a problem that made UPDATE RETURNING tableoid return zero instead of the correct OID (Tom Lane)
(8.2.12,8.3.6) Fix planner misestimation of selectivity when transitive equality is applied to an outer-join clause (Tom Lane)
This could result in bad plans for queries like ... from a left join b on a.a1 = b.b1 where a.a1 = 42 ...
(8.2.12,8.3.6) Improve optimizer's handling of long IN lists (Tom Lane)
This change avoids wasting large amounts of time on such lists when constraint exclusion is enabled.
(8.2.12,8.3.6,8.1.16) Ensure that the contents of a holdable cursor don't depend on the contents of TOAST tables (Tom Lane)
Previously, large field values in a cursor result might be represented as TOAST pointers, which would fail if the referenced table got dropped before the cursor is read, or if the large value is deleted and then vacuumed away. This cannot happen with an ordinary cursor, but it could with a cursor that is held past its creating transaction.
(8.2.12,8.3.6) Fix memory leak when a set-returning function is terminated without reading its whole result (Tom Lane)
(8.2.12,8.3.6) Fix contrib/dblink's dblink_get_result(text,bool)
function (Joe Conway)
(8.2.12,8.3.6) Fix possible garbage output from contrib/sslinfo functions (Tom Lane)
(8.2.12,8.3.6,8.1.16) Fix configure script to properly report failure when unable to obtain linkage information for PL/Perl (Andrew Dunstan)
(8.2.12,8.3.6,8.1.16,8.0.20,7.4.24) Make all documentation reference pgsql-bugs and/or pgsql-hackers as appropriate, instead of the now-decommissioned pgsql-ports and pgsql-patches mailing lists (Tom Lane)
(8.2.12,8.3.6,8.1.16,8.0.20) Update time zone data files to tzdata release 2009a (for Kathmandu and historical DST corrections in Switzerland, Cuba)
Release date: 2008-11-03
This release contains a variety of fixes from 8.2.10. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.7, see Version 8.2.7. Also, if you were running a previous 8.2.X release, it is recommended to REINDEX all GiST indexes after the upgrade.
(8.2.11,8.3.5,8.1.15) Fix GiST index corruption due to marking the wrong index entry "dead" after a deletion (Teodor Sigaev)
This would result in index searches failing to find rows they should have found. Corrupted indexes can be fixed with REINDEX.
(8.2.11,8.3.5,8.1.15,8.0.19,7.4.23) Fix backend crash when the client encoding cannot represent a localized error message (Tom Lane)
We have addressed similar issues before, but it would still fail if the "character has no equivalent" message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation.
(8.2.11,8.3.5,8.1.15,8.0.19) Fix possible crash when deeply nested functions are invoked from a trigger (Tom Lane)
(8.2.11,8.3.5) Improve optimization of expression IN (expression-list) queries (Tom Lane, per an idea from Robert Haas)
Cases in which there are query variables on the right-hand side had been handled less efficiently in 8.2.x and 8.3.x than in prior versions. The fix restores 8.1 behavior for such cases.
(8.2.11,8.3.5,8.1.15) Fix mis-expansion of rule queries when a sub-SELECT appears in a function call in FROM, a multi-row VALUES list, or a RETURNING list (Tom Lane)
The usual symptom of this problem is an "unrecognized node type" error.
(8.2.11,8.3.5) Fix memory leak during rescan of a hashed aggregation plan (Neil Conway)
(8.2.11,8.3.5,8.1.15,8.0.19) Ensure an error is reported when a newly-defined PL/pgSQL trigger function is invoked as a normal function (Tom Lane)
(8.2.11,8.3.5,8.1.15) Prevent possible collision of relfilenode numbers when moving a table to another tablespace with ALTER SET TABLESPACE (Heikki Linnakangas)
The command tried to re-use the existing filename, instead of picking one that is known unused in the destination directory.
(8.2.11,8.1.15,8.0.19,7.4.23) Fix incorrect tsearch2 headline generation when single query item matches first word of text (Sushant Sinha)
(8.2.11,8.3.5,8.1.15,8.0.19,7.4.23) Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build (Ron Mayer)
(8.2.11,8.3.5,8.1.15,8.0.19,7.4.23) Ensure SPI_getvalue
and
SPI_getbinval
behave correctly when
the passed tuple and tuple descriptor have different numbers of
columns (Tom Lane)
This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication.
(8.2.11,8.3.5,8.1.15) Fix ecpg's parsing of CREATE ROLE (Michael Meskes)
(8.2.11,8.3.5,8.1.15,8.0.19) Fix recent breakage of pg_ctl restart (Tom Lane)
(8.2.11,8.3.5) Ensure pg_control is opened in binary mode (Itagaki Takahiro)
pg_controldata and pg_resetxlog did this incorrectly, and so could fail on Windows.
(8.2.11,8.3.5,8.1.15,8.0.19) Update time zone data files to tzdata release 2008i (for DST law changes in Argentina, Brazil, Mauritius, Syria)
Release date: 2008-09-22
This release contains a variety of fixes from 8.2.9. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.7, see Version 8.2.7.
(8.2.10,8.3.4) Fix bug in btree WAL recovery code (Heikki Linnakangas)
Recovery failed if the WAL ended partway through a page split operation.
(8.2.10,8.3.4) Fix potential miscalculation of datfrozenxid (Álvaro Herrera)
This error may explain some recent reports of failure to remove old pg_clog data.
(8.2.10,8.3.4,8.1.14,8.0.18) Widen local lock counters from 32 to 64 bits (Tom Lane)
This responds to reports that the counters could overflow in sufficiently long transactions, leading to unexpected "lock is already held" errors.
(8.2.10,8.3.4,8.1.14) Fix possible duplicate output of tuples during a GiST index scan (Teodor Sigaev)
(8.2.10,8.3.4) Fix missed permissions checks when a view contains a simple UNION ALL construct (Heikki Linnakangas)
Permissions for the referenced tables were checked properly, but not permissions for the view itself.
(8.2.10,8.1.14,8.0.18) Add checks in executor startup to ensure that the tuples produced by an INSERT or UPDATE will match the target table's current rowtype (Tom Lane)
ALTER COLUMN TYPE, followed by re-use of a previously cached plan, could produce this type of situation. The check protects against data corruption and/or crashes that could ensue.
(8.2.10,8.3.4) Fix possible repeated drops during DROP OWNED (Tom Lane)
This would typically result in strange errors such as "cache lookup failed for relation NNN".
(8.2.10,8.3.4,8.1.14) Fix AT TIME ZONE to first try to interpret its timezone argument as a timezone abbreviation, and only try it as a full timezone name if that fails, rather than the other way around as formerly (Tom Lane)
The timestamp input functions have always resolved ambiguous zone names in this order. Making AT TIME ZONE do so as well improves consistency, and fixes a compatibility bug introduced in 8.1: in ambiguous cases we now behave the same as 8.0 and before did, since in the older versions AT TIME ZONE accepted only abbreviations.
(8.2.10,8.3.4,8.1.14,8.0.18,7.4.22) Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom Lane)
(8.2.10,8.3.4) Prevent integer overflows during units conversion when displaying a configuration parameter that has units (Tom Lane)
(8.2.10,8.3.4,8.1.14,8.0.18,7.4.22) Improve performance of writing very long log messages to syslog (Tom Lane)
(8.2.10,8.3.4) Allow spaces in the suffix part of an LDAP URL in pg_hba.conf (Tom Lane)
(8.2.10,8.3.4,8.1.14,8.0.18,7.4.22) Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom Lane)
(8.2.10,8.3.4,8.1.14) Fix planner bug with nested sub-select expressions (Tom Lane)
If the outer sub-select has no direct dependency on the parent query, but the inner one does, the outer value might not get recalculated for new parent query rows.
(8.2.10,8.3.4,8.1.14) Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom Lane)
This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL.
(8.2.10,8.3.4,8.1.14) Fix PL/pgSQL to not fail when a FOR loop's target variable is a record containing composite-type fields (Tom Lane)
(8.2.10,8.3.4,8.1.14,8.0.18) Fix PL/Tcl to behave correctly with Tcl 8.5, and to be more careful about the encoding of data sent to or from Tcl (Tom Lane)
(8.2.10,8.3.4) On Windows, work around a Microsoft bug by preventing libpq from trying to send more than 64kB per system call (Magnus Hagander)
(8.2.10,8.3.4,8.1.14,8.0.18,7.4.22) Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom Lane)
(8.2.10,8.3.4,8.1.14,8.0.18) Fix pg_ctl to properly preserve postmaster command-line arguments across a restart (Bruce Momjian)
(8.2.10,8.3.4,8.1.14,8.0.18) Update time zone data files to tzdata release 2008f (for DST law changes in Argentina, Bahamas, Brazil, Mauritius, Morocco, Pakistan, Palestine, and Paraguay)
Release date: 2008-06-12
This release contains one serious and one minor bug fix over 8.2.8. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.7, see Version 8.2.7.
(8.2.9,8.3.3,8.1.13,8.0.17,7.4.21) Make pg_get_ruledef()
parenthesize
negative constants (Tom Lane)
Before this fix, a negative constant in a view or rule might be dumped as, say, -42::integer, which is subtly incorrect: it should be (-42)::integer due to operator precedence rules. Usually this would make little difference, but it could interact with another recent patch to cause PostgreSQL to reject what had been a valid SELECT DISTINCT view query. Since this could result in pg_dump output failing to reload, it is being treated as a high-priority fix. The only released versions in which dump output is actually incorrect are 8.3.1 and 8.2.7.
(8.2.9,8.3.3,8.1.13) Make ALTER AGGREGATE ... OWNER TO update pg_shdepend (Tom Lane)
This oversight could lead to problems if the aggregate was later involved in a DROP OWNED or REASSIGN OWNED operation.
Release date: never released
This release contains a variety of fixes from 8.2.7. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, if you are upgrading from a version earlier than 8.2.7, see Version 8.2.7.
(8.2.8,8.3.2) Fix ERRORDATA_STACK_SIZE exceeded crash that occurred on Windows when using UTF-8 database encoding and a different client encoding (Tom Lane)
(8.2.8,8.3.2,8.1.12,8.0.16) Fix ALTER TABLE ADD COLUMN ... PRIMARY KEY so that the new column is correctly checked to see if it's been initialized to all non-nulls (Brendan Jurd)
Previous versions neglected to check this requirement at all.
(8.2.8,8.3.2,8.1.12,8.0.16) Fix possible CREATE TABLE failure when inheriting the "same" constraint from multiple parent relations that inherited that constraint from a common ancestor (Tom Lane)
(8.2.8,8.3.2) Fix pg_get_ruledef()
to show the
alias, if any, attached to the target table of an UPDATE or DELETE (Tom Lane)
(8.2.8,8.3.2) Fix GIN bug that could result in a too many LWLocks taken failure (Teodor Sigaev)
(8.2.8,8.3.2) Avoid possible crash when decompressing corrupted data (Zdenek Kotala)
(8.2.8,8.3.2) Repair two places where SIGTERM exit of a backend could leave corrupted state in shared memory (Tom Lane)
Neither case is very important if SIGTERM is used to shut down the whole database cluster together, but there was a problem if someone tried to SIGTERM individual backends.
(8.2.8,8.3.2,8.1.12,8.0.16,7.4.20) Fix conversions between ISO-8859-5 and other encodings to handle Cyrillic "Yo" characters (e and E with two dots) (Sergey Burladyan)
(8.2.8,8.3.2) Fix several datatype input functions, notably array_in()
, that were allowing unused bytes in
their results to contain uninitialized, unpredictable values
(Tom Lane)
This could lead to failures in which two apparently identical literal values were not seen as equal, resulting in the parser complaining about unmatched ORDER BY and DISTINCT expressions.
(8.2.8,8.3.2,8.1.12,8.0.16,7.4.20) Fix a corner case in regular-expression substring matching (substring(string from pattern)) (Tom Lane)
The problem occurs when there is a match to the pattern overall but the user has specified a parenthesized subexpression and that subexpression hasn't got a match. An example is substring('foo' from 'foo(bar)?'). This should return NULL, since (bar) isn't matched, but it was mistakenly returning the whole-pattern match instead (ie, foo).
(8.2.8,8.3.2) Update time zone data files to tzdata release 2008c (for DST law changes in Morocco, Iraq, Choibalsan, Pakistan, Syria, Cuba, and Argentina/San_Luis)
(8.2.8,8.3.2,8.1.12,8.0.16,7.4.20) Fix incorrect result from ecpg's PGTYPEStimestamp_sub()
function (Michael Meskes)
(8.2.8) Fix broken GiST comparison function for contrib/tsearch2's tsquery type (Teodor Sigaev)
(8.2.8,8.3.2) Fix possible crashes in contrib/cube functions (Tom Lane)
(8.2.8,8.3.2,8.1.12,8.0.16) Fix core dump in contrib/xml2's
xpath_table()
function when the input
query returns a NULL value (Tom Lane)
(8.2.8,8.1.12,8.0.16) Fix contrib/xml2's makefile to not override CFLAGS (Tom Lane)
(8.2.8,8.1.12,8.0.16,7.4.20) Fix DatumGetBool macro to not fail with gcc 4.3 (Tom Lane)
This problem affects "old style" (V0) C functions that return boolean. The fix is already in 8.3, but the need to back-patch it was not realized at the time.
Release date: 2008-03-17
This release contains a variety of fixes from 8.2.6. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X. However, you might need to REINDEX indexes on textual columns after updating, if you are affected by the Windows locale issue described below.
(8.2.7,8.3.1) Fix character string comparison for Windows locales that consider different character combinations as equal (Tom Lane)
This fix applies only on Windows and only when using UTF-8 database encoding. The same fix was made for all other cases over two years ago, but Windows with UTF-8 uses a separate code path that was not updated. If you are using a locale that considers some non-identical strings as equal, you may need to REINDEX to fix existing indexes on textual columns.
(8.2.7) Repair potential deadlock between concurrent VACUUM FULL operations on different system catalogs (Tom Lane)
(8.2.7,8.3.1,8.1.12,8.0.16,7.4.20) Fix longstanding LISTEN/NOTIFY race condition (Tom Lane)
In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later.
A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior.
(8.2.7,8.3.1,8.1.12) Disallow LISTEN and UNLISTEN within a prepared transaction (Tom Lane)
This was formerly allowed but trying to do it had various unpleasant consequences, notably that the originating backend could not exit as long as an UNLISTEN remained uncommitted.
(8.2.7) Disallow dropping a temporary table within a prepared transaction (Heikki Linnakangas)
This was correctly disallowed by 8.1, but the check was inadvertently broken in 8.2.
(8.2.7,8.3.1,8.1.12,8.0.16) Fix rare crash when an error occurs during a query using a hash index (Heikki Linnakangas)
(8.2.7,8.3.1) Fix memory leaks in certain usages of set-returning functions (Neil Conway)
(8.2.7,8.3.1,8.1.12,8.0.16) Fix input of datetime values for February 29 in years BC (Tom Lane)
The former coding was mistaken about which years were leap years.
(8.2.7,8.3.1,8.1.12,8.0.16) Fix "unrecognized node type" error in some variants of ALTER OWNER (Tom Lane)
(8.2.7,8.3.1) Ensure pg_stat_activity.waiting flag is cleared when a lock wait is aborted (Tom Lane)
(8.2.7,8.3.1) Fix handling of process permissions on Windows Vista (Dave Cramer, Magnus Hagander)
In particular, this fix allows starting the server as the Administrator user.
(8.2.7,8.3.1) Update time zone data files to tzdata release 2008a (in particular, recent Chile changes); adjust timezone abbreviation VET (Venezuela) to mean UTC-4:30, not UTC-4:00 (Tom Lane)
(8.2.7,8.3.1,8.1.12,8.0.16) Fix pg_ctl to correctly extract the postmaster's port number from command-line options (Itagaki Takahiro, Tom Lane)
Previously, pg_ctl start -w could try to contact the postmaster on the wrong port, leading to bogus reports of startup failure.
(8.2.7,8.3.1,8.1.12,8.0.16) Use -fwrapv to defend against possible misoptimization in recent gcc versions (Tom Lane)
This is known to be necessary when building PostgreSQL with gcc 4.3 or later.
(8.2.7) Correctly enforce statement_timeout values longer than INT_MAX microseconds (about 35 minutes) (Tom Lane)
This bug affects only builds with --enable-integer-datetimes.
(8.2.7) Fix "unexpected PARAM_SUBLINK ID" planner error when constant-folding simplifies a sub-select (Tom Lane)
(8.2.7) Fix logical errors in constraint-exclusion handling of IS NULL and NOT expressions (Tom Lane)
The planner would sometimes exclude partitions that should not have been excluded because of the possibility of NULL results.
(8.2.7) Fix another cause of "failed to build any N-way joins" planner errors (Tom Lane)
This could happen in cases where a clauseless join needed to be forced before a join clause could be exploited.
(8.2.7) Fix incorrect constant propagation in outer-join planning (Tom Lane)
The planner could sometimes incorrectly conclude that a variable could be constrained to be equal to a constant, leading to wrong query results.
(8.2.7,8.1.12,8.0.16,7.4.20) Fix display of constant expressions in ORDER BY and GROUP BY (Tom Lane)
An explicitly casted constant would be shown incorrectly. This could for example lead to corruption of a view definition during dump and reload.
(8.2.7,8.1.12,8.0.16,7.4.20) Fix libpq to handle NOTICE messages correctly during COPY OUT (Tom Lane)
This failure has only been observed to occur when a user-defined datatype's output routine issues a NOTICE, but there is no guarantee it couldn't happen due to other causes.
Release date: 2008-01-07
This release contains a variety of fixes from 8.2.5, including fixes for significant security issues. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X.
(8.2.6,8.1.11,8.0.15,7.4.19,7.3.21) Prevent functions in indexes from executing with the privileges of the user running VACUUM, ANALYZE, etc (Tom Lane)
Functions used in index expressions and partial-index predicates are evaluated whenever a new table entry is made. It has long been understood that this poses a risk of trojan-horse code execution if one modifies a table owned by an untrustworthy user. (Note that triggers, defaults, check constraints, etc. pose the same type of risk.) But functions in indexes pose extra danger because they will be executed by routine maintenance operations such as VACUUM FULL, which are commonly performed automatically under a superuser account. For example, a nefarious user can execute code with superuser privileges by setting up a trojan-horse index definition and waiting for the next routine vacuum. The fix arranges for standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) to execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. CVE-2007-6600 or CVE-2007-6600)
(8.2.6,8.1.11,8.0.15,7.4.19) Repair assorted bugs in the regular-expression package (Tom Lane, Will Drewry)
Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. CVE-2007-4769 or CVE-2007-4769,CVE-2007-4772 or CVE-2007-4772,CVE-2007-6067 or CVE-2007-6067)
(8.2.6) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
The fix that appeared for this in 8.2.5 was incomplete, as it plugged the hole for only some dblink functions. CVE-2007-6601 or CVE-2007-6601,CVE-2007-3278 or CVE-2007-3278)
(8.2.6) Fix bugs in WAL replay for GIN indexes (Teodor Sigaev)
(8.2.6) Fix GIN index build to work properly when maintenance_work_mem is 4GB or more (Tom Lane)
(8.2.6,8.1.11,8.0.15) Update time zone data files to tzdata release 2007k (in particular, recent Argentina changes) (Tom Lane)
(8.2.6,8.1.11) Improve planner's handling of LIKE/regex estimation in non-C locales (Tom Lane)
(8.2.6) Fix planning-speed problem for deep outer-join nests, as well as possible poor choice of join order (Tom Lane)
(8.2.6,8.1.11,8.0.15,7.4.19) Fix planner failure in some cases of WHERE false AND var IN (SELECT ...) (Tom Lane)
(8.2.6) Make CREATE TABLE ... SERIAL and
ALTER SEQUENCE ... OWNED BY not change the
currval()
state of the sequence
(Tom Lane)
(8.2.6) Preserve the tablespace and storage parameters of indexes that are rebuilt by ALTER TABLE ... ALTER COLUMN TYPE (Tom Lane)
(8.2.6,8.1.11,8.0.15) Make archive recovery always start a new WAL timeline, rather than only when a recovery stop time was used (Simon Riggs)
This avoids a corner-case risk of trying to overwrite an existing archived copy of the last WAL segment, and seems simpler and cleaner than the original definition.
(8.2.6,8.1.11,8.0.15) Make VACUUM not use all of maintenance_work_mem when the table is too small for it to be useful (Álvaro Herrera)
(8.2.6,8.1.11,8.0.15,7.4.19,7.3.21) Fix potential crash in translate()
when using a multibyte database encoding (Tom Lane)
(8.2.6) Make corr()
return the correct
result for negative correlation values (Neil Conway)
(8.2.6,8.1.11) Fix overflow in extract(epoch from interval) for intervals exceeding 68 years (Tom Lane)
(8.2.6,8.1.11) Fix PL/Perl to not fail when a UTF-8 regular expression is used in a trusted function (Andrew Dunstan)
(8.2.6,8.1.11,8.0.15) Fix PL/Perl to cope when platform's Perl defines type bool as int rather than char (Tom Lane)
While this could theoretically happen anywhere, no standard build of Perl did things this way ... until Mac OS X 10.5.
(8.2.6) Fix PL/Python to work correctly with Python 2.5 on 64-bit machines (Marko Kreen)
(8.2.6,8.1.11,8.0.15,7.4.19) Fix PL/Python to not crash on long exception messages (Álvaro Herrera)
(8.2.6,8.1.11,8.0.15) Fix pg_dump to correctly handle inheritance child tables that have default expressions different from their parent's (Tom Lane)
(8.2.6,8.1.11) Fix libpq crash when PGPASSFILE refers to a file that is not a plain file (Martin Pitt)
(8.2.6,8.1.11,8.0.15,7.4.19) ecpg parser fixes (Michael Meskes)
(8.2.6,8.1.11) Make contrib/pgcrypto defend against OpenSSL libraries that fail on keys longer than 128 bits; which is the case at least on some Solaris versions (Marko Kreen)
(8.2.6,8.1.11,8.0.15,7.4.19,7.3.21) Make contrib/tablefunc's crosstab()
handle NULL rowid as a category in its
own right, rather than crashing (Joe Conway)
(8.2.6,8.1.11,8.0.15,7.4.19) Fix tsvector and tsquery output routines to escape backslashes correctly (Teodor Sigaev, Bruce Momjian)
(8.2.6,8.1.11,8.0.15,7.4.19) Fix crash of to_tsvector()
on huge
input strings (Teodor Sigaev)
(8.2.6,8.1.11,8.0.15,7.4.19,7.3.21) Require a specific version of Autoconf to be used when re-generating the configure script (Peter T. Mount)
This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.
(8.2.6) Update gettimeofday
configuration
check so that PostgreSQL can be
built on newer versions of MinGW
(Magnus Hagander)
Release date: 2007-09-17
This release contains a variety of fixes from 8.2.4. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X.
(8.2.5,8.1.10,8.0.14,7.4.18,7.3.20) Prevent index corruption when a transaction inserts rows and then aborts close to the end of a concurrent VACUUM on the same table (Tom Lane)
(8.2.5) Fix ALTER DOMAIN ADD CONSTRAINT for cases involving domains over domains (Tom Lane)
(8.2.5,8.1.10,8.0.14,7.4.18,7.3.20) Make CREATE DOMAIN ... DEFAULT NULL work properly (Tom Lane)
(8.2.5) Fix some planner problems with outer joins, notably poor size estimation for t1 LEFT JOIN t2 WHERE t2.col IS NULL (Tom Lane)
(8.2.5,8.1.10) Allow the interval data type to accept input consisting only of milliseconds or microseconds (Neil Conway)
(8.2.5) Allow timezone name to appear before the year in timestamp input (Tom Lane)
(8.2.5) Fixes for GIN indexes used by /contrib/tsearch2 (Teodor Sigaev)
(8.2.5,8.1.10) Speed up rtree index insertion (Teodor Sigaev)
(8.2.5,8.1.10,8.0.14,7.4.18) Fix excessive logging of SSL error messages (Tom Lane)
(8.2.5,8.1.10,8.0.14) Fix logging so that log messages are never interleaved when using the syslogger process (Andrew Dunstan)
(8.2.5,8.1.10,8.0.14,7.4.18,7.3.20) Fix crash when log_min_error_statement logging runs out of memory (Tom Lane)
(8.2.5,8.1.10,8.0.14) Fix incorrect handling of some foreign-key corner cases (Tom Lane)
(8.2.5) Fix stddev_pop(numeric)
and
var_pop(numeric)
(Tom Lane)
(8.2.5,8.1.10) Prevent REINDEX and CLUSTER from failing due to attempting to process temporary tables of other sessions (Álvaro Herrera)
(8.2.5,8.1.10,8.0.14) Update the time zone database rules, particularly New Zealand's upcoming changes (Tom Lane)
(8.2.5) Windows socket and semaphore improvements (Magnus Hagander)
(8.2.5) Make pg_ctl -w work properly in Windows service mode (Dave Page)
(8.2.5) Fix memory allocation bug when using MIT Kerberos on Windows (Magnus Hagander)
(8.2.5,8.1.10,8.0.14) Suppress timezone name (%Z) in log timestamps on Windows because of possible encoding mismatches (Tom Lane)
(8.2.5,8.1.10,8.0.14,7.4.18,7.3.20) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
(8.2.5) Restrict /contrib/pgstattuple functions to superusers, for security reasons (Tom Lane)
(8.2.5) Do not let /contrib/intarray try to make its GIN opclass the default (this caused problems at dump/restore) (Tom Lane)
Release date: 2007-04-23
This release contains a variety of fixes from 8.2.3, including a security fix. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X.
(8.2.4,8.1.9,8.0.13,7.4.17,7.3.19) Support explicit placement of the temporary-table schema within search_path, and disable searching it for functions and operators (Tom Lane)
This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, an unprivileged SQL user can use temporary objects to execute code with the privileges of the security-definer function CVE-2007-2138 or CVE-2007-2138). See CREATE FUNCTION for more information.
(8.2.4) Fix shared_preload_libraries for Windows by forcing reload in each backend (Korry Douglas)
(8.2.4) Fix to_char()
so it properly
upper/lower cases localized day or month names (Pavel Stehule)
(8.2.4,8.1.9,8.0.13,7.4.17) /contrib/tsearch2 crash fixes (Teodor Sigaev)
(8.2.4,8.1.9) Require COMMIT PREPARED to be executed in the same database as the transaction was prepared in (Heikki Linnakangas)
(8.2.4) Allow pg_dump to do binary backups larger than two gigabytes on Windows (Magnus Hagander)
(8.2.4) New traditional (Taiwan) Chinese FAQ (Zhou Daojing)
(8.2.4) Prevent the statistics collector from writing to disk too frequently (Tom Lane)
(8.2.4,8.1.9,8.0.13,7.4.17,7.3.19) Fix potential-data-corruption bug in how VACUUM FULL handles UPDATE chains (Tom Lane, Pavan Deolasee)
(8.2.4) Fix bug in domains that use array types (Tom Lane)
(8.2.4) Fix pg_dump so it can dump a serial column's sequence using -t when not also dumping the owning table (Tom Lane)
(8.2.4,8.1.9) Planner fixes, including improving outer join and bitmap scan selection logic (Tom Lane)
(8.2.4) Fix possible wrong answers or crash when a PL/pgSQL function tries to RETURN from within an EXCEPTION block (Tom Lane)
(8.2.4) Fix PANIC during enlargement of a hash index (Tom Lane)
(8.2.4,8.1.9,8.0.13) Fix POSIX-style timezone specs to follow new USA DST rules (Tom Lane)
Release date: 2007-02-07
This release contains two fixes from 8.2.2. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X.
(8.2.3,8.1.8,8.0.12) Remove overly-restrictive check for type length in constraints and functional indexes (Tom Lane)
(8.2.3) Fix optimization so MIN/MAX in subqueries can again use indexes (Tom Lane)
Release date: 2007-02-05
This release contains a variety of fixes from 8.2.1, including a security fix. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.X.
(8.2.2,8.1.7,8.0.11) Remove security vulnerabilities that allowed connected users to read backend memory (Tom Lane)
The vulnerabilities involve suppressing the normal check that a SQL function returns the data type it's declared to, and changing the data type of a table column CVE-2007-0555 or CVE-2007-0555,CVE-2007-0556 or CVE-2007-0556). These errors can easily be exploited to cause a backend crash, and in principle might be used to read database content that the user should not be able to access.
(8.2.2) Fix not-so-rare-anymore bug wherein btree index page splits could fail due to choosing an infeasible split point (Heikki Linnakangas)
(8.2.2) Fix Borland C compile scripts (L Bayuk)
(8.2.2) Properly handle to_char('CC')
for
years ending in 00 (Tom Lane)
Year 2000 is in the twentieth century, not the twenty-first.
(8.2.2) /contrib/tsearch2 localization improvements (Tatsuo Ishii, Teodor Sigaev)
(8.2.2) Fix incorrect permission check in information_schema.key_column_usage view (Tom Lane)
The symptom is "relation with OID nnnnn does not exist" errors. To get this fix without using initdb, use CREATE OR REPLACE VIEW to install the corrected definition found in share/information_schema.sql. Note you will need to do this in each database.
(8.2.2,8.1.7) Improve VACUUM performance for databases with many tables (Tom Lane)
(8.2.2,8.1.7,8.0.11,7.4.16) Fix for rare Assert() crash triggered by UNION (Tom Lane)
(8.2.2) Fix potentially incorrect results from index searches using ROW inequality conditions (Tom Lane)
(8.2.2,8.1.7,8.0.11,7.4.16,7.3.18) Tighten security of multi-byte character processing for UTF8 sequences over three bytes long (Tom Lane)
(8.2.2,8.1.7) Fix bogus "permission denied" failures occurring on Windows due to attempts to fsync already-deleted files (Magnus Hagander, Tom Lane)
(8.2.2) Fix bug that could cause the statistics collector to hang on Windows (Magnus Hagander)
This would in turn lead to autovacuum not working.
(8.2.2,8.1.7) Fix possible crashes when an already-in-use PL/pgSQL function is updated (Tom Lane)
(8.2.2) Improve PL/pgSQL handling of domain types (Sergiy Vyshnevetskiy, Tom Lane)
(8.2.2) Fix possible errors in processing PL/pgSQL exception blocks (Tom Lane)
Release date: 2007-01-08
This release contains a variety of fixes from 8.2. For information about new features in the 8.2 major release, see Version 8.2.0.
A dump/restore is not required for those running 8.2.
(8.2.1) Fix crash with SELECT ... LIMIT ALL (also LIMIT NULL) (Tom Lane)
(8.2.1) Several /contrib/tsearch2 fixes (Teodor Sigaev)
(8.2.1) On Windows, make log messages coming from the operating system use ASCII encoding (Hiroshi Saito)
This fixes a conversion problem when there is a mismatch between the encoding of the operating system and database server.
(8.2.1) Fix Windows linking of pg_dump using win32.mak (Hiroshi Saito)
(8.2.1) Fix planner mistakes for outer join queries (Tom Lane)
(8.2.1) Fix several problems in queries involving sub-SELECTs (Tom Lane)
(8.2.1) Fix potential crash in SPI during subtransaction abort (Tom Lane)
This affects all PL functions since they all use SPI.
(8.2.1) Improve build speed of PDF documentation (Peter T. Mount)
(8.2.1) Re-add JST (Japan) timezone abbreviation (Tom Lane)
(8.2.1) Improve optimization decisions related to index scans (Tom Lane)
(8.2.1) Have psql print multi-byte combining characters as before, rather than output as \u (Tom Lane)
(8.2.1,8.1.6,8.0.10,7.4.15,7.3.17) Improve index usage of regular expressions that use parentheses (Tom Lane)
This improves psql \d performance also.
(8.2.1) Make pg_dumpall assume that databases have public CONNECT privilege, when dumping from a pre-8.2 server (Tom Lane)
This preserves the previous behavior that anyone can connect to a database if allowed by pg_hba.conf.
Release date: 2006-12-05
This release adds many functionality and performance improvements that were requested by users, including:
(8.2.0) Query language enhancements including INSERT/UPDATE/DELETE RETURNING, multirow VALUES lists, and optional target-table alias in UPDATE/DELETE
(8.2.0) Index creation without blocking concurrent INSERT/UPDATE/DELETE operations
(8.2.0) Many query optimization improvements, including support for reordering outer joins
(8.2.0) Improved sorting performance with lower memory usage
(8.2.0) More efficient locking with better concurrency
(8.2.0) More efficient vacuuming
(8.2.0) Easier administration of warm standby servers
(8.2.0) New FILLFACTOR support for tables and indexes
(8.2.0) Monitoring, logging, and performance tuning additions
(8.2.0) More control over creating and dropping objects
(8.2.0) Table inheritance relationships can be defined for and removed from pre-existing tables
(8.2.0) COPY TO can copy the output of an arbitrary SELECT statement
(8.2.0) Array improvements, including nulls in arrays
(8.2.0) Aggregate-function improvements, including multiple-input aggregates and SQL:2003 statistical functions
(8.2.0) Many contrib/ improvements
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Observe the following incompatibilities:
(8.2.0) Set escape_string_warning to on by default (Bruce Momjian)
This issues a warning if backslash escapes are used in non-escape (non-E'') strings.
(8.2.0) Change the row constructor syntax (ROW(...)) so that list elements foo.* will be expanded to a list of their member fields, rather than creating a nested row type field as formerly (Tom Lane)
The new behavior is substantially more useful since it allows, for example, triggers to check for data changes with IF row(new.*) IS DISTINCT FROM row(old.*). The old behavior is still available by omitting .*.
(8.2.0) Make row comparisons follow SQL standard semantics and allow them to be used in index scans (Tom Lane)
Previously, row = and <> comparisons followed the standard but < <= > >= did not. A row comparison can now be used as an index constraint for a multicolumn index matching the row value.
(8.2.0) Make row IS [NOT] NULL tests follow SQL standard semantics (Tom Lane)
The former behavior conformed to the standard for simple cases with IS NULL, but IS NOT NULL would return true if any row field was non-null, whereas the standard says it should return true only when all fields are non-null.
(8.2.0) Make SET CONSTRAINT affect only one constraint (Kris Jurka)
In previous releases, SET CONSTRAINT modified all constraints with a matching name. In this release, the schema search path is used to modify only the first matching constraint. A schema specification is also supported. This more nearly conforms to the SQL standard.
(8.2.0) Remove RULE permission for tables, for security reasons (Tom Lane)
As of this release, only a table's owner can create or modify rules for the table. For backwards compatibility, GRANT/REVOKE RULE is still accepted, but it does nothing.
(8.2.0) Array comparison improvements (Tom Lane)
Now array dimensions are also compared.
(8.2.0) Change array concatenation to match documented behavior (Tom Lane)
This changes the previous behavior where concatenation would modify the array lower bound.
(8.2.0) Make command-line options of postmaster and postgres identical (Peter T. Mount)
This allows the postmaster to pass arguments to each backend without using -o. Note that some options are now only available as long-form options, because there were conflicting single-letter options.
(8.2.0) Deprecate use of postmaster symbolic link (Peter T. Mount)
postmaster and postgres commands now act identically, with the behavior determined by command-line options. The postmaster symbolic link is kept for compatibility, but is not really needed.
(8.2.0) Change log_duration to output even if the query is not output (Tom Lane)
In prior releases, log_duration only printed if the query appeared earlier in the log.
(8.2.0) Make to_char(time)
and to_char(interval)
treat HH and HH12 as 12-hour
intervals
Most applications should use HH24 unless they want a 12-hour display.
(8.2.0) Zero unmasked bits in conversion from INET to CIDR (Tom Lane)
This ensures that the converted value is actually valid for CIDR.
(8.2.0) Remove australian_timezones configuration variable (Joachim Wieland)
This variable has been superseded by a more general facility for configuring timezone abbreviations.
(8.2.0) Improve cost estimation for nested-loop index scans (Tom Lane)
This might eliminate the need to set unrealistically small values of random_page_cost. If you have been using a very small random_page_cost, please recheck your test cases.
(8.2.0) Change behavior of pg_dump -n and -t options. (Greg Sabino Mullane)
See the pg_dump manual page for details.
(8.2.0) Change libpq PQdsplen()
to return a useful value (Martijn van
Oosterhout)
(8.2.0) Declare libpq PQgetssl()
as returning void
*, rather than SSL * (Martijn van
Oosterhout)
This allows applications to use the function without including the OpenSSL headers.
(8.2.0) C-language loadable modules must now include a PG_MODULE_MAGIC macro call for version compatibility checking (Martijn van Oosterhout)
(8.2.0) For security's sake, modules used by a PL/PerlU function are no longer available to PL/Perl functions (Andrew Dunstan)
Note: This also implies that data can no longer be shared between a PL/Perl function and a PL/PerlU function. Some Perl installations have not been compiled with the correct flags to allow multiple interpreters to exist within a single process. In this situation PL/Perl and PL/PerlU cannot both be used in a single backend. The solution is to get a Perl installation which supports multiple interpreters.
(8.2.0) In contrib/xml2/, rename xml_valid()
to xml_is_well_formed()
(Tom Lane)
xml_valid()
will remain for
backward compatibility, but its behavior will change to do schema
checking in a future release.
(8.2.0) Remove contrib/ora2pg/, now at http://www.samse.fr/GPL/ora2pg
(8.2.0) Remove contrib modules that have been migrated to PgFoundry: adddepend, dbase, dbmirror, fulltextindex, mac, userlock
(8.2.0) Remove abandoned contrib modules: mSQL-interface, tips
(8.2.0) Remove QNX and BEOS ports (Bruce Momjian)
These ports no longer had active maintainers.
Below you will find a detailed account of the changes between PostgreSQL 8.2 and the previous major release.
(8.2.0) Allow the planner to reorder outer joins in some circumstances (Tom Lane)
In previous releases, outer joins would always be evaluated in the order written in the query. This change allows the query optimizer to consider reordering outer joins, in cases where it can determine that the join order can be changed without altering the meaning of the query. This can make a considerable performance difference for queries involving multiple outer joins or mixed inner and outer joins.
(8.2.0) Improve efficiency of IN (list-of-expressions) clauses (Tom Lane)
(8.2.0) Improve sorting speed and reduce memory usage (Simon Riggs, Tom Lane)
(8.2.0) Improve subtransaction performance (Álvaro Herrera, Itagaki Takahiro, Tom Lane)
(8.2.0) Add FILLFACTOR to table and index creation (ITAGAKI Takahiro)
This leaves extra free space in each table or index page, allowing improved performance as the database grows. This is particularly valuable to maintain clustering.
(8.2.0) Increase default values for shared_buffers and max_fsm_pages (Andrew Dunstan)
(8.2.0) Improve locking performance by breaking the lock manager tables into sections (Tom Lane)
This allows locking to be more fine-grained, reducing contention.
(8.2.0) Reduce locking requirements of sequential scans (Qingqing Zhou)
(8.2.0) Reduce locking required for database creation and destruction (Tom Lane)
(8.2.0) Improve the optimizer's selectivity estimates for LIKE, ILIKE, and regular expression operations (Tom Lane)
(8.2.0) Improve planning of joins to inherited tables and UNION ALL views (Tom Lane)
(8.2.0) Allow constraint exclusion to be applied to inherited UPDATE and DELETE queries (Tom Lane)
SELECT already honored constraint exclusion.
(8.2.0) Improve planning of constant WHERE clauses, such as a condition that depends only on variables inherited from an outer query level (Tom Lane)
(8.2.0) Protocol-level unnamed prepared statements are re-planned for each set of BIND values (Tom Lane)
This improves performance because the exact parameter values can be used in the plan.
(8.2.0) Speed up vacuuming of B-Tree indexes (Heikki Linnakangas, Tom Lane)
(8.2.0) Avoid extra scan of tables without indexes during VACUUM (Greg Stark)
(8.2.0) Improve multicolumn GiST indexing (Oleg Bartunov, Teodor Sigaev)
(8.2.0) Remove dead index entries before B-Tree page split (Junji Teramoto)
(8.2.0) Allow a forced switch to a new transaction log file (Simon Riggs, Tom Lane)
This is valuable for keeping warm standby slave servers in sync
with the master. Transaction log file switching now also happens
automatically during pg_stop_backup()
. This ensures that all
transaction log files needed for recovery can be archived
immediately.
(8.2.0) Add WAL informational functions (Simon Riggs)
Add functions for interrogating the current transaction log
insertion point and determining WAL filenames from the hex WAL locations displayed by pg_stop_backup()
and related functions.
(8.2.0) Improve recovery from a crash during WAL replay (Simon Riggs)
The server now does periodic checkpoints during WAL recovery, so if there is a crash, future WAL recovery is shortened. This also eliminates the need for warm standby servers to replay the entire log since the base backup if they crash.
(8.2.0) Improve reliability of long-term WAL replay (Heikki Linnakangas, Simon Riggs, Tom Lane)
Formerly, trying to roll forward through more than 2 billion transactions would not work due to XID wraparound. This meant warm standby servers had to be reloaded from fresh base backups periodically.
(8.2.0) Add archive_timeout to force transaction log file switches at a given interval (Simon Riggs)
This enforces a maximum replication delay for warm standby servers.
(8.2.0) Add native LDAP authentication (Magnus Hagander)
This is particularly useful for platforms that do not support PAM, such as Windows.
(8.2.0) Add GRANT CONNECT ON DATABASE (Gevik Babakhani)
This gives SQL-level control over database access. It works as an additional filter on top of the existing pg_hba.conf controls.
(8.2.0) Add support for SSL Certificate Revocation List (CRL) files (Libor Hohoš)
The server and libpq both recognize CRL files now.
(8.2.0) GiST indexes are now clusterable (Teodor Sigaev)
(8.2.0) Remove routine autovacuum server log entries (Bruce Momjian)
pg_stat_activity now shows autovacuum activity.
(8.2.0) Track maximum XID age within individual tables, instead of whole databases (Álvaro Herrera)
This reduces the overhead involved in preventing transaction ID wraparound, by avoiding unnecessary VACUUMs.
(8.2.0) Add last vacuum and analyze timestamp columns to the stats collector (Larry Rosenman)
These values now appear in the pg_stat_*_tables system views.
(8.2.0) Improve performance of statistics monitoring, especially stats_command_string (Tom Lane, Bruce Momjian)
This release enables stats_command_string by default, now that its overhead is minimal. This means pg_stat_activity will now show all active queries by default.
(8.2.0) Add a waiting column to pg_stat_activity (Tom Lane)
This allows pg_stat_activity to show all the information included in the ps display.
(8.2.0) Add configuration parameter update_process_title to control whether the ps display is updated for every command (Bruce Momjian)
On platforms where it is expensive to update the ps display, it might be worthwhile to turn this off and rely solely on pg_stat_activity for status information.
(8.2.0) Allow units to be specified in configuration settings (Peter T. Mount)
For example, you can now set shared_buffers to 32MB rather than mentally converting sizes.
(8.2.0) Add support for include directives in postgresql.conf (Joachim Wieland)
(8.2.0) Improve logging of protocol-level prepare/bind/execute messages (Bruce Momjian, Tom Lane)
Such logging now shows statement names, bind parameter values, and the text of the query being executed. Also, the query text is properly included in logged error messages when enabled by log_min_error_statement.
(8.2.0) Prevent max_stack_depth from being set to unsafe values
On platforms where we can determine the actual kernel stack depth limit (which is most), make sure that the initial default value of max_stack_depth is safe, and reject attempts to set it to unsafely large values.
(8.2.0) Enable highlighting of error location in query in more cases (Tom Lane)
The server is now able to report a specific error location for some semantic errors (such as unrecognized column name), rather than just for basic syntax errors as before.
(8.2.0,8.1.6,8.0.10,7.4.15) Fix "failed to re-find parent key" errors in VACUUM (Tom Lane)
(8.2.0,8.1.6) Clean out pg_internal.init cache files during server restart (Simon Riggs)
This avoids a hazard that the cache files might contain stale data after PITR recovery.
(8.2.0,8.1.6,8.0.10) Fix race condition for truncation of a large relation across a gigabyte boundary by VACUUM (Tom Lane)
(8.2.0,8.1.6) Fix bug causing needless deadlock errors on row-level locks (Tom Lane)
(8.2.0,8.1.6,8.0.10,7.4.15) Fix bugs affecting multi-gigabyte hash indexes (Tom Lane)
(8.2.0) Each backend process is now its own process group leader (Tom Lane)
This allows query cancel to abort subprocesses invoked from a backend or archive/recovery process.
(8.2.0) Add INSERT/UPDATE/DELETE RETURNING (Jonah Harris, Tom Lane)
This allows these commands to return values, such as the computed serial key for a new row. In the UPDATE case, values from the updated version of the row are returned.
(8.2.0) Add support for multiple-row VALUES clauses, per SQL standard (Joe Conway, Tom Lane)
This allows INSERT to insert multiple rows of constants, or queries to generate result sets using constants. For example, INSERT ... VALUES (...), (...), ...., and SELECT * FROM (VALUES (...), (...), ....) AS alias(f1, ...).
(8.2.0) Allow UPDATE and DELETE to use an alias for the target table (Atsushi Ogawa)
The SQL standard does not permit an alias in these commands, but many database systems allow one anyway for notational convenience.
(8.2.0) Allow UPDATE to set multiple columns with a list of values (Susanne Ebrecht)
This is basically a short-hand for assigning the columns and values in pairs. The syntax is UPDATE tab SET (column, ...) = (val, ...).
(8.2.0) Make row comparisons work per standard (Tom Lane)
The forms <, <=, >, >= now compare rows lexicographically, that is, compare the first elements, if equal compare the second elements, and so on. Formerly they expanded to an AND condition across all the elements, which was neither standard nor very useful.
(8.2.0) Add CASCADE option to TRUNCATE (Joachim Wieland)
This causes TRUNCATE to automatically include all tables that reference the specified table(s) via foreign keys. While convenient, this is a dangerous tool — use with caution!
(8.2.0) Support FOR UPDATE and FOR SHARE in the same SELECT command (Tom Lane)
(8.2.0) Add IS NOT DISTINCT FROM (Pavel Stehule)
This operator is similar to equality (=), but evaluates to true when both left and right operands are NULL, and to false when just one is, rather than yielding NULL in these cases.
(8.2.0) Improve the length output used by UNION/INTERSECT/EXCEPT (Tom Lane)
When all corresponding columns are of the same defined length, that length is used for the result, rather than a generic length.
(8.2.0) Allow ILIKE to work for multi-byte encodings (Tom Lane)
Internally, ILIKE now calls
lower()
and then uses LIKE. Locale-specific regular expression patterns
still do not work in these encodings.
(8.2.0) Enable standard_conforming_strings to be turned on (Kevin Grittner)
This allows backslash escaping in strings to be disabled, making PostgreSQL more standards-compliant. The default is off for backwards compatibility, but future releases will default this to on.
(8.2.0) Do not flatten subqueries that contain volatile functions in their target lists (Jaime Casanova)
This prevents surprising behavior due to multiple evaluation of
a volatile function (such as random()
or nextval()
). It might cause performance
degradation in the presence of functions that are unnecessarily
marked as volatile.
(8.2.0) Add system views pg_prepared_statements and pg_cursors to show prepared statements and open cursors (Joachim Wieland, Neil Conway)
These are very useful in pooled connection setups.
(8.2.0) Support portal parameters in EXPLAIN and EXECUTE (Tom Lane)
This allows, for example, JDBC ? parameters to work in these commands.
(8.2.0) If SQL-level PREPARE parameters are unspecified, infer their types from the content of the query (Neil Conway)
Protocol-level PREPARE already did this.
(8.2.0) Allow LIMIT and OFFSET to exceed two billion (Dhanaraj M)
(8.2.0) Add TABLESPACE clause to CREATE TABLE AS (Neil Conway)
This allows a tablespace to be specified for the new table.
(8.2.0) Add ON COMMIT clause to CREATE TABLE AS (Neil Conway)
This allows temporary tables to be truncated or dropped on transaction commit. The default behavior is for the table to remain until the session ends.
(8.2.0) Add INCLUDING CONSTRAINTS to CREATE TABLE LIKE (Greg Stark)
This allows easy copying of CHECK constraints to a new table.
(8.2.0) Allow the creation of placeholder (shell) types (Martijn van Oosterhout)
A shell type declaration creates a type name, without specifying any of the details of the type. Making a shell type is useful because it allows cleaner declaration of the type's input/output functions, which must exist before the type can be defined "for real". The syntax is CREATE TYPE typename.
(8.2.0) Aggregate functions now support multiple input parameters (Sergey Koposov, Tom Lane)
(8.2.0) Add new aggregate creation syntax (Tom Lane)
The new syntax is CREATE AGGREGATE aggname (input_type) (parameter_list). This more naturally supports the new multi-parameter aggregate functionality. The previous syntax is still supported.
(8.2.0) Add ALTER ROLE PASSWORD NULL to remove a previously set role password (Peter T. Mount)
(8.2.0) Add DROP object IF EXISTS for many object types (Andrew Dunstan)
This allows DROP operations on non-existent objects without generating an error.
(8.2.0) Add DROP OWNED to drop all objects owned by a role (Álvaro Herrera)
(8.2.0) Add REASSIGN OWNED to reassign ownership of all objects owned by a role (Álvaro Herrera)
This, and DROP OWNED above, facilitate dropping roles.
(8.2.0) Add GRANT ON SEQUENCE syntax (Bruce Momjian)
This was added for setting sequence-specific permissions. GRANT ON TABLE for sequences is still supported for backward compatibility.
(8.2.0) Add USAGE
permission for sequences that allows only currval()
and nextval()
, not setval()
(Bruce Momjian)
USAGE permission allows more
fine-grained control over sequence access. Granting USAGE allows users to increment a sequence, but
prevents them from setting the sequence to an arbitrary value using
setval()
.
(8.2.0) Add ALTER TABLE [ NO ] INHERIT (Greg Stark)
This allows inheritance to be adjusted dynamically, rather than just at table creation and destruction. This is very valuable when using inheritance to implement table partitioning.
(8.2.0) Allow comments on global objects to be stored globally (Kris Jurka)
Previously, comments attached to databases were stored in individual databases, making them ineffective, and there was no provision at all for comments on roles or tablespaces. This change adds a new shared catalog pg_shdescription and stores comments on databases, roles, and tablespaces therein.
(8.2.0) Add option to allow indexes to be created without blocking concurrent writes to the table (Greg Stark, Tom Lane)
The new syntax is CREATE INDEX CONCURRENTLY. The default behavior is still to block table modification while an index is being created.
(8.2.0) Provide advisory locking functionality (Abhijit Menon-Sen, Tom Lane)
This is a new locking API designed to replace what used to be in /contrib/userlock. The userlock code is now on pgfoundry.
(8.2.0) Allow COPY to dump a SELECT query (Zoltan Boszormenyi, Karel Zak)
This allows COPY to dump arbitrary SQL queries. The syntax is COPY (SELECT ...) TO.
(8.2.0) Make the COPY command return a command tag that includes the number of rows copied (Volkan YAZICI)
(8.2.0) Allow VACUUM to expire rows without being affected by other concurrent VACUUM operations (Hannu Krossing, Álvaro Herrera, Tom Lane)
(8.2.0) Make initdb detect the operating system locale and set the default DateStyle accordingly (Peter T. Mount)
This makes it more likely that the installed postgresql.conf DateStyle value will be as desired.
(8.2.0) Reduce number of progress messages displayed by initdb (Tom Lane)
(8.2.0) Allow full timezone names in timestamp input values (Joachim Wieland)
For example, '2006-05-24 21:11 America/New_York'::timestamptz.
(8.2.0) Support configurable timezone abbreviations (Joachim Wieland)
A desired set of timezone abbreviations can be chosen via the configuration parameter timezone_abbreviations.
(8.2.0) Add pg_timezone_abbrevs and pg_timezone_names views to show supported timezones (Magnus Hagander)
(8.2.0) Add clock_timestamp()
, statement_timestamp()
, and transaction_timestamp()
(Bruce Momjian)
clock_timestamp()
is the current
wall-clock time, statement_timestamp()
is the time the current
statement arrived at the server, and transaction_timestamp()
is an alias for
now()
.
(8.2.0) Allow to_char()
to print localized month and day
names (Euler Taveira de Oliveira)
(8.2.0) Allow to_char(time)
and to_char(interval)
to output AM/PM
specifications (Bruce Momjian)
Intervals and times are treated as 24-hour periods, e.g. 25 hours is considered AM.
(8.2.0) Add new function justify_interval()
to adjust interval units
(Mark Dilger)
(8.2.0) Allow timezone offsets up to 14:59 away from GMT
Kiribati uses GMT+14, so we'd better accept that.
(8.2.0) Interval computation improvements (Michael Glaesemann, Bruce Momjian)
(8.2.0) Allow arrays to contain NULL elements (Tom Lane)
(8.2.0) Allow assignment to array elements not contiguous with the existing entries (Tom Lane)
The intervening array positions will be filled with nulls. This is per SQL standard.
(8.2.0) New built-in operators for array-subset comparisons (@>, <@, &&) (Teodor Sigaev, Tom Lane)
These operators can be indexed for many data types using GiST or GIN indexes.
(8.2.0) Add convenient arithmetic operations on INET/CIDR values (Stephen R. van den Berg)
The new operators are & (and), | (or), ~ (not), inet + int8, inet - int8, and inet - inet.
(8.2.0) Add new aggregate functions from SQL:2003 (Neil Conway)
The new functions are var_pop()
,
var_samp()
, stddev_pop()
, and stddev_samp()
. var_samp()
and stddev_samp()
are merely renamings of the
existing aggregates variance()
and
stddev()
. The latter names remain
available for backward compatibility.
(8.2.0) Add SQL:2003 statistical aggregates (Sergey Koposov)
New functions: regr_intercept()
,
regr_slope()
, regr_r2()
, corr()
,
covar_samp()
, covar_pop()
, regr_avgx()
, regr_avgy()
, regr_sxy()
, regr_sxx()
, regr_syy()
, regr_count()
.
(8.2.0) Allow domains to be based on other domains (Tom Lane)
(8.2.0) Properly enforce domain CHECK constraints everywhere (Neil Conway, Tom Lane)
For example, the result of a user-defined function that is declared to return a domain type is now checked against the domain's constraints. This closes a significant hole in the domain implementation.
(8.2.0) Fix problems with dumping renamed SERIAL columns (Tom Lane)
The fix is to dump a SERIAL column by explicitly specifying its DEFAULT and sequence elements, and reconstructing the SERIAL column on reload using a new ALTER SEQUENCE OWNED BY command. This also allows dropping a SERIAL column specification.
(8.2.0) Add a server-side sleep function pg_sleep()
(Joachim Wieland)
(8.2.0) Add all comparison operators for the tid (tuple id) data type (Mark Kirkwood, Greg Stark, Tom Lane)
(8.2.0) Add TG_table_name and TG_table_schema to trigger parameters (Andrew Dunstan)
TG_relname is now deprecated. Comparable changes have been made in the trigger parameters for the other PLs as well.
(8.2.0) Allow FOR statements to return values to scalars as well as records and row types (Pavel Stehule)
(8.2.0) Add a BY clause to the FOR loop, to control the iteration increment (Jaime Casanova)
(8.2.0) Add STRICT to SELECT INTO (Matt Miller)
STRICT mode throws an exception if more or less than one row is returned by the SELECT, for Oracle PL/SQL compatibility.
(8.2.0) Add table_name and table_schema to trigger parameters (Adam Sjøgren)
(8.2.0) Add prepared queries (Dmitry Karasik)
(8.2.0) Make $_TD trigger data a global variable (Andrew Dunstan)
Previously, it was lexical, which caused unexpected sharing violations.
(8.2.0) Run PL/Perl and PL/PerlU in separate interpreters, for security reasons (Andrew Dunstan)
In consequence, they can no longer share data nor loaded modules. Also, if Perl has not been compiled with the requisite flags to allow multiple interpreters, only one of these languages can be used in any given backend process.
(8.2.0) Named parameters are passed as ordinary variables, as well as in the args[] array (Sven Suursoho)
(8.2.0) Add table_name and table_schema to trigger parameters (Andrew Dunstan)
(8.2.0) Allow returning of composite types and result sets (Sven Suursoho)
(8.2.0) Return result-set as list, iterator, or generator (Sven Suursoho)
(8.2.0) Allow functions to return void (Neil Conway)
(8.2.0) Python 2.5 is now supported (Tom Lane)
(8.2.0) Add new command \password for changing role password with client-side password encryption (Peter T. Mount)
(8.2.0) Allow \c to connect to a new host and port number (David Hartwig, Volkan YAZICI)
(8.2.0) Add tablespace display to \l+ (Philip Yarra)
(8.2.0) Improve \df slash command to include the argument names and modes (OUT or INOUT) of the function (David Fetter)
(8.2.0) Support binary COPY (Andreas Pflug)
(8.2.0) Add option to run the entire session in a single transaction (Simon Riggs)
Use option -1 or --single-transaction.
(8.2.0) Support for automatically retrieving SELECT results in batches using a cursor (Chris Mair)
This is enabled using \set FETCH_COUNT n. This feature allows large result sets to be retrieved in psql without attempting to buffer the entire result set in memory.
(8.2.0) Make multi-line values align in the proper column (Martijn van Oosterhout)
Field values containing newlines are now displayed in a more readable fashion.
(8.2.0) Save multi-line statements as a single entry, rather than one line at a time (Sergey E. Koposov)
This makes up-arrow recall of queries easier. (This is not available on Windows, because that platform uses the native command-line editing present in the operating system.)
(8.2.0) Make the line counter 64-bit so it can handle files with more than two billion lines (David Fetter)
(8.2.0) Report both the returned data and the command status tag for INSERT/UPDATE/DELETE RETURNING (Tom Lane)
(8.2.0) Allow complex selection of objects to be included or excluded by pg_dump (Greg Sabino Mullane)
pg_dump now supports multiple -n (schema) and -t (table) options, and adds -N and -T options to exclude objects. Also, the arguments of these switches can now be wild-card expressions rather than single object names, for example -t 'foo*', and a schema can be part of a -t or -T switch, for example -t schema1.table1.
(8.2.0) Add pg_restore --no-data-for-failed-tables option to suppress loading data if table creation failed (i.e., the table already exists) (Martin Pitt)
(8.2.0) Add pg_restore option to run the entire session in a single transaction (Simon Riggs)
Use option -1 or --single-transaction.
(8.2.0) Add PQencryptPassword()
to encrypt passwords
(Tom Lane)
This allows passwords to be sent pre-encrypted for commands like ALTER ROLE ... PASSWORD.
(8.2.0) Add function PQisthreadsafe()
(Bruce Momjian)
This allows applications to query the thread-safety status of the library.
(8.2.0) Add PQdescribePrepared()
, PQdescribePortal()
, and related functions to
return information about previously prepared statements and open
cursors (Volkan YAZICI)
(8.2.0) Allow LDAP lookups from pg_service.conf (Laurenz Albe)
(8.2.0) Allow a hostname in ~/.pgpass to match the default socket directory (Bruce Momjian)
A blank hostname continues to match any Unix-socket connection, but this addition allows entries that are specific to one of several postmasters on the machine.
(8.2.0) Allow SHOW to put its result into a variable (Joachim Wieland)
(8.2.0) Add COPY TO STDOUT (Joachim Wieland)
(8.2.0) Add regression tests (Joachim Wieland, Michael Meskes)
(8.2.0) Major source code cleanups (Joachim Wieland, Michael Meskes)
(8.2.0) Allow MSVC to compile the PostgreSQL server (Magnus Hagander, Hiroshi Saito)
(8.2.0) Add MSVC support for utility commands and pg_dump (Hiroshi Saito)
(8.2.0) Add support for Windows code pages 1253, 1254, 1255, and 1257 (Kris Jurka)
(8.2.0) Drop privileges on startup, so that the server can be started from an administrative account (Magnus Hagander)
(8.2.0) Stability fixes (Qingqing Zhou, Magnus Hagander)
(8.2.0) Add native semaphore implementation (Qingqing Zhou)
The previous code mimicked SysV semaphores.
(8.2.0) Add GIN (Generalized Inverted iNdex) index access method (Teodor Sigaev, Oleg Bartunov)
(8.2.0) Remove R-tree indexing (Tom Lane)
Rtree has been re-implemented using GiST. Among other differences, this means that rtree indexes now have support for crash recovery via write-ahead logging (WAL).
(8.2.0) Reduce libraries needlessly linked into the backend (Martijn van Oosterhout, Tom Lane)
(8.2.0) Add a configure flag to allow libedit to be preferred over GNU readline (Bruce Momjian)
Use configure --with-libedit-preferred.
(8.2.0) Allow installation into directories containing spaces (Peter T. Mount)
(8.2.0) Improve ability to relocate installation directories (Tom Lane)
(8.2.0) Add support for Solaris x86_64 using the Solaris compiler (Pierre Girard, Theo Schlossnagle, Bruce Momjian)
(8.2.0) Add DTrace support (Robert Lor)
(8.2.0) Add PG_VERSION_NUM for use by third-party applications wanting to test the backend version in C using > and < comparisons (Bruce Momjian)
(8.2.0) Add XLOG_BLCKSZ as independent from BLCKSZ (Mark Wong)
(8.2.0) Add LWLOCK_STATS define to report locking activity (Tom Lane)
(8.2.0) Emit warnings for unknown configure options (Martijn van Oosterhout)
(8.2.0) Add server support for "plugin" libraries that can be used for add-on tasks such as debugging and performance measurement (Korry Douglas)
This consists of two features: a table of "rendezvous variables" that allows separately-loaded shared libraries to communicate, and a new configuration parameter local_preload_libraries that allows libraries to be loaded into specific sessions without explicit cooperation from the client application. This allows external add-ons to implement features such as a PL/pgSQL debugger.
(8.2.0) Rename existing configuration parameter preload_libraries to shared_preload_libraries (Tom Lane)
This was done for clarity in comparison to local_preload_libraries.
(8.2.0) Add new configuration parameter server_version_num (Greg Sabino Mullane)
This is like server_version, but is an integer, e.g. 80200. This allows applications to make version checks more easily.
(8.2.0) Add a configuration parameter seq_page_cost (Tom Lane)
(8.2.0) Re-implement the regression test script as a C program (Magnus Hagander, Tom Lane)
(8.2.0) Allow loadable modules to allocate shared memory and lightweight locks (Marc Munro)
(8.2.0) Add automatic initialization and finalization of dynamically loaded libraries (Ralf Engelschall, Tom Lane)
New functions
_PG_init()
and _PG_fini()
are called if the library defines such
symbols. Hence we no longer need to specify an initialization
function in shared_preload_libraries; we
can assume that the library used the _PG_init()
convention instead.
(8.2.0) Add PG_MODULE_MAGIC header block to all shared object files (Martijn van Oosterhout)
The magic block prevents version mismatches between loadable object files and servers.
(8.2.0) Add shared library support for AIX (Laurenz Albe)
(8.2.0) New XML documentation section (Bruce Momjian)
(8.2.0) Major tsearch2 improvements (Oleg Bartunov, Teodor Sigaev)
multibyte encoding support, including UTF8
(8.2.0) query rewriting support
(8.2.0) improved ranking functions
(8.2.0) thesaurus dictionary support
(8.2.0) Ispell dictionaries now recognize MySpell format, used by OpenOffice
(8.2.0) GIN support
(8.2.0) Add adminpack module containing Pgadmin administration functions (Dave Cramer)
These functions provide additional file system access routines not present in the default PostgreSQL server.
(8.2.0) Add sslinfo module (Victor Wagner)
Reports information about the current connection's SSL certificate.
(8.2.0) Add pgrowlocks module (Tatsuo Ishii)
This shows row locking information for a specified table.
(8.2.0) Add hstore module (Oleg Bartunov, Teodor Sigaev)
(8.2.0) Add isn module, replacing isbn_issn (Jeremy Kronuz)
This new implementation supports EAN13, UPC, ISBN (books), ISMN (music), and ISSN (serials).
(8.2.0) Add index information functions to pgstattuple (ITAGAKI Takahiro, Satoshi Nagayasu)
(8.2.0) Add pg_freespacemap module to display free space map information (Mark Kirkwood)
(8.2.0) pgcrypto now has all planned functionality (Marko Kreen)
Include iMath library in pgcrypto to have the public-key encryption functions always available.
(8.2.0) Add SHA224 algorithm that was missing in OpenBSD code.
(8.2.0) Activate builtin code for SHA224/256/384/512 hashes on older OpenSSL to have those algorithms always available.
(8.2.0) New function gen_random_bytes() that returns cryptographically strong randomness. Useful for generating encryption keys.
(8.2.0) Remove digest_exists(), hmac_exists() and cipher_exists() functions.
(8.2.0) Improvements to cube module (Joshua Reich)
New functions are cube(float[])
,
cube(float[], float[])
, and
cube_subset(cube, int4[])
.
(8.2.0) Add async query capability to dblink (Kai Londenberg, Joe Conway)
(8.2.0) New operators for array-subset comparisons (@>, <@, &&) (Tom Lane)
Various contrib packages already had these operators for their datatypes, but the naming wasn't consistent. We have now added consistently named array-subset comparison operators to the core code and all the contrib packages that have such functionality. (The old names remain available, but are deprecated.)
(8.2.0) Add uninstall scripts for all contrib packages that have install scripts (David Hartwig, Josh Drake)
Release date: 2010-12-16
This release contains a variety of fixes from 8.1.22. For information about new features in the 8.1 major release, see Version 8.1.0.
This is expected to be the last PostgreSQL release in the 8.1.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.18, see Version 8.1.18.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp)
The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis)
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Add support for detecting register-stack overrun on IA64 (Tom Lane)
The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Add a check for stack overflow in copyObject()
(Tom Lane)
Certain code paths could crash due to stack overflow given a sufficiently complex query.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas)
It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane)
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane)
An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Do not "inline" a SQL function with multiple OUT parameters (Tom Lane)
This avoids a possible crash due to loss of information about the expected result rowtype.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix constant-folding of COALESCE() expressions (Tom Lane)
The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Add print functionality for InhRelation nodes (Tom Lane)
This avoids a failure when debug_print_parse is enabled and certain types of query are executed.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane)
This bug affected several different geometric distance-measurement operators.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane)
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update.
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro)
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp)
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane)
(8.1.23,9.0.2,8.4.6,8.3.13,8.2.19) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong.
Release date: 2010-10-04
This release contains a variety of fixes from 8.1.21. For information about new features in the 8.1 major release, see Version 8.1.0.
The PostgreSQL community will stop releasing updates for the 8.1.X release series in November 2010. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.18, see Version 8.1.18.
(8.1.22,9.0.1,8.4.5,8.3.12,8.2.18,8.0.26,7.4.30) Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Our thanks to Tim Bunce for pointing out this issue CVE-2010-3433 or CVE-2010-3433).
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26,7.4.30) Prevent possible crashes in pg_get_expr()
by disallowing it from being called
with an argument that is not one of the system catalog columns it's
intended to be used with (Heikki Linnakangas, Tom Lane)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26,7.4.30) Fix "cannot handle unplanned sub-select" error (Tom Lane)
This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select.
(8.1.22,9.0.1,8.4.5,8.3.12,8.2.18) Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane)
(8.1.22,8.4.5,8.3.12,8.2.18) Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26,7.4.30) Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane)
This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed.
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas)
The original coding could result in a crash if there was limited stack space.
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) In PL/Python, defend against null pointer results from
PyCObject_AsVoidPtr
and PyCObject_FromVoidPtr
(Peter Eisentraut)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26,7.4.30) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26,7.4.30) Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro)
(8.1.22,9.0.1,8.4.5,8.3.12,8.2.18,8.0.26,7.4.30) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)
(8.1.22,8.4.5,8.3.12,8.2.18,8.0.26) Update time zone data files to tzdata release 2010l for DST law changes in Egypt and Palestine; also historical corrections for Finland.
This change also adds new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape.
Release date: 2010-05-17
This release contains a variety of fixes from 8.1.20. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.18, see Version 8.1.18.
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. CVE-2010-1169 or CVE-2010-1169)
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom Lane)
PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. CVE-2010-1170 or CVE-2010-1170)
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Do not allow an unprivileged user to reset superuser-only parameter settings (Álvaro Herrera)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change.
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom Lane)
In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message.
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Update pl/perl's ppport.h for modern Perl versions (Andrew Dunstan)
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Fix assorted memory leaks in pl/python (Andreas Freund, Tom Lane)
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25) Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom Lane)
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara)
(8.1.21,8.4.4,8.3.11,8.2.17,8.0.25,7.4.29) Make server startup deal properly with the case that
shmget()
returns EINVAL for an existing shared memory segment
(Tom Lane)
This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large.
(8.1.21,8.0.25) Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan.
Release date: 2010-03-15
This release contains a variety of fixes from 8.1.19. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.18, see Version 8.1.18.
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24,7.4.28) Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus Hagander)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches forCVE-2009-3555 or CVE-2009-3555 that cause renegotiation attempts to fail.
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Fix possible crashes when trying to recover from a failure in subtransaction start (Tom Lane)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom Lane)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24,7.4.28) Make substring()
for bit types treat any negative length as meaning
"all the rest of the string" (Tom Lane)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash CVE-2010-0442 or CVE-2010-0442).
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom Lane)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24,7.4.28) Fix some cases of pathologically slow regular expression matching (Tom Lane)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro)
(8.1.20,8.4.3,8.3.10,8.2.16) Fix some more cases of temporary-file leakage (Heikki Linnakangas)
This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler.
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24,7.4.28) When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom Lane)
This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct.
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24,7.4.28) Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom Lane)
(8.1.20,8.4.3,8.3.10,8.2.16) Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki Linnakangas)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Fix plpgsql failure in one case where a composite column is set to NULL (Tom Lane)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24,7.4.28) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom Lane)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24,7.4.28) Prevent crash in contrib/dblink when
too many key columns are specified to a dblink_build_sql_*
function (Rushabh Lathia, Joe
Conway)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom Lane)
(8.1.20,8.4.3,8.3.10,8.2.16,8.0.24) Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa.
Release date: 2009-12-14
This release contains a variety of fixes from 8.1.18. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.18, see Version 8.1.18.
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom Lane)
This change prevents allegedly-immutable index functions from possibly subverting a superuser's session CVE-2009-4136 or CVE-2009-4136).
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus Hagander)
This prevents unintended matching of a certificate to a server or client name during SSL validation CVE-2009-4034 or CVE-2009-4034).
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Fix possible crash during backend-startup-time cache initialization (Tom Lane)
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Prevent signals from interrupting VACUUM at unsafe times (Álvaro Herrera)
This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table.
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Fix possible crash due to integer overflow in hash table size calculation (Tom Lane)
This could occur with extremely large planner estimates for the size of a hashjoin's result.
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Fix very rare crash in inet/cidr comparisons (Chris Mikkelson)
(8.1.19,8.4.2,8.3.9,8.2.15) Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki Linnakangas)
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23) Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki Linnakangas)
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Fix PAM password processing to be more robust (Tom Lane)
The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
(8.1.19,8.4.2,8.3.9,8.2.15) Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom Lane)
(8.1.19,8.4.2,8.3.9,8.2.15) Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen)
This worked correctly already for non-set-returning functions.
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23) Fix rare crash in exception processing in PL/Python (Peter T. Mount)
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23) Ensure psql's flex module is compiled with the correct system header definitions (Tom Lane)
This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code.
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23,7.4.27) Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom Lane)
(8.1.19,8.4.2,8.3.9,8.2.15,8.0.23) Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong.
Release date: 2009-09-09
This release contains a variety of fixes from 8.1.17. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you have any hash indexes on interval columns, you must REINDEX them after updating to 8.1.18. Also, if you are upgrading from a version earlier than 8.1.15, see Version 8.1.15.
(8.1.18,8.4.1,8.3.8,8.2.14,8.0.22,7.4.26) Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom Lane, Heikki Linnakangas)
This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (SeeCVE-2007-6600 or CVE-2007-6600)
(8.1.18,8.3.8,8.2.14,8.0.22,7.4.26) Fix handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function (Tom Lane)
(8.1.18,8.3.8,8.2.14,8.0.22,7.4.26) Fix hash calculation for data type interval (Tom Lane)
This corrects wrong results for hash joins on interval values. It also changes the contents of hash indexes on interval columns. If you have any such indexes, you must REINDEX them after updating.
(8.1.18,8.4.1,8.3.8,8.2.14,8.0.22) Treat to_char(..., 'TH')
as an
uppercase ordinal suffix with 'HH'/'HH12' (Heikki Linnakangas)
It was previously handled as 'th' (lowercase).
(8.1.18,8.4.1,8.3.8,8.2.14,8.0.22,7.4.26) Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker)
(8.1.18,8.3.8,8.2.14,8.0.22,7.4.26) Fix calculation of distance between a point and a line segment (Tom Lane)
This led to incorrect results from a number of geometric operators.
(8.1.18,8.3.8,8.2.14,8.0.22,7.4.26) Fix money data type to work in locales where currency amounts have no fractional digits, e.g. Japan (Itagaki Takahiro)
(8.1.18,8.3.8,8.2.14,8.0.22,7.4.26) Properly round datetime input like 00:12:57.9999999999999999999999999999 (Tom Lane)
(8.1.18,8.3.8,8.2.14,8.0.22,7.4.26) Fix poor choice of page split point in GiST R-tree operator classes (Teodor Sigaev)
(8.1.18,8.3.8,8.2.14,8.0.22,7.4.26) Fix portability issues in plperl initialization (Andrew Dunstan)
(8.1.18,8.4.1,8.3.8,8.2.14,8.0.22) Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis)
(8.1.18,8.4.1,8.3.8,8.2.14,8.0.22) Fix contrib/xml2's xslt_process()
to properly handle the maximum
number of parameters (twenty) (Tom Lane)
(8.1.18,8.4.1,8.3.8,8.2.14,8.0.22,7.4.26) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom Lane)
(8.1.18,8.4.1,8.3.8,8.2.14,8.0.22,7.4.26) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala)
(8.1.18,8.3.8,8.2.14,8.0.22) Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Jordan, Pakistan, Argentina/San_Luis, Cuba, Jordan (historical correction only), Mauritius, Morocco, Palestine, Syria, Tunisia.
Release date: 2009-03-16
This release contains a variety of fixes from 8.1.16. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.15, see Version 8.1.15.
(8.1.17,8.3.7,8.2.13,8.0.21,7.4.25) Prevent error recursion crashes when encoding conversion fails (Tom Lane)
This change extends fixes made in the last two minor releases for related failure scenarios. The previous fixes were narrowly tailored for the original problem reports, but we have now recognized that any error thrown by an encoding conversion function could potentially lead to infinite recursion while trying to report the error. The solution therefore is to disable translation and encoding conversion and report the plain-ASCII form of any error message, if we find we have gotten into a recursive error reporting situation. CVE-2009-0922 or CVE-2009-0922)
(8.1.17,8.3.7,8.2.13,8.0.21,7.4.25) Disallow CREATE CONVERSION with the wrong encodings for the specified conversion function (Heikki Linnakangas)
This prevents one possible scenario for encoding conversion failure. The previous change is a backstop to guard against other kinds of failures in the same area.
(8.1.17,8.3.7,8.2.13,8.0.21,7.4.25) Fix core dump when to_char()
is
given format codes that are inappropriate for the type of the data
argument (Tom Lane)
(8.1.17,8.3.7,8.2.13) Fix decompilation of CASE WHEN with an implicit coercion (Tom Lane)
This mistake could lead to Assert failures in an Assert-enabled build, or an "unexpected CASE WHEN clause" error message in other cases, when trying to examine or dump a view.
(8.1.17,8.3.7,8.2.13) Fix possible misassignment of the owner of a TOAST table's rowtype (Tom Lane)
If CLUSTER or a rewriting variant of ALTER TABLE were executed by someone other than the table owner, the pg_type entry for the table's TOAST table would end up marked as owned by that someone. This caused no immediate problems, since the permissions on the TOAST rowtype aren't examined by any ordinary database operation. However, it could lead to unexpected failures if one later tried to drop the role that issued the command (in 8.1 or 8.2), or "owner of data type appears to be invalid" warnings from pg_dump after having done so (in 8.3).
(8.1.17,8.3.7,8.2.13) Clean up PL/pgSQL error status variables fully at block exit (Ashesh Vashi and Dave Page)
This is not a problem for PL/pgSQL itself, but the omission could cause the PL/pgSQL Debugger to crash while examining the state of a function.
(8.1.17,8.3.7,8.2.13,8.0.21,7.4.25) Add MUST (Mauritius Island Summer Time) to the default list of known timezone abbreviations (Xavier Bugaud)
Release date: 2009-02-02
This release contains a variety of fixes from 8.1.15. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.15, see Version 8.1.15.
(8.1.16) Fix crash in autovacuum (Álvaro Herrera)
The crash occurs only after vacuuming a whole database for anti-transaction-wraparound purposes, which means that it occurs infrequently and is hard to track down.
(8.1.16,8.3.6,8.2.12,8.0.20,7.4.24) Improve handling of URLs in headline()
function (Teodor Sigaev)
(8.1.16,8.3.6,8.2.12,8.0.20,7.4.24) Improve handling of overlength headlines in headline()
function (Teodor Sigaev)
(8.1.16,8.3.6,8.2.12,8.0.20,7.4.24) Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom Lane, Heikki Linnakangas)
(8.1.16,8.3.6,8.2.12,8.0.20,7.4.24) Avoid unnecessary locking of small tables in VACUUM (Heikki Linnakangas)
(8.1.16,8.3.6,8.2.12) Ensure that the contents of a holdable cursor don't depend on the contents of TOAST tables (Tom Lane)
Previously, large field values in a cursor result might be represented as TOAST pointers, which would fail if the referenced table got dropped before the cursor is read, or if the large value is deleted and then vacuumed away. This cannot happen with an ordinary cursor, but it could with a cursor that is held past its creating transaction.
(8.1.16,8.0.20,7.4.24) Fix uninitialized variables in contrib/tsearch2's get_covers()
function (Teodor Sigaev)
(8.1.16,8.3.6,8.2.12) Fix configure script to properly report failure when unable to obtain linkage information for PL/Perl (Andrew Dunstan)
(8.1.16,8.3.6,8.2.12,8.0.20,7.4.24) Make all documentation reference pgsql-bugs and/or pgsql-hackers as appropriate, instead of the now-decommissioned pgsql-ports and pgsql-patches mailing lists (Tom Lane)
(8.1.16,8.3.6,8.2.12,8.0.20) Update time zone data files to tzdata release 2009a (for Kathmandu and historical DST corrections in Switzerland, Cuba)
Release date: 2008-11-03
This release contains a variety of fixes from 8.1.14. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2. Also, if you were running a previous 8.1.X release, it is recommended to REINDEX all GiST indexes after the upgrade.
(8.1.15,8.3.5,8.2.11) Fix GiST index corruption due to marking the wrong index entry "dead" after a deletion (Teodor Sigaev)
This would result in index searches failing to find rows they should have found. Corrupted indexes can be fixed with REINDEX.
(8.1.15,8.3.5,8.2.11,8.0.19,7.4.23) Fix backend crash when the client encoding cannot represent a localized error message (Tom Lane)
We have addressed similar issues before, but it would still fail if the "character has no equivalent" message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation.
(8.1.15,8.3.5,8.2.11,8.0.19) Fix possible crash when deeply nested functions are invoked from a trigger (Tom Lane)
(8.1.15,8.3.5,8.2.11) Fix mis-expansion of rule queries when a sub-SELECT appears in a function call in FROM, a multi-row VALUES list, or a RETURNING list (Tom Lane)
The usual symptom of this problem is an "unrecognized node type" error.
(8.1.15,8.3.5,8.2.11,8.0.19) Ensure an error is reported when a newly-defined PL/pgSQL trigger function is invoked as a normal function (Tom Lane)
(8.1.15,8.3.5,8.2.11) Prevent possible collision of relfilenode numbers when moving a table to another tablespace with ALTER SET TABLESPACE (Heikki Linnakangas)
The command tried to re-use the existing filename, instead of picking one that is known unused in the destination directory.
(8.1.15,8.2.11,8.0.19,7.4.23) Fix incorrect tsearch2 headline generation when single query item matches first word of text (Sushant Sinha)
(8.1.15,8.3.5,8.2.11,8.0.19,7.4.23) Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build (Ron Mayer)
(8.1.15,8.3.5,8.2.11,8.0.19,7.4.23) Ensure SPI_getvalue
and
SPI_getbinval
behave correctly when
the passed tuple and tuple descriptor have different numbers of
columns (Tom Lane)
This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication.
(8.1.15,8.3.5,8.2.11) Fix ecpg's parsing of CREATE ROLE (Michael Meskes)
(8.1.15,8.3.5,8.2.11,8.0.19) Fix recent breakage of pg_ctl restart (Tom Lane)
(8.1.15,8.3.5,8.2.11,8.0.19) Update time zone data files to tzdata release 2008i (for DST law changes in Argentina, Brazil, Mauritius, Syria)
Release date: 2008-09-22
This release contains a variety of fixes from 8.1.13. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.14,8.3.4,8.2.10,8.0.18) Widen local lock counters from 32 to 64 bits (Tom Lane)
This responds to reports that the counters could overflow in sufficiently long transactions, leading to unexpected "lock is already held" errors.
(8.1.14,8.3.4,8.2.10) Fix possible duplicate output of tuples during a GiST index scan (Teodor Sigaev)
(8.1.14,8.2.10,8.0.18) Add checks in executor startup to ensure that the tuples produced by an INSERT or UPDATE will match the target table's current rowtype (Tom Lane)
ALTER COLUMN TYPE, followed by re-use of a previously cached plan, could produce this type of situation. The check protects against data corruption and/or crashes that could ensue.
(8.1.14,8.3.4,8.2.10) Fix AT TIME ZONE to first try to interpret its timezone argument as a timezone abbreviation, and only try it as a full timezone name if that fails, rather than the other way around as formerly (Tom Lane)
The timestamp input functions have always resolved ambiguous zone names in this order. Making AT TIME ZONE do so as well improves consistency, and fixes a compatibility bug introduced in 8.1: in ambiguous cases we now behave the same as 8.0 and before did, since in the older versions AT TIME ZONE accepted only abbreviations.
(8.1.14,8.3.4,8.2.10,8.0.18,7.4.22) Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom Lane)
(8.1.14,8.3.4,8.2.10,8.0.18,7.4.22) Improve performance of writing very long log messages to syslog (Tom Lane)
(8.1.14,8.3.4,8.2.10,8.0.18,7.4.22) Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom Lane)
(8.1.14,8.3.4,8.2.10) Fix planner bug with nested sub-select expressions (Tom Lane)
If the outer sub-select has no direct dependency on the parent query, but the inner one does, the outer value might not get recalculated for new parent query rows.
(8.1.14,8.3.4,8.2.10) Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom Lane)
This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL.
(8.1.14,8.3.4,8.2.10) Fix PL/pgSQL to not fail when a FOR loop's target variable is a record containing composite-type fields (Tom Lane)
(8.1.14,8.3.4,8.2.10,8.0.18) Fix PL/Tcl to behave correctly with Tcl 8.5, and to be more careful about the encoding of data sent to or from Tcl (Tom Lane)
(8.1.14,8.0.18) Fix PL/Python to work with Python 2.5
This is a back-port of fixes made during the 8.2 development cycle.
(8.1.14,8.3.4,8.2.10,8.0.18,7.4.22) Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom Lane)
(8.1.14,8.3.4,8.2.10,8.0.18) Fix pg_ctl to properly preserve postmaster command-line arguments across a restart (Bruce Momjian)
(8.1.14,8.3.4,8.2.10,8.0.18) Update time zone data files to tzdata release 2008f (for DST law changes in Argentina, Bahamas, Brazil, Mauritius, Morocco, Pakistan, Palestine, and Paraguay)
Release date: 2008-06-12
This release contains one serious and one minor bug fix over 8.1.12. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.13,8.3.3,8.2.9,8.0.17,7.4.21) Make pg_get_ruledef()
parenthesize
negative constants (Tom Lane)
Before this fix, a negative constant in a view or rule might be dumped as, say, -42::integer, which is subtly incorrect: it should be (-42)::integer due to operator precedence rules. Usually this would make little difference, but it could interact with another recent patch to cause PostgreSQL to reject what had been a valid SELECT DISTINCT view query. Since this could result in pg_dump output failing to reload, it is being treated as a high-priority fix. The only released versions in which dump output is actually incorrect are 8.3.1 and 8.2.7.
(8.1.13,8.3.3,8.2.9) Make ALTER AGGREGATE ... OWNER TO update pg_shdepend (Tom Lane)
This oversight could lead to problems if the aggregate was later involved in a DROP OWNED or REASSIGN OWNED operation.
Release date: never released
This release contains a variety of fixes from 8.1.11. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.12,8.3.2,8.2.8,8.0.16) Fix ALTER TABLE ADD COLUMN ... PRIMARY KEY so that the new column is correctly checked to see if it's been initialized to all non-nulls (Brendan Jurd)
Previous versions neglected to check this requirement at all.
(8.1.12,8.3.2,8.2.8,8.0.16) Fix possible CREATE TABLE failure when inheriting the "same" constraint from multiple parent relations that inherited that constraint from a common ancestor (Tom Lane)
(8.1.12,8.3.2,8.2.8,8.0.16,7.4.20) Fix conversions between ISO-8859-5 and other encodings to handle Cyrillic "Yo" characters (e and E with two dots) (Sergey Burladyan)
(8.1.12,8.0.16,7.4.20) Fix a few datatype input functions that were allowing unused bytes in their results to contain uninitialized, unpredictable values (Tom Lane)
This could lead to failures in which two apparently identical literal values were not seen as equal, resulting in the parser complaining about unmatched ORDER BY and DISTINCT expressions.
(8.1.12,8.3.2,8.2.8,8.0.16,7.4.20) Fix a corner case in regular-expression substring matching (substring(string from pattern)) (Tom Lane)
The problem occurs when there is a match to the pattern overall but the user has specified a parenthesized subexpression and that subexpression hasn't got a match. An example is substring('foo' from 'foo(bar)?'). This should return NULL, since (bar) isn't matched, but it was mistakenly returning the whole-pattern match instead (ie, foo).
(8.1.12,8.0.16) Update time zone data files to tzdata release 2008c (for DST law changes in Morocco, Iraq, Choibalsan, Pakistan, Syria, Cuba, Argentina/San_Luis, and Chile)
(8.1.12,8.3.2,8.2.8,8.0.16,7.4.20) Fix incorrect result from ecpg's PGTYPEStimestamp_sub()
function (Michael Meskes)
(8.1.12,8.3.2,8.2.8,8.0.16) Fix core dump in contrib/xml2's
xpath_table()
function when the input
query returns a NULL value (Tom Lane)
(8.1.12,8.2.8,8.0.16) Fix contrib/xml2's makefile to not override CFLAGS (Tom Lane)
(8.1.12,8.2.8,8.0.16,7.4.20) Fix DatumGetBool macro to not fail with gcc 4.3 (Tom Lane)
This problem affects "old style" (V0) C functions that return boolean. The fix is already in 8.3, but the need to back-patch it was not realized at the time.
(8.1.12,8.3.1,8.2.7,8.0.16,7.4.20) Fix longstanding LISTEN/NOTIFY race condition (Tom Lane)
In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later.
A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior.
(8.1.12,8.3.1,8.2.7) Disallow LISTEN and UNLISTEN within a prepared transaction (Tom Lane)
This was formerly allowed but trying to do it had various unpleasant consequences, notably that the originating backend could not exit as long as an UNLISTEN remained uncommitted.
(8.1.12,8.3.1,8.2.7,8.0.16) Fix rare crash when an error occurs during a query using a hash index (Heikki Linnakangas)
(8.1.12,8.3.1,8.2.7,8.0.16) Fix input of datetime values for February 29 in years BC (Tom Lane)
The former coding was mistaken about which years were leap years.
(8.1.12,8.3.1,8.2.7,8.0.16) Fix "unrecognized node type" error in some variants of ALTER OWNER (Tom Lane)
(8.1.12,8.3.1,8.2.7,8.0.16) Fix pg_ctl to correctly extract the postmaster's port number from command-line options (Itagaki Takahiro, Tom Lane)
Previously, pg_ctl start -w could try to contact the postmaster on the wrong port, leading to bogus reports of startup failure.
(8.1.12,8.3.1,8.2.7,8.0.16) Use -fwrapv to defend against possible misoptimization in recent gcc versions (Tom Lane)
This is known to be necessary when building PostgreSQL with gcc 4.3 or later.
(8.1.12,8.2.7,8.0.16,7.4.20) Fix display of constant expressions in ORDER BY and GROUP BY (Tom Lane)
An explicitly casted constant would be shown incorrectly. This could for example lead to corruption of a view definition during dump and reload.
(8.1.12,8.2.7,8.0.16,7.4.20) Fix libpq to handle NOTICE messages correctly during COPY OUT (Tom Lane)
This failure has only been observed to occur when a user-defined datatype's output routine issues a NOTICE, but there is no guarantee it couldn't happen due to other causes.
Release date: 2008-01-07
This release contains a variety of fixes from 8.1.10, including fixes for significant security issues. For information about new features in the 8.1 major release, see Version 8.1.0.
This is the last 8.1.X release for which the PostgreSQL community will produce binary packages for Windows. Windows users are encouraged to move to 8.2.X or later, since there are Windows-specific fixes in 8.2.X that are impractical to back-port. 8.1.X will continue to be supported on other platforms.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.11,8.2.6,8.0.15,7.4.19,7.3.21) Prevent functions in indexes from executing with the privileges of the user running VACUUM, ANALYZE, etc (Tom Lane)
Functions used in index expressions and partial-index predicates are evaluated whenever a new table entry is made. It has long been understood that this poses a risk of trojan-horse code execution if one modifies a table owned by an untrustworthy user. (Note that triggers, defaults, check constraints, etc. pose the same type of risk.) But functions in indexes pose extra danger because they will be executed by routine maintenance operations such as VACUUM FULL, which are commonly performed automatically under a superuser account. For example, a nefarious user can execute code with superuser privileges by setting up a trojan-horse index definition and waiting for the next routine vacuum. The fix arranges for standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) to execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. CVE-2007-6600 or CVE-2007-6600)
(8.1.11,8.2.6,8.0.15,7.4.19) Repair assorted bugs in the regular-expression package (Tom Lane, Will Drewry)
Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. CVE-2007-4769 or CVE-2007-4769,CVE-2007-4772 or CVE-2007-4772,CVE-2007-6067 or CVE-2007-6067)
(8.1.11) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
The fix that appeared for this in 8.1.10 was incomplete, as it plugged the hole for only some dblink functions. CVE-2007-6601 or CVE-2007-6601,CVE-2007-3278 or CVE-2007-3278)
(8.1.11,8.2.6,8.0.15) Update time zone data files to tzdata release 2007k (in particular, recent Argentina changes) (Tom Lane)
(8.1.11,8.2.6) Improve planner's handling of LIKE/regex estimation in non-C locales (Tom Lane)
(8.1.11,8.2.6,8.0.15,7.4.19) Fix planner failure in some cases of WHERE false AND var IN (SELECT ...) (Tom Lane)
(8.1.11,8.0.15) Preserve the tablespace of indexes that are rebuilt by ALTER TABLE ... ALTER COLUMN TYPE (Tom Lane)
(8.1.11,8.2.6,8.0.15) Make archive recovery always start a new WAL timeline, rather than only when a recovery stop time was used (Simon Riggs)
This avoids a corner-case risk of trying to overwrite an existing archived copy of the last WAL segment, and seems simpler and cleaner than the original definition.
(8.1.11,8.2.6,8.0.15) Make VACUUM not use all of maintenance_work_mem when the table is too small for it to be useful (Álvaro Herrera)
(8.1.11,8.2.6,8.0.15,7.4.19,7.3.21) Fix potential crash in translate()
when using a multibyte database encoding (Tom Lane)
(8.1.11,8.2.6) Fix overflow in extract(epoch from interval) for intervals exceeding 68 years (Tom Lane)
(8.1.11,8.2.6) Fix PL/Perl to not fail when a UTF-8 regular expression is used in a trusted function (Andrew Dunstan)
(8.1.11,8.2.6,8.0.15) Fix PL/Perl to cope when platform's Perl defines type bool as int rather than char (Tom Lane)
While this could theoretically happen anywhere, no standard build of Perl did things this way ... until Mac OS X 10.5.
(8.1.11,8.2.6,8.0.15,7.4.19) Fix PL/Python to not crash on long exception messages (Álvaro Herrera)
(8.1.11,8.2.6,8.0.15) Fix pg_dump to correctly handle inheritance child tables that have default expressions different from their parent's (Tom Lane)
(8.1.11,8.2.6) Fix libpq crash when PGPASSFILE refers to a file that is not a plain file (Martin Pitt)
(8.1.11,8.2.6,8.0.15,7.4.19) ecpg parser fixes (Michael Meskes)
(8.1.11,8.2.6) Make contrib/pgcrypto defend against OpenSSL libraries that fail on keys longer than 128 bits; which is the case at least on some Solaris versions (Marko Kreen)
(8.1.11,8.2.6,8.0.15,7.4.19,7.3.21) Make contrib/tablefunc's crosstab()
handle NULL rowid as a category in its
own right, rather than crashing (Joe Conway)
(8.1.11,8.2.6,8.0.15,7.4.19) Fix tsvector and tsquery output routines to escape backslashes correctly (Teodor Sigaev, Bruce Momjian)
(8.1.11,8.2.6,8.0.15,7.4.19) Fix crash of to_tsvector()
on huge
input strings (Teodor Sigaev)
(8.1.11,8.2.6,8.0.15,7.4.19,7.3.21) Require a specific version of Autoconf to be used when re-generating the configure script (Peter T. Mount)
This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.
Release date: 2007-09-17
This release contains a variety of fixes from 8.1.9. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.10,8.2.5,8.0.14,7.4.18,7.3.20) Prevent index corruption when a transaction inserts rows and then aborts close to the end of a concurrent VACUUM on the same table (Tom Lane)
(8.1.10,8.2.5,8.0.14,7.4.18,7.3.20) Make CREATE DOMAIN ... DEFAULT NULL work properly (Tom Lane)
(8.1.10,8.2.5) Allow the interval data type to accept input consisting only of milliseconds or microseconds (Neil Conway)
(8.1.10,8.2.5) Speed up rtree index insertion (Teodor Sigaev)
(8.1.10,8.2.5,8.0.14,7.4.18) Fix excessive logging of SSL error messages (Tom Lane)
(8.1.10,8.2.5,8.0.14) Fix logging so that log messages are never interleaved when using the syslogger process (Andrew Dunstan)
(8.1.10,8.2.5,8.0.14,7.4.18,7.3.20) Fix crash when log_min_error_statement logging runs out of memory (Tom Lane)
(8.1.10,8.2.5,8.0.14) Fix incorrect handling of some foreign-key corner cases (Tom Lane)
(8.1.10,8.2.5) Prevent REINDEX and CLUSTER from failing due to attempting to process temporary tables of other sessions (Álvaro Herrera)
(8.1.10,8.2.5,8.0.14) Update the time zone database rules, particularly New Zealand's upcoming changes (Tom Lane)
(8.1.10,8.0.14) Windows socket improvements (Magnus Hagander)
(8.1.10,8.2.5,8.0.14) Suppress timezone name (%Z) in log timestamps on Windows because of possible encoding mismatches (Tom Lane)
(8.1.10,8.2.5,8.0.14,7.4.18,7.3.20) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
Release date: 2007-04-23
This release contains a variety of fixes from 8.1.8, including a security fix. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.9,8.2.4,8.0.13,7.4.17,7.3.19) Support explicit placement of the temporary-table schema within search_path, and disable searching it for functions and operators (Tom Lane)
This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, an unprivileged SQL user can use temporary objects to execute code with the privileges of the security-definer function CVE-2007-2138 or CVE-2007-2138). See CREATE FUNCTION for more information.
(8.1.9,8.2.4,8.0.13,7.4.17) /contrib/tsearch2 crash fixes (Teodor Sigaev)
(8.1.9,8.2.4) Require COMMIT PREPARED to be executed in the same database as the transaction was prepared in (Heikki Linnakangas)
(8.1.9,8.2.4,8.0.13,7.4.17,7.3.19) Fix potential-data-corruption bug in how VACUUM FULL handles UPDATE chains (Tom Lane, Pavan Deolasee)
(8.1.9,8.2.4) Planner fixes, including improving outer join and bitmap scan selection logic (Tom Lane)
(8.1.9) Fix PANIC during enlargement of a hash index (bug introduced in 8.1.6) (Tom Lane)
(8.1.9,8.2.4,8.0.13) Fix POSIX-style timezone specs to follow new USA DST rules (Tom Lane)
Release date: 2007-02-07
This release contains one fix from 8.1.7. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.8,8.2.3,8.0.12) Remove overly-restrictive check for type length in constraints and functional indexes (Tom Lane)
Release date: 2007-02-05
This release contains a variety of fixes from 8.1.6, including a security fix. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.7,8.2.2,8.0.11) Remove security vulnerabilities that allowed connected users to read backend memory (Tom Lane)
The vulnerabilities involve suppressing the normal check that a SQL function returns the data type it's declared to, and changing the data type of a table column CVE-2007-0555 or CVE-2007-0555,CVE-2007-0556 or CVE-2007-0556). These errors can easily be exploited to cause a backend crash, and in principle might be used to read database content that the user should not be able to access.
(8.1.7,8.0.11,7.4.16,7.3.18) Fix rare bug wherein btree index page splits could fail due to choosing an infeasible split point (Heikki Linnakangas)
(8.1.7,8.2.2) Improve VACUUM performance for databases with many tables (Tom Lane)
(8.1.7) Fix autovacuum to avoid leaving non-permanent transaction IDs in non-connectable databases (Álvaro Herrera)
This bug affects the 8.1 branch only.
(8.1.7,8.2.2,8.0.11,7.4.16) Fix for rare Assert() crash triggered by UNION (Tom Lane)
(8.1.7,8.2.2,8.0.11,7.4.16,7.3.18) Tighten security of multi-byte character processing for UTF8 sequences over three bytes long (Tom Lane)
(8.1.7,8.2.2) Fix bogus "permission denied" failures occurring on Windows due to attempts to fsync already-deleted files (Magnus Hagander, Tom Lane)
(8.1.7,8.2.2) Fix possible crashes when an already-in-use PL/pgSQL function is updated (Tom Lane)
Release date: 2007-01-08
This release contains a variety of fixes from 8.1.5. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.6,8.0.10,7.4.15) Improve handling of getaddrinfo()
on AIX (Tom Lane)
This fixes a problem with starting the statistics collector, among other things.
(8.1.6) Fix pg_restore to handle a tar-format backup that contains large objects (blobs) with comments (Tom Lane)
(8.1.6,8.2.0,8.0.10,7.4.15) Fix "failed to re-find parent key" errors in VACUUM (Tom Lane)
(8.1.6,8.2.0) Clean out pg_internal.init cache files during server restart (Simon Riggs)
This avoids a hazard that the cache files might contain stale data after PITR recovery.
(8.1.6,8.2.0,8.0.10) Fix race condition for truncation of a large relation across a gigabyte boundary by VACUUM (Tom Lane)
(8.1.6,8.2.0) Fix bug causing needless deadlock errors on row-level locks (Tom Lane)
(8.1.6,8.2.0,8.0.10,7.4.15) Fix bugs affecting multi-gigabyte hash indexes (Tom Lane)
(8.1.6,8.0.10) Fix possible deadlock in Windows signal handling (Teodor Sigaev)
(8.1.6,8.0.10,7.4.15) Fix error when constructing an ARRAY[] made up of multiple empty elements (Tom Lane)
(8.1.6,8.0.10) Fix ecpg memory leak during connection (Michael Meskes)
(8.1.6) Fix for Darwin (OS X) compilation (Tom Lane)
(8.1.6,8.0.10,7.4.15,7.3.17) to_number()
and to_char(numeric)
are now STABLE, not IMMUTABLE, for
new initdb installs (Tom Lane)
This is because lc_numeric can potentially change the output of these functions.
(8.1.6,8.2.1,8.0.10,7.4.15,7.3.17) Improve index usage of regular expressions that use parentheses (Tom Lane)
This improves psql \d performance also.
(8.1.6,8.0.10) Update timezone database
This affects Australian and Canadian daylight-savings rules in particular.
Release date: 2006-10-16
This release contains a variety of fixes from 8.1.4. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.5) Disallow aggregate functions in UPDATE commands, except within sub-SELECTs (Tom Lane)
The behavior of such an aggregate was unpredictable, and in 8.1.X could cause a crash, so it has been disabled. The SQL standard does not allow this either.
(8.1.5,8.0.9,7.4.14) Fix core dump when an untyped literal is taken as ANYARRAY
(8.1.5) Fix core dump in duration logging for extended query protocol when a COMMIT or ROLLBACK is executed
(8.1.5,8.0.9) Fix mishandling of AFTER triggers when query contains a SQL function returning multiple rows (Tom Lane)
(8.1.5,8.0.9) Fix ALTER TABLE ... TYPE to recheck NOT NULL for USING clause (Tom Lane)
(8.1.5,8.0.9,7.4.14) Fix string_to_array()
to handle
overlapping matches for the separator string
For example, string_to_array('123xx456xxx789', 'xx').
(8.1.5) Fix to_timestamp()
for AM/PM formats (Bruce Momjian)
(8.1.5) Fix autovacuum's calculation that decides whether ANALYZE is needed (Álvaro Herrera)
(8.1.5,8.0.9,7.4.14,7.3.16) Fix corner cases in pattern matching for psql's \d commands
(8.1.5,8.0.9,7.4.14,7.3.16) Fix index-corrupting bugs in /contrib/ltree (Teodor Sigaev)
(8.1.5,8.0.9) Numerous robustness fixes in ecpg (Joachim Wieland)
(8.1.5,8.0.9,7.4.14,7.3.16) Fix backslash escaping in /contrib/dbmirror
(8.1.5) Minor fixes in /contrib/dblink and /contrib/tsearch2
(8.1.5) Efficiency improvements in hash tables and bitmap index scans (Tom Lane)
(8.1.5) Fix instability of statistics collection on Windows (Tom Lane, Andrew Dunstan)
(8.1.5) Fix statement_timeout to use the proper units on Win32 (Bruce Momjian)
In previous Win32 8.1.X versions, the delay was off by a factor of 100.
(8.1.5) Fixes for MSVC and Borland C++ compilers (Hiroshi Saito)
(8.1.5,8.0.9) Fixes for AIX and Intel compilers (Tom Lane)
(8.1.5) Fix rare bug in continuous archiving (Tom Lane)
Release date: 2006-05-23
This release contains a variety of fixes from 8.1.3, including patches for extremely serious security issues. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
Full security against the SQL-injection attacks described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314 might require changes in
application code. If you have applications that embed untrustworthy
strings into SQL commands, you should examine them as soon as
possible to ensure that they are using recommended escaping
techniques. In most cases, applications should be using subroutines
provided by libraries or drivers (such as libpq's PQescapeStringConn()
) to perform string escaping,
rather than relying on ad hoc code to
do it.
(8.1.4,8.0.8,7.4.13,7.3.15) Change the server to reject invalidly-encoded multibyte characters in all cases (Tatsuo Ishii, Tom Lane)
While PostgreSQL has been moving in this direction for some time, the checks are now applied uniformly to all encodings and all textual input, and are now always errors not merely warnings. This change defends against SQL-injection attacks of the type described inCVE-2006-2313 or CVE-2006-2313.
(8.1.4,8.0.8,7.4.13,7.3.15) Reject unsafe uses of \' in string literals
As a server-side defense against SQL-injection attacks of the type described inCVE-2006-2314 or CVE-2006-2314, the server now only accepts '' and not \' as a representation of ASCII single quote in SQL string literals. By default, \' is rejected only when client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, GB18030, or UHC), which is the scenario in which SQL injection is possible. A new configuration parameter backslash_quote is available to adjust this behavior when needed. Note that full security againstCVE-2006-2314 or CVE-2006-2314 might require client-side changes; the purpose of backslash_quote is in part to make it obvious that insecure clients are insecure.
(8.1.4,8.0.8,7.4.13) Modify libpq's string-escaping routines to be aware of encoding considerations and standard_conforming_strings
This fixes libpq-using
applications for the security issues described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314, and also future-proofs them against the planned
changeover to SQL-standard string literal syntax. Applications that
use multiple PostgreSQL
connections concurrently should migrate to PQescapeStringConn()
and PQescapeByteaConn()
to ensure that escaping is
done correctly for the settings in use in each database connection.
Applications that do string escaping "by
hand" should be modified to rely on library routines
instead.
(8.1.4) Fix weak key selection in pgcrypto (Marko Kreen)
Errors in fortuna PRNG reseeding logic could cause a predictable
session key to be selected by pgp_sym_encrypt()
in some cases. This only
affects non-OpenSSL-using builds.
(8.1.4) Fix some incorrect encoding conversion functions
win1251_to_iso
, win866_to_iso
, euc_tw_to_big5
, euc_tw_to_mic
, mic_to_euc_tw
were all broken to varying
extents.
(8.1.4,8.0.8,7.4.13,7.3.15) Clean up stray remaining uses of \' in strings (Bruce Momjian, Jan Wieck)
(8.1.4) Make autovacuum visible in pg_stat_activity (Álvaro Herrera)
(8.1.4) Disable full_page_writes (Tom Lane)
In certain cases, having full_page_writes off would cause crash recovery to fail. A proper fix will appear in 8.2; for now it's just disabled.
(8.1.4) Various planner fixes, particularly for bitmap index scans and MIN/MAX optimization (Tom Lane)
(8.1.4) Fix incorrect optimization in merge join (Tom Lane)
Outer joins could sometimes emit multiple copies of unmatched rows.
(8.1.4) Fix crash from using and modifying a plpgsql function in the same transaction
(8.1.4) Fix WAL replay for case where a B-Tree index has been truncated
(8.1.4,8.0.8,7.4.13) Fix SIMILAR TO for patterns involving | (Tom Lane)
(8.1.4,8.0.8) Fix SELECT INTO and CREATE TABLE AS to create tables in the default tablespace, not the base directory (Kris Jurka)
(8.1.4,8.0.8,7.4.13,7.3.15) Fix server to use custom DH SSL parameters correctly (Michael Fuhr)
(8.1.4) Improve qsort performance (Dann Corbit)
Currently this code is only used on Solaris.
(8.1.4) Fix for OS/X Bonjour on x86 systems (Ashley Clark C. Evans)
(8.1.4,8.0.8,7.4.13,7.3.15) Fix various minor memory leaks
(8.1.4,8.0.8) Fix problem with password prompting on some Win32 systems (Robert Kinberg)
(8.1.4) Improve pg_dump's handling of default values for domains
(8.1.4) Fix pg_dumpall to handle identically-named users and groups reasonably (only possible when dumping from a pre-8.1 server) (Tom Lane)
The user and group will be merged into a single role with LOGIN permission. Formerly the merged role wouldn't have LOGIN permission, making it unusable as a user.
(8.1.4) Fix pg_restore -n to work as documented (Tom Lane)
Release date: 2006-02-14
This release contains a variety of fixes from 8.1.2, including one very serious security issue. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Version 8.1.2.
(8.1.3) Fix bug that allowed any logged-in user to SET ROLE to any other database user id CVE-2006-0553 or CVE-2006-0553)
Due to inadequate validity checking, a user could exploit the special case that SET ROLE normally uses to restore the previous role setting after an error. This allowed ordinary users to acquire superuser status, for example. The escalation-of-privilege risk exists only in 8.1.0-8.1.2. However, in all releases back to 7.3 there is a related bug in SET SESSION AUTHORIZATION that allows unprivileged users to crash the server, if it has been compiled with Asserts enabled (which is not the default). Thanks to Akio Ishida for reporting this problem.
(8.1.3,8.0.7) Fix bug with row visibility logic in self-inserted rows (Tom Lane)
Under rare circumstances a row inserted by the current command could be seen as already valid, when it should not be. Repairs bug created in 8.0.4, 7.4.9, and 7.3.11 releases.
(8.1.3,8.0.7) Fix race condition that could lead to "file already exists" errors during pg_clog and pg_subtrans file creation (Tom Lane)
(8.1.3,8.0.7) Fix cases that could lead to crashes if a cache-invalidation message arrives at just the wrong time (Tom Lane)
(8.1.3,8.0.7,7.4.12) Properly check DOMAIN constraints for UNKNOWN parameters in prepared statements (Neil Conway)
(8.1.3,8.0.7) Ensure ALTER COLUMN TYPE will process FOREIGN KEY, UNIQUE, and PRIMARY KEY constraints in the proper order (Nakano Yoshihisa)
(8.1.3,8.0.7) Fixes to allow restoring dumps that have cross-schema references to custom operators or operator classes (Tom Lane)
(8.1.3,8.0.7) Allow pg_restore to continue properly after a COPY failure; formerly it tried to treat the remaining COPY data as SQL commands (Stephen Frost)
(8.1.3,8.0.7) Fix pg_ctl unregister crash when the data directory is not specified (Magnus Hagander)
(8.1.3) Fix libpq PQprint
HTML tags (Christoph Zwerschke)
(8.1.3,8.0.7) Fix ecpg crash on AMD64 and PPC (Neil Conway)
(8.1.3) Allow SETOF and %TYPE to be used together in function result type declarations
(8.1.3,8.0.7) Recover properly if error occurs during argument passing in PL/python (Neil Conway)
(8.1.3) Fix memory leak in plperl_return_next
(Neil Conway)
(8.1.3,8.0.7) Fix PL/perl's handling of locales on Win32 to match the backend (Andrew Dunstan)
(8.1.3) Various optimizer fixes (Tom Lane)
(8.1.3,8.0.7) Fix crash when log_min_messages is set to DEBUG3 or above in postgresql.conf on Win32 (Bruce Momjian)
(8.1.3,8.0.7) Fix pgxs -L library path specification for Win32, Cygwin, OS X, AIX (Bruce Momjian)
(8.1.3,8.0.7) Check that SID is enabled while checking for Win32 admin privileges (Magnus Hagander)
(8.1.3,8.0.7) Properly reject out-of-range date inputs (Kris Jurka)
(8.1.3,8.0.7,7.4.12,7.3.14) Portability fix for testing presence of finite
and isinf
during configure (Tom Lane)
(8.1.3) Improve speed of COPY IN via libpq, by avoiding a kernel call per data line (Alon Goldshuv)
(8.1.3) Improve speed of /contrib/tsearch2 index creation (Tom Lane)
Release date: 2006-01-09
This release contains a variety of fixes from 8.1.1. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X. However, you might need to REINDEX indexes on textual columns after updating, if you are affected by the locale or plperl issues described below.
(8.1.2,8.0.6) Fix Windows code so that postmaster will continue rather than exit if there is no more room in ShmemBackendArray (Magnus Hagander)
The previous behavior could lead to a denial-of-service situation if too many connection requests arrive close together. This applies only to the Windows port.
(8.1.2,8.0.6) Fix bug introduced in 8.0 that could allow ReadBuffer to return an already-used page as new, potentially causing loss of recently-committed data (Tom Lane)
(8.1.2,8.0.6,7.4.11) Fix for protocol-level Describe messages issued outside a transaction or in a failed transaction (Tom Lane)
(8.1.2,8.0.6,7.4.11,7.3.13) Fix character string comparison for locales that consider different character combinations as equal, such as Hungarian (Tom Lane)
This might require REINDEX to fix existing indexes on textual columns.
(8.1.2,8.0.6,7.4.11,7.3.13) Set locale environment variables during postmaster startup to ensure that plperl won't change the locale later
This fixes a problem that occurred if the postmaster was started with environment variables specifying a different locale than what initdb had been told. Under these conditions, any use of plperl was likely to lead to corrupt indexes. You might need REINDEX to fix existing indexes on textual columns if this has happened to you.
(8.1.2,8.0.6) Allow more flexible relocation of installation directories (Tom Lane)
Previous releases supported relocation only if all installation directory paths were the same except for the last component.
(8.1.2) Prevent crashes caused by the use of ISO-8859-5 and ISO-8859-9 encodings (Tatsuo Ishii)
(8.1.2,8.0.6,7.4.11,7.3.13) Fix longstanding bug in strpos() and regular expression handling in certain rarely used Asian multi-byte character sets (Tatsuo Ishii)
(8.1.2) Fix bug where COPY CSV mode considered any \. to terminate the copy data
The new code requires \. to appear alone on a line, as per documentation.
(8.1.2) Make COPY CSV mode quote a literal data value of \. to ensure it cannot be interpreted as the end-of-data marker (Bruce Momjian)
(8.1.2,8.0.6) Various fixes for functions returning RECORDs (Tom Lane)
(8.1.2) Fix processing of postgresql.conf so a final line with no newline is processed properly (Tom Lane)
(8.1.2,8.0.6,7.4.11,7.3.13) Fix bug in /contrib/pgcrypto gen_salt, which caused it not to use all available salt space for MD5 and XDES algorithms (Marko Kreen, Solar Designer)
Salts for Blowfish and standard DES are unaffected.
(8.1.2) Fix autovacuum crash when processing expression indexes
(8.1.2,8.0.6,7.4.11,7.3.13) Fix /contrib/dblink to throw an error, rather than crashing, when the number of columns specified is different from what's actually returned by the query (Joe Conway)
Release date: 2005-12-12
This release contains a variety of fixes from 8.1.0. For information about new features in the 8.1 major release, see Version 8.1.0.
A dump/restore is not required for those running 8.1.X.
(8.1.1) Fix incorrect optimizations of outer-join conditions (Tom Lane)
(8.1.1) Fix problems with wrong reported column names in cases involving sub-selects flattened by the optimizer (Tom Lane)
(8.1.1) Fix update failures in scenarios involving CHECK constraints, toasted columns, and indexes (Tom Lane)
(8.1.1,8.0.5) Fix bgwriter problems after recovering from errors (Tom Lane)
The background writer was found to leak buffer pins after write errors. While not fatal in itself, this might lead to mysterious blockages of later VACUUM commands.
(8.1.1,8.0.5,7.4.10) Prevent failure if client sends Bind protocol message when current transaction is already aborted
(8.1.1) /contrib/tsearch2 and /contrib/ltree fixes (Teodor Sigaev)
(8.1.1) Fix problems with translated error messages in languages that require word reordering, such as Turkish; also problems with unexpected truncation of output strings and wrong display of the smallest possible bigint value (Andrew Dunstan, Tom Lane)
These problems only appeared on platforms that were using our port/snprintf.c code, which includes BSD variants if --enable-nls was given, and perhaps others. In addition, a different form of the translated-error-message problem could appear on Windows depending on which version of libintl was used.
(8.1.1) Re-allow AM/PM, HH, HH12, and D format
specifiers for to_char(time)
and
to_char(interval)
. (to_char(interval)
should probably use HH24.) (Bruce Momjian)
(8.1.1) AIX, HPUX, and MSVC compile fixes (Tom Lane, Hiroshi Saito)
(8.1.1,7.2.1,7.2.0) Optimizer improvements (Tom Lane)
(8.1.1,8.0.5) Retry file reads and writes after Windows NO_SYSTEM_RESOURCES error (Qingqing Zhou)
(8.1.1) Prevent autovacuum from crashing during ANALYZE of expression index (Álvaro Herrera)
(8.1.1) Fix problems with ON COMMIT DELETE ROWS temp tables
(8.1.1) Fix problems when a trigger alters the output of a SELECT DISTINCT query
(8.1.1) Add 8.1.0 release note item on how to migrate invalid UTF-8 byte sequences (Paul Lindner)
Release date: 2005-11-08
Major changes in this release:
Access to the shared buffer cache was identified as a significant scalability problem, particularly on multi-CPU systems. In this release, the way that locking is done in the buffer manager has been overhauled to reduce lock contention and improve scalability. The buffer manager has also been changed to use a "clock sweep" replacement policy.
In previous releases, only a single index could be used to do lookups on a table. With this feature, if a query has WHERE tab.col1 = 4 and tab.col2 = 9, and there is no multicolumn index on col1 and col2, but there is an index on col1 and another on col2, it is possible to search both indexes and combine the results in memory, then do heap fetches for only the rows matching both the col1 and col2 restrictions. This is very useful in environments that have a lot of unstructured queries where it is impossible to create indexes that match all possible access conditions. Bitmap scans are useful even with a single index, as they reduce the amount of random access needed; a bitmap index scan is efficient for retrieving fairly large fractions of the complete table, whereas plain index scans are not.
Two-phase commit allows transactions to be "prepared" on several computers, and once all computers have successfully prepared their transactions (none failed), all transactions can be committed. Even if a machine crashes after a prepare, the prepared transaction can be committed after the machine is restarted. New syntax includes PREPARE TRANSACTION and COMMIT/ROLLBACK PREPARED. A new system view pg_prepared_xacts has also been added.
Roles are a combination of users and groups. Like users, they can have login capability, and like groups, a role can have other roles as members. Roles basically remove the distinction between users and groups. For example, a role can:
(8.1.0) Have login capability (optionally)
(8.1.0) Own objects
(8.1.0) Hold access permissions for database objects
(8.1.0) Inherit permissions from other roles it is a member of
Once a user logs into a role, she obtains capabilities of the login role plus any inherited roles, and can use SET ROLE to switch to other roles she is a member of. This feature is a generalization of the SQL standard's concept of roles. This change also replaces pg_shadow and pg_group by new role-capable catalogs pg_authid and pg_auth_members. The old tables are redefined as read-only views on the new role tables.
MIN()
and MAX()
(Tom Lane)In previous releases, the only way to use an index for
MIN()
or MAX()
was to rewrite the query as SELECT col FROM tab ORDER BY col LIMIT 1. Index
usage now happens automatically.
Integrating autovacuum into the server allows it to be automatically started and stopped in sync with the database server, and allows autovacuum to be configured from postgresql.conf.
While PostgreSQL's MVCC locking allows SELECT to never be blocked by writers and therefore does not need shared row locks for typical operations, shared locks are useful for applications that require shared row locking. In particular this reduces the locking requirements imposed by referential integrity checks.
This extension of the dependency mechanism prevents roles from being dropped while there are still database objects they own. Formerly it was possible to accidentally "orphan" objects by deleting their owner. While this could be recovered from, it was messy and unpleasant.
The new constraint_exclusion configuration parameter avoids lookups on child tables where constraints indicate that no matching rows exist in the child table.
This allows for a basic type of table partitioning. If child tables store separate key ranges and this is enforced using appropriate CHECK constraints, the optimizer will skip child table accesses when the constraint guarantees no matching rows exist in the child table.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
The 8.0 release announced that the to_char()
function for intervals would be removed
in 8.1. However, since no better API has been suggested,
to_char(interval)
has been enhanced
in 8.1 and will remain in the server.
Observe the following incompatibilities:
(8.1.0) add_missing_from is now false by default (Neil Conway)
By default, we now generate an error if a table is used in a query without a FROM reference. The old behavior is still available, but the parameter must be set to 'true' to obtain it.
It might be necessary to set add_missing_from to true in order to load an existing dump file, if the dump contains any views or rules created using the implicit-FROM syntax. This should be a one-time annoyance, because PostgreSQL 8.1 will convert such views and rules to standard explicit-FROM syntax. Subsequent dumps will therefore not have the problem.
(8.1.0) Cause input of a zero-length string ('') for float4/float8/oid to throw an error, rather than treating it as a zero (Neil Conway)
This change is consistent with the current handling of zero-length strings for integers. The schedule for this change was announced in 8.0.
(8.1.0) default_with_oids is now false by default (Neil Conway)
With this option set to false, user-created tables no longer have an OID column unless WITH OIDS is specified in CREATE TABLE. Though OIDs have existed in all releases of PostgreSQL, their use is limited because they are only four bytes long and the counter is shared across all installed databases. The preferred way of uniquely identifying rows is via sequences and the SERIAL type, which have been supported since PostgreSQL 6.4.
(8.1.0) Add E'' syntax so eventually ordinary strings can treat backslashes literally (Bruce Momjian)
Currently PostgreSQL processes a backslash in a string literal as introducing a special escape sequence, e.g. \n or \010. While this allows easy entry of special values, it is nonstandard and makes porting of applications from other databases more difficult. For this reason, the PostgreSQL project is planning to remove the special meaning of backslashes in strings. For backward compatibility and for users who want special backslash processing, a new string syntax has been created. This new string syntax is formed by writing an E immediately preceding the single quote that starts the string, e.g. E'hi\n'. While this release does not change the handling of backslashes in strings, it does add new configuration parameters to help users migrate applications for future releases:
standard_conforming_strings — does this release treat backslashes literally in ordinary strings?
(8.1.0) escape_string_warning — warn about backslashes in ordinary (non-E) strings
The standard_conforming_strings value is read-only. Applications can retrieve the value to know how backslashes are processed. (Presence of the parameter can also be taken as an indication that E'' string syntax is supported.) In a future release, standard_conforming_strings will be true, meaning backslashes will be treated literally in non-E strings. To prepare for this change, use E'' strings in places that need special backslash processing, and turn on escape_string_warning to find additional strings that need to be converted to use E''. Also, use two single-quotes ('') to embed a literal single-quote in a string, rather than the PostgreSQL-supported syntax of backslash single-quote (\'). The former is standards-conforming and does not require the use of the E'' string syntax. You can also use the $$ string syntax, which does not treat backslashes specially.
(8.1.0) Make REINDEX DATABASE reindex all indexes in the database (Tom Lane)
Formerly, REINDEX DATABASE reindexed only system tables. This new behavior seems more intuitive. A new command REINDEX SYSTEM provides the old functionality of reindexing just the system tables.
(8.1.0) Read-only large object descriptors now obey MVCC snapshot semantics
When a large object is opened with INV_READ (and not INV_WRITE), the data read from the descriptor will
now reflect a "snapshot" of the large
object's state at the time of the transaction snapshot in use by
the query that called lo_open()
. To
obtain the old behavior of always returning the latest committed
data, include INV_WRITE in the mode flags
for lo_open()
.
(8.1.0) Add proper dependencies for arguments of sequence functions (Tom Lane)
In previous releases, sequence names passed to nextval()
, currval()
, and setval()
were stored as simple text strings,
meaning that renaming or dropping a sequence used in a DEFAULT clause made the clause invalid. This release
stores all newly-created sequence function arguments as internal
OIDs, allowing them to track sequence renaming, and adding
dependency information that prevents improper sequence removal. It
also makes such DEFAULT clauses immune to
schema renaming and search path changes.
Some applications might rely on the old behavior of run-time lookup for sequence names. This can still be done by explicitly casting the argument to text, for example nextval('myseq'::text).
Pre-8.1 database dumps loaded into 8.1 will use the old text-based representation and therefore will not have the features of OID-stored arguments. However, it is possible to update a database containing text-based DEFAULT clauses. First, save this query into a file, such as fixseq.sql:
SELECT 'ALTER TABLE ' || pg_catalog.quote_ident(n.nspname) || '.' || pg_catalog.quote_ident(c.relname) || ' ALTER COLUMN ' || pg_catalog.quote_ident(a.attname) || ' SET DEFAULT ' || regexp_replace(d.adsrc, $$val\(\(('[^']*')::text\)::regclass$$, $$val(\1$$, 'g') || ';' FROM pg_namespace n, pg_class c, pg_attribute a, pg_attrdef d WHERE n.oid = c.relnamespace AND c.oid = a.attrelid AND a.attrelid = d.adrelid AND a.attnum = d.adnum AND d.adsrc ~ $$val\(\('[^']*'::text\)::regclass$$;
Next, run the query against a database to find what adjustments are required, like this for database db1:
psql -t -f fixseq.sql db1
This will show the ALTER TABLE commands needed to convert the database to the newer OID-based representation. If the commands look reasonable, run this to update the database:
psql -t -f fixseq.sql db1 | psql -e db1
This process must be repeated in each database to be updated.
(8.1.0) In psql, treat unquoted \{digit}+ sequences as octal (Bruce Momjian)
In previous releases, \{digit}+ sequences were treated as decimal, and only \0{digit}+ were treated as octal. This change was made for consistency.
(8.1.0) Remove grammar productions for prefix and postfix % and ^ operators (Tom Lane)
These have never been documented and complicated the use of the modulus operator (%) with negative numbers.
(8.1.0) Make &< and &> for polygons consistent with the box "over" operators (Tom Lane)
(8.1.0) CREATE LANGUAGE can ignore the provided arguments in favor of information from pg_pltemplate (Tom Lane)
A new system catalog pg_pltemplate has been defined to carry information about the preferred definitions of procedural languages (such as whether they have validator functions). When an entry exists in this catalog for the language being created, CREATE LANGUAGE will ignore all its parameters except the language name and instead use the catalog information. This measure was taken because of increasing problems with obsolete language definitions being loaded by old dump files. As of 8.1, pg_dump will dump procedural language definitions as just CREATE LANGUAGE name, relying on a template entry to exist at load time. We expect this will be a more future-proof representation.
(8.1.0) Make pg_cancel_backend(int)
return
a boolean rather than an integer (Neil Conway)
(8.1.0) Some users are having problems loading UTF-8 data into 8.1.X. This is because previous versions allowed invalid UTF-8 byte sequences to be entered into the database, and this release properly accepts only valid UTF-8 sequences. One way to correct a dumpfile is to run the command iconv -c -f UTF-8 -t UTF-8 -o cleanfile.sql dumpfile.sql. The -c option removes invalid character sequences. A diff of the two files will show the sequences that are invalid. iconv reads the entire input file into memory so it might be necessary to use split to break up the dump into multiple smaller files for processing.
Below you will find a detailed account of the additional changes between PostgreSQL 8.1 and the previous major release.
(8.1.0) Improve GiST and R-tree index performance (Neil Conway)
(8.1.0) Improve the optimizer, including auto-resizing of hash joins (Tom Lane)
(8.1.0) Overhaul internal API in several areas
(8.1.0) Change WAL record CRCs from 64-bit to 32-bit (Tom Lane)
We determined that the extra cost of computing 64-bit CRCs was significant, and the gain in reliability too marginal to justify it.
(8.1.0) Prevent writing large empty gaps in WAL pages (Tom Lane)
(8.1.0) Improve spinlock behavior on SMP machines, particularly Opterons (Tom Lane)
(8.1.0) Allow nonconsecutive index columns to be used in a multicolumn index (Tom Lane)
For example, this allows an index on columns a,b,c to be used in a query with WHERE a = 4 and c = 10.
(8.1.0) Skip WAL logging for CREATE TABLE AS / SELECT INTO (Simon Riggs)
Since a crash during CREATE TABLE AS would cause the table to be dropped during recovery, there is no reason to WAL log as the table is loaded. (Logging still happens if WAL archiving is enabled, however.)
(8.1.0) Allow concurrent GiST index access (Teodor Sigaev, Oleg Bartunov)
(8.1.0) Add configuration parameter full_page_writes to control writing full pages to WAL (Bruce Momjian)
To prevent partial disk writes from corrupting the database, PostgreSQL writes a complete copy of each database disk page to WAL the first time it is modified after a checkpoint. This option turns off that functionality for more speed. This is safe to use with battery-backed disk caches where partial page writes cannot happen.
(8.1.0) Use O_DIRECT if available when using O_SYNC for wal_sync_method (Itagaki Takahiro)
O_DIRECT causes disk writes to bypass the kernel cache, and for WAL writes, this improves performance.
(8.1.0) Improve COPY FROM performance (Alon Goldshuv)
This was accomplished by reading COPY input in larger chunks, rather than character by character.
(8.1.0) Improve the performance of COUNT()
, SUM
,
AVG()
, STDDEV()
, and VARIANCE()
(Neil Conway, Tom Lane)
(8.1.0) Prevent problems due to transaction ID (XID) wraparound (Tom Lane)
The server will now warn when the transaction counter approaches the wraparound point. If the counter becomes too close to wraparound, the server will stop accepting queries. This ensures that data is not lost before needed vacuuming is performed.
(8.1.0) Fix problems with object IDs (OIDs) conflicting with existing system objects after the OID counter has wrapped around (Tom Lane)
(8.1.0) Add warning about the need to increase max_fsm_relations and max_fsm_pages during VACUUM (Ron Mayer)
(8.1.0) Add temp_buffers configuration parameter to allow users to determine the size of the local buffer area for temporary table access (Tom Lane)
(8.1.0) Add session start time and client IP address to pg_stat_activity (Magnus Hagander)
(8.1.0) Adjust pg_stat views for bitmap scans (Tom Lane)
The meanings of some of the fields have changed slightly.
(8.1.0) Enhance pg_locks view (Tom Lane)
(8.1.0) Log queries for client-side PREPARE and EXECUTE (Simon Riggs)
(8.1.0) Allow Kerberos name and user name case sensitivity to be specified in postgresql.conf (Magnus Hagander)
(8.1.0) Add configuration parameter krb_server_hostname so that the server host name can be specified as part of service principal (Todd Kover)
If not set, any service principal matching an entry in the keytab can be used. This is new Kerberos matching behavior in this release.
(8.1.0) Add log_line_prefix options for millisecond timestamps (%m) and remote host (%h) (Ed L.)
(8.1.0) Add WAL logging for GiST indexes (Teodor Sigaev, Oleg Bartunov)
GiST indexes are now safe for crash and point-in-time recovery.
(8.1.0) Remove old *.backup files when we do
pg_stop_backup()
(Bruce Momjian)
This prevents a large number of *.backup files from existing in pg_xlog/.
(8.1.0) Add configuration parameters to control TCP/IP keep-alive times for idle, interval, and count (Oliver Jowett)
These values can be changed to allow more rapid detection of lost client connections.
(8.1.0) Add per-user and per-database connection limits (Petr Jelinek)
Using ALTER USER and ALTER DATABASE, limits can now be enforced on the maximum number of sessions that can concurrently connect as a specific user or to a specific database. Setting the limit to zero disables user or database connections.
(8.1.0) Allow more than two gigabytes of shared memory and per-backend work memory on 64-bit machines (Koichi Suzuki)
(8.1.0) New system catalog pg_pltemplate allows overriding obsolete procedural-language definitions in dump files (Tom Lane)
(8.1.0) Add temporary views (Koju Iijima, Neil Conway)
(8.1.0) Fix HAVING without any aggregate functions or GROUP BY so that the query returns a single group (Tom Lane)
Previously, such a case would treat the HAVING clause the same as a WHERE clause. This was not per spec.
(8.1.0) Add USING clause to allow additional tables to be specified to DELETE (Euler Taveira de Oliveira, Neil Conway)
In prior releases, there was no clear method for specifying additional tables to be used for joins in a DELETE statement. UPDATE already has a FROM clause for this purpose.
(8.1.0) Add support for \x hex escapes in backend and ecpg strings (Bruce Momjian)
This is just like the standard C \x escape syntax. Octal escapes were already supported.
(8.1.0) Add BETWEEN SYMMETRIC query syntax (Pavel Stehule)
This feature allows BETWEEN comparisons without requiring the first value to be less than the second. For example, 2 BETWEEN [ASYMMETRIC] 3 AND 1 returns false, while 2 BETWEEN SYMMETRIC 3 AND 1 returns true. BETWEEN ASYMMETRIC was already supported.
(8.1.0) Add NOWAIT option to SELECT ... FOR UPDATE/SHARE (Hans-Jürgen Schoenig)
While the statement_timeout configuration parameter allows a query taking more than a certain amount of time to be canceled, the NOWAIT option allows a query to be canceled as soon as a SELECT ... FOR UPDATE/SHARE command cannot immediately acquire a row lock.
(8.1.0) Track dependencies of shared objects (Álvaro Herrera)
PostgreSQL allows global tables (users, databases, tablespaces) to reference information in multiple databases. This addition adds dependency information for global tables, so, for example, user ownership can be tracked across databases, so a user who owns something in any database can no longer be removed. Dependency tracking already existed for database-local objects.
(8.1.0) Allow limited ALTER OWNER commands to be performed by the object owner (Stephen Frost)
Prior releases allowed only superusers to change object owners. Now, ownership can be transferred if the user executing the command owns the object and would be able to create it as the new owner (that is, the user is a member of the new owning role and that role has the CREATE permission that would be needed to create the object afresh).
(8.1.0) Add ALTER object SET SCHEMA capability for some object types (tables, functions, types) (Bernd Helmle)
This allows objects to be moved to different schemas.
(8.1.0) Add ALTER TABLE ENABLE/DISABLE TRIGGER to disable triggers (Satoshi Nagayasu)
(8.1.0) Allow TRUNCATE to truncate multiple tables in a single command (Álvaro Herrera)
Because of referential integrity checks, it is not allowed to truncate a table that is part of a referential integrity constraint. Using this new functionality, TRUNCATE can be used to truncate such tables, if both tables involved in a referential integrity constraint are truncated in a single TRUNCATE command.
(8.1.0) Properly process carriage returns and line feeds in COPY CSV mode (Andrew Dunstan)
In release 8.0, carriage returns and line feeds in CSV COPY TO were processed in an inconsistent manner. (This was documented on the TODO list.)
(8.1.0) Add COPY WITH CSV HEADER to allow a header line as the first line in COPY (Andrew Dunstan)
This allows handling of the common CSV usage of placing the column names on the first line of the data file. For COPY TO, the first line contains the column names, and for COPY FROM, the first line is ignored.
(8.1.0) On Windows, display better sub-second precision in EXPLAIN ANALYZE (Magnus Hagander)
(8.1.0) Add trigger duration display to EXPLAIN ANALYZE (Tom Lane)
Prior releases included trigger execution time as part of the total execution time, but did not show it separately. It is now possible to see how much time is spent in each trigger.
(8.1.0) Add support for \x hex escapes in COPY (Sergey Ten)
Previous releases only supported octal escapes.
(8.1.0) Make SHOW ALL include variable descriptions (Matthias Schmidt)
SHOW varname still only displays the variable's value and does not include the description.
(8.1.0) Make initdb create a new standard database called postgres, and convert utilities to use postgres rather than template1 for standard lookups (Dave Cramer)
In prior releases, template1 was used both as a default connection for utilities like createuser, and as a template for new databases. This caused CREATE DATABASE to sometimes fail, because a new database cannot be created if anyone else is in the template database. With this change, the default connection database is now postgres, meaning it is much less likely someone will be using template1 during CREATE DATABASE.
(8.1.0) Create new reindexdb command-line utility by moving /contrib/reindexdb into the server (Euler Taveira de Oliveira)
(8.1.0) Add MAX()
and MIN()
aggregates for array types (Koju
Iijima)
(8.1.0) Fix to_date()
and to_timestamp()
to behave reasonably when
CC and YY fields
are both used (Karel Zak)
If the format specification contains CC and a year specification is YYY or longer, ignore the CC. If the year specification is YY or shorter, interpret CC as the previous century.
(8.1.0) Add md5(bytea)
(Abhijit
Menon-Sen)
md5(text)
already existed.
(8.1.0) Add support for numeric ^ numeric based
on power(numeric, numeric)
The function already existed, but there was no operator assigned to it.
(8.1.0) Fix NUMERIC modulus by properly truncating the quotient during computation (Bruce Momjian)
In previous releases, modulus for large values sometimes returned negative results due to rounding of the quotient.
(8.1.0) Add a function lastval()
(Dennis
Björklund)
lastval()
is a simplified version
of currval()
. It automatically
determines the proper sequence name based on the most recent
nextval()
or setval()
call performed by the current
session.
(8.1.0) Add to_timestamp (DOUBLE PRECISION)
(Michael Glaesemann)
Converts Unix seconds since 1970 to a TIMESTAMP WITH TIMEZONE.
(8.1.0) Add pg_postmaster_start_time()
function (Euler Taveira de Oliveira, Matthias Schmidt)
(8.1.0) Allow the full use of time zone names in AT TIME ZONE, not just the short list previously available (Magnus Hagander)
Previously, only a predefined list of time zone names were supported by AT TIME ZONE. Now any supported time zone name can be used, e.g.:
SELECT CURRENT_TIMESTAMP AT TIME ZONE 'Europe/London';
In the above query, the time zone used is adjusted based on the daylight saving time rules that were in effect on the supplied date.
(8.1.0) Add GREATEST()
and LEAST()
variadic functions (Pavel Stehule)
These functions take a variable number of arguments and return the greatest or least value among the arguments.
(8.1.0) Add pg_column_size()
(Mark
Kirkwood)
This returns storage size of a column, which might be compressed.
(8.1.0) Add regexp_replace()
(Atsushi
Ogawa)
This allows regular expression replacement, like sed. An optional flag argument allows selection of global (replace all) and case-insensitive modes.
(8.1.0) Fix interval division and multiplication (Bruce Momjian)
Previous versions sometimes returned unjustified results, like '4 months'::interval / 5 returning '1 mon -6 days'.
(8.1.0) Fix roundoff behavior in timestamp, time, and interval output (Tom Lane)
This fixes some cases in which the seconds field would be shown as 60 instead of incrementing the higher-order fields.
(8.1.0) Add a separate day field to type interval so a one day interval can be distinguished from a 24 hour interval (Michael Glaesemann)
Days that contain a daylight saving time adjustment are not 24 hours long, but typically 23 or 25 hours. This change creates a conceptual distinction between intervals of "so many days" and intervals of "so many hours". Adding 1 day to a timestamp now gives the same local time on the next day even if a daylight saving time adjustment occurs between, whereas adding 24 hours will give a different local time when this happens. For example, under US DST rules:
'2005-04-03 00:00:00-05' + '1 day' = '2005-04-04 00:00:00-04' '2005-04-03 00:00:00-05' + '24 hours' = '2005-04-04 01:00:00-04'
(8.1.0) Add justify_days()
and
justify_hours()
(Michael
Glaesemann)
These functions, respectively, adjust days to an appropriate number of full months and days, and adjust hours to an appropriate number of full days and hours.
(8.1.0) Move /contrib/dbsize into the backend, and rename some of the functions (Dave Page, Andreas Pflug)
pg_tablespace_size()
(8.1.0) pg_database_size()
(8.1.0) pg_relation_size()
(8.1.0) pg_total_relation_size()
(8.1.0) pg_size_pretty()
pg_total_relation_size()
includes
indexes and TOAST tables.
(8.1.0) Add functions for read-only file access to the cluster directory (Dave Page, Andreas Pflug)
pg_stat_file()
(8.1.0) pg_read_file()
(8.1.0) pg_ls_dir()
(8.1.0) Add pg_reload_conf()
to force
reloading of the configuration files (Dave Page, Andreas Pflug)
(8.1.0) Add pg_rotate_logfile()
to force
rotation of the server log file (Dave Page, Andreas Pflug)
(8.1.0) Change pg_stat_* views to include TOAST tables (Tom Lane)
(8.1.0) Rename some encodings to be more consistent and to follow international standards (Bruce Momjian)
UNICODE is now UTF8
(8.1.0) ALT is now WIN866
(8.1.0) WIN is now WIN1251
(8.1.0) TCVN is now WIN1258
The original names still work.
(8.1.0) Add support for WIN1252 encoding (Roland Volkmann)
(8.1.0) Add support for four-byte UTF8 characters (John Hansen)
Previously only one, two, and three-byte UTF8 characters were supported. This is particularly important for support for some Chinese character sets.
(8.1.0) Allow direct conversion between EUC_JP and SJIS to improve performance (Atsushi Ogawa)
(8.1.0) Allow the UTF8 encoding to work on Windows (Magnus Hagander)
This is done by mapping UTF8 to the Windows-native UTF16 implementation.
(8.1.0) Fix ALTER LANGUAGE RENAME (Sergey Yatskevich)
(8.1.0) Allow function characteristics, like strictness and volatility, to be modified via ALTER FUNCTION (Neil Conway)
(8.1.0) Increase the maximum number of function arguments to 100 (Tom Lane)
(8.1.0) Allow SQL and PL/pgSQL functions to use OUT and INOUT parameters (Tom Lane)
OUT is an alternate way for a function to return values. Instead of using RETURN, values can be returned by assigning to parameters declared as OUT or INOUT. This is notationally simpler in some cases, particularly so when multiple values need to be returned. While returning multiple values from a function was possible in previous releases, this greatly simplifies the process. (The feature will be extended to other server-side languages in future releases.)
(8.1.0) Move language handler functions into the pg_catalog schema
This makes it easier to drop the public schema if desired.
(8.1.0) Add SPI_getnspname()
to SPI
(Neil Conway)
(8.1.0) Overhaul the memory management of PL/pgSQL functions (Neil Conway)
The parsetree of each function is now stored in a separate memory context. This allows this memory to be easily reclaimed when it is no longer needed.
(8.1.0) Check function syntax at CREATE FUNCTION time, rather than at runtime (Neil Conway)
Previously, most syntax errors were reported only when the function was executed.
(8.1.0) Allow OPEN to open non-SELECT queries like EXPLAIN and SHOW (Tom Lane)
(8.1.0) No longer require functions to issue a RETURN statement (Tom Lane)
This is a byproduct of the newly added OUT and INOUT functionality. RETURN can be omitted when it is not needed to provide the function's return value.
(8.1.0) Add support for an optional INTO clause to PL/pgSQL's EXECUTE statement (Pavel Stehule, Neil Conway)
(8.1.0) Make CREATE TABLE AS set ROW_COUNT (Tom Lane)
(8.1.0) Define SQLSTATE and SQLERRM to return the SQLSTATE and error message of the current exception (Pavel Stehule, Neil Conway)
These variables are only defined inside exception blocks.
(8.1.0) Allow the parameters to the RAISE statement to be expressions (Pavel Stehule, Neil Conway)
(8.1.0) Add a loop CONTINUE statement (Pavel Stehule, Neil Conway)
(8.1.0) Allow block and loop labels (Pavel Stehule)
(8.1.0) Allow large result sets to be returned efficiently (Abhijit Menon-Sen)
This allows functions to use return_next()
to avoid building the entire result
set in memory.
(8.1.0) Allow one-row-at-a-time retrieval of query results (Abhijit Menon-Sen)
This allows functions to use spi_query()
and spi_fetchrow()
to avoid accumulating the entire
result set in memory.
(8.1.0) Force PL/Perl to handle strings as UTF8 if the server encoding is UTF8 (David Kamholz)
(8.1.0) Add a validator function for PL/Perl (Andrew Dunstan)
This allows syntax errors to be reported at definition time, rather than execution time.
(8.1.0) Allow PL/Perl to return a Perl array when the function returns an array type (Andrew Dunstan)
This basically maps PostgreSQL arrays to Perl arrays.
(8.1.0) Allow Perl nonfatal warnings to generate NOTICE messages (Andrew Dunstan)
(8.1.0) Allow Perl's strict mode to be enabled (Andrew Dunstan)
(8.1.0) Add \set ON_ERROR_ROLLBACK to allow statements in a transaction to error without affecting the rest of the transaction (Greg Sabino Mullane)
This is basically implemented by wrapping every statement in a sub-transaction.
(8.1.0) Add support for \x hex strings in psql variables (Bruce Momjian)
Octal escapes were already supported.
(8.1.0) Add support for troff -ms output format (Roger Leigh)
(8.1.0) Allow the history file location to be controlled by HISTFILE (Andreas Seltenreich)
This allows configuration of per-database history storage.
(8.1.0) Prevent \x (expanded mode) from affecting the output of \d tablename (Neil Conway)
(8.1.0) Add -L option to psql to log sessions (Lorne Sunley)
This option was added because some operating systems do not have simple command-line activity logging functionality.
(8.1.0) Make \d show the tablespaces of indexes (Qingqing Zhou)
(8.1.0) Allow psql help (\h) to make a best guess on the proper help information (Greg Sabino Mullane)
This allows the user to just add \h to the front of the syntax error query and get help on the supported syntax. Previously any additional query text beyond the command name had to be removed to use \h.
(8.1.0) Add \pset numericlocale to allow numbers to be output in a locale-aware format (Eugen Nedelcu)
For example, using C locale 100000 would be output as 100,000.0 while a European locale might output this value as 100.000,0.
(8.1.0) Make startup banner show both server version number and psql's version number, when they are different (Bruce Momjian)
Also, a warning will be shown if the server and psql are from different major releases.
(8.1.0) Add -n / --schema switch to pg_restore (Richard van den Berg)
This allows just the objects in a specified schema to be restored.
(8.1.0) Allow pg_dump to dump large objects even in text mode (Tom Lane)
With this change, large objects are now always dumped; the former -b switch is a no-op.
(8.1.0) Allow pg_dump to dump a consistent snapshot of large objects (Tom Lane)
(8.1.0) Dump comments for large objects (Tom Lane)
(8.1.0) Add --encoding to pg_dump (Magnus Hagander)
This allows a database to be dumped in an encoding that is different from the server's encoding. This is valuable when transferring the dump to a machine with a different encoding.
(8.1.0) Rely on pg_pltemplate for procedural languages (Tom Lane)
If the call handler for a procedural language is in the pg_catalog schema, pg_dump does not dump the handler. Instead, it dumps the language using just CREATE LANGUAGE name, relying on the pg_pltemplate catalog to provide the language's creation parameters at load time.
(8.1.0) Add a PGPASSFILE environment variable to specify the password file's filename (Andrew Dunstan)
(8.1.0) Add lo_create()
, that is similar
to lo_creat()
but allows the OID of
the large object to be specified (Tom Lane)
(8.1.0) Make libpq consistently return
an error to the client application on malloc()
failure (Neil Conway)
(8.1.0) Fix pgxs to support building against a relocated installation
(8.1.0) Add spinlock support for the Itanium processor using Intel compiler (Vikram Kalsi)
(8.1.0) Add Kerberos 5 support for Windows (Magnus Hagander)
(8.1.0) Add Chinese FAQ (laser@pgsqldb.com)
(8.1.0) Rename Rendezvous to Bonjour to match OS/X feature renaming (Bruce Momjian)
(8.1.0) Add support for fsync_writethrough on Darwin (Chris Campbell)
(8.1.0) Streamline the passing of information within the server, the optimizer, and the lock system (Tom Lane)
(8.1.0) Allow pg_config to be compiled using MSVC (Andrew Dunstan)
This is required to build DBD::Pg using MSVC.
(8.1.0) Remove support for Kerberos V4 (Magnus Hagander)
Kerberos 4 had security vulnerabilities and is no longer maintained.
(8.1.0) Code cleanups (Coverity static analysis performed by EnterpriseDB)
(8.1.0) Modify postgresql.conf to use documentation defaults on/off rather than true/false (Bruce Momjian)
(8.1.0) Enhance pg_config to be able to report more build-time values (Tom Lane)
(8.1.0) Allow libpq to be built thread-safe on Windows (Dave Page)
(8.1.0) Allow IPv6 connections to be used on Windows (Andrew Dunstan)
(8.1.0) Add Server Administration documentation about I/O subsystem reliability (Bruce Momjian)
(8.1.0) Move private declarations from gist.h to gist_private.h (Neil Conway)
In previous releases, gist.h contained both the public GiST API (intended for use by authors of GiST index implementations) as well as some private declarations used by the implementation of GiST itself. The latter have been moved to a separate file, gist_private.h. Most GiST index implementations should be unaffected.
(8.1.0) Overhaul GiST memory management (Neil Conway)
GiST methods are now always invoked in a short-lived memory
context. Therefore, memory allocated via palloc()
will be reclaimed automatically, so GiST
index implementations do not need to manually release allocated
memory via pfree()
.
(8.1.0) Add /contrib/pg_buffercache contrib module (Mark Kirkwood)
This displays the contents of the buffer cache, for debugging and performance tuning purposes.
(8.1.0) Remove /contrib/array because it is obsolete (Tom Lane)
(8.1.0) Clean up the /contrib/lo module (Tom Lane)
(8.1.0) Move /contrib/findoidjoins to /src/tools (Tom Lane)
(8.1.0) Remove the <<, >>, &<, and &> operators from /contrib/cube
These operators were not useful.
(8.1.0) Improve /contrib/btree_gist (Janko Richter)
(8.1.0) Improve /contrib/pgbench (Tomoaki Sato, Tatsuo Ishii)
There is now a facility for testing with SQL command scripts given by the user, instead of only a hard-wired command sequence.
(8.1.0) Improve /contrib/pgcrypto (Marko Kreen)
Implementation of OpenPGP symmetric-key and public-key encryption
Both RSA and Elgamal public-key algorithms are supported.
(8.1.0) Stand alone build: include SHA256/384/512 hashes, Fortuna PRNG
(8.1.0) OpenSSL build: support 3DES, use internal AES with OpenSSL < 0.9.7
(8.1.0) Take build parameters (OpenSSL, zlib) from configure result
There is no need to edit the Makefile anymore.
(8.1.0) Remove support for libmhash and libmcrypt
Release date: 2010-10-04
This release contains a variety of fixes from 8.0.25. For information about new features in the 8.0 major release, see Version 8.0.0.
This is expected to be the last PostgreSQL release in the 8.0.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.22, see Version 8.0.22.
(8.0.26,9.0.1,8.4.5,8.3.12,8.2.18,8.1.22,7.4.30) Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Our thanks to Tim Bunce for pointing out this issue CVE-2010-3433 or CVE-2010-3433).
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22,7.4.30) Prevent possible crashes in pg_get_expr()
by disallowing it from being called
with an argument that is not one of the system catalog columns it's
intended to be used with (Heikki Linnakangas, Tom Lane)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22,7.4.30) Fix "cannot handle unplanned sub-select" error (Tom Lane)
This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select.
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22,7.4.30) Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane)
This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed.
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas)
The original coding could result in a crash if there was limited stack space.
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) In PL/Python, defend against null pointer results from
PyCObject_AsVoidPtr
and PyCObject_FromVoidPtr
(Peter Eisentraut)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22,7.4.30) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22,7.4.30) Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro)
(8.0.26,9.0.1,8.4.5,8.3.12,8.2.18,8.1.22,7.4.30) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)
(8.0.26,8.4.5,8.3.12,8.2.18,8.1.22) Update time zone data files to tzdata release 2010l for DST law changes in Egypt and Palestine; also historical corrections for Finland.
This change also adds new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape.
Release date: 2010-05-17
This release contains a variety of fixes from 8.0.24. For information about new features in the 8.0 major release, see Version 8.0.0.
The PostgreSQL community will stop releasing updates for the 8.0.X release series in July 2010. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.22, see Version 8.0.22.
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. CVE-2010-1169 or CVE-2010-1169)
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom Lane)
PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. CVE-2010-1170 or CVE-2010-1170)
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Do not allow an unprivileged user to reset superuser-only parameter settings (Álvaro Herrera)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change.
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom Lane)
In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message.
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Update pl/perl's ppport.h for modern Perl versions (Andrew Dunstan)
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Fix assorted memory leaks in pl/python (Andreas Freund, Tom Lane)
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21) Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom Lane)
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara)
(8.0.25,8.4.4,8.3.11,8.2.17,8.1.21,7.4.29) Make server startup deal properly with the case that
shmget()
returns EINVAL for an existing shared memory segment
(Tom Lane)
This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large.
(8.0.25,8.1.21) Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan.
Release date: 2010-03-15
This release contains a variety of fixes from 8.0.23. For information about new features in the 8.0 major release, see Version 8.0.0.
The PostgreSQL community will stop releasing updates for the 8.0.X release series in July 2010. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.22, see Version 8.0.22.
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20,7.4.28) Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus Hagander)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches forCVE-2009-3555 or CVE-2009-3555 that cause renegotiation attempts to fail.
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Fix possible crashes when trying to recover from a failure in subtransaction start (Tom Lane)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom Lane)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20,7.4.28) Make substring()
for bit types treat any negative length as meaning
"all the rest of the string" (Tom Lane)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash CVE-2010-0442 or CVE-2010-0442).
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom Lane)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20,7.4.28) Fix some cases of pathologically slow regular expression matching (Tom Lane)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20,7.4.28) When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom Lane)
This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct.
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20,7.4.28) Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom Lane)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Fix plpgsql failure in one case where a composite column is set to NULL (Tom Lane)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20,7.4.28) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom Lane)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20,7.4.28) Prevent crash in contrib/dblink when
too many key columns are specified to a dblink_build_sql_*
function (Rushabh Lathia, Joe
Conway)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom Lane)
(8.0.24,8.4.3,8.3.10,8.2.16,8.1.20) Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa.
Release date: 2009-12-14
This release contains a variety of fixes from 8.0.22. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.22, see Version 8.0.22.
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom Lane)
This change prevents allegedly-immutable index functions from possibly subverting a superuser's session CVE-2009-4136 or CVE-2009-4136).
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus Hagander)
This prevents unintended matching of a certificate to a server or client name during SSL validation CVE-2009-4034 or CVE-2009-4034).
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Fix possible crash during backend-startup-time cache initialization (Tom Lane)
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Prevent signals from interrupting VACUUM at unsafe times (Álvaro Herrera)
This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table.
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Fix possible crash due to integer overflow in hash table size calculation (Tom Lane)
This could occur with extremely large planner estimates for the size of a hashjoin's result.
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Fix very rare crash in inet/cidr comparisons (Chris Mikkelson)
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19) Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki Linnakangas)
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Fix PAM password processing to be more robust (Tom Lane)
The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19) Fix rare crash in exception processing in PL/Python (Peter T. Mount)
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19) Ensure psql's flex module is compiled with the correct system header definitions (Tom Lane)
This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code.
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19,7.4.27) Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom Lane)
(8.0.23,8.4.2,8.3.9,8.2.15,8.1.19) Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong.
Release date: 2009-09-09
This release contains a variety of fixes from 8.0.21. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you have any hash indexes on interval columns, you must REINDEX them after updating to 8.0.22. Also, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.22,8.4.1,8.3.8,8.2.14,8.1.18,7.4.26) Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom Lane, Heikki Linnakangas)
This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (SeeCVE-2007-6600 or CVE-2007-6600)
(8.0.22,8.3.8,8.2.14,8.1.18,7.4.26) Fix handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function (Tom Lane)
(8.0.22,8.3.8,8.2.14,8.1.18,7.4.26) Fix hash calculation for data type interval (Tom Lane)
This corrects wrong results for hash joins on interval values. It also changes the contents of hash indexes on interval columns. If you have any such indexes, you must REINDEX them after updating.
(8.0.22,8.4.1,8.3.8,8.2.14,8.1.18) Treat to_char(..., 'TH')
as an
uppercase ordinal suffix with 'HH'/'HH12' (Heikki Linnakangas)
It was previously handled as 'th' (lowercase).
(8.0.22,8.4.1,8.3.8,8.2.14,8.1.18,7.4.26) Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker)
(8.0.22,8.3.8,8.2.14,8.1.18,7.4.26) Fix calculation of distance between a point and a line segment (Tom Lane)
This led to incorrect results from a number of geometric operators.
(8.0.22,8.3.8,8.2.14,8.1.18,7.4.26) Fix money data type to work in locales where currency amounts have no fractional digits, e.g. Japan (Itagaki Takahiro)
(8.0.22,8.3.8,8.2.14,8.1.18,7.4.26) Properly round datetime input like 00:12:57.9999999999999999999999999999 (Tom Lane)
(8.0.22,8.3.8,8.2.14,8.1.18,7.4.26) Fix poor choice of page split point in GiST R-tree operator classes (Teodor Sigaev)
(8.0.22,8.3.8,8.2.14,8.1.18,7.4.26) Fix portability issues in plperl initialization (Andrew Dunstan)
(8.0.22,8.4.1,8.3.8,8.2.14,8.1.18) Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis)
(8.0.22,8.4.1,8.3.8,8.2.14,8.1.18) Fix contrib/xml2's xslt_process()
to properly handle the maximum
number of parameters (twenty) (Tom Lane)
(8.0.22,8.4.1,8.3.8,8.2.14,8.1.18,7.4.26) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom Lane)
(8.0.22,8.4.1,8.3.8,8.2.14,8.1.18,7.4.26) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala)
(8.0.22,8.3.8,8.2.14,8.1.18) Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Jordan, Pakistan, Argentina/San_Luis, Cuba, Jordan (historical correction only), Mauritius, Morocco, Palestine, Syria, Tunisia.
Release date: 2009-03-16
This release contains a variety of fixes from 8.0.20. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.21,8.3.7,8.2.13,8.1.17,7.4.25) Prevent error recursion crashes when encoding conversion fails (Tom Lane)
This change extends fixes made in the last two minor releases for related failure scenarios. The previous fixes were narrowly tailored for the original problem reports, but we have now recognized that any error thrown by an encoding conversion function could potentially lead to infinite recursion while trying to report the error. The solution therefore is to disable translation and encoding conversion and report the plain-ASCII form of any error message, if we find we have gotten into a recursive error reporting situation. CVE-2009-0922 or CVE-2009-0922)
(8.0.21,8.3.7,8.2.13,8.1.17,7.4.25) Disallow CREATE CONVERSION with the wrong encodings for the specified conversion function (Heikki Linnakangas)
This prevents one possible scenario for encoding conversion failure. The previous change is a backstop to guard against other kinds of failures in the same area.
(8.0.21,8.3.7,8.2.13,8.1.17,7.4.25) Fix core dump when to_char()
is
given format codes that are inappropriate for the type of the data
argument (Tom Lane)
(8.0.21,8.3.7,8.2.13,8.1.17,7.4.25) Add MUST (Mauritius Island Summer Time) to the default list of known timezone abbreviations (Xavier Bugaud)
Release date: 2009-02-02
This release contains a variety of fixes from 8.0.19. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.20,8.3.6,8.2.12,8.1.16,7.4.24) Improve handling of URLs in headline()
function (Teodor Sigaev)
(8.0.20,8.3.6,8.2.12,8.1.16,7.4.24) Improve handling of overlength headlines in headline()
function (Teodor Sigaev)
(8.0.20,8.3.6,8.2.12,8.1.16,7.4.24) Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom Lane, Heikki Linnakangas)
(8.0.20,8.3.6,8.2.12,8.1.16,7.4.24) Avoid unnecessary locking of small tables in VACUUM (Heikki Linnakangas)
(8.0.20,8.1.16,7.4.24) Fix uninitialized variables in contrib/tsearch2's get_covers()
function (Teodor Sigaev)
(8.0.20,8.3.6,8.2.12,8.1.16,7.4.24) Make all documentation reference pgsql-bugs and/or pgsql-hackers as appropriate, instead of the now-decommissioned pgsql-ports and pgsql-patches mailing lists (Tom Lane)
(8.0.20,8.3.6,8.2.12,8.1.16) Update time zone data files to tzdata release 2009a (for Kathmandu and historical DST corrections in Switzerland, Cuba)
Release date: 2008-11-03
This release contains a variety of fixes from 8.0.18. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.19,8.3.5,8.2.11,8.1.15,7.4.23) Fix backend crash when the client encoding cannot represent a localized error message (Tom Lane)
We have addressed similar issues before, but it would still fail if the "character has no equivalent" message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation.
(8.0.19,8.3.5,8.2.11,8.1.15) Fix possible crash when deeply nested functions are invoked from a trigger (Tom Lane)
(8.0.19,8.3.5,8.2.11,8.1.15) Ensure an error is reported when a newly-defined PL/pgSQL trigger function is invoked as a normal function (Tom Lane)
(8.0.19,8.2.11,8.1.15,7.4.23) Fix incorrect tsearch2 headline generation when single query item matches first word of text (Sushant Sinha)
(8.0.19,8.3.5,8.2.11,8.1.15,7.4.23) Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build (Ron Mayer)
(8.0.19,8.3.5,8.2.11,8.1.15,7.4.23) Ensure SPI_getvalue
and
SPI_getbinval
behave correctly when
the passed tuple and tuple descriptor have different numbers of
columns (Tom Lane)
This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication.
(8.0.19,7.4.23) Fix ecpg's parsing of CREATE USER (Michael Meskes)
(8.0.19,8.3.5,8.2.11,8.1.15) Fix recent breakage of pg_ctl restart (Tom Lane)
(8.0.19,8.3.5,8.2.11,8.1.15) Update time zone data files to tzdata release 2008i (for DST law changes in Argentina, Brazil, Mauritius, Syria)
Release date: 2008-09-22
This release contains a variety of fixes from 8.0.17. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.18,8.3.4,8.2.10,8.1.14) Widen local lock counters from 32 to 64 bits (Tom Lane)
This responds to reports that the counters could overflow in sufficiently long transactions, leading to unexpected "lock is already held" errors.
(8.0.18,8.2.10,8.1.14) Add checks in executor startup to ensure that the tuples produced by an INSERT or UPDATE will match the target table's current rowtype (Tom Lane)
ALTER COLUMN TYPE, followed by re-use of a previously cached plan, could produce this type of situation. The check protects against data corruption and/or crashes that could ensue.
(8.0.18,8.3.4,8.2.10,8.1.14,7.4.22) Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom Lane)
(8.0.18,8.3.4,8.2.10,8.1.14,7.4.22) Improve performance of writing very long log messages to syslog (Tom Lane)
(8.0.18,8.3.4,8.2.10,8.1.14,7.4.22) Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom Lane)
(8.0.18,7.4.22) Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom Lane)
This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL.
(8.0.18,8.3.4,8.2.10,8.1.14) Fix PL/Tcl to behave correctly with Tcl 8.5, and to be more careful about the encoding of data sent to or from Tcl (Tom Lane)
(8.0.18,8.1.14) Fix PL/Python to work with Python 2.5
This is a back-port of fixes made during the 8.2 development cycle.
(8.0.18,8.3.4,8.2.10,8.1.14,7.4.22) Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom Lane)
(8.0.18,8.3.4,8.2.10,8.1.14) Fix pg_ctl to properly preserve postmaster command-line arguments across a restart (Bruce Momjian)
(8.0.18,8.3.4,8.2.10,8.1.14) Update time zone data files to tzdata release 2008f (for DST law changes in Argentina, Bahamas, Brazil, Mauritius, Morocco, Pakistan, Palestine, and Paraguay)
Release date: 2008-06-12
This release contains one serious bug fix over 8.0.16. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.17,8.3.3,8.2.9,8.1.13,7.4.21) Make pg_get_ruledef()
parenthesize
negative constants (Tom Lane)
Before this fix, a negative constant in a view or rule might be dumped as, say, -42::integer, which is subtly incorrect: it should be (-42)::integer due to operator precedence rules. Usually this would make little difference, but it could interact with another recent patch to cause PostgreSQL to reject what had been a valid SELECT DISTINCT view query. Since this could result in pg_dump output failing to reload, it is being treated as a high-priority fix. The only released versions in which dump output is actually incorrect are 8.3.1 and 8.2.7.
Release date: never released
This release contains a variety of fixes from 8.0.15. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.16,8.3.2,8.2.8,8.1.12) Fix ALTER TABLE ADD COLUMN ... PRIMARY KEY so that the new column is correctly checked to see if it's been initialized to all non-nulls (Brendan Jurd)
Previous versions neglected to check this requirement at all.
(8.0.16,8.3.2,8.2.8,8.1.12) Fix possible CREATE TABLE failure when inheriting the "same" constraint from multiple parent relations that inherited that constraint from a common ancestor (Tom Lane)
(8.0.16,8.3.2,8.2.8,8.1.12,7.4.20) Fix conversions between ISO-8859-5 and other encodings to handle Cyrillic "Yo" characters (e and E with two dots) (Sergey Burladyan)
(8.0.16,8.1.12,7.4.20) Fix a few datatype input functions that were allowing unused bytes in their results to contain uninitialized, unpredictable values (Tom Lane)
This could lead to failures in which two apparently identical literal values were not seen as equal, resulting in the parser complaining about unmatched ORDER BY and DISTINCT expressions.
(8.0.16,8.3.2,8.2.8,8.1.12,7.4.20) Fix a corner case in regular-expression substring matching (substring(string from pattern)) (Tom Lane)
The problem occurs when there is a match to the pattern overall but the user has specified a parenthesized subexpression and that subexpression hasn't got a match. An example is substring('foo' from 'foo(bar)?'). This should return NULL, since (bar) isn't matched, but it was mistakenly returning the whole-pattern match instead (ie, foo).
(8.0.16,8.1.12) Update time zone data files to tzdata release 2008c (for DST law changes in Morocco, Iraq, Choibalsan, Pakistan, Syria, Cuba, Argentina/San_Luis, and Chile)
(8.0.16,8.3.2,8.2.8,8.1.12,7.4.20) Fix incorrect result from ecpg's PGTYPEStimestamp_sub()
function (Michael Meskes)
(8.0.16,8.3.2,8.2.8,8.1.12) Fix core dump in contrib/xml2's
xpath_table()
function when the input
query returns a NULL value (Tom Lane)
(8.0.16,8.2.8,8.1.12) Fix contrib/xml2's makefile to not override CFLAGS (Tom Lane)
(8.0.16,8.2.8,8.1.12,7.4.20) Fix DatumGetBool macro to not fail with gcc 4.3 (Tom Lane)
This problem affects "old style" (V0) C functions that return boolean. The fix is already in 8.3, but the need to back-patch it was not realized at the time.
(8.0.16,8.3.1,8.2.7,8.1.12,7.4.20) Fix longstanding LISTEN/NOTIFY race condition (Tom Lane)
In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later.
A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior.
(8.0.16,8.3.1,8.2.7,8.1.12) Fix rare crash when an error occurs during a query using a hash index (Heikki Linnakangas)
(8.0.16,8.3.1,8.2.7,8.1.12) Fix input of datetime values for February 29 in years BC (Tom Lane)
The former coding was mistaken about which years were leap years.
(8.0.16,8.3.1,8.2.7,8.1.12) Fix "unrecognized node type" error in some variants of ALTER OWNER (Tom Lane)
(8.0.16,8.3.1,8.2.7,8.1.12) Fix pg_ctl to correctly extract the postmaster's port number from command-line options (Itagaki Takahiro, Tom Lane)
Previously, pg_ctl start -w could try to contact the postmaster on the wrong port, leading to bogus reports of startup failure.
(8.0.16,8.3.1,8.2.7,8.1.12) Use -fwrapv to defend against possible misoptimization in recent gcc versions (Tom Lane)
This is known to be necessary when building PostgreSQL with gcc 4.3 or later.
(8.0.16,8.2.7,8.1.12,7.4.20) Fix display of constant expressions in ORDER BY and GROUP BY (Tom Lane)
An explicitly casted constant would be shown incorrectly. This could for example lead to corruption of a view definition during dump and reload.
(8.0.16,8.2.7,8.1.12,7.4.20) Fix libpq to handle NOTICE messages correctly during COPY OUT (Tom Lane)
This failure has only been observed to occur when a user-defined datatype's output routine issues a NOTICE, but there is no guarantee it couldn't happen due to other causes.
Release date: 2008-01-07
This release contains a variety of fixes from 8.0.14, including fixes for significant security issues. For information about new features in the 8.0 major release, see Version 8.0.0.
This is the last 8.0.X release for which the PostgreSQL community will produce binary packages for Windows. Windows users are encouraged to move to 8.2.X or later, since there are Windows-specific fixes in 8.2.X that are impractical to back-port. 8.0.X will continue to be supported on other platforms.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.15,8.2.6,8.1.11,7.4.19,7.3.21) Prevent functions in indexes from executing with the privileges of the user running VACUUM, ANALYZE, etc (Tom Lane)
Functions used in index expressions and partial-index predicates are evaluated whenever a new table entry is made. It has long been understood that this poses a risk of trojan-horse code execution if one modifies a table owned by an untrustworthy user. (Note that triggers, defaults, check constraints, etc. pose the same type of risk.) But functions in indexes pose extra danger because they will be executed by routine maintenance operations such as VACUUM FULL, which are commonly performed automatically under a superuser account. For example, a nefarious user can execute code with superuser privileges by setting up a trojan-horse index definition and waiting for the next routine vacuum. The fix arranges for standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) to execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. CVE-2007-6600 or CVE-2007-6600)
(8.0.15,8.2.6,8.1.11,7.4.19) Repair assorted bugs in the regular-expression package (Tom Lane, Will Drewry)
Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. CVE-2007-4769 or CVE-2007-4769,CVE-2007-4772 or CVE-2007-4772,CVE-2007-6067 or CVE-2007-6067)
(8.0.15) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
The fix that appeared for this in 8.0.14 was incomplete, as it plugged the hole for only some dblink functions. CVE-2007-6601 or CVE-2007-6601,CVE-2007-3278 or CVE-2007-3278)
(8.0.15,8.2.6,8.1.11) Update time zone data files to tzdata release 2007k (in particular, recent Argentina changes) (Tom Lane)
(8.0.15,8.2.6,8.1.11,7.4.19) Fix planner failure in some cases of WHERE false AND var IN (SELECT ...) (Tom Lane)
(8.0.15,8.1.11) Preserve the tablespace of indexes that are rebuilt by ALTER TABLE ... ALTER COLUMN TYPE (Tom Lane)
(8.0.15,8.2.6,8.1.11) Make archive recovery always start a new WAL timeline, rather than only when a recovery stop time was used (Simon Riggs)
This avoids a corner-case risk of trying to overwrite an existing archived copy of the last WAL segment, and seems simpler and cleaner than the original definition.
(8.0.15,8.2.6,8.1.11) Make VACUUM not use all of maintenance_work_mem when the table is too small for it to be useful (Álvaro Herrera)
(8.0.15,8.2.6,8.1.11,7.4.19,7.3.21) Fix potential crash in translate()
when using a multibyte database encoding (Tom Lane)
(8.0.15,8.2.6,8.1.11) Fix PL/Perl to cope when platform's Perl defines type bool as int rather than char (Tom Lane)
While this could theoretically happen anywhere, no standard build of Perl did things this way ... until Mac OS X 10.5.
(8.0.15,8.2.6,8.1.11,7.4.19) Fix PL/Python to not crash on long exception messages (Álvaro Herrera)
(8.0.15,8.2.6,8.1.11) Fix pg_dump to correctly handle inheritance child tables that have default expressions different from their parent's (Tom Lane)
(8.0.15,8.2.6,8.1.11,7.4.19) ecpg parser fixes (Michael Meskes)
(8.0.15,8.2.6,8.1.11,7.4.19,7.3.21) Make contrib/tablefunc's crosstab()
handle NULL rowid as a category in its
own right, rather than crashing (Joe Conway)
(8.0.15,8.2.6,8.1.11,7.4.19) Fix tsvector and tsquery output routines to escape backslashes correctly (Teodor Sigaev, Bruce Momjian)
(8.0.15,8.2.6,8.1.11,7.4.19) Fix crash of to_tsvector()
on huge
input strings (Teodor Sigaev)
(8.0.15,8.2.6,8.1.11,7.4.19,7.3.21) Require a specific version of Autoconf to be used when re-generating the configure script (Peter T. Mount)
This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.
Release date: 2007-09-17
This release contains a variety of fixes from 8.0.13. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.14,8.2.5,8.1.10,7.4.18,7.3.20) Prevent index corruption when a transaction inserts rows and then aborts close to the end of a concurrent VACUUM on the same table (Tom Lane)
(8.0.14,8.2.5,8.1.10,7.4.18,7.3.20) Make CREATE DOMAIN ... DEFAULT NULL work properly (Tom Lane)
(8.0.14,8.2.5,8.1.10,7.4.18) Fix excessive logging of SSL error messages (Tom Lane)
(8.0.14,8.2.5,8.1.10) Fix logging so that log messages are never interleaved when using the syslogger process (Andrew Dunstan)
(8.0.14,8.2.5,8.1.10,7.4.18,7.3.20) Fix crash when log_min_error_statement logging runs out of memory (Tom Lane)
(8.0.14,8.2.5,8.1.10) Fix incorrect handling of some foreign-key corner cases (Tom Lane)
(8.0.14,7.4.18) Prevent CLUSTER from failing due to attempting to process temporary tables of other sessions (Álvaro Herrera)
(8.0.14,8.2.5,8.1.10) Update the time zone database rules, particularly New Zealand's upcoming changes (Tom Lane)
(8.0.14,8.1.10) Windows socket improvements (Magnus Hagander)
(8.0.14,8.2.5,8.1.10) Suppress timezone name (%Z) in log timestamps on Windows because of possible encoding mismatches (Tom Lane)
(8.0.14,8.2.5,8.1.10,7.4.18,7.3.20) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
Release date: 2007-04-23
This release contains a variety of fixes from 8.0.12, including a security fix. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.13,8.2.4,8.1.9,7.4.17,7.3.19) Support explicit placement of the temporary-table schema within search_path, and disable searching it for functions and operators (Tom Lane)
This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, an unprivileged SQL user can use temporary objects to execute code with the privileges of the security-definer function CVE-2007-2138 or CVE-2007-2138). See CREATE FUNCTION for more information.
(8.0.13,8.2.4,8.1.9,7.4.17) /contrib/tsearch2 crash fixes (Teodor Sigaev)
(8.0.13,8.2.4,8.1.9,7.4.17,7.3.19) Fix potential-data-corruption bug in how VACUUM FULL handles UPDATE chains (Tom Lane, Pavan Deolasee)
(8.0.13) Fix PANIC during enlargement of a hash index (bug introduced in 8.0.10) (Tom Lane)
(8.0.13,8.2.4,8.1.9) Fix POSIX-style timezone specs to follow new USA DST rules (Tom Lane)
Release date: 2007-02-07
This release contains one fix from 8.0.11. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.12,8.2.3,8.1.8) Remove overly-restrictive check for type length in constraints and functional indexes (Tom Lane)
Release date: 2007-02-05
This release contains a variety of fixes from 8.0.10, including a security fix. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.11,8.2.2,8.1.7) Remove security vulnerabilities that allowed connected users to read backend memory (Tom Lane)
The vulnerabilities involve suppressing the normal check that a SQL function returns the data type it's declared to, and changing the data type of a table column CVE-2007-0555 or CVE-2007-0555,CVE-2007-0556 or CVE-2007-0556). These errors can easily be exploited to cause a backend crash, and in principle might be used to read database content that the user should not be able to access.
(8.0.11,8.1.7,7.4.16,7.3.18) Fix rare bug wherein btree index page splits could fail due to choosing an infeasible split point (Heikki Linnakangas)
(8.0.11,8.2.2,8.1.7,7.4.16) Fix for rare Assert() crash triggered by UNION (Tom Lane)
(8.0.11,8.2.2,8.1.7,7.4.16,7.3.18) Tighten security of multi-byte character processing for UTF8 sequences over three bytes long (Tom Lane)
Release date: 2007-01-08
This release contains a variety of fixes from 8.0.9. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.10,8.1.6,7.4.15) Improve handling of getaddrinfo()
on AIX (Tom Lane)
This fixes a problem with starting the statistics collector, among other things.
(8.0.10,8.2.0,8.1.6,7.4.15) Fix "failed to re-find parent key" errors in VACUUM (Tom Lane)
(8.0.10,8.2.0,8.1.6) Fix race condition for truncation of a large relation across a gigabyte boundary by VACUUM (Tom Lane)
(8.0.10,8.2.0,8.1.6,7.4.15) Fix bugs affecting multi-gigabyte hash indexes (Tom Lane)
(8.0.10,8.1.6) Fix possible deadlock in Windows signal handling (Teodor Sigaev)
(8.0.10,8.1.6,7.4.15) Fix error when constructing an ARRAY[] made up of multiple empty elements (Tom Lane)
(8.0.10,8.1.6) Fix ecpg memory leak during connection (Michael Meskes)
(8.0.10,8.1.6,7.4.15,7.3.17) to_number()
and to_char(numeric)
are now STABLE, not IMMUTABLE, for
new initdb installs (Tom Lane)
This is because lc_numeric can potentially change the output of these functions.
(8.0.10,8.2.1,8.1.6,7.4.15,7.3.17) Improve index usage of regular expressions that use parentheses (Tom Lane)
This improves psql \d performance also.
(8.0.10,8.1.6) Update timezone database
This affects Australian and Canadian daylight-savings rules in particular.
Release date: 2006-10-16
This release contains a variety of fixes from 8.0.8. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.9) Fix crash when referencing NEW row values in rule WHERE expressions (Tom Lane)
(8.0.9,8.1.5,7.4.14) Fix core dump when an untyped literal is taken as ANYARRAY
(8.0.9,8.1.5) Fix mishandling of AFTER triggers when query contains a SQL function returning multiple rows (Tom Lane)
(8.0.9,8.1.5) Fix ALTER TABLE ... TYPE to recheck NOT NULL for USING clause (Tom Lane)
(8.0.9,8.1.5,7.4.14) Fix string_to_array()
to handle
overlapping matches for the separator string
For example, string_to_array('123xx456xxx789', 'xx').
(8.0.9,8.1.5,7.4.14,7.3.16) Fix corner cases in pattern matching for psql's \d commands
(8.0.9,8.1.5,7.4.14,7.3.16) Fix index-corrupting bugs in /contrib/ltree (Teodor Sigaev)
(8.0.9,8.1.5) Numerous robustness fixes in ecpg (Joachim Wieland)
(8.0.9,8.1.5,7.4.14,7.3.16) Fix backslash escaping in /contrib/dbmirror
(8.0.9) Fix instability of statistics collection on Win32 (Tom Lane, Andrew Dunstan)
(8.0.9,8.1.5) Fixes for AIX and Intel compilers (Tom Lane)
Release date: 2006-05-23
This release contains a variety of fixes from 8.0.7, including patches for extremely serious security issues. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
Full security against the SQL-injection attacks described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314 might require changes in
application code. If you have applications that embed untrustworthy
strings into SQL commands, you should examine them as soon as
possible to ensure that they are using recommended escaping
techniques. In most cases, applications should be using subroutines
provided by libraries or drivers (such as libpq's PQescapeStringConn()
) to perform string escaping,
rather than relying on ad hoc code to
do it.
(8.0.8,8.1.4,7.4.13,7.3.15) Change the server to reject invalidly-encoded multibyte characters in all cases (Tatsuo Ishii, Tom Lane)
While PostgreSQL has been moving in this direction for some time, the checks are now applied uniformly to all encodings and all textual input, and are now always errors not merely warnings. This change defends against SQL-injection attacks of the type described inCVE-2006-2313 or CVE-2006-2313.
(8.0.8,8.1.4,7.4.13,7.3.15) Reject unsafe uses of \' in string literals
As a server-side defense against SQL-injection attacks of the type described inCVE-2006-2314 or CVE-2006-2314, the server now only accepts '' and not \' as a representation of ASCII single quote in SQL string literals. By default, \' is rejected only when client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, GB18030, or UHC), which is the scenario in which SQL injection is possible. A new configuration parameter backslash_quote is available to adjust this behavior when needed. Note that full security againstCVE-2006-2314 or CVE-2006-2314 might require client-side changes; the purpose of backslash_quote is in part to make it obvious that insecure clients are insecure.
(8.0.8,8.1.4,7.4.13) Modify libpq's string-escaping routines to be aware of encoding considerations and standard_conforming_strings
This fixes libpq-using
applications for the security issues described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314, and also future-proofs them against the planned
changeover to SQL-standard string literal syntax. Applications that
use multiple PostgreSQL
connections concurrently should migrate to PQescapeStringConn()
and PQescapeByteaConn()
to ensure that escaping is
done correctly for the settings in use in each database connection.
Applications that do string escaping "by
hand" should be modified to rely on library routines
instead.
(8.0.8,7.4.13,7.3.15) Fix some incorrect encoding conversion functions
win1251_to_iso
, alt_to_iso
, euc_tw_to_big5
, euc_tw_to_mic
, mic_to_euc_tw
were all broken to varying
extents.
(8.0.8,8.1.4,7.4.13,7.3.15) Clean up stray remaining uses of \' in strings (Bruce Momjian, Jan Wieck)
(8.0.8,7.4.13) Fix bug that sometimes caused OR'd index scans to miss rows they should have returned
(8.0.8,7.4.13) Fix WAL replay for case where a btree index has been truncated
(8.0.8,8.1.4,7.4.13) Fix SIMILAR TO for patterns involving | (Tom Lane)
(8.0.8,8.1.4) Fix SELECT INTO and CREATE TABLE AS to create tables in the default tablespace, not the base directory (Kris Jurka)
(8.0.8,8.1.4,7.4.13,7.3.15) Fix server to use custom DH SSL parameters correctly (Michael Fuhr)
(8.0.8,7.4.13) Fix for Bonjour on Intel Macs (Ashley Clark C. Evans)
(8.0.8,8.1.4,7.4.13,7.3.15) Fix various minor memory leaks
(8.0.8,8.1.4) Fix problem with password prompting on some Win32 systems (Robert Kinberg)
Release date: 2006-02-14
This release contains a variety of fixes from 8.0.6. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Version 8.0.6.
(8.0.7,7.4.12,7.3.14) Fix potential crash in SET SESSION AUTHORIZATION CVE-2006-0553 or CVE-2006-0553)
An unprivileged user could crash the server process, resulting in momentary denial of service to other users, if the server has been compiled with Asserts enabled (which is not the default). Thanks to Akio Ishida for reporting this problem.
(8.0.7,8.1.3) Fix bug with row visibility logic in self-inserted rows (Tom Lane)
Under rare circumstances a row inserted by the current command could be seen as already valid, when it should not be. Repairs bug created in 8.0.4, 7.4.9, and 7.3.11 releases.
(8.0.7,8.1.3) Fix race condition that could lead to "file already exists" errors during pg_clog and pg_subtrans file creation (Tom Lane)
(8.0.7,8.1.3) Fix cases that could lead to crashes if a cache-invalidation message arrives at just the wrong time (Tom Lane)
(8.0.7,8.1.3,7.4.12) Properly check DOMAIN constraints for UNKNOWN parameters in prepared statements (Neil Conway)
(8.0.7,8.1.3) Ensure ALTER COLUMN TYPE will process FOREIGN KEY, UNIQUE, and PRIMARY KEY constraints in the proper order (Nakano Yoshihisa)
(8.0.7,8.1.3) Fixes to allow restoring dumps that have cross-schema references to custom operators or operator classes (Tom Lane)
(8.0.7,8.1.3) Allow pg_restore to continue properly after a COPY failure; formerly it tried to treat the remaining COPY data as SQL commands (Stephen Frost)
(8.0.7,8.1.3) Fix pg_ctl unregister crash when the data directory is not specified (Magnus Hagander)
(8.0.7,8.1.3) Fix ecpg crash on AMD64 and PPC (Neil Conway)
(8.0.7,8.1.3) Recover properly if error occurs during argument passing in PL/python (Neil Conway)
(8.0.7,8.1.3) Fix PL/perl's handling of locales on Win32 to match the backend (Andrew Dunstan)
(8.0.7,8.1.3) Fix crash when log_min_messages is set to DEBUG3 or above in postgresql.conf on Win32 (Bruce Momjian)
(8.0.7,8.1.3) Fix pgxs -L library path specification for Win32, Cygwin, OS X, AIX (Bruce Momjian)
(8.0.7,8.1.3) Check that SID is enabled while checking for Win32 admin privileges (Magnus Hagander)
(8.0.7,8.1.3) Properly reject out-of-range date inputs (Kris Jurka)
(8.0.7,8.1.3,7.4.12,7.3.14) Portability fix for testing presence of finite
and isinf
during configure (Tom Lane)
Release date: 2006-01-09
This release contains a variety of fixes from 8.0.5. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.3, see Version 8.0.3. Also, you might need to REINDEX indexes on textual columns after updating, if you are affected by the locale or plperl issues described below.
(8.0.6,8.1.2) Fix Windows code so that postmaster will continue rather than exit if there is no more room in ShmemBackendArray (Magnus Hagander)
The previous behavior could lead to a denial-of-service situation if too many connection requests arrive close together. This applies only to the Windows port.
(8.0.6,8.1.2) Fix bug introduced in 8.0 that could allow ReadBuffer to return an already-used page as new, potentially causing loss of recently-committed data (Tom Lane)
(8.0.6,8.1.2,7.4.11) Fix for protocol-level Describe messages issued outside a transaction or in a failed transaction (Tom Lane)
(8.0.6,8.1.2,7.4.11,7.3.13) Fix character string comparison for locales that consider different character combinations as equal, such as Hungarian (Tom Lane)
This might require REINDEX to fix existing indexes on textual columns.
(8.0.6,8.1.2,7.4.11,7.3.13) Set locale environment variables during postmaster startup to ensure that plperl won't change the locale later
This fixes a problem that occurred if the postmaster was started with environment variables specifying a different locale than what initdb had been told. Under these conditions, any use of plperl was likely to lead to corrupt indexes. You might need REINDEX to fix existing indexes on textual columns if this has happened to you.
(8.0.6,8.1.2) Allow more flexible relocation of installation directories (Tom Lane)
Previous releases supported relocation only if all installation directory paths were the same except for the last component.
(8.0.6,8.1.2,7.4.11,7.3.13) Fix longstanding bug in strpos() and regular expression handling in certain rarely used Asian multi-byte character sets (Tatsuo Ishii)
(8.0.6,8.1.2) Various fixes for functions returning RECORDs (Tom Lane)
(8.0.6,8.1.2,7.4.11,7.3.13) Fix bug in /contrib/pgcrypto gen_salt, which caused it not to use all available salt space for MD5 and XDES algorithms (Marko Kreen, Solar Designer)
Salts for Blowfish and standard DES are unaffected.
(8.0.6,8.1.2,7.4.11,7.3.13) Fix /contrib/dblink to throw an error, rather than crashing, when the number of columns specified is different from what's actually returned by the query (Joe Conway)
Release date: 2005-12-12
This release contains a variety of fixes from 8.0.4. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.3, see Version 8.0.3.
(8.0.5,7.4.10,7.3.12) Fix race condition in transaction log management
There was a narrow window in which an I/O operation could be initiated for the wrong page, leading to an Assert failure or data corruption.
(8.0.5,8.1.1) Fix bgwriter problems after recovering from errors (Tom Lane)
The background writer was found to leak buffer pins after write errors. While not fatal in itself, this might lead to mysterious blockages of later VACUUM commands.
(8.0.5,8.1.1,7.4.10) Prevent failure if client sends Bind protocol message when current transaction is already aborted
(8.0.5,7.4.10,7.3.12) /contrib/ltree fixes (Teodor Sigaev)
(8.0.5,7.4.10) AIX and HPUX compile fixes (Tom Lane)
(8.0.5,8.1.1) Retry file reads and writes after Windows NO_SYSTEM_RESOURCES error (Qingqing Zhou)
(8.0.5) Fix intermittent failure when log_line_prefix includes %i
(8.0.5) Fix psql performance issue with long scripts on Windows (Merlin Moncure)
(8.0.5) Fix missing updates of pg_group flat file
(8.0.5,7.4.10,7.3.12) Fix longstanding planning error for outer joins
This bug sometimes caused a bogus error "RIGHT JOIN is only supported with merge-joinable join conditions".
(8.0.5) Postpone timezone initialization until after postmaster.pid is created
This avoids confusing startup scripts that expect the pid file to appear quickly.
(8.0.5,7.4.10,7.3.12) Prevent core dump in pg_autovacuum when a table has been dropped
(8.0.5) Fix problems with whole-row references (foo.*) to subquery results
Release date: 2005-10-04
This release contains a variety of fixes from 8.0.3. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.3, see Version 8.0.3.
(8.0.4,7.4.9,7.3.11) Fix error that allowed VACUUM to remove ctid chains too soon, and add more checking in code that follows ctid links
This fixes a long-standing problem that could cause crashes in very rare circumstances.
(8.0.4,7.4.9,7.3.11) Fix CHAR() to properly pad spaces to the specified length when using a multiple-byte character set (Yoshiyuki Asaba)
In prior releases, the padding of CHAR() was incorrect because it only padded to the specified number of bytes without considering how many characters were stored.
(8.0.4) Force a checkpoint before committing CREATE DATABASE
This should fix recent reports of "index is not a btree" failures when a crash occurs shortly after CREATE DATABASE.
(8.0.4,7.4.9) Fix the sense of the test for read-only transaction in COPY
The code formerly prohibited COPY TO, where it should prohibit COPY FROM.
(8.0.4) Handle consecutive embedded newlines in COPY CSV-mode input
(8.0.4) Fix date_trunc(week)
for dates
near year end
(8.0.4,7.4.9) Fix planning problem with outer-join ON clauses that reference only the inner-side relation
(8.0.4,7.4.9) Further fixes for x FULL JOIN y ON true corner cases
(8.0.4) Fix overenthusiastic optimization of x IN (SELECT DISTINCT ...) and related cases
(8.0.4) Fix mis-planning of queries with small LIMIT values due to poorly thought out "fuzzy" cost comparison
(8.0.4,7.4.9) Make array_in
and array_recv
more paranoid about validating their
OID parameter
(8.0.4,7.4.9,7.3.11) Fix missing rows in queries like UPDATE a=... WHERE a... with GiST index on column a
(8.0.4,7.4.9) Improve robustness of datetime parsing
(8.0.4,7.4.9,7.3.11) Improve checking for partially-written WAL pages
(8.0.4,7.4.9,7.3.11) Improve robustness of signal handling when SSL is enabled
(8.0.4) Improve MIPS and M68K spinlock code
(8.0.4,7.4.9) Don't try to open more than max_files_per_process files during postmaster startup
(8.0.4,7.4.9,7.3.11) Various memory leakage fixes
(8.0.4,7.4.9,7.3.11) Various portability improvements
(8.0.4) Update timezone data files
(8.0.4) Improve handling of DLL load failures on Windows
(8.0.4) Improve random-number generation on Windows
(8.0.4) Make psql -f filename return a nonzero exit code when opening the file fails
(8.0.4) Change pg_dump to handle inherited check constraints more reliably
(8.0.4) Fix password prompting in pg_restore on Windows
(8.0.4,7.4.9,7.3.11) Fix PL/pgSQL to handle var := var correctly when the variable is of pass-by-reference type
(8.0.4) Fix PL/Perl %_SHARED so it's actually shared
(8.0.4) Fix contrib/pg_autovacuum to allow sleep intervals over 2000 sec
(8.0.4,7.4.9) Update contrib/tsearch2 to use current Snowball code
Release date: 2005-05-09
This release contains a variety of fixes from 8.0.2, including several security-related issues. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.X. However, it is one possible way of handling two significant security problems that have been found in the initial contents of 8.0.X system catalogs. A dump/initdb/reload sequence using 8.0.3's initdb will automatically correct these problems.
The larger security problem is that the built-in character set encoding conversion functions can be invoked from SQL commands by unprivileged users, but the functions were not designed for such use and are not secure against malicious choices of arguments. The fix involves changing the declared parameter list of these functions so that they can no longer be invoked from SQL commands. (This does not affect their normal use by the encoding conversion machinery.)
The lesser problem is that the contrib/tsearch2 module creates several functions that are improperly declared to return internal when they do not accept internal arguments. This breaks type safety for all functions using internal arguments.
It is strongly recommended that all installations repair these errors, either by initdb or by following the manual repair procedure given below. The errors at least allow unprivileged database users to crash their server process, and might allow unprivileged users to gain the privileges of a database superuser.
If you wish not to do an initdb, perform the same manual repair procedures shown in the 7.4.8 release notes.
(8.0.3,7.4.8,7.3.10) Change encoding function signature to prevent misuse
(8.0.3,7.4.8) Change contrib/tsearch2 to avoid unsafe use of INTERNAL function results
(8.0.3) Guard against incorrect second parameter to record_out
(8.0.3,7.4.8,7.3.10,7.2.8) Repair ancient race condition that allowed a transaction to be seen as committed for some purposes (eg SELECT FOR UPDATE) slightly sooner than for other purposes
This is an extremely serious bug since it could lead to apparent data inconsistencies being briefly visible to applications.
(8.0.3,7.4.8,7.3.10,7.2.8) Repair race condition between relation extension and VACUUM
This could theoretically have caused loss of a page's worth of freshly-inserted data, although the scenario seems of very low probability. There are no known cases of it having caused more than an Assert failure.
(8.0.3,7.4.8,7.3.10) Fix comparisons of TIME WITH TIME ZONE values
The comparison code was wrong in the case where the --enable-integer-datetimes configuration switch had been used. NOTE: if you have an index on a TIME WITH TIME ZONE column, it will need to be REINDEXed after installing this update, because the fix corrects the sort order of column values.
(8.0.3,7.4.8,7.3.10,7.2.8) Fix EXTRACT (EPOCH)
for TIME WITH TIME ZONE values
(8.0.3,7.4.8,7.3.10) Fix mis-display of negative fractional seconds in INTERVAL values
This error only occurred when the --enable-integer-datetimes configuration switch had been used.
(8.0.3,7.4.8,7.3.10) Fix pg_dump to dump trigger names containing % correctly (Neil Conway)
(8.0.3,7.4.8,7.3.10) Still more 64-bit fixes for contrib/intagg
(8.0.3,7.4.8,7.3.10) Prevent incorrect optimization of functions returning RECORD
(8.0.3,7.4.8) Prevent crash on COALESCE (NULL,NULL)
(8.0.3) Fix Borland makefile for libpq
(8.0.3) Fix contrib/btree_gist for timetz type (Teodor Sigaev)
(8.0.3) Make pg_ctl check the PID found in postmaster.pid to see if it is still a live process
(8.0.3) Fix pg_dump/pg_restore problems caused by addition of dump timestamps
(8.0.3) Fix interaction between materializing holdable cursors and firing deferred triggers during transaction commit
(8.0.3) Fix memory leak in SQL functions returning pass-by-reference data types
Release date: 2005-04-07
This release contains a variety of fixes from 8.0.1. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.*. This release updates the major version number of the PostgreSQL libraries, so it might be necessary to re-link some user applications if they cannot find the properly-numbered shared library.
(8.0.2) Increment the major version number of all interface libraries (Bruce Momjian)
This should have been done in 8.0.0. It is required so 7.4.X versions of PostgreSQL client applications, like psql, can be used on the same machine as 8.0.X applications. This might require re-linking user applications that use these libraries.
(8.0.2) Add Windows-only wal_sync_method setting of fsync_writethrough (Magnus Hagander, Bruce Momjian)
This setting causes PostgreSQL to write through any disk-drive write cache when writing to WAL. This behavior was formerly called fsync, but was renamed because it acts quite differently from fsync on other platforms.
(8.0.2) Enable the wal_sync_method setting of open_datasync on Windows, and make it the default for that platform (Magnus Hagander, Bruce Momjian)
Because the default is no longer fsync_writethrough, data loss is possible during a power failure if the disk drive has write caching enabled. To turn off the write cache on Windows, from the Device Manager, choose the drive properties, then Policies.
(8.0.2) New cache management algorithm 2Q replaces ARC (Tom Lane)
This was done to avoid a pending US patent on ARC. The 2Q code might be a few percentage points slower than ARC for some work loads. A better cache management algorithm will appear in 8.1.
(8.0.2) Planner adjustments to improve behavior on freshly-created tables (Tom Lane)
(8.0.2) Allow plpgsql to assign to an element of an array that is initially NULL (Tom Lane)
Formerly the array would remain NULL, but now it becomes a single-element array. The main SQL engine was changed to handle UPDATE of a null array value this way in 8.0, but the similar case in plpgsql was overlooked.
(8.0.2) Convert \r\n and \r to \n in plpython function bodies (Michael Fuhr)
This prevents syntax errors when plpython code is written on a Windows or Mac client.
(8.0.2) Allow SPI cursors to handle utility commands that return rows, such as EXPLAIN (Tom Lane)
(8.0.2) Fix CLUSTER failure after ALTER TABLE SET WITHOUT OIDS (Tom Lane)
(8.0.2) Reduce memory usage of ALTER TABLE ADD COLUMN (Neil Conway)
(8.0.2) Fix ALTER LANGUAGE RENAME (Tom Lane)
(8.0.2) Document the Windows-only register and unregister options of pg_ctl (Magnus Hagander)
(8.0.2,7.4.8) Ensure operations done during backend shutdown are counted by statistics collector
This is expected to resolve reports of pg_autovacuum not vacuuming the system catalogs often enough — it was not being told about catalog deletions caused by temporary table removal during backend exit.
(8.0.2) Change the Windows default for configuration parameter log_destination to eventlog (Magnus Hagander)
By default, a server running on Windows will now send log output to the Windows event logger rather than standard error.
(8.0.2) Make Kerberos authentication work on Windows (Magnus Hagander)
(8.0.2) Allow ALTER DATABASE RENAME by superusers who aren't flagged as having CREATEDB privilege (Tom Lane)
(8.0.2) Modify WAL log entries for CREATE and DROP DATABASE to not specify absolute paths (Tom Lane)
This allows point-in-time recovery on a different machine with possibly different database location. Note that CREATE TABLESPACE still poses a hazard in such situations.
(8.0.2) Fix crash from a backend exiting with an open transaction that created a table and opened a cursor on it (Tom Lane)
(8.0.2) Fix array_map()
so it can call PL
functions (Tom Lane)
(8.0.2) Several contrib/tsearch2 and contrib/btree_gist fixes (Teodor Sigaev)
(8.0.2) Fix crash of some contrib/pgcrypto functions on some platforms (Marko Kreen)
(8.0.2) Fix contrib/intagg for 64-bit platforms (Tom Lane)
(8.0.2) Fix ecpg bugs in parsing of CREATE statement (Michael Meskes)
(8.0.2) Work around gcc bug on powerpc and amd64 causing problems in ecpg (Christof Petig)
(8.0.2) Do not use locale-aware versions of upper()
, lower()
,
and initcap()
when the locale is
C (Bruce Momjian)
This allows these functions to work on platforms that generate errors for non-7-bit data when the locale is C.
(8.0.2) Fix quote_ident()
to quote names
that match keywords (Tom Lane)
(8.0.2) Fix to_date()
to behave reasonably
when CC and YY
fields are both used (Karel Zak)
(8.0.2) Prevent to_char(interval)
from
failing when given a zero-month interval (Tom Lane)
(8.0.2) Fix wrong week returned by date_trunc('week')
(Bruce Momjian)
date_trunc('week')
returned the
wrong year for the first few days of January in some years.
(8.0.2) Use the correct default mask length for class D addresses in INET data types (Tom Lane)
Release date: 2005-01-31
This release contains a variety of fixes from 8.0.0, including several security-related issues. For information about new features in the 8.0 major release, see Version 8.0.0.
A dump/restore is not required for those running 8.0.0.
(8.0.1,7.4.7,7.3.9,7.2.7) Disallow LOAD to non-superusers
On platforms that will automatically execute initialization functions of a shared library (this includes at least Windows and ELF-based Unixen), LOAD can be used to make the server execute arbitrary code. Thanks to NGS Software for reporting this.
(8.0.1,7.4.7,7.3.9) Check that creator of an aggregate function has the right to execute the specified transition functions
This oversight made it possible to bypass denial of EXECUTE permission on a function.
(8.0.1,7.4.7,7.3.9) Fix security and 64-bit issues in contrib/intagg
(8.0.1,7.4.7,7.3.9,7.2.7) Add needed STRICT marking to some contrib functions (Kris Jurka)
(8.0.1,7.4.7,7.3.9,7.2.7) Avoid buffer overrun when plpgsql cursor declaration has too many parameters (Neil Conway)
(8.0.1) Make ALTER TABLE ADD COLUMN enforce domain constraints in all cases
(8.0.1,7.4.7,7.3.9,7.2.7) Fix planning error for FULL and RIGHT outer joins
The result of the join was mistakenly supposed to be sorted the same as the left input. This could not only deliver mis-sorted output to the user, but in case of nested merge joins could give outright wrong answers.
(8.0.1) Improve planning of grouped aggregate queries
(8.0.1) ROLLBACK TO savepoint closes cursors created since the savepoint
(8.0.1) Fix inadequate backend stack size on Windows
(8.0.1) Avoid SHGetSpecialFolderPath() on Windows (Magnus Hagander)
(8.0.1) Fix some problems in running pg_autovacuum as a Windows service (Dave Page)
(8.0.1) Multiple minor bug fixes in pg_dump/pg_restore
(8.0.1) Fix ecpg segfault with named structs used in typedefs (Michael Meskes)
Release date: 2005-01-19
Major changes in this release:
This is the first PostgreSQL release to run natively on Microsoft Windows® as a server. It can run as a Windows service. This release supports NT-based Windows releases like Windows 2000 SP4, Windows XP, and Windows 2003. Older releases like Windows 95, Windows 98, and Windows ME are not supported because these operating systems do not have the infrastructure to support PostgreSQL. A separate installer project has been created to ease installation on Windows — see http://www.postgresql.org/ftp/win32/.
Although tested throughout our release cycle, the Windows port does not have the benefit of years of use in production environments that PostgreSQL has on Unix platforms. Therefore it should be treated with the same level of caution as you would a new product.
Previous releases required the Unix emulation toolkit Cygwin in order to run the server on Windows operating systems. PostgreSQL has supported native clients on Windows for many years.
Savepoints allow specific parts of a transaction to be aborted without affecting the remainder of the transaction. Prior releases had no such capability; there was no way to recover from a statement failure within a transaction except by aborting the whole transaction. This feature is valuable for application writers who require error recovery within a complex transaction.
In previous releases there was no way to recover from disk drive failure except to restore from a previous backup or use a standby replication server. Point-in-time recovery allows continuous backup of the server. You can recover either to the point of failure or to some transaction in the past.
Tablespaces allow administrators to select different file systems for storage of individual tables, indexes, and databases. This improves performance and control over disk space usage. Prior releases used initlocation and manual symlink management for such tasks.
This release has a more intelligent buffer replacement strategy, which will make better use of available shared buffers and improve performance. The performance impact of vacuum and checkpoints is also lessened.
A column's data type can now be changed with ALTER TABLE.
A new version of the plperl server-side language now supports a persistent shared storage area, triggers, returning records and arrays of records, and SPI calls to access the database.
COPY can now read and write comma-separated-value files. It has the flexibility to interpret nonstandard quoting and separation characters too.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Observe the following incompatibilities:
(8.0.0) In READ COMMITTED serialization mode, volatile functions now see the results of concurrent transactions committed up to the beginning of each statement within the function, rather than up to the beginning of the interactive command that called the function.
(8.0.0) Functions declared STABLE or IMMUTABLE always use the snapshot of the calling query, and therefore do not see the effects of actions taken after the calling query starts, whether in their own transaction or other transactions. Such a function must be read-only, too, meaning that it cannot use any SQL commands other than SELECT.
(8.0.0) Nondeferred AFTER triggers are now fired immediately after completion of the triggering query, rather than upon finishing the current interactive command. This makes a difference when the triggering query occurred within a function: the trigger is invoked before the function proceeds to its next operation.
(8.0.0) Server configuration parameters virtual_host and tcpip_socket have been replaced with a more general parameter listen_addresses. Also, the server now listens on localhost by default, which eliminates the need for the -i postmaster switch in many scenarios.
(8.0.0) Server configuration parameters SortMem and VacuumMem have been renamed to work_mem and maintenance_work_mem to better reflect their use. The original names are still supported in SET and SHOW.
(8.0.0) Server configuration parameters log_pid, log_timestamp, and log_source_port have been replaced with a more general parameter log_line_prefix.
(8.0.0) Server configuration parameter syslog has been replaced with a more logical log_destination variable to control the log output destination.
(8.0.0) Server configuration parameter log_statement has been changed so it can selectively log just database modification or data definition statements. Server configuration parameter log_duration now prints only when log_statement prints the query.
(8.0.0) Server configuration parameter max_expr_depth parameter has been replaced with max_stack_depth which measures the physical stack size rather than the expression nesting depth. This helps prevent session termination due to stack overflow caused by recursive functions.
(8.0.0) The length()
function no longer
counts trailing spaces in CHAR(n) values.
(8.0.0) Casting an integer to BIT (N) selects the rightmost N bits of the integer, not the leftmost N bits as before.
(8.0.0) Updating an element or slice of a NULL array value now produces a nonnull array result, namely an array containing just the assigned-to positions.
(8.0.0) Syntax checking of array input values has been tightened up considerably. Junk that was previously allowed in odd places with odd results now causes an error. Empty-string element values must now be written as "", rather than writing nothing. Also changed behavior with respect to whitespace surrounding array elements: trailing whitespace is now ignored, for symmetry with leading whitespace (which has always been ignored).
(8.0.0) Overflow in integer arithmetic operations is now detected and reported as an error.
(8.0.0) The arithmetic operators associated with the single-byte "char" data type have been removed.
(8.0.0) The extract()
function (also
called date_part
) now returns the
proper year for BC dates. It previously returned one less than the
correct year. The function now also returns the proper values for
millennium and century.
(8.0.0) CIDR values now must have their nonmasked bits be zero. For example, we no longer allow 204.248.199.1/31 as a CIDR value. Such values should never have been accepted by PostgreSQL and will now be rejected.
(8.0.0) EXECUTE now returns a completion tag that matches the executed statement.
(8.0.0) psql's \copy command now reads or writes to the query's stdin/stdout, rather than psql's stdin/stdout. The previous behavior can be accessed via new pstdin/pstdout parameters.
(8.0.0) The JDBC client interface has been removed from the core distribution, and is now hosted at http://jdbc.postgresql.org.
(8.0.0) The Tcl client interface has also been removed. There are several Tcl interfaces now hosted at http://gborg.postgresql.org.
(8.0.0) The server now uses its own time zone database, rather than the one supplied by the operating system. This will provide consistent behavior across all platforms. In most cases, there should be little noticeable difference in time zone behavior, except that the time zone names used by SET/SHOW TimeZone might be different from what your platform provides.
(8.0.0) Configure's threading option no longer requires users to run tests or edit configuration files; threading options are now detected automatically.
(8.0.0) Now that tablespaces have been implemented, initlocation has been removed.
(8.0.0) The API for user-defined GiST indexes has been changed. The Union and PickSplit methods are now passed a pointer to a special GistEntryVector structure, rather than a bytea.
Some aspects of PostgreSQL's behavior have been determined to be suboptimal. For the sake of backward compatibility these have not been removed in 8.0, but they are considered deprecated and will be removed in the next major release.
(8.0.0) The 8.1 release will remove the to_char()
function for intervals.
(8.0.0) The server now warns of empty strings passed to oid/float4/float8 data types, but continues to interpret them as zeroes as before. In the next major release, empty strings will be considered invalid input for these data types.
(8.0.0) By default, tables in PostgreSQL 8.0 and earlier are created with OIDs. In the next release, this will not be the case: to create a table that contains OIDs, the WITH OIDS clause must be specified or the default_with_oids configuration parameter must be set. Users are encouraged to explicitly specify WITH OIDS if their tables require OIDs for compatibility with future releases of PostgreSQL.
Below you will find a detailed account of the changes between release 8.0 and the previous major release.
(8.0.0) Support cross-data-type index usage (Tom Lane)
Before this change, many queries would not use an index if the data types did not match exactly. This improvement makes index usage more intuitive and consistent.
(8.0.0) New buffer replacement strategy that improves caching (Jan Wieck)
Prior releases used a least-recently-used (LRU) cache to keep recently referenced pages in memory. The LRU algorithm did not consider the number of times a specific cache entry was accessed, so large table scans could force out useful cache pages. The new cache algorithm uses four separate lists to track most recently used and most frequently used cache pages and dynamically optimize their replacement based on the work load. This should lead to much more efficient use of the shared buffer cache. Administrators who have tested shared buffer sizes in the past should retest with this new cache replacement policy.
(8.0.0) Add subprocess to write dirty buffers periodically to reduce checkpoint writes (Jan Wieck)
In previous releases, the checkpoint process, which runs every
few minutes, would write all dirty buffers to the operating
system's buffer cache then flush all dirty operating system buffers
to disk. This resulted in a periodic spike in disk usage that often
hurt performance. The new code uses a background writer to trickle
disk writes at a steady pace so checkpoints have far fewer dirty
pages to write to disk. Also, the new code does not issue a global
sync()
call, but instead fsync()
s just the files written since the last
checkpoint. This should improve performance and minimize
degradation during checkpoints.
(8.0.0) Add ability to prolong vacuum to reduce performance impact (Jan Wieck)
On busy systems, VACUUM performs many I/O requests which can hurt performance for other users. This release allows you to slow down VACUUM to reduce its impact on other users, though this increases the total duration of VACUUM.
(8.0.0) Improve B-tree index performance for duplicate keys (Dmitry Tkach, Tom Lane)
This improves the way indexes are scanned when many duplicate values exist in the index.
(8.0.0) Use dynamically-generated table size estimates while planning (Tom Lane)
Formerly the planner estimated table sizes using the values seen by the last VACUUM or ANALYZE, both as to physical table size (number of pages) and number of rows. Now, the current physical table size is obtained from the kernel, and the number of rows is estimated by multiplying the table size by the row density (rows per page) seen by the last VACUUM or ANALYZE. This should produce more reliable estimates in cases where the table size has changed significantly since the last housekeeping command.
(8.0.0) Improved index usage with OR clauses (Tom Lane)
This allows the optimizer to use indexes in statements with many OR clauses that would not have been indexed in the past. It can also use multi-column indexes where the first column is specified and the second column is part of an OR clause.
(8.0.0) Improve matching of partial index clauses (Tom Lane)
The server is now smarter about using partial indexes in queries involving complex WHERE clauses.
(8.0.0) Improve performance of the GEQO optimizer (Tom Lane)
The GEQO optimizer is used to plan queries involving many tables (by default, twelve or more). This release speeds up the way queries are analyzed to decrease time spent in optimization.
(8.0.0) Miscellaneous optimizer improvements
There is not room here to list all the minor improvements made, but numerous special cases work better than in prior releases.
(8.0.0) Improve lookup speed for C functions (Tom Lane)
This release uses a hash table to lookup information for dynamically loaded C functions. This improves their speed so they perform nearly as quickly as functions that are built into the server executable.
(8.0.0) Add type-specific ANALYZE statistics capability (Mark Cave-Ayland)
This feature allows more flexibility in generating statistics for nonstandard data types.
(8.0.0) ANALYZE now collects statistics for expression indexes (Tom Lane)
Expression indexes (also called functional indexes) allow users to index not just columns but the results of expressions and function calls. With this release, the optimizer can gather and use statistics about the contents of expression indexes. This will greatly improve the quality of planning for queries in which an expression index is relevant.
(8.0.0) New two-stage sampling method for ANALYZE (Manfred Koizar)
This gives better statistics when the density of valid rows is very different in different regions of a table.
(8.0.0) Speed up TRUNCATE (Tom Lane)
This buys back some of the performance loss observed in 7.4, while still keeping TRUNCATE transaction-safe.
(8.0.0) Add WAL file archiving and point-in-time recovery (Simon Riggs)
(8.0.0) Add tablespaces so admins can control disk layout (Gavin Sherry)
(8.0.0) Add a built-in log rotation program (Andreas Pflug)
It is now possible to log server messages conveniently without relying on either syslog or an external log rotation program.
(8.0.0) Add new read-only server configuration parameters to show server compile-time settings: block_size, integer_datetimes, max_function_args, max_identifier_length, max_index_keys (Joe Conway)
(8.0.0) Make quoting of sameuser, samegroup, and all remove special meaning of these terms in pg_hba.conf (Andrew Dunstan)
(8.0.0) Use clearer IPv6 name ::1/128 for localhost in default pg_hba.conf (Andrew Dunstan)
(8.0.0) Use CIDR format in pg_hba.conf examples (Andrew Dunstan)
(8.0.0) Rename server configuration parameters SortMem and VacuumMem to work_mem and maintenance_work_mem (Old names still supported) (Tom Lane)
This change was made to clarify that bulk operations such as index and foreign key creation use maintenance_work_mem, while work_mem is for workspaces used during query execution.
(8.0.0) Allow logging of session disconnections using server configuration log_disconnections (Andrew Dunstan)
(8.0.0) Add new server configuration parameter log_line_prefix to allow control of information emitted in each log line (Andrew Dunstan)
Available information includes user name, database name, remote IP address, and session start time.
(8.0.0) Remove server configuration parameters log_pid, log_timestamp, log_source_port; functionality superseded by log_line_prefix (Andrew Dunstan)
(8.0.0) Replace the virtual_host and tcpip_socket parameters with a unified listen_addresses parameter (Andrew Dunstan, Tom Lane)
virtual_host could only specify a single IP address to listen on. listen_addresses allows multiple addresses to be specified.
(8.0.0) Listen on localhost by default, which eliminates the need for the -i postmaster switch in many scenarios (Andrew Dunstan)
Listening on localhost (127.0.0.1) opens no new security holes but allows configurations like Windows and JDBC, which do not support local sockets, to work without special adjustments.
(8.0.0) Remove syslog server configuration parameter, and add more logical log_destination variable to control log output location (Magnus Hagander)
(8.0.0) Change server configuration parameter log_statement to take values all, mod, ddl, or none to select which queries are logged (Bruce Momjian)
This allows administrators to log only data definition changes or only data modification statements.
(8.0.0) Some logging-related configuration parameters could formerly be adjusted by ordinary users, but only in the "more verbose" direction. They are now treated more strictly: only superusers can set them. However, a superuser can use ALTER USER to provide per-user settings of these values for non-superusers. Also, it is now possible for superusers to set values of superuser-only configuration parameters via PGOPTIONS.
(8.0.0) Allow configuration files to be placed outside the data directory (mlw)
By default, configuration files are kept in the cluster's top directory. With this addition, configuration files can be placed outside the data directory, easing administration.
(8.0.0) Plan prepared queries only when first executed so constants can be used for statistics (Oliver Jowett)
Prepared statements plan queries once and execute them many times. While prepared queries avoid the overhead of re-planning on each use, the quality of the plan suffers from not knowing the exact parameters to be used in the query. In this release, planning of unnamed prepared statements is delayed until the first execution, and the actual parameter values of that execution are used as optimization hints. This allows use of out-of-line parameter passing without incurring a performance penalty.
(8.0.0) Allow DECLARE CURSOR to take parameters (Oliver Jowett)
It is now useful to issue DECLARE
CURSOR in a Parse
message with
parameters. The parameter values sent at Bind
time will be substituted into the execution
of the cursor's query.
(8.0.0) Fix hash joins and aggregates of inet and cidr data types (Tom Lane)
Release 7.4 handled hashing of mixed inet and cidr values incorrectly. (This bug did not exist in prior releases because they wouldn't try to hash either data type.)
(8.0.0) Make log_duration print only when log_statement prints the query (Ed L.)
(8.0.0) Add savepoints (nested transactions) (Álvaro Herrera)
(8.0.0) Unsupported isolation levels are now accepted and promoted to the nearest supported level (Peter T. Mount)
The SQL specification states that if a database doesn't support a specific isolation level, it should use the next more restrictive level. This change complies with that recommendation.
(8.0.0) Allow BEGIN WORK to specify transaction isolation levels like START TRANSACTION does (Bruce Momjian)
(8.0.0) Fix table permission checking for cases in which rules generate a query type different from the originally submitted query (Tom Lane)
(8.0.0) Implement dollar quoting to simplify single-quote usage (Andrew Dunstan, Tom Lane, David Fetter)
In previous releases, because single quotes had to be used to quote a function's body, the use of single quotes inside the function text required use of two single quotes or other error-prone notations. With this release we add the ability to use "dollar quoting" to quote a block of text. The ability to use different quoting delimiters at different nesting levels greatly simplifies the task of quoting correctly, especially in complex functions. Dollar quoting can be used anywhere quoted text is needed.
(8.0.0) Make CASE val WHEN compval1 THEN ... evaluate val only once (Tom Lane)
CASE no longer evaluates the tested expression multiple times. This has benefits when the expression is complex or is volatile.
(8.0.0) Test HAVING before computing target list of an aggregate query (Tom Lane)
Fixes improper failure of cases such as SELECT SUM(win)/SUM(lose) ... GROUP BY ... HAVING SUM(lose) > 0. This should work but formerly could fail with divide-by-zero.
(8.0.0) Replace max_expr_depth parameter with max_stack_depth parameter, measured in kilobytes of stack size (Tom Lane)
This gives us a fairly bulletproof defense against crashing due to runaway recursive functions. Instead of measuring the depth of expression nesting, we now directly measure the size of the execution stack.
(8.0.0) Allow arbitrary row expressions (Tom Lane)
This release allows SQL expressions to contain arbitrary composite types, that is, row values. It also allows functions to more easily take rows as arguments and return row values.
(8.0.0) Allow LIKE/ILIKE to be used as the operator in row and subselect comparisons (Fabien Coelho)
(8.0.0) Avoid locale-specific case conversion of basic ASCII letters in identifiers and keywords (Tom Lane)
This solves the "Turkish problem" with mangling of words containing I and i. Folding of characters outside the 7-bit-ASCII set is still locale-aware.
(8.0.0) Improve syntax error reporting (Fabien Coelho, Tom Lane)
Syntax error reports are more useful than before.
(8.0.0) Change EXECUTE to return a completion tag matching the executed statement (Kris Jurka)
Previous releases return an EXECUTE tag for any EXECUTE call. In this release, the tag returned will reflect the command executed.
(8.0.0) Avoid emitting NATURAL CROSS JOIN in rule listings (Tom Lane)
Such a clause makes no logical sense, but in some cases the rule decompiler formerly produced this syntax.
(8.0.0) Add COMMENT ON for casts, conversions, languages, operator classes, and large objects (Christopher Kings-Lynne)
(8.0.0) Add new server configuration parameter default_with_oids to control whether tables are created with OIDs by default (Neil Conway)
This allows administrators to control whether CREATE TABLE commands create tables with or without OID columns by default. (Note: the current factory default setting for default_with_oids is TRUE, but the default will become FALSE in future releases.)
(8.0.0) Add WITH / WITHOUT OIDS clause to CREATE TABLE AS (Neil Conway)
(8.0.0) Allow ALTER TABLE DROP COLUMN to drop an OID column (ALTER TABLE SET WITHOUT OIDS still works) (Tom Lane)
(8.0.0) Allow composite types as table columns (Tom Lane)
(8.0.0) Allow ALTER ... ADD COLUMN with defaults and NOT NULL constraints; works per SQL spec (Rod Taylor)
It is now possible for ADD COLUMN to create a column that is not initially filled with NULLs, but with a specified default value.
(8.0.0) Add ALTER COLUMN TYPE to change column's type (Rod Taylor)
It is now possible to alter a column's data type without dropping and re-adding the column.
(8.0.0) Allow multiple ALTER actions in a single ALTER TABLE command (Rod Taylor)
This is particularly useful for ALTER commands that rewrite the table (which include ALTER COLUMN TYPE and ADD COLUMN with a default). By grouping ALTER commands together, the table need be rewritten only once.
(8.0.0) Allow ALTER TABLE to add SERIAL columns (Tom Lane)
This falls out from the new capability of specifying defaults for new columns.
(8.0.0) Allow changing the owners of aggregates, conversions, databases, functions, operators, operator classes, schemas, types, and tablespaces (Christopher Kings-Lynne, Euler Taveira de Oliveira)
Previously this required modifying the system tables directly.
(8.0.0) Allow temporary object creation to be limited to SECURITY DEFINER functions (Sean Chittenden)
(8.0.0) Add ALTER TABLE ... SET WITHOUT CLUSTER (Christopher Kings-Lynne)
Prior to this release, there was no way to clear an auto-cluster specification except to modify the system tables.
(8.0.0) Constraint/Index/SERIAL names are now table_column_type with numbers appended to guarantee uniqueness within the schema (Tom Lane)
The SQL specification states that such names should be unique within a schema.
(8.0.0) Add pg_get_serial_sequence()
to
return a SERIAL column's sequence name
(Christopher Kings-Lynne)
This allows automated scripts to reliably find the SERIAL sequence name.
(8.0.0) Warn when primary/foreign key data type mismatch requires costly lookup
(8.0.0) New ALTER INDEX command to allow moving of indexes between tablespaces (Gavin Sherry)
(8.0.0) Make ALTER TABLE OWNER change dependent sequence ownership too (Álvaro Herrera)
(8.0.0) Allow CREATE SCHEMA to create triggers, indexes, and sequences (Neil Conway)
(8.0.0) Add ALSO keyword to CREATE RULE (Fabien Coelho)
This allows ALSO to be added to rule creation to contrast it with INSTEAD rules.
(8.0.0) Add NOWAIT option to LOCK (Tatsuo Ishii)
This allows the LOCK command to fail if it would have to wait for the requested lock.
(8.0.0) Allow COPY to read and write comma-separated-value (CSV) files (Andrew Dunstan, Bruce Momjian)
(8.0.0) Generate error if the COPY delimiter and NULL string conflict (Bruce Momjian)
(8.0.0) GRANT/REVOKE behavior follows the SQL spec more closely
(8.0.0) Avoid locking conflict between CREATE INDEX and CHECKPOINT (Tom Lane)
In 7.3 and 7.4, a long-running B-tree index build could block concurrent CHECKPOINTs from completing, thereby causing WAL bloat because the WAL log could not be recycled.
(8.0.0) Database-wide ANALYZE does not hold locks across tables (Tom Lane)
This reduces the potential for deadlocks against other backends that want exclusive locks on tables. To get the benefit of this change, do not execute database-wide ANALYZE inside a transaction block (BEGIN block); it must be able to commit and start a new transaction for each table.
(8.0.0) REINDEX does not exclusively lock the index's parent table anymore
The index itself is still exclusively locked, but readers of the table can continue if they are not using the particular index being rebuilt.
(8.0.0) Erase MD5 user passwords when a user is renamed (Bruce Momjian)
PostgreSQL uses the user name as salt when encrypting passwords via MD5. When a user's name is changed, the salt will no longer match the stored MD5 password, so the stored password becomes useless. In this release a notice is generated and the password is cleared. A new password must then be assigned if the user is to be able to log in with a password.
(8.0.0) New pg_ctl kill option for Windows (Andrew Dunstan)
Windows does not have a kill command to send signals to backends so this capability was added to pg_ctl.
(8.0.0) Information schema improvements
(8.0.0) Add --pwfile option to initdb so the initial password can be set by GUI tools (Magnus Hagander)
(8.0.0) Detect locale/encoding mismatch in initdb (Peter T. Mount)
(8.0.0) Add register command to pg_ctl to register Windows operating system service (Dave Page)
(8.0.0) More complete support for composite types (row types) (Tom Lane)
Composite values can be used in many places where only scalar values worked before.
(8.0.0) Reject nonrectangular array values as erroneous (Joe Conway)
Formerly, array_in
would silently
build a surprising result.
(8.0.0) Overflow in integer arithmetic operations is now detected (Tom Lane)
(8.0.0) The arithmetic operators associated with the single-byte "char" data type have been removed.
Formerly, the parser would select these operators in many situations where an "unable to select an operator" error would be more appropriate, such as null * null. If you actually want to do arithmetic on a "char" column, you can cast it to integer explicitly.
(8.0.0) Syntax checking of array input values considerably tightened up (Joe Conway)
Junk that was previously allowed in odd places with odd results now causes an ERROR, for example, non-whitespace after the closing right brace.
(8.0.0) Empty-string array element values must now be written as "", rather than writing nothing (Joe Conway)
Formerly, both ways of writing an empty-string element value were allowed, but now a quoted empty string is required. The case where nothing at all appears will probably be considered to be a NULL element value in some future release.
(8.0.0) Array element trailing whitespace is now ignored (Joe Conway)
Formerly leading whitespace was ignored, but trailing whitespace between an element value and the delimiter or right brace was significant. Now trailing whitespace is also ignored.
(8.0.0) Emit array values with explicit array bounds when lower bound is not one (Joe Conway)
(8.0.0) Accept YYYY-monthname-DD as a date string (Tom Lane)
(8.0.0) Make netmask
and hostmask
functions return maximum-length mask
length (Tom Lane)
(8.0.0) Change factorial function to return numeric (Gavin Sherry)
Returning numeric allows the factorial function to work for a wider range of input values.
(8.0.0) to_char
/to_date()
date conversion improvements (Kurt
Roeckx, Fabien Coelho)
(8.0.0) Make length()
disregard trailing
spaces in CHAR(n) (Gavin Sherry)
This change was made to improve consistency: trailing spaces are
semantically insignificant in CHAR(n) data,
so they should not be counted by length()
.
(8.0.0) Warn about empty string being passed to OID/float4/float8 data types (Neil Conway)
8.1 will throw an error instead.
(8.0.0) Allow leading or trailing whitespace in int2/int4/int8/float4/float8 input routines (Neil Conway)
(8.0.0) Better support for IEEE Infinity and NaN values in float4/float8 (Neil Conway)
These should now work on all platforms that support IEEE-compliant floating point arithmetic.
(8.0.0) Add week option to date_trunc()
(Robert Creager)
(8.0.0) Fix to_char
for 1 BC (previously it returned 1
AD) (Bruce Momjian)
(8.0.0) Fix date_part(year)
for BC dates
(previously it returned one less than the correct year) (Bruce Momjian)
(8.0.0) Fix date_part()
to return the
proper millennium and century (Fabien Coelho)
In previous versions, the century and millennium results had a wrong number and started in the wrong year, as compared to standard reckoning of such things.
(8.0.0) Add ceiling()
as an alias for
ceil()
, and power()
as an alias for pow()
for standards compliance (Neil Conway)
(8.0.0) Change ln()
, log()
, power()
, and
sqrt()
to emit the correct SQLSTATE error codes for certain error conditions,
as specified by SQL:2003 (Neil Conway)
(8.0.0) Add width_bucket()
function as
defined by SQL:2003 (Neil Conway)
(8.0.0) Add generate_series()
functions to
simplify working with numeric sets (Joe Conway)
(8.0.0) Fix upper/lower/initcap()
functions to work with multibyte encodings (Tom Lane)
(8.0.0) Add boolean and bitwise integer AND/OR aggregates (Fabien Coelho)
(8.0.0) New session information functions to return network addresses for client and server (Sean Chittenden)
(8.0.0) Add function to determine the area of a closed path (Sean Chittenden)
(8.0.0) Add function to send cancel request to other backends (Magnus Hagander)
(8.0.0) Add interval plus datetime operators (Tom Lane)
The reverse ordering, datetime plus interval, was already supported, but both are required by the SQL standard.
(8.0.0) Casting an integer to BIT (N) selects the rightmost N bits of the integer (Tom Lane)
In prior releases, the leftmost N bits were selected, but this was deemed unhelpful, not to mention inconsistent with casting from bit to int.
(8.0.0) Require CIDR values to have all nonmasked bits be zero (Kevin Brintnall)
(8.0.0) In READ COMMITTED serialization mode, volatile functions now see the results of concurrent transactions committed up to the beginning of each statement within the function, rather than up to the beginning of the interactive command that called the function.
(8.0.0) Functions declared STABLE or IMMUTABLE always use the snapshot of the calling query, and therefore do not see the effects of actions taken after the calling query starts, whether in their own transaction or other transactions. Such a function must be read-only, too, meaning that it cannot use any SQL commands other than SELECT. There is a considerable performance gain from declaring a function STABLE or IMMUTABLE rather than VOLATILE.
(8.0.0) Nondeferred AFTER triggers are now fired immediately after completion of the triggering query, rather than upon finishing the current interactive command. This makes a difference when the triggering query occurred within a function: the trigger is invoked before the function proceeds to its next operation. For example, if a function inserts a new row into a table, any nondeferred foreign key checks occur before proceeding with the function.
(8.0.0) Allow function parameters to be declared with names (Dennis Björklund)
This allows better documentation of functions. Whether the names actually do anything depends on the specific function language being used.
(8.0.0) Allow PL/pgSQL parameter names to be referenced in the function (Dennis Björklund)
This basically creates an automatic alias for each named parameter.
(8.0.0) Do minimal syntax checking of PL/pgSQL functions at creation time (Tom Lane)
This allows us to catch simple syntax errors sooner.
(8.0.0) More support for composite types (row and record variables) in PL/pgSQL
For example, it now works to pass a rowtype variable to another function as a single variable.
(8.0.0) Default values for PL/pgSQL variables can now reference previously declared variables
(8.0.0) Improve parsing of PL/pgSQL FOR loops (Tom Lane)
Parsing is now driven by presence of ".." rather than data type of FOR variable. This makes no difference for correct functions, but should result in more understandable error messages when a mistake is made.
(8.0.0) Major overhaul of PL/Perl server-side language (Command Prompt, Andrew Dunstan)
(8.0.0) In PL/Tcl, SPI commands are now run in subtransactions. If an error occurs, the subtransaction is cleaned up and the error is reported as an ordinary Tcl error, which can be trapped with catch. Formerly, it was not possible to catch such errors.
(8.0.0) Accept ELSEIF in PL/pgSQL (Neil Conway)
Previously PL/pgSQL only allowed ELSIF, but many people are accustomed to spelling this keyword ELSEIF.
(8.0.0) Improve psql information display about database objects (Christopher Kings-Lynne)
(8.0.0) Allow psql to display group membership in \du and \dg (Markus Bertheau)
(8.0.0) Prevent psql \dn from showing temporary schemas (Bruce Momjian)
(8.0.0) Allow psql to handle tilde user expansion for file names (Zach Irmen)
(8.0.0) Allow psql to display fancy prompts, including color, via readline (Reece Hart, Chet Ramey)
(8.0.0) Make psql \copy match COPY command syntax fully (Tom Lane)
(8.0.0) Show the location of syntax errors (Fabien Coelho, Tom Lane)
(8.0.0) Add CLUSTER information to psql \d display (Bruce Momjian)
(8.0.0) Change psql \copy stdin/stdout to read from command input/output (Bruce Momjian)
(8.0.0) Add pstdin/pstdout to read from psql's stdin/stdout (Mark Feit)
(8.0.0) Add global psql configuration file, psqlrc.sample (Bruce Momjian)
This allows a central file where global psql startup commands can be stored.
(8.0.0) Have psql \d+ indicate if the table has an OID column (Neil Conway)
(8.0.0) On Windows, use binary mode in psql when reading files so control-Z is not seen as end-of-file
(8.0.0) Have \dn+ show permissions and description for schemas (Dennis Björklund)
(8.0.0) Improve tab completion support (Stefan Kaltenbrunn, Greg Sabino Mullane)
(8.0.0) Allow boolean settings to be set using upper or lower case (Michael Paesold)
(8.0.0) Use dependency information to improve the reliability of pg_dump (Tom Lane)
This should solve the longstanding problems with related objects sometimes being dumped in the wrong order.
(8.0.0) Have pg_dump output objects in alphabetical order if possible (Tom Lane)
This should make it easier to identify changes between dump files.
(8.0.0) Allow pg_restore to ignore some SQL errors (Fabien Coelho)
This makes pg_restore's behavior similar to the results of feeding a pg_dump output script to psql. In most cases, ignoring errors and plowing ahead is the most useful thing to do. Also added was a pg_restore option to give the old behavior of exiting on an error.
(8.0.0) pg_restore -l display now includes objects' schema names
(8.0.0) New begin/end markers in pg_dump text output (Bruce Momjian)
(8.0.0) Add start/stop times for pg_dump/pg_dumpall in verbose mode (Bruce Momjian)
(8.0.0) Allow most pg_dump options in pg_dumpall (Christopher Kings-Lynne)
(8.0.0) Have pg_dump use ALTER OWNER rather than SET SESSION AUTHORIZATION by default (Christopher Kings-Lynne)
(8.0.0) Make libpq's SIGPIPE handling thread-safe (Bruce Momjian)
(8.0.0) Add PQmbdsplen()
which returns the
display length of a character (Tatsuo Ishii)
(8.0.0) Add thread locking to SSL and Kerberos connections (Manfred Spraul)
(8.0.0) Allow PQoidValue()
, PQcmdTuples()
, and PQoidStatus()
to work on EXECUTE commands (Neil Conway)
(8.0.0) Add PQserverVersion()
to provide
more convenient access to the server version number (Greg Sabino
Mullane)
(8.0.0) Add PQprepare/PQsendPrepared()
functions to support preparing statements without necessarily
specifying the data types of their parameters (Abhijit
Menon-Sen)
(8.0.0) Many ECPG improvements, including SET DESCRIPTOR (Michael Meskes)
(8.0.0) Allow the database server to run natively on Windows (Claudio Natoli, Magnus Hagander, Andrew Dunstan)
(8.0.0) Shell script commands converted to C versions for Windows support (Andrew Dunstan)
(8.0.0) Create an extension makefile framework (Fabien Coelho, Peter T. Mount)
This simplifies the task of building extensions outside the original source tree.
(8.0.0) Support relocatable installations (Bruce Momjian)
Directory paths for installed files (such as the /share directory) are now computed relative to the actual location of the executables, so that an installation tree can be moved to another place without reconfiguring and rebuilding.
(8.0.0) Use --with-docdir to choose installation location of documentation; also allow --infodir (Peter T. Mount)
(8.0.0) Add --without-docdir to prevent installation of documentation (Peter T. Mount)
(8.0.0) Upgrade to DocBook V4.2 SGML (Peter T. Mount)
(8.0.0) New PostgreSQL CVS tag (Marc Fournier)
This was done to make it easier for organizations to manage their own copies of the PostgreSQL CVS repository. File version stamps from the master repository will not get munged by checking into or out of a copied repository.
(8.0.0) Clarify locking code (Manfred Koizar)
(8.0.0) Buffer manager cleanup (Neil Conway)
(8.0.0) Decouple platform tests from CPU spinlock code (Bruce Momjian, Tom Lane)
(8.0.0) Add inlined test-and-set code on PA-RISC for gcc (ViSolve, Tom Lane)
(8.0.0) Improve i386 spinlock code (Manfred Spraul)
(8.0.0) Clean up spinlock assembly code to avoid warnings from newer gcc releases (Tom Lane)
(8.0.0) Remove JDBC from source tree; now a separate project
(8.0.0) Remove the libpgtcl client interface; now a separate project
(8.0.0) More accurately estimate memory and file descriptor usage (Tom Lane)
(8.0.0) Improvements to the Mac OS X startup scripts (Ray A.)
(8.0.0) New fsync()
test program
(Bruce Momjian)
(8.0.0) Major documentation improvements (Neil Conway, Peter T. Mount)
(8.0.0) Remove pg_encoding; not needed anymore
(8.0.0) Remove pg_id; not needed anymore
(8.0.0) Remove initlocation; not needed anymore
(8.0.0) Auto-detect thread flags (no more manual testing) (Bruce Momjian)
(8.0.0) Use Olson's public domain timezone library (Magnus Hagander)
(8.0.0) With threading enabled, use thread flags on Unixware for backend executables too (Bruce Momjian)
Unixware cannot mix threaded and nonthreaded object files in the same executable, so everything must be compiled as threaded.
(8.0.0) psql now uses a flex-generated lexical analyzer to process command strings
(8.0.0) Reimplement the linked list data structure used throughout the backend (Neil Conway)
This improves performance by allowing list append and length operations to be more efficient.
(8.0.0) Allow dynamically loaded modules to create their own server configuration parameters (Thomas Hallgren)
(8.0.0) New Brazilian version of FAQ (Euler Taveira de Oliveira)
(8.0.0) Add French FAQ (Guillaume Lelarge)
(8.0.0) New pgevent for Windows logging
(8.0.0) Make libpq and ECPG build as proper shared libraries on OS X (Tom Lane)
(8.0.0) Overhaul of contrib/dblink (Joe Conway)
(8.0.0) contrib/dbmirror improvements (Steven Singer)
(8.0.0) New contrib/xml2 (John Gray, Torchbox)
(8.0.0) Updated contrib/mysql
(8.0.0) New version of contrib/btree_gist (Teodor Sigaev)
(8.0.0) New contrib/trgm, trigram matching for PostgreSQL (Teodor Sigaev)
(8.0.0) Many contrib/tsearch2 improvements (Teodor Sigaev)
(8.0.0) Add double metaphone to contrib/fuzzystrmatch (Andrew Dunstan)
(8.0.0) Allow contrib/pg_autovacuum to run as a Windows service (Dave Page)
(8.0.0) Add functions to contrib/dbsize (Andreas Pflug)
(8.0.0) Removed contrib/pg_logger: obsoleted by integrated logging subprocess
(8.0.0) Removed contrib/rserv: obsoleted by various separate projects
Release date: 2010-10-04
This release contains a variety of fixes from 7.4.29. For information about new features in the 7.4 major release, see Version 7.4.0.
This is expected to be the last PostgreSQL release in the 7.4.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.26, see Version 7.4.26.
(7.4.30,9.0.1,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Our thanks to Tim Bunce for pointing out this issue CVE-2010-3433 or CVE-2010-3433).
(7.4.30,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Prevent possible crashes in pg_get_expr()
by disallowing it from being called
with an argument that is not one of the system catalog columns it's
intended to be used with (Heikki Linnakangas, Tom Lane)
(7.4.30,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Fix "cannot handle unplanned sub-select" error (Tom Lane)
This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select.
(7.4.30,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane)
This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed.
(7.4.30,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane)
(7.4.30,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro)
(7.4.30,9.0.1,8.4.5,8.3.12,8.2.18,8.1.22,8.0.26) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)
Release date: 2010-05-17
This release contains a variety of fixes from 7.4.28. For information about new features in the 7.4 major release, see Version 7.4.0.
The PostgreSQL community will stop releasing updates for the 7.4.X release series in July 2010. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.26, see Version 7.4.26.
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. CVE-2010-1169 or CVE-2010-1169)
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom Lane)
PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. CVE-2010-1170 or CVE-2010-1170)
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Do not allow an unprivileged user to reset superuser-only parameter settings (Álvaro Herrera)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change.
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom Lane)
In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message.
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Update pl/perl's ppport.h for modern Perl versions (Andrew Dunstan)
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Fix assorted memory leaks in pl/python (Andreas Freund, Tom Lane)
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara)
(7.4.29,8.4.4,8.3.11,8.2.17,8.1.21,8.0.25) Make server startup deal properly with the case that
shmget()
returns EINVAL for an existing shared memory segment
(Tom Lane)
This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large.
Release date: 2010-03-15
This release contains a variety of fixes from 7.4.27. For information about new features in the 7.4 major release, see Version 7.4.0.
The PostgreSQL community will stop releasing updates for the 7.4.X release series in July 2010. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.26, see Version 7.4.26.
(7.4.28,8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus Hagander)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches forCVE-2009-3555 or CVE-2009-3555 that cause renegotiation attempts to fail.
(7.4.28,8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Make substring()
for bit types treat any negative length as meaning
"all the rest of the string" (Tom Lane)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash CVE-2010-0442 or CVE-2010-0442).
(7.4.28,8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Fix some cases of pathologically slow regular expression matching (Tom Lane)
(7.4.28,8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom Lane)
This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct.
(7.4.28,8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom Lane)
(7.4.28,8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom Lane)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
(7.4.28,8.4.3,8.3.10,8.2.16,8.1.20,8.0.24) Prevent crash in contrib/dblink when
too many key columns are specified to a dblink_build_sql_*
function (Rushabh Lathia, Joe
Conway)
Release date: 2009-12-14
This release contains a variety of fixes from 7.4.26. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.26, see Version 7.4.26.
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom Lane)
This change prevents allegedly-immutable index functions from possibly subverting a superuser's session CVE-2009-4136 or CVE-2009-4136).
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus Hagander)
This prevents unintended matching of a certificate to a server or client name during SSL validation CVE-2009-4034 or CVE-2009-4034).
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Fix possible crash during backend-startup-time cache initialization (Tom Lane)
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Prevent signals from interrupting VACUUM at unsafe times (Álvaro Herrera)
This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table.
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Fix possible crash due to integer overflow in hash table size calculation (Tom Lane)
This could occur with extremely large planner estimates for the size of a hashjoin's result.
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Fix very rare crash in inet/cidr comparisons (Chris Mikkelson)
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Fix PAM password processing to be more robust (Tom Lane)
The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
(7.4.27,8.4.2,8.3.9,8.2.15,8.1.19,8.0.23) Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom Lane)
Release date: 2009-09-09
This release contains a variety of fixes from 7.4.25. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you have any hash indexes on interval columns, you must REINDEX them after updating to 7.4.26. Also, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.26,8.4.1,8.3.8,8.2.14,8.1.18,8.0.22) Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom Lane, Heikki Linnakangas)
This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (SeeCVE-2007-6600 or CVE-2007-6600)
(7.4.26,8.3.8,8.2.14,8.1.18,8.0.22) Fix handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function (Tom Lane)
(7.4.26,8.3.8,8.2.14,8.1.18,8.0.22) Fix hash calculation for data type interval (Tom Lane)
This corrects wrong results for hash joins on interval values. It also changes the contents of hash indexes on interval columns. If you have any such indexes, you must REINDEX them after updating.
(7.4.26,8.4.1,8.3.8,8.2.14,8.1.18,8.0.22) Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker)
(7.4.26,8.3.8,8.2.14,8.1.18,8.0.22) Fix calculation of distance between a point and a line segment (Tom Lane)
This led to incorrect results from a number of geometric operators.
(7.4.26,8.3.8,8.2.14,8.1.18,8.0.22) Fix money data type to work in locales where currency amounts have no fractional digits, e.g. Japan (Itagaki Takahiro)
(7.4.26,8.3.8,8.2.14,8.1.18,8.0.22) Properly round datetime input like 00:12:57.9999999999999999999999999999 (Tom Lane)
(7.4.26,8.3.8,8.2.14,8.1.18,8.0.22) Fix poor choice of page split point in GiST R-tree operator classes (Teodor Sigaev)
(7.4.26,8.3.8,8.2.14,8.1.18,8.0.22) Fix portability issues in plperl initialization (Andrew Dunstan)
(7.4.26,8.4.1,8.3.8,8.2.14,8.1.18,8.0.22) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom Lane)
(7.4.26,8.4.1,8.3.8,8.2.14,8.1.18,8.0.22) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala)
Release date: 2009-03-16
This release contains a variety of fixes from 7.4.24. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.25,8.3.7,8.2.13,8.1.17,8.0.21) Prevent error recursion crashes when encoding conversion fails (Tom Lane)
This change extends fixes made in the last two minor releases for related failure scenarios. The previous fixes were narrowly tailored for the original problem reports, but we have now recognized that any error thrown by an encoding conversion function could potentially lead to infinite recursion while trying to report the error. The solution therefore is to disable translation and encoding conversion and report the plain-ASCII form of any error message, if we find we have gotten into a recursive error reporting situation. CVE-2009-0922 or CVE-2009-0922)
(7.4.25,8.3.7,8.2.13,8.1.17,8.0.21) Disallow CREATE CONVERSION with the wrong encodings for the specified conversion function (Heikki Linnakangas)
This prevents one possible scenario for encoding conversion failure. The previous change is a backstop to guard against other kinds of failures in the same area.
(7.4.25,8.3.7,8.2.13,8.1.17,8.0.21) Fix core dump when to_char()
is
given format codes that are inappropriate for the type of the data
argument (Tom Lane)
(7.4.25,8.3.7,8.2.13,8.1.17,8.0.21) Add MUST (Mauritius Island Summer Time) to the default list of known timezone abbreviations (Xavier Bugaud)
Release date: 2009-02-02
This release contains a variety of fixes from 7.4.23. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.24,8.3.6,8.2.12,8.1.16,8.0.20) Improve handling of URLs in headline()
function (Teodor Sigaev)
(7.4.24,8.3.6,8.2.12,8.1.16,8.0.20) Improve handling of overlength headlines in headline()
function (Teodor Sigaev)
(7.4.24,8.3.6,8.2.12,8.1.16,8.0.20) Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom Lane, Heikki Linnakangas)
(7.4.24,8.3.6,8.2.12,8.1.16,8.0.20) Avoid unnecessary locking of small tables in VACUUM (Heikki Linnakangas)
(7.4.24,8.1.16,8.0.20) Fix uninitialized variables in contrib/tsearch2's get_covers()
function (Teodor Sigaev)
(7.4.24) Fix bug in to_char()
's handling of
TH format codes (Andreas Scherbaum)
(7.4.24,8.3.6,8.2.12,8.1.16,8.0.20) Make all documentation reference pgsql-bugs and/or pgsql-hackers as appropriate, instead of the now-decommissioned pgsql-ports and pgsql-patches mailing lists (Tom Lane)
Release date: 2008-11-03
This release contains a variety of fixes from 7.4.22. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.23,8.3.5,8.2.11,8.1.15,8.0.19) Fix backend crash when the client encoding cannot represent a localized error message (Tom Lane)
We have addressed similar issues before, but it would still fail if the "character has no equivalent" message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation.
(7.4.23,8.2.11,8.1.15,8.0.19) Fix incorrect tsearch2 headline generation when single query item matches first word of text (Sushant Sinha)
(7.4.23,8.3.5,8.2.11,8.1.15,8.0.19) Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build (Ron Mayer)
(7.4.23,8.3.5,8.2.11,8.1.15,8.0.19) Ensure SPI_getvalue
and
SPI_getbinval
behave correctly when
the passed tuple and tuple descriptor have different numbers of
columns (Tom Lane)
This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication.
(7.4.23,8.0.19) Fix ecpg's parsing of CREATE USER (Michael Meskes)
Release date: 2008-09-22
This release contains a variety of fixes from 7.4.21. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.22,8.3.4,8.2.10,8.1.14,8.0.18) Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom Lane)
(7.4.22,8.3.4,8.2.10,8.1.14,8.0.18) Improve performance of writing very long log messages to syslog (Tom Lane)
(7.4.22,8.3.4,8.2.10,8.1.14,8.0.18) Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom Lane)
(7.4.22,8.0.18) Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom Lane)
This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL.
(7.4.22,8.3.4,8.2.10,8.1.14,8.0.18) Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom Lane)
Release date: 2008-06-12
This release contains one serious bug fix over 7.4.20. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.21,8.3.3,8.2.9,8.1.13,8.0.17) Make pg_get_ruledef()
parenthesize
negative constants (Tom Lane)
Before this fix, a negative constant in a view or rule might be dumped as, say, -42::integer, which is subtly incorrect: it should be (-42)::integer due to operator precedence rules. Usually this would make little difference, but it could interact with another recent patch to cause PostgreSQL to reject what had been a valid SELECT DISTINCT view query. Since this could result in pg_dump output failing to reload, it is being treated as a high-priority fix. The only released versions in which dump output is actually incorrect are 8.3.1 and 8.2.7.
Release date: never released
This release contains a variety of fixes from 7.4.19. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.20,8.3.2,8.2.8,8.1.12,8.0.16) Fix conversions between ISO-8859-5 and other encodings to handle Cyrillic "Yo" characters (e and E with two dots) (Sergey Burladyan)
(7.4.20,8.1.12,8.0.16) Fix a few datatype input functions that were allowing unused bytes in their results to contain uninitialized, unpredictable values (Tom Lane)
This could lead to failures in which two apparently identical literal values were not seen as equal, resulting in the parser complaining about unmatched ORDER BY and DISTINCT expressions.
(7.4.20,8.3.2,8.2.8,8.1.12,8.0.16) Fix a corner case in regular-expression substring matching (substring(string from pattern)) (Tom Lane)
The problem occurs when there is a match to the pattern overall but the user has specified a parenthesized subexpression and that subexpression hasn't got a match. An example is substring('foo' from 'foo(bar)?'). This should return NULL, since (bar) isn't matched, but it was mistakenly returning the whole-pattern match instead (ie, foo).
(7.4.20,8.3.2,8.2.8,8.1.12,8.0.16) Fix incorrect result from ecpg's PGTYPEStimestamp_sub()
function (Michael Meskes)
(7.4.20,8.2.8,8.1.12,8.0.16) Fix DatumGetBool macro to not fail with gcc 4.3 (Tom Lane)
This problem affects "old style" (V0) C functions that return boolean. The fix is already in 8.3, but the need to back-patch it was not realized at the time.
(7.4.20,8.3.1,8.2.7,8.1.12,8.0.16) Fix longstanding LISTEN/NOTIFY race condition (Tom Lane)
In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later.
A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior.
(7.4.20,8.2.7,8.1.12,8.0.16) Fix display of constant expressions in ORDER BY and GROUP BY (Tom Lane)
An explicitly casted constant would be shown incorrectly. This could for example lead to corruption of a view definition during dump and reload.
(7.4.20,8.2.7,8.1.12,8.0.16) Fix libpq to handle NOTICE messages correctly during COPY OUT (Tom Lane)
This failure has only been observed to occur when a user-defined datatype's output routine issues a NOTICE, but there is no guarantee it couldn't happen due to other causes.
Release date: 2008-01-07
This release contains a variety of fixes from 7.4.18, including fixes for significant security issues. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.19,8.2.6,8.1.11,8.0.15,7.3.21) Prevent functions in indexes from executing with the privileges of the user running VACUUM, ANALYZE, etc (Tom Lane)
Functions used in index expressions and partial-index predicates are evaluated whenever a new table entry is made. It has long been understood that this poses a risk of trojan-horse code execution if one modifies a table owned by an untrustworthy user. (Note that triggers, defaults, check constraints, etc. pose the same type of risk.) But functions in indexes pose extra danger because they will be executed by routine maintenance operations such as VACUUM FULL, which are commonly performed automatically under a superuser account. For example, a nefarious user can execute code with superuser privileges by setting up a trojan-horse index definition and waiting for the next routine vacuum. The fix arranges for standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) to execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. CVE-2007-6600 or CVE-2007-6600)
(7.4.19,8.2.6,8.1.11,8.0.15) Repair assorted bugs in the regular-expression package (Tom Lane, Will Drewry)
Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. CVE-2007-4769 or CVE-2007-4769,CVE-2007-4772 or CVE-2007-4772,CVE-2007-6067 or CVE-2007-6067)
(7.4.19) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
The fix that appeared for this in 7.4.18 was incomplete, as it plugged the hole for only some dblink functions. CVE-2007-6601 or CVE-2007-6601,CVE-2007-3278 or CVE-2007-3278)
(7.4.19,8.2.6,8.1.11,8.0.15) Fix planner failure in some cases of WHERE false AND var IN (SELECT ...) (Tom Lane)
(7.4.19,8.2.6,8.1.11,8.0.15,7.3.21) Fix potential crash in translate()
when using a multibyte database encoding (Tom Lane)
(7.4.19,8.2.6,8.1.11,8.0.15) Fix PL/Python to not crash on long exception messages (Álvaro Herrera)
(7.4.19,8.2.6,8.1.11,8.0.15) ecpg parser fixes (Michael Meskes)
(7.4.19,8.2.6,8.1.11,8.0.15,7.3.21) Make contrib/tablefunc's crosstab()
handle NULL rowid as a category in its
own right, rather than crashing (Joe Conway)
(7.4.19,8.2.6,8.1.11,8.0.15) Fix tsvector and tsquery output routines to escape backslashes correctly (Teodor Sigaev, Bruce Momjian)
(7.4.19,8.2.6,8.1.11,8.0.15) Fix crash of to_tsvector()
on huge
input strings (Teodor Sigaev)
(7.4.19,8.2.6,8.1.11,8.0.15,7.3.21) Require a specific version of Autoconf to be used when re-generating the configure script (Peter T. Mount)
This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.
Release date: 2007-09-17
This release contains fixes from 7.4.17. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.18,8.2.5,8.1.10,8.0.14,7.3.20) Prevent index corruption when a transaction inserts rows and then aborts close to the end of a concurrent VACUUM on the same table (Tom Lane)
(7.4.18,8.2.5,8.1.10,8.0.14,7.3.20) Make CREATE DOMAIN ... DEFAULT NULL work properly (Tom Lane)
(7.4.18,8.2.5,8.1.10,8.0.14) Fix excessive logging of SSL error messages (Tom Lane)
(7.4.18,8.2.5,8.1.10,8.0.14,7.3.20) Fix crash when log_min_error_statement logging runs out of memory (Tom Lane)
(7.4.18,8.0.14) Prevent CLUSTER from failing due to attempting to process temporary tables of other sessions (Álvaro Herrera)
(7.4.18,8.2.5,8.1.10,8.0.14,7.3.20) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
Release date: 2007-04-23
This release contains fixes from 7.4.16, including a security fix. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.17,8.2.4,8.1.9,8.0.13,7.3.19) Support explicit placement of the temporary-table schema within search_path, and disable searching it for functions and operators (Tom Lane)
This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, an unprivileged SQL user can use temporary objects to execute code with the privileges of the security-definer function CVE-2007-2138 or CVE-2007-2138). See CREATE FUNCTION for more information.
(7.4.17,8.2.4,8.1.9,8.0.13) /contrib/tsearch2 crash fixes (Teodor Sigaev)
(7.4.17,8.2.4,8.1.9,8.0.13,7.3.19) Fix potential-data-corruption bug in how VACUUM FULL handles UPDATE chains (Tom Lane, Pavan Deolasee)
(7.4.17) Fix PANIC during enlargement of a hash index (bug introduced in 7.4.15) (Tom Lane)
Release date: 2007-02-05
This release contains a variety of fixes from 7.4.15, including a security fix. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.16) Remove security vulnerability that allowed connected users to read backend memory (Tom Lane)
The vulnerability involves suppressing the normal check that a SQL function returns the data type it's declared to, or changing the data type of a table column used in a SQL function CVE-2007-0555 or CVE-2007-0555). This error can easily be exploited to cause a backend crash, and in principle might be used to read database content that the user should not be able to access.
(7.4.16,8.1.7,8.0.11,7.3.18) Fix rare bug wherein btree index page splits could fail due to choosing an infeasible split point (Heikki Linnakangas)
(7.4.16,8.2.2,8.1.7,8.0.11) Fix for rare Assert() crash triggered by UNION (Tom Lane)
(7.4.16,8.2.2,8.1.7,8.0.11,7.3.18) Tighten security of multi-byte character processing for UTF8 sequences over three bytes long (Tom Lane)
Release date: 2007-01-08
This release contains a variety of fixes from 7.4.14. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.15,8.1.6,8.0.10) Improve handling of getaddrinfo()
on AIX (Tom Lane)
This fixes a problem with starting the statistics collector, among other things.
(7.4.15,8.2.0,8.1.6,8.0.10) Fix "failed to re-find parent key" errors in VACUUM (Tom Lane)
(7.4.15,8.2.0,8.1.6,8.0.10) Fix bugs affecting multi-gigabyte hash indexes (Tom Lane)
(7.4.15,8.1.6,8.0.10) Fix error when constructing an ARRAY[] made up of multiple empty elements (Tom Lane)
(7.4.15,8.1.6,8.0.10,7.3.17) to_number()
and to_char(numeric)
are now STABLE, not IMMUTABLE, for
new initdb installs (Tom Lane)
This is because lc_numeric can potentially change the output of these functions.
(7.4.15,8.2.1,8.1.6,8.0.10,7.3.17) Improve index usage of regular expressions that use parentheses (Tom Lane)
This improves psql \d performance also.
Release date: 2006-10-16
This release contains a variety of fixes from 7.4.13. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.14,8.1.5,8.0.9) Fix core dump when an untyped literal is taken as ANYARRAY
(7.4.14,8.1.5,8.0.9) Fix string_to_array()
to handle
overlapping matches for the separator string
For example, string_to_array('123xx456xxx789', 'xx').
(7.4.14,8.1.5,8.0.9,7.3.16) Fix corner cases in pattern matching for psql's \d commands
(7.4.14,8.1.5,8.0.9,7.3.16) Fix index-corrupting bugs in /contrib/ltree (Teodor Sigaev)
(7.4.14,8.1.5,8.0.9,7.3.16) Fix backslash escaping in /contrib/dbmirror
(7.4.14,7.3.16) Adjust regression tests for recent changes in US DST laws
Release date: 2006-05-23
This release contains a variety of fixes from 7.4.12, including patches for extremely serious security issues. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
Full security against the SQL-injection attacks described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314 might require changes in
application code. If you have applications that embed untrustworthy
strings into SQL commands, you should examine them as soon as
possible to ensure that they are using recommended escaping
techniques. In most cases, applications should be using subroutines
provided by libraries or drivers (such as libpq's PQescapeStringConn()
) to perform string escaping,
rather than relying on ad hoc code to
do it.
(7.4.13,8.1.4,8.0.8,7.3.15) Change the server to reject invalidly-encoded multibyte characters in all cases (Tatsuo Ishii, Tom Lane)
While PostgreSQL has been moving in this direction for some time, the checks are now applied uniformly to all encodings and all textual input, and are now always errors not merely warnings. This change defends against SQL-injection attacks of the type described inCVE-2006-2313 or CVE-2006-2313.
(7.4.13,8.1.4,8.0.8,7.3.15) Reject unsafe uses of \' in string literals
As a server-side defense against SQL-injection attacks of the type described inCVE-2006-2314 or CVE-2006-2314, the server now only accepts '' and not \' as a representation of ASCII single quote in SQL string literals. By default, \' is rejected only when client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, GB18030, or UHC), which is the scenario in which SQL injection is possible. A new configuration parameter backslash_quote is available to adjust this behavior when needed. Note that full security againstCVE-2006-2314 or CVE-2006-2314 might require client-side changes; the purpose of backslash_quote is in part to make it obvious that insecure clients are insecure.
(7.4.13,8.1.4,8.0.8) Modify libpq's string-escaping routines to be aware of encoding considerations and standard_conforming_strings
This fixes libpq-using
applications for the security issues described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314, and also future-proofs them against the planned
changeover to SQL-standard string literal syntax. Applications that
use multiple PostgreSQL
connections concurrently should migrate to PQescapeStringConn()
and PQescapeByteaConn()
to ensure that escaping is
done correctly for the settings in use in each database connection.
Applications that do string escaping "by
hand" should be modified to rely on library routines
instead.
(7.4.13,8.0.8,7.3.15) Fix some incorrect encoding conversion functions
win1251_to_iso
, alt_to_iso
, euc_tw_to_big5
, euc_tw_to_mic
, mic_to_euc_tw
were all broken to varying
extents.
(7.4.13,8.1.4,8.0.8,7.3.15) Clean up stray remaining uses of \' in strings (Bruce Momjian, Jan Wieck)
(7.4.13,8.0.8) Fix bug that sometimes caused OR'd index scans to miss rows they should have returned
(7.4.13,8.0.8) Fix WAL replay for case where a btree index has been truncated
(7.4.13,8.1.4,8.0.8) Fix SIMILAR TO for patterns involving | (Tom Lane)
(7.4.13,8.1.4,8.0.8,7.3.15) Fix server to use custom DH SSL parameters correctly (Michael Fuhr)
(7.4.13,8.0.8) Fix for Bonjour on Intel Macs (Ashley Clark C. Evans)
(7.4.13,8.1.4,8.0.8,7.3.15) Fix various minor memory leaks
Release date: 2006-02-14
This release contains a variety of fixes from 7.4.11. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Version 7.4.11.
(7.4.12,8.0.7,7.3.14) Fix potential crash in SET SESSION AUTHORIZATION CVE-2006-0553 or CVE-2006-0553)
An unprivileged user could crash the server process, resulting in momentary denial of service to other users, if the server has been compiled with Asserts enabled (which is not the default). Thanks to Akio Ishida for reporting this problem.
(7.4.12) Fix bug with row visibility logic in self-inserted rows (Tom Lane)
Under rare circumstances a row inserted by the current command could be seen as already valid, when it should not be. Repairs bug created in 7.4.9 and 7.3.11 releases.
(7.4.12,7.3.14) Fix race condition that could lead to "file already exists" errors during pg_clog file creation (Tom Lane)
(7.4.12,8.1.3,8.0.7) Properly check DOMAIN constraints for UNKNOWN parameters in prepared statements (Neil Conway)
(7.4.12,7.3.14) Fix to allow restoring dumps that have cross-schema references to custom operators (Tom Lane)
(7.4.12,8.1.3,8.0.7,7.3.14) Portability fix for testing presence of finite
and isinf
during configure (Tom Lane)
Release date: 2006-01-09
This release contains a variety of fixes from 7.4.10. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.8, see Version 7.4.8. Also, you might need to REINDEX indexes on textual columns after updating, if you are affected by the locale or plperl issues described below.
(7.4.11,8.1.2,8.0.6) Fix for protocol-level Describe messages issued outside a transaction or in a failed transaction (Tom Lane)
(7.4.11,8.1.2,8.0.6,7.3.13) Fix character string comparison for locales that consider different character combinations as equal, such as Hungarian (Tom Lane)
This might require REINDEX to fix existing indexes on textual columns.
(7.4.11,8.1.2,8.0.6,7.3.13) Set locale environment variables during postmaster startup to ensure that plperl won't change the locale later
This fixes a problem that occurred if the postmaster was started with environment variables specifying a different locale than what initdb had been told. Under these conditions, any use of plperl was likely to lead to corrupt indexes. You might need REINDEX to fix existing indexes on textual columns if this has happened to you.
(7.4.11,8.1.2,8.0.6,7.3.13) Fix longstanding bug in strpos() and regular expression handling in certain rarely used Asian multi-byte character sets (Tatsuo Ishii)
(7.4.11,8.1.2,8.0.6,7.3.13) Fix bug in /contrib/pgcrypto gen_salt, which caused it not to use all available salt space for MD5 and XDES algorithms (Marko Kreen, Solar Designer)
Salts for Blowfish and standard DES are unaffected.
(7.4.11,8.1.2,8.0.6,7.3.13) Fix /contrib/dblink to throw an error, rather than crashing, when the number of columns specified is different from what's actually returned by the query (Joe Conway)
Release date: 2005-12-12
This release contains a variety of fixes from 7.4.9. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.8, see Version 7.4.8.
(7.4.10,8.0.5,7.3.12) Fix race condition in transaction log management
There was a narrow window in which an I/O operation could be initiated for the wrong page, leading to an Assert failure or data corruption.
(7.4.10,8.1.1,8.0.5) Prevent failure if client sends Bind protocol message when current transaction is already aborted
(7.4.10,8.0.5,7.3.12) /contrib/ltree fixes (Teodor Sigaev)
(7.4.10,8.0.5) AIX and HPUX compile fixes (Tom Lane)
(7.4.10,8.0.5,7.3.12) Fix longstanding planning error for outer joins
This bug sometimes caused a bogus error "RIGHT JOIN is only supported with merge-joinable join conditions".
(7.4.10,8.0.5,7.3.12) Prevent core dump in pg_autovacuum when a table has been dropped
Release date: 2005-10-04
This release contains a variety of fixes from 7.4.8. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.8, see Version 7.4.8.
(7.4.9,8.0.4,7.3.11) Fix error that allowed VACUUM to remove ctid chains too soon, and add more checking in code that follows ctid links
This fixes a long-standing problem that could cause crashes in very rare circumstances.
(7.4.9,8.0.4,7.3.11) Fix CHAR() to properly pad spaces to the specified length when using a multiple-byte character set (Yoshiyuki Asaba)
In prior releases, the padding of CHAR() was incorrect because it only padded to the specified number of bytes without considering how many characters were stored.
(7.4.9,8.0.4) Fix the sense of the test for read-only transaction in COPY
The code formerly prohibited COPY TO, where it should prohibit COPY FROM.
(7.4.9,8.0.4) Fix planning problem with outer-join ON clauses that reference only the inner-side relation
(7.4.9,8.0.4) Further fixes for x FULL JOIN y ON true corner cases
(7.4.9,8.0.4) Make array_in
and array_recv
more paranoid about validating their
OID parameter
(7.4.9,8.0.4,7.3.11) Fix missing rows in queries like UPDATE a=... WHERE a... with GiST index on column a
(7.4.9,8.0.4) Improve robustness of datetime parsing
(7.4.9,8.0.4,7.3.11) Improve checking for partially-written WAL pages
(7.4.9,8.0.4,7.3.11) Improve robustness of signal handling when SSL is enabled
(7.4.9,8.0.4) Don't try to open more than max_files_per_process files during postmaster startup
(7.4.9,8.0.4,7.3.11) Various memory leakage fixes
(7.4.9,8.0.4,7.3.11) Various portability improvements
(7.4.9,8.0.4,7.3.11) Fix PL/pgSQL to handle var := var correctly when the variable is of pass-by-reference type
(7.4.9,8.0.4) Update contrib/tsearch2 to use current Snowball code
Release date: 2005-05-09
This release contains a variety of fixes from 7.4.7, including several security-related issues. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, it is one possible way of handling two significant security problems that have been found in the initial contents of 7.4.X system catalogs. A dump/initdb/reload sequence using 7.4.8's initdb will automatically correct these problems.
The larger security problem is that the built-in character set encoding conversion functions can be invoked from SQL commands by unprivileged users, but the functions were not designed for such use and are not secure against malicious choices of arguments. The fix involves changing the declared parameter list of these functions so that they can no longer be invoked from SQL commands. (This does not affect their normal use by the encoding conversion machinery.)
The lesser problem is that the contrib/tsearch2 module creates several functions that are misdeclared to return internal when they do not accept internal arguments. This breaks type safety for all functions using internal arguments.
It is strongly recommended that all installations repair these errors, either by initdb or by following the manual repair procedures given below. The errors at least allow unprivileged database users to crash their server process, and might allow unprivileged users to gain the privileges of a database superuser.
If you wish not to do an initdb, perform the following procedures instead. As the database superuser, do:
BEGIN; UPDATE pg_proc SET proargtypes[3] = 'internal'::regtype WHERE pronamespace = 11 AND pronargs = 5 AND proargtypes[2] = 'cstring'::regtype; -- The command should report having updated 90 rows; -- if not, rollback and investigate instead of committing! COMMIT;
Next, if you have installed contrib/tsearch2, do:
BEGIN; UPDATE pg_proc SET proargtypes[0] = 'internal'::regtype WHERE oid IN ( 'dex_init(text)'::regprocedure, 'snb_en_init(text)'::regprocedure, 'snb_ru_init(text)'::regprocedure, 'spell_init(text)'::regprocedure, 'syn_init(text)'::regprocedure ); -- The command should report having updated 5 rows; -- if not, rollback and investigate instead of committing! COMMIT;
If this command fails with a message like "function "dex_init(text)" does not exist", then either tsearch2 is not installed in this database, or you already did the update.
The above procedures must be carried out in each database of an installation, including template1, and ideally including template0 as well. If you do not fix the template databases then any subsequently created databases will contain the same errors. template1 can be fixed in the same way as any other database, but fixing template0 requires additional steps. First, from any database issue:
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
Next connect to template0 and perform the above repair procedures. Finally, do:
-- re-freeze template0: VACUUM FREEZE; -- and protect it against future alterations: UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
(7.4.8,8.0.3,7.3.10) Change encoding function signature to prevent misuse
(7.4.8,8.0.3) Change contrib/tsearch2 to avoid unsafe use of INTERNAL function results
(7.4.8,8.0.3,7.3.10,7.2.8) Repair ancient race condition that allowed a transaction to be seen as committed for some purposes (eg SELECT FOR UPDATE) slightly sooner than for other purposes
This is an extremely serious bug since it could lead to apparent data inconsistencies being briefly visible to applications.
(7.4.8,8.0.3,7.3.10,7.2.8) Repair race condition between relation extension and VACUUM
This could theoretically have caused loss of a page's worth of freshly-inserted data, although the scenario seems of very low probability. There are no known cases of it having caused more than an Assert failure.
(7.4.8,8.0.3,7.3.10) Fix comparisons of TIME WITH TIME ZONE values
The comparison code was wrong in the case where the --enable-integer-datetimes configuration switch had been used. NOTE: if you have an index on a TIME WITH TIME ZONE column, it will need to be REINDEXed after installing this update, because the fix corrects the sort order of column values.
(7.4.8,8.0.3,7.3.10,7.2.8) Fix EXTRACT (EPOCH)
for TIME WITH TIME ZONE values
(7.4.8,8.0.3,7.3.10) Fix mis-display of negative fractional seconds in INTERVAL values
This error only occurred when the --enable-integer-datetimes configuration switch had been used.
(7.4.8,8.0.2) Ensure operations done during backend shutdown are counted by statistics collector
This is expected to resolve reports of pg_autovacuum not vacuuming the system catalogs often enough — it was not being told about catalog deletions caused by temporary table removal during backend exit.
(7.4.8,7.3.10,7.2.8) Additional buffer overrun checks in plpgsql (Neil Conway)
(7.4.8,8.0.3,7.3.10) Fix pg_dump to dump trigger names containing % correctly (Neil Conway)
(7.4.8,7.3.10,7.2.8) Fix contrib/pgcrypto for newer OpenSSL builds (Marko Kreen)
(7.4.8,8.0.3,7.3.10) Still more 64-bit fixes for contrib/intagg
(7.4.8,8.0.3,7.3.10) Prevent incorrect optimization of functions returning RECORD
(7.4.8,7.3.10,7.2.8) Prevent to_char(interval)
from
dumping core for month-related formats
(7.4.8,8.0.3) Prevent crash on COALESCE (NULL,NULL)
(7.4.8) Fix array_map
to call PL functions
correctly
(7.4.8) Fix permission checking in ALTER DATABASE RENAME
(7.4.8) Fix ALTER LANGUAGE RENAME
(7.4.8) Make RemoveFromWaitQueue
clean up
after itself
This fixes a lock management error that would only be visible if a transaction was kicked out of a wait for a lock (typically by query cancel) and then the holder of the lock released it within a very narrow window.
(7.4.8) Fix problem with untyped parameter appearing in INSERT ... SELECT
(7.4.8) Fix CLUSTER failure after ALTER TABLE SET WITHOUT OIDS
Release date: 2005-01-31
This release contains a variety of fixes from 7.4.6, including several security-related issues. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X.
(7.4.7,8.0.1,7.3.9,7.2.7) Disallow LOAD to non-superusers
On platforms that will automatically execute initialization functions of a shared library (this includes at least Windows and ELF-based Unixen), LOAD can be used to make the server execute arbitrary code. Thanks to NGS Software for reporting this.
(7.4.7,8.0.1,7.3.9) Check that creator of an aggregate function has the right to execute the specified transition functions
This oversight made it possible to bypass denial of EXECUTE permission on a function.
(7.4.7,8.0.1,7.3.9) Fix security and 64-bit issues in contrib/intagg
(7.4.7,8.0.1,7.3.9,7.2.7) Add needed STRICT marking to some contrib functions (Kris Jurka)
(7.4.7,8.0.1,7.3.9,7.2.7) Avoid buffer overrun when plpgsql cursor declaration has too many parameters (Neil Conway)
(7.4.7,8.0.1,7.3.9,7.2.7) Fix planning error for FULL and RIGHT outer joins
The result of the join was mistakenly supposed to be sorted the same as the left input. This could not only deliver mis-sorted output to the user, but in case of nested merge joins could give outright wrong answers.
(7.4.7,7.3.9) Fix plperl for quote marks in tuple fields
(7.4.7,7.3.9,7.2.7) Fix display of negative intervals in SQL and GERMAN datestyles
(7.4.7) Make age(timestamptz) do calculation in local timezone not GMT
Release date: 2004-10-22
This release contains a variety of fixes from 7.4.5. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X.
(7.4.6,7.3.8,7.2.6) Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not access transaction status" failures, which qualifies it as a potential-data-loss bug.
(7.4.6,7.3.8,7.2.6) Ensure that hashed outer join does not miss tuples
Very large left joins using a hash join plan could fail to output unmatched left-side rows given just the right data distribution.
(7.4.6) Disallow running pg_ctl as root
This is to guard against any possible security issues.
(7.4.6) Avoid using temp files in /tmp in make_oidjoins_check
This has been reported as a security issue, though it's hardly worthy of concern since there is no reason for non-developers to use this script anyway.
(7.4.6) Prevent forced backend shutdown from re-emitting prior command result
In rare cases, a client might think that its last command had succeeded when it really had been aborted by forced database shutdown.
(7.4.6) Repair bug in pg_stat_get_backend_idset
This could lead to misbehavior in some of the system-statistics views.
(7.4.6) Fix small memory leak in postmaster
(7.4.6) Fix "expected both swapped tables to have TOAST tables" bug
This could arise in cases such as CLUSTER after ALTER TABLE DROP COLUMN.
(7.4.6) Prevent pg_ctl restart from adding -D multiple times
(7.4.6) Fix problem with NULL values in GiST indexes
(7.4.6) :: is no longer interpreted as a variable in an ECPG prepare statement
Release date: 2004-08-18
This release contains one serious bug fix over 7.4.4. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X.
(7.4.5) Repair possible crash during concurrent B-tree index insertions
This patch fixes a rare case in which concurrent insertions into a B-tree index could result in a server panic. No permanent damage would result, but it's still worth a re-release. The bug does not exist in pre-7.4 releases.
Release date: 2004-08-16
This release contains a variety of fixes from 7.4.3. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X.
(7.4.4,7.3.7,7.2.5) Prevent possible loss of committed transactions during crash
Due to insufficient interlocking between transaction commit and checkpointing, it was possible for transactions committed just before the most recent checkpoint to be lost, in whole or in part, following a database crash and restart. This is a serious bug that has existed since PostgreSQL 7.1.
(7.4.4) Check HAVING restriction before evaluating result list of an aggregate plan
(7.4.4) Avoid crash when session's current user ID is deleted
(7.4.4) Fix hashed crosstab for zero-rows case (Joe Conway)
(7.4.4) Force cache update after renaming a column in a foreign key
(7.4.4) Pretty-print UNION queries correctly
(7.4.4) Make psql handle \r\n newlines properly in COPY IN
(7.4.4) pg_dump handled ACLs with grant options incorrectly
(7.4.4) Fix thread support for OS X and Solaris
(7.4.4) Updated JDBC driver (build 215) with various fixes
(7.4.4) ECPG fixes
(7.4.4) Translation updates (various contributors)
Release date: 2004-06-14
This release contains a variety of fixes from 7.4.2. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X.
(7.4.3) Fix temporary memory leak when using non-hashed aggregates (Tom Lane)
(7.4.3) ECPG fixes, including some for Informix compatibility (Michael Meskes)
(7.4.3) Fixes for compiling with thread-safety, particularly Solaris (Bruce Momjian)
(7.4.3) Fix error in COPY IN termination when using the old network protocol (ljb)
(7.4.3) Several important fixes in pg_autovacuum, including fixes for large tables, unsigned oids, stability, temp tables, and debug mode (Matthew T. O'Connor)
(7.4.3) Fix problem with reading tar-format dumps on NetBSD and BSD/OS (Bruce Momjian)
(7.4.3) Several JDBC fixes
(7.4.3) Fix ALTER SEQUENCE RESTART where last_value equals the restart value (Tom Lane)
(7.4.3) Repair failure to recalculate nested sub-selects (Tom Lane)
(7.4.3) Fix problems with non-constant expressions in LIMIT/OFFSET
(7.4.3) Support FULL JOIN with no join clause, such as X FULL JOIN Y ON TRUE (Tom Lane)
(7.4.3) Fix another zero-column table bug (Tom Lane)
(7.4.3) Improve handling of non-qualified identifiers in GROUP BY clauses in sub-selects (Tom Lane)
Select-list aliases within the sub-select will now take precedence over names from outer query levels.
(7.4.3) Do not generate "NATURAL CROSS JOIN" when decompiling rules (Tom Lane)
(7.4.3) Add checks for invalid field length in binary COPY (Tom Lane)
This fixes a difficult-to-exploit security hole.
(7.4.3) Avoid locking conflict between ANALYZE and LISTEN/NOTIFY
(7.4.3) Numerous translation updates (various contributors)
Release date: 2004-03-08
This release contains a variety of fixes from 7.4.1. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.X. However, it might be advisable as the easiest method of incorporating fixes for two errors that have been found in the initial contents of 7.4.X system catalogs. A dump/initdb/reload sequence using 7.4.2's initdb will automatically correct these problems.
The more severe of the two errors is that data type anyarray has the wrong alignment label; this is a problem because the pg_statistic system catalog uses anyarray columns. The mislabeling can cause planner misestimations and even crashes when planning queries that involve WHERE clauses on double-aligned columns (such as float8 and timestamp). It is strongly recommended that all installations repair this error, either by initdb or by following the manual repair procedure given below.
The lesser error is that the system view pg_settings ought to be marked as having public update access, to allow UPDATE pg_settings to be used as a substitute for SET. This can also be fixed either by initdb or manually, but it is not necessary to fix unless you want to use UPDATE pg_settings.
If you wish not to do an initdb, the following procedure will work for fixing pg_statistic. As the database superuser, do:
-- clear out old data in pg_statistic: DELETE FROM pg_statistic; VACUUM pg_statistic; -- this should update 1 row: UPDATE pg_type SET typalign = 'd' WHERE oid = 2277; -- this should update 6 rows: UPDATE pg_attribute SET attalign = 'd' WHERE atttypid = 2277; -- -- At this point you MUST start a fresh backend to avoid a crash! -- -- repopulate pg_statistic: ANALYZE;
This can be done in a live database, but beware that all backends running in the altered database must be restarted before it is safe to repopulate pg_statistic.
To repair the pg_settings error, simply do:
GRANT SELECT, UPDATE ON pg_settings TO PUBLIC;
The above procedures must be carried out in each database of an installation, including template1, and ideally including template0 as well. If you do not fix the template databases then any subsequently created databases will contain the same errors. template1 can be fixed in the same way as any other database, but fixing template0 requires additional steps. First, from any database issue:
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
Next connect to template0 and perform the above repair procedures. Finally, do:
-- re-freeze template0: VACUUM FREEZE; -- and protect it against future alterations: UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Release 7.4.2 incorporates all the fixes included in release 7.3.6, plus the following fixes:
(7.4.2) Fix pg_statistics alignment bug that could crash optimizer
See above for details about this problem.
(7.4.2) Allow non-super users to update pg_settings
(7.4.2) Fix several optimizer bugs, most of which led to "variable not found in subplan target lists" errors
(7.4.2) Avoid out-of-memory failure during startup of large multiple index scan
(7.4.2) Fix multibyte problem that could lead to "out of memory" error during COPY IN
(7.4.2) Fix problems with SELECT INTO / CREATE TABLE AS from tables without OIDs
(7.4.2) Fix problems with alter_table regression test during parallel testing
(7.4.2) Fix problems with hitting open file limit, especially on OS X (Tom Lane)
(7.4.2) Partial fix for Turkish-locale issues
initdb will succeed now in Turkish locale, but there are still some inconveniences associated with the i/I problem.
(7.4.2) Make pg_dump set client encoding on restore
(7.4.2) Other minor pg_dump fixes
(7.4.2) Allow ecpg to again use C keywords as column names (Michael Meskes)
(7.4.2) Added ecpg WHENEVER NOT_FOUND to SELECT/INSERT/UPDATE/DELETE (Michael Meskes)
(7.4.2) Fix ecpg crash for queries calling set-returning functions (Michael Meskes)
(7.4.2) Various other ecpg fixes (Michael Meskes)
(7.4.2) Fixes for Borland compiler
(7.4.2) Thread build improvements (Bruce Momjian)
(7.4.2) Various other build fixes
(7.4.2) Various JDBC fixes
Release date: 2003-12-22
This release contains a variety of fixes from 7.4. For information about new features in the 7.4 major release, see Version 7.4.0.
A dump/restore is not required for those running 7.4.
If you want to install the fixes in the information schema you need to reload it into the database. This is either accomplished by initializing a new cluster by running initdb, or by running the following sequence of SQL commands in each database (ideally including template1) as a superuser in psql, after installing the new release:
DROP SCHEMA information_schema CASCADE; \i /usr/local/pgsql/share/information_schema.sql
Substitute your installation path in the second command.
(7.4.1) Fixed bug in CREATE SCHEMA parsing in ECPG (Michael Meskes)
(7.4.1) Fix compile error when --enable-thread-safety and --with-perl are used together (Peter T. Mount)
(7.4.1) Fix for subqueries that used hash joins (Tom Lane)
Certain subqueries that used hash joins would crash because of improperly shared structures.
(7.4.1) Fix free space map compaction bug (Tom Lane)
This fixes a bug where compaction of the free space map could lead to a database server shutdown.
(7.4.1) Fix for Borland compiler build of libpq (Bruce Momjian)
(7.4.1) Fix netmask()
and hostmask()
to return the maximum-length masklen
(Tom Lane)
Fix these functions to return values consistent with pre-7.4 releases.
(7.4.1) Several contrib/pg_autovacuum fixes
Fixes include improper variable initialization, missing vacuum after TRUNCATE, and duration computation overflow for long vacuums.
(7.4.1) Allow compile of contrib/cube under Cygwin (Jason Tishler)
(7.4.1) Fix Solaris use of password file when no passwords are defined (Tom Lane)
Fix crash on Solaris caused by use of any type of password authentication when no passwords were defined.
(7.4.1) JDBC fix for thread problems, other fixes
(7.4.1) Fix for bytea index lookups (Joe Conway)
(7.4.1) Fix information schema for bit data types (Peter T. Mount)
(7.4.1,7.3.5) Force zero_damaged_pages to be on during recovery from WAL
(7.4.1,7.3.5) Prevent some obscure cases of "variable not in subplan target lists"
(7.4.1) Make PQescapeBytea
and
byteaout
consistent with each other
(Joe Conway)
(7.4.1) Escape bytea output for bytes > 0x7e (Joe Conway)
If different client encodings are used for bytea output and input, it is possible for bytea values to be corrupted by the differing encodings. This fix escapes all bytes that might be affected.
(7.4.1) Added missing SPI_finish()
calls
to dblink's get_tuple_of_interest()
(Joe Conway)
(7.4.1) New Czech FAQ
(7.4.1) Fix information schema view constraint_column_usage for foreign keys (Peter T. Mount)
(7.4.1) ECPG fixes (Michael Meskes)
(7.4.1) Fix bug with multiple IN subqueries and joins in the subqueries (Tom Lane)
(7.4.1) Allow COUNT('x') to work (Tom Lane)
(7.4.1) Install ECPG include files for Informix compatibility into separate directory (Peter T. Mount)
Some names of ECPG include files for Informix compatibility conflicted with operating system include files. By installing them in their own directory, name conflicts have been reduced.
(7.4.1) Fix SSL memory leak (Neil Conway)
This release fixes a bug in 7.4 where SSL didn't free all memory it allocated.
(7.4.1) Prevent pg_service.conf from using service name as default dbname (Bruce Momjian)
(7.4.1) Fix local ident authentication on FreeBSD (Tom Lane)
Release date: 2003-11-17
Major changes in this release:
In previous releases, IN/NOT IN subqueries were joined to the upper query by sequentially scanning the subquery looking for a match. The 7.4 code uses the same sophisticated techniques used by ordinary joins and so is much faster. An IN will now usually be as fast as or faster than an equivalent EXISTS subquery; this reverses the conventional wisdom that applied to previous releases.
In previous releases, rows to be grouped had to be sorted first. The 7.4 code can do GROUP BY without sorting, by accumulating results into a hash table with one entry per group. It will still use the sort technique, however, if the hash table is estimated to be too large to fit in sort_mem.
In previous releases, hash joins could only occur on single keys. This release allows multicolumn hash joins.
Prior releases evaluated queries using the explicit JOIN syntax only in the order implied by the syntax. 7.4 allows full optimization of these queries, meaning the optimizer considers all possible join orderings and chooses the most efficient. Outer joins, however, must still follow the declared ordering.
The entire regular expression module has been replaced with a new version by Henry Spencer, originally written for Tcl. The code greatly improves performance and supports several flavors of regular expressions.
Simple SQL functions can now be inlined by including their SQL in the main query. This improves performance by eliminating per-call overhead. That means simple SQL functions now behave like macros.
Previous releases allowed only IPv4 connections, and the IP data types only supported IPv4 addresses. This release adds full IPv6 support in both of these areas.
Several people very familiar with the SSL API have overhauled our SSL code to improve SSL key negotiation and error recovery.
In previous releases, B-tree index pages that were left empty because of deleted rows could only be reused by rows with index values similar to the rows originally indexed on that page. In 7.4, VACUUM records empty index pages and allows them to be reused for any future index rows.
The information schema provides a standardized and stable way to access information about the schema objects defined in a database.
The commands FETCH and MOVE have been overhauled to conform more closely to the SQL standard.
These cursors are also called holdable cursors.
The new protocol adds error codes, more status information, faster startup, better support for binary data transmission, parameter values separated from SQL commands, prepared statements available at the protocol level, and cleaner recovery from COPY failures. The older protocol is still supported by both server and clients.
While previous libpq releases already supported threads, this release improves thread safety by fixing some non-thread-safe code that was used during database connection startup. The configure option --enable-thread-safety must be used to enable this feature.
A new full-text indexing suite is available in contrib/tsearch2.
The new autovacuum tool in contrib/autovacuum monitors the database statistics tables for INSERT/UPDATE/DELETE activity and automatically vacuums tables when needed.
Many array limitations have been removed, and arrays behave more like fully-supported data types.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Observe the following incompatibilities:
(7.4.0) The server-side autocommit setting was removed and reimplemented in client applications and languages. Server-side autocommit was causing too many problems with languages and applications that wanted to control their own autocommit behavior, so autocommit was removed from the server and added to individual client APIs as appropriate.
(7.4.0) Error message wording has changed substantially in this release. Significant effort was invested to make the messages more consistent and user-oriented. If your applications try to detect different error conditions by parsing the error message, you are strongly encouraged to use the new error code facility instead.
(7.4.0) Inner joins using the explicit JOIN syntax might behave differently because they are now better optimized.
(7.4.0) A number of server configuration parameters have been renamed for clarity, primarily those related to logging.
(7.4.0) FETCH 0 or MOVE 0 now does nothing. In prior releases, FETCH 0 would fetch all remaining rows, and MOVE 0 would move to the end of the cursor.
(7.4.0) FETCH and MOVE now return the actual number of rows fetched/moved, or zero if at the beginning/end of the cursor. Prior releases would return the row count passed to the command, not the number of rows actually fetched or moved.
(7.4.0) COPY now can process files that use carriage-return or carriage-return/line-feed end-of-line sequences. Literal carriage-returns and line-feeds are no longer accepted in data values; use \r and \n instead.
(7.4.0) Trailing spaces are now trimmed when converting from type char(n) to varchar(n) or text. This is what most people always expected to happen anyway.
(7.4.0) The data type float(p) now measures p in binary digits, not decimal digits. The new behavior follows the SQL standard.
(7.4.0) Ambiguous date values now must match the ordering specified by the datestyle setting. In prior releases, a date specification of 10/20/03 was interpreted as a date in October even if datestyle specified that the day should be first. 7.4 will throw an error if a date specification is invalid for the current setting of datestyle.
(7.4.0) The functions oidrand
,
oidsrand
, and userfntest
have been removed. These functions
were determined to be no longer useful.
(7.4.0) String literals specifying time-varying date/time values, such
as 'now' or 'today' will no longer work as expected in column
default expressions; they now cause the time of the table creation
to be the default, not the time of the insertion. Functions such as
now()
, current_timestamp
, or current_date
should be used instead.
In previous releases, there was special code so that strings
such as 'now' were interpreted at
INSERT time and not at table creation
time, but this work around didn't cover all cases. Release 7.4 now
requires that defaults be defined properly using functions such as
now()
or current_timestamp
. These will work in all
situations.
(7.4.0) The dollar sign ($) is no longer allowed in operator names. It can instead be a non-first character in identifiers. This was done to improve compatibility with other database systems, and to avoid syntax problems when parameter placeholders ($n) are written adjacent to operators.
Below you will find a detailed account of the changes between release 7.4 and the previous major release.
(7.4.0) Allow IPv6 server connections (Nigel Kukard, Johan Jordaan, Bruce Momjian, Tom Lane, Kurt Roeckx, Andrew Dunstan)
(7.4.0) Fix SSL to handle errors cleanly (Nathan Mueller)
In prior releases, certain SSL API error reports were not handled correctly. This release fixes those problems.
(7.4.0) SSL protocol security and performance improvements (Sean Chittenden)
SSL key renegotiation was happening too frequently, causing poor SSL performance. Also, initial key handling was improved.
(7.4.0) Print lock information when a deadlock is detected (Tom Lane)
This allows easier debugging of deadlock situations.
(7.4.0) Update /tmp socket modification times regularly to avoid their removal (Tom Lane)
This should help prevent /tmp directory cleaner administration scripts from removing server socket files.
(7.4.0) Enable PAM for Mac OS X (Aaron Hillegass)
(7.4.0) Make B-tree indexes fully WAL-safe (Tom Lane)
In prior releases, under certain rare cases, a server crash could cause B-tree indexes to become corrupt. This release removes those last few rare cases.
(7.4.0) Allow B-tree index compaction and empty page reuse (Tom Lane)
(7.4.0) Fix inconsistent index lookups during split of first root page (Tom Lane)
In prior releases, when a single-page index split into two pages, there was a brief period when another database session could miss seeing an index entry. This release fixes that rare failure case.
(7.4.0) Improve free space map allocation logic (Tom Lane)
(7.4.0) Preserve free space information between server restarts (Tom Lane)
In prior releases, the free space map was not saved when the postmaster was stopped, so newly started servers had no free space information. This release saves the free space map, and reloads it when the server is restarted.
(7.4.0) Add start time to pg_stat_activity (Neil Conway)
(7.4.0) New code to detect corrupt disk pages; erase with zero_damaged_pages (Tom Lane)
(7.4.0) New client/server protocol: faster, no username length limit, allow clean exit from COPY (Tom Lane)
(7.4.0) Add transaction status, table ID, column ID to client/server protocol (Tom Lane)
(7.4.0) Add binary I/O to client/server protocol (Tom Lane)
(7.4.0) Remove autocommit server setting; move to client applications (Tom Lane)
(7.4.0) New error message wording, error codes, and three levels of error detail (Tom Lane, Joe Conway, Peter T. Mount)
(7.4.0) Add hashing for GROUP BY aggregates (Tom Lane)
(7.4.0) Make nested-loop joins be smarter about multicolumn indexes (Tom Lane)
(7.4.0) Allow multikey hash joins (Tom Lane)
(7.4.0) Improve constant folding (Tom Lane)
(7.4.0) Add ability to inline simple SQL functions (Tom Lane)
(7.4.0) Reduce memory usage for queries using complex functions (Tom Lane)
In prior releases, functions returning allocated memory would not free it until the query completed. This release allows the freeing of function-allocated memory when the function call completes, reducing the total memory used by functions.
(7.4.0) Improve GEQO optimizer performance (Tom Lane)
This release fixes several inefficiencies in the way the GEQO optimizer manages potential query paths.
(7.4.0) Allow IN/NOT IN to be handled via hash tables (Tom Lane)
(7.4.0) Improve NOT IN (subquery) performance (Tom Lane)
(7.4.0) Allow most IN subqueries to be processed as joins (Tom Lane)
(7.4.0) Pattern matching operations can use indexes regardless of locale (Peter T. Mount)
There is no way for non-ASCII locales to use the standard indexes for LIKE comparisons. This release adds a way to create a special index for LIKE.
(7.4.0) Allow the postmaster to preload libraries using preload_libraries (Joe Conway)
For shared libraries that require a long time to load, this option is available so the library can be preloaded in the postmaster and inherited by all database sessions.
(7.4.0) Improve optimizer cost computations, particularly for subqueries (Tom Lane)
(7.4.0) Avoid sort when subquery ORDER BY matches upper query (Tom Lane)
(7.4.0) Deduce that WHERE a.x = b.y AND b.y = 42 also means a.x = 42 (Tom Lane)
(7.4.0) Allow hash/merge joins on complex joins (Tom Lane)
(7.4.0) Allow hash joins for more data types (Tom Lane)
(7.4.0) Allow join optimization of explicit inner joins, disable with join_collapse_limit (Tom Lane)
(7.4.0) Add parameter from_collapse_limit to control conversion of subqueries to joins (Tom Lane)
(7.4.0) Use faster and more powerful regular expression code from Tcl (Henry Spencer, Tom Lane)
(7.4.0) Use bit-mapped relation sets in the optimizer (Tom Lane)
(7.4.0) Improve connection startup time (Tom Lane)
The new client/server protocol requires fewer network packets to start a database session.
(7.4.0) Improve trigger/constraint performance (Stephan Szabo)
(7.4.0) Improve speed of col IN (const, const, const, ...) (Tom Lane)
(7.4.0) Fix hash indexes which were broken in rare cases (Tom Lane)
(7.4.0) Improve hash index concurrency and speed (Tom Lane)
Prior releases suffered from poor hash index performance, particularly for high concurrency situations. This release fixes that, and the development group is interested in reports comparing B-tree and hash index performance.
(7.4.0) Align shared buffers on 32-byte boundary for copy speed improvement (Manfred Spraul)
Certain CPU's perform faster data copies when addresses are 32-byte aligned.
(7.4.0) Data type numeric reimplemented for better performance (Tom Lane)
numeric used to be stored in base 100. The new code uses base 10000, for significantly better performance.
(7.4.0) Rename server parameter server_min_messages to log_min_messages (Bruce Momjian)
This was done so most parameters that control the server logs begin with log_.
(7.4.0) Rename show_*_stats to log_*_stats (Bruce Momjian)
(7.4.0) Rename show_source_port to log_source_port (Bruce Momjian)
(7.4.0) Rename hostname_lookup to log_hostname (Bruce Momjian)
(7.4.0) Add checkpoint_warning to warn of excessive checkpointing (Bruce Momjian)
In prior releases, it was difficult to determine if checkpoint was happening too frequently. This feature adds a warning to the server logs when excessive checkpointing happens.
(7.4.0) New read-only server parameters for localization (Tom Lane)
(7.4.0) Change debug server log messages to output as DEBUG rather than LOG (Bruce Momjian)
(7.4.0) Prevent server log variables from being turned off by non-superusers (Bruce Momjian)
This is a security feature so non-superusers cannot disable logging that was enabled by the administrator.
(7.4.0) log_min_messages/client_min_messages now controls debug_* output (Bruce Momjian)
This centralizes client debug information so all debug output can be sent to either the client or server logs.
(7.4.0) Add Mac OS X Rendezvous server support (Chris Campbell)
This allows Mac OS X hosts to query the network for available PostgreSQL servers.
(7.4.0) Add ability to print only slow statements using log_min_duration_statement (Christopher Kings-Lynne)
This is an often requested debugging feature that allows administrators to see only slow queries in their server logs.
(7.4.0) Allow pg_hba.conf to accept netmasks in CIDR format (Andrew Dunstan)
This allows administrators to merge the host IP address and netmask fields into a single CIDR field in pg_hba.conf.
(7.4.0) New read-only parameter is_superuser (Tom Lane)
(7.4.0) New parameter log_error_verbosity to control error detail (Tom Lane)
This works with the new error reporting feature to supply additional error information like hints, file names and line numbers.
(7.4.0) postgres --describe-config now dumps server config variables (Aizaz Ahmed, Peter T. Mount)
This option is useful for administration tools that need to know the configuration variable names and their minimums, maximums, defaults, and descriptions.
(7.4.0) Add new columns in pg_settings: context, type, source, min_val, max_val (Joe Conway)
(7.4.0) Make default shared_buffers 1000 and max_connections 100, if possible (Tom Lane)
Prior versions defaulted to 64 shared buffers so PostgreSQL would start on even very old systems. This release tests the amount of shared memory allowed by the platform and selects more reasonable default values if possible. Of course, users are still encouraged to evaluate their resource load and size shared_buffers accordingly.
(7.4.0) New pg_hba.conf record type hostnossl to prevent SSL connections (Jon Jensen)
In prior releases, there was no way to prevent SSL connections if both the client and server supported SSL. This option allows that capability.
(7.4.0) Remove parameter geqo_random_seed (Tom Lane)
(7.4.0) Add server parameter regex_flavor to control regular expression processing (Tom Lane)
(7.4.0) Make pg_ctl better handle nonstandard ports (Greg Sabino Mullane)
(7.4.0) New SQL-standard information schema (Peter T. Mount)
(7.4.0) Add read-only transactions (Peter T. Mount)
(7.4.0) Print key name and value in foreign-key violation messages (Dmitry Tkach)
(7.4.0) Allow users to see their own queries in pg_stat_activity (Kevin Brown)
In prior releases, only the superuser could see query strings using pg_stat_activity. Now ordinary users can see their own query strings.
(7.4.0) Fix aggregates in subqueries to match SQL standard (Tom Lane)
The SQL standard says that an aggregate function appearing within a nested subquery belongs to the outer query if its argument contains only outer-query variables. Prior PostgreSQL releases did not handle this fine point correctly.
(7.4.0) Add option to prevent auto-addition of tables referenced in query (Nigel J. Andrews)
By default, tables mentioned in the query are automatically added to the FROM clause if they are not already there. This is compatible with historic POSTGRES behavior but is contrary to the SQL standard. This option allows selecting standard-compatible behavior.
(7.4.0) Allow UPDATE ... SET col = DEFAULT (Rod Taylor)
This allows UPDATE to set a column to its declared default value.
(7.4.0) Allow expressions to be used in LIMIT/OFFSET (Tom Lane)
In prior releases, LIMIT/OFFSET could only use constants, not expressions.
(7.4.0) Implement CREATE TABLE AS EXECUTE (Neil Conway, Peter T. Mount)
(7.4.0) Make CREATE SEQUENCE grammar more conforming to SQL:2003 (Neil Conway)
(7.4.0) Add statement-level triggers (Neil Conway)
While this allows a trigger to fire at the end of a statement, it does not allow the trigger to access all rows modified by the statement. This capability is planned for a future release.
(7.4.0) Add check constraints for domains (Rod Taylor)
This greatly increases the usefulness of domains by allowing them to use check constraints.
(7.4.0) Add ALTER DOMAIN (Rod Taylor)
This allows manipulation of existing domains.
(7.4.0) Fix several zero-column table bugs (Tom Lane)
PostgreSQL supports zero-column tables. This fixes various bugs that occur when using such tables.
(7.4.0) Have ALTER TABLE ... ADD PRIMARY KEY add not-null constraint (Rod Taylor)
In prior releases, ALTER TABLE ... ADD PRIMARY would add a unique index, but not a not-null constraint. That is fixed in this release.
(7.4.0) Add ALTER TABLE ... WITHOUT OIDS (Rod Taylor)
This allows control over whether new and updated rows will have an OID column. This is most useful for saving storage space.
(7.4.0) Add ALTER SEQUENCE to modify minimum, maximum, increment, cache, cycle values (Rod Taylor)
(7.4.0) Add ALTER TABLE ... CLUSTER ON (Álvaro Herrera)
This command is used by pg_dump to record the cluster column for each table previously clustered. This information is used by database-wide cluster to cluster all previously clustered tables.
(7.4.0) Improve automatic type casting for domains (Rod Taylor, Tom Lane)
(7.4.0) Allow dollar signs in identifiers, except as first character (Tom Lane)
(7.4.0) Disallow dollar signs in operator names, so x=$1 works (Tom Lane)
(7.4.0) Allow copying table schema using LIKE subtable, also SQL:2003 feature INCLUDING DEFAULTS (Rod Taylor)
(7.4.0) Add WITH GRANT OPTION clause to GRANT (Peter T. Mount)
This enabled GRANT to give other users the ability to grant privileges on an object.
(7.4.0) Add ON COMMIT clause to CREATE TABLE for temporary tables (Gavin Sherry)
This adds the ability for a table to be dropped or all rows deleted on transaction commit.
(7.4.0) Allow cursors outside transactions using WITH HOLD (Neil Conway)
In previous releases, cursors were removed at the end of the transaction that created them. Cursors can now be created with the WITH HOLD option, which allows them to continue to be accessed after the creating transaction has committed.
(7.4.0) FETCH 0 and MOVE 0 now do nothing (Bruce Momjian)
In previous releases, FETCH 0 fetched all remaining rows, and MOVE 0 moved to the end of the cursor.
(7.4.0) Cause FETCH and MOVE to return the number of rows fetched/moved, or zero if at the beginning/end of cursor, per SQL standard (Bruce Momjian)
In prior releases, the row count returned by FETCH and MOVE did not accurately reflect the number of rows processed.
(7.4.0) Properly handle SCROLL with cursors, or report an error (Neil Conway)
Allowing random access (both forward and backward scrolling) to some kinds of queries cannot be done without some additional work. If SCROLL is specified when the cursor is created, this additional work will be performed. Furthermore, if the cursor has been created with NO SCROLL, no random access is allowed.
(7.4.0) Implement SQL-compatible options FIRST, LAST, ABSOLUTE n, RELATIVE n for FETCH and MOVE (Tom Lane)
(7.4.0) Allow EXPLAIN on DECLARE CURSOR (Tom Lane)
(7.4.0) Allow CLUSTER to use index marked as pre-clustered by default (Álvaro Herrera)
(7.4.0) Allow CLUSTER to cluster all tables (Álvaro Herrera)
This allows all previously clustered tables in a database to be reclustered with a single command.
(7.4.0) Prevent CLUSTER on partial indexes (Tom Lane)
(7.4.0) Allow DOS and Mac line-endings in COPY files (Bruce Momjian)
(7.4.0) Disallow literal carriage return as a data value, backslash-carriage-return and \r are still allowed (Bruce Momjian)
(7.4.0) COPY changes (binary, \.) (Tom Lane)
(7.4.0) Recover from COPY failure cleanly (Tom Lane)
(7.4.0) Prevent possible memory leaks in COPY (Tom Lane)
(7.4.0) Make TRUNCATE transaction-safe (Rod Taylor)
TRUNCATE can now be used inside a transaction. If the transaction aborts, the changes made by the TRUNCATE are automatically rolled back.
(7.4.0) Allow prepare/bind of utility commands like FETCH and EXPLAIN (Tom Lane)
(7.4.0) Add EXPLAIN EXECUTE (Neil Conway)
(7.4.0) Improve VACUUM performance on indexes by reducing WAL traffic (Tom Lane)
(7.4.0) Functional indexes have been generalized into indexes on expressions (Tom Lane)
In prior releases, functional indexes only supported a simple function applied to one or more column names. This release allows any type of scalar expression.
(7.4.0) Have SHOW TRANSACTION ISOLATION match input to SET TRANSACTION ISOLATION (Tom Lane)
(7.4.0) Have COMMENT ON DATABASE on nonlocal database generate a warning, rather than an error (Rod Taylor)
Database comments are stored in database-local tables so comments on a database have to be stored in each database.
(7.4.0) Improve reliability of LISTEN/NOTIFY (Tom Lane)
(7.4.0) Allow REINDEX to reliably reindex nonshared system catalog indexes (Tom Lane)
This allows system tables to be reindexed without the requirement of a standalone session, which was necessary in previous releases. The only tables that now require a standalone session for reindexing are the global system tables pg_database, pg_shadow, and pg_group.
(7.4.0) New server parameter extra_float_digits to control precision display of floating-point numbers (Pedro Ferreira, Tom Lane)
This controls output precision which was causing regression testing problems.
(7.4.0) Allow +1300 as a numeric time-zone specifier, for FJST (Tom Lane)
(7.4.0) Remove rarely used functions oidrand
, oidsrand
,
and userfntest
functions (Neil Conway)
(7.4.0) Add md5()
function to main server,
already in contrib/pgcrypto (Joe Conway)
An MD5 function was frequently requested. For more complex encryption capabilities, use contrib/pgcrypto.
(7.4.0) Increase date range of timestamp (John Cochran)
(7.4.0) Change EXTRACT (EPOCH FROM timestamp) so timestamp without time zone is assumed to be in local time, not GMT (Tom Lane)
(7.4.0) Trap division by zero in case the operating system doesn't prevent it (Tom Lane)
(7.4.0) Change the numeric data type internally to base 10000 (Tom Lane)
(7.4.0) New hostmask()
function (Greg
Wickham)
(7.4.0) Fixes for to_char()
and
to_timestamp()
(Karel Zak)
(7.4.0) Allow functions that can take any argument data type and return any data type, using anyelement and anyarray (Joe Conway)
This allows the creation of functions that can work with any data type.
(7.4.0) Arrays can now be specified as ARRAY[1,2,3], ARRAY[['a','b'],['c','d']], or ARRAY[ARRAY[ARRAY[2]]] (Joe Conway)
(7.4.0) Allow proper comparisons for arrays, including ORDER BY and DISTINCT support (Joe Conway)
(7.4.0) Allow indexes on array columns (Joe Conway)
(7.4.0) Allow array concatenation with || (Joe Conway)
(7.4.0) Allow WHERE qualification expr op ANY/SOME/ALL (array_expr) (Joe Conway)
This allows arrays to behave like a list of values, for purposes like SELECT * FROM tab WHERE col IN (array_val).
(7.4.0) New array functions array_append
,
array_cat
, array_lower
, array_prepend
, array_to_string
, array_upper
, string_to_array
(Joe Conway)
(7.4.0) Allow user defined aggregates to use polymorphic functions (Joe Conway)
(7.4.0) Allow assignments to empty arrays (Joe Conway)
(7.4.0) Allow 60 in seconds fields of time, timestamp, and interval input values (Tom Lane)
Sixty-second values are needed for leap seconds.
(7.4.0) Allow cidr data type to be cast to text (Tom Lane)
(7.4.0) Disallow invalid time zone names in SET TIMEZONE
(7.4.0) Trim trailing spaces when char is cast to varchar or text (Tom Lane)
(7.4.0) Make float(p) measure the precision p in binary digits, not decimal digits (Tom Lane)
(7.4.0) Add IPv6 support to the inet and cidr data types (Michael Graff)
(7.4.0) Add family()
function to report
whether address is IPv4 or IPv6 (Michael Graff)
(7.4.0) Have SHOW datestyle generate output similar to that used by SET datestyle (Tom Lane)
(7.4.0) Make EXTRACT (TIMEZONE) and SET/SHOW TIME ZONE follow the SQL convention for the sign of time zone offsets, i.e., positive is east from UTC (Tom Lane)
(7.4.0) Fix date_trunc('quarter', ...) (Böjthe Zoltán)
Prior releases returned an incorrect value for this function call.
(7.4.0) Make initcap()
more compatible
with Oracle (Mike Nolan)
initcap()
now uppercases a letter
appearing after any non-alphanumeric character, rather than only
after whitespace.
(7.4.0) Allow only datestyle field order for date values not in ISO-8601 format (Greg Sabino Mullane)
(7.4.0) Add new datestyle values MDY, DMY, and YMD to set input field order; honor US and European for backward compatibility (Tom Lane)
(7.4.0) String literals like 'now' or
'today' will no longer work as a column
default. Use functions such as now()
,
current_timestamp
instead. (change
required for prepared statements) (Tom Lane)
(7.4.0) Treat NaN as larger than any other value in min()
/max()
(Tom Lane)
NaN was already sorted after ordinary numeric values for most
purposes, but min()
and max()
didn't get this right.
(7.4.0) Prevent interval from suppressing :00 seconds display
(7.4.0) New functions pg_get_triggerdef(prettyprint)
and pg_conversion_is_visible()
(Christopher Kings-Lynne)
(7.4.0) Allow time to be specified as 040506 or 0405 (Tom Lane)
(7.4.0) Input date order must now be YYYY-MM-DD (with 4-digit year) or match datestyle
(7.4.0) Make pg_get_constraintdef
support
unique, primary-key, and check constraints (Christopher Kings-Lynne)
(7.4.0) Prevent PL/pgSQL crash when RETURN NEXT is used on a zero-row record variable (Tom Lane)
(7.4.0) Make PL/Python's spi_execute
interface handle null values properly (Andrew Bosma)
(7.4.0) Allow PL/pgSQL to declare variables of composite types without %ROWTYPE (Tom Lane)
(7.4.0) Fix PL/Python's _quote()
function
to handle big integers
(7.4.0) Make PL/Python an untrusted language, now called plpythonu (Kevin Jacobs, Tom Lane)
The Python language no longer supports a restricted execution environment, so the trusted version of PL/Python was removed. If this situation changes, a version of PL/Python that can be used by non-superusers will be readded.
(7.4.0) Allow polymorphic PL/pgSQL functions (Joe Conway, Tom Lane)
(7.4.0) Allow polymorphic SQL functions (Joe Conway)
(7.4.0) Improved compiled function caching mechanism in PL/pgSQL with full support for polymorphism (Joe Conway)
(7.4.0) Add new parameter $0 in PL/pgSQL representing the function's actual return type (Joe Conway)
(7.4.0) Allow PL/Tcl and PL/Python to use the same trigger on multiple tables (Tom Lane)
(7.4.0) Fixed PL/Tcl's spi_prepare
to
accept fully qualified type names in the parameter type list
(Jan Wieck)
(7.4.0) Add \pset pager always to always use pager (Greg Sabino Mullane)
This forces the pager to be used even if the number of rows is less than the screen height. This is valuable for rows that wrap across several screen rows.
(7.4.0) Improve tab completion (Rod Taylor, Ross Reedstrom, Ian Barwick)
(7.4.0) Reorder \? help into groupings (Harald Armin Massa, Bruce Momjian)
(7.4.0) Add backslash commands for listing schemas, casts, and conversions (Christopher Kings-Lynne)
(7.4.0) \encoding now changes based on the server parameter client_encoding (Tom Lane)
In previous versions, \encoding was not aware of encoding changes made using SET client_encoding.
(7.4.0) Save editor buffer into readline history (Ross J. Reedstrom)
When \e is used to edit a query, the result is saved in the readline history for retrieval using the up arrow.
(7.4.0) Improve \d display (Christopher Kings-Lynne)
(7.4.0) Enhance HTML mode to be more standards-conforming (Greg Sabino Mullane)
(7.4.0) New \set AUTOCOMMIT off capability (Tom Lane)
This takes the place of the removed server parameter autocommit.
(7.4.0) New \set VERBOSITY to control error detail (Tom Lane)
This controls the new error reporting details.
(7.4.0) New prompt escape sequence %x to show transaction status (Tom Lane)
(7.4.0) Long options for psql are now available on all platforms
(7.4.0) Multiple pg_dump fixes, including tar format and large objects
(7.4.0) Allow pg_dump to dump specific schemas (Neil Conway)
(7.4.0) Make pg_dump preserve column storage characteristics (Christopher Kings-Lynne)
This preserves ALTER TABLE ... SET STORAGE information.
(7.4.0) Make pg_dump preserve CLUSTER characteristics (Christopher Kings-Lynne)
(7.4.0) Have pg_dumpall use GRANT/REVOKE to dump database-level privileges (Tom Lane)
(7.4.0) Allow pg_dumpall to support the options -a, -s, -x of pg_dump (Tom Lane)
(7.4.0) Prevent pg_dump from lowercasing identifiers specified on the command line (Tom Lane)
(7.4.0) pg_dump options --use-set-session-authorization and --no-reconnect now do nothing, all dumps use SET SESSION AUTHORIZATION
pg_dump no longer reconnects to switch users, but instead always uses SET SESSION AUTHORIZATION. This will reduce password prompting during restores.
(7.4.0) Long options for pg_dump are now available on all platforms
PostgreSQL now includes its own long-option processing routines.
(7.4.0) Add function PQfreemem
for freeing
memory on Windows, suggested for NOTIFY
(Bruce Momjian)
Windows requires that memory allocated in a library be freed by
a function in the same library, hence free()
doesn't work for freeing memory allocated
by libpq. PQfreemem
is the proper way
to free libpq memory, especially on Windows, and is recommended for
other platforms as well.
(7.4.0) Document service capability, and add sample file (Bruce Momjian)
This allows clients to look up connection information in a central file on the client machine.
(7.4.0) Make PQsetdbLogin
have the same
defaults as PQconnectdb
(Tom Lane)
(7.4.0) Allow libpq to cleanly fail when result sets are too large (Tom Lane)
(7.4.0) Improve performance of function PQunescapeBytea
(Ben Lamb)
(7.4.0) Allow thread-safe libpq with configure option --enable-thread-safety (Lee Kindness, Philip Yarra)
(7.4.0) Allow function pqInternalNotice
to
accept a format string and arguments instead of just a preformatted
message (Tom Lane, Sean Chittenden)
(7.4.0) Control SSL negotiation with sslmode values disable, allow, prefer, and require (Jon Jensen)
(7.4.0) Allow new error codes and levels of text (Tom Lane)
(7.4.0) Allow access to the underlying table and column of a query result (Tom Lane)
This is helpful for query-builder applications that want to know the underlying table and column names associated with a specific result set.
(7.4.0) Allow access to the current transaction status (Tom Lane)
(7.4.0) Add ability to pass binary data directly to the server (Tom Lane)
(7.4.0) Add function PQexecPrepared
and
PQsendQueryPrepared
functions which
perform bind/execute of previously prepared statements (Tom Lane)
(7.4.0) Allow setNull
on updateable result
sets
(7.4.0) Allow executeBatch
on a prepared
statement (Barry Lind)
(7.4.0) Support SSL connections (Barry Lind)
(7.4.0) Handle schema names in result sets (Paul Sorenson)
(7.4.0) Add refcursor support (Nic Ferrier)
(7.4.0) Prevent possible memory leak or core dump during libpgtcl shutdown (Tom Lane)
(7.4.0) Add Informix compatibility to ECPG (Michael Meskes)
This allows ECPG to process embedded C programs that were written using certain Informix extensions.
(7.4.0) Add type decimal to ECPG that is fixed length, for Informix (Michael Meskes)
(7.4.0) Allow thread-safe embedded SQL programs with configure option --enable-thread-safety (Lee Kindness, Bruce Momjian)
This allows multiple threads to access the database at the same time.
(7.4.0) Moved Python client PyGreSQL to http://www.pygresql.org (Marc Fournier)
(7.4.0) Prevent need for separate platform geometry regression result files (Tom Lane)
(7.4.0) Improved PPC locking primitive (Reinhard Max)
(7.4.0) New function palloc0
to allocate
and clear memory (Bruce Momjian)
(7.4.0) Fix locking code for s390x CPU (64-bit) (Tom Lane)
(7.4.0) Allow OpenBSD to use local ident credentials (William Ahern)
(7.4.0) Make query plan trees read-only to executor (Tom Lane)
(7.4.0) Add Darwin startup scripts (David Wheeler)
(7.4.0) Allow libpq to compile with Borland C++ compiler (Lester Godwin, Karl Waclawek)
(7.4.0) Use our own version of getopt_long()
if needed (Peter T. Mount)
(7.4.0) Convert administration scripts to C (Peter T. Mount)
(7.4.0) Bison >= 1.85 is now required to build the PostgreSQL grammar, if building from CVS
(7.4.0) Merge documentation into one book (Peter T. Mount)
(7.4.0) Add Windows compatibility functions (Bruce Momjian)
(7.4.0) Allow client interfaces to compile under MinGW (Bruce Momjian)
(7.4.0) New ereport()
function for error
reporting (Tom Lane)
(7.4.0) Support Intel compiler on Linux (Peter T. Mount)
(7.4.0) Improve Linux startup scripts (Slawomir Sudnik, Darko Prenosil)
(7.4.0) Add support for AMD Opteron and Itanium (Jeffrey W. Baker, Bruce Momjian)
(7.4.0) Remove --enable-recode option from configure
This was no longer needed now that we have CREATE CONVERSION.
(7.4.0) Generate a compile error if spinlock code is not found (Bruce Momjian)
Platforms without spinlock code will now fail to compile, rather than silently using semaphores. This failure can be disabled with a new configure option.
(7.4.0) Change dbmirror license to BSD
(7.4.0) Improve earthdistance (Bruno Wolff III)
(7.4.0) Portability improvements to pgcrypto (Marko Kreen)
(7.4.0) Prevent crash in xml (John Gray, Michael Richards)
(7.4.0) Update oracle
(7.4.0) Update mysql
(7.4.0) Update cube (Bruno Wolff III)
(7.4.0) Update earthdistance to use cube (Bruno Wolff III)
(7.4.0) Update btree_gist (Oleg Bartunov)
(7.4.0) New tsearch2 full-text search module (Oleg Bartunov, Teodor Sigaev)
(7.4.0) Add hash-based crosstab function to tablefuncs (Joe Conway)
(7.4.0) Add serial column to order connectby()
siblings in tablefuncs (Nabil
Sayegh,Joe Conway)
(7.4.0) Add named persistent connections to dblink (Shridhar Daithanka)
(7.4.0) New pg_autovacuum allows automatic VACUUM (Matthew T. O'Connor)
(7.4.0) Make pgbench honor environment variables PGHOST, PGPORT, PGUSER (Tatsuo Ishii)
(7.4.0) Improve intarray (Teodor Sigaev)
(7.4.0) Improve pgstattuple (Rod Taylor)
(7.4.0) Fix bug in metaphone()
in
fuzzystrmatch
(7.4.0) Improve adddepend (Rod Taylor)
(7.4.0) Update spi/timetravel (Böjthe Zoltán)
(7.4.0) Fix dbase -s option and improve non-ASCII handling (Thomas Behr, Márcio Smiderle)
(7.4.0) Remove array module because features now included by default (Joe Conway)
Release date: 2008-01-07
This release contains a variety of fixes from 7.3.20, including fixes for significant security issues.
This is expected to be the last PostgreSQL release in the 7.3.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
(7.3.21,8.2.6,8.1.11,8.0.15,7.4.19) Prevent functions in indexes from executing with the privileges of the user running VACUUM, ANALYZE, etc (Tom Lane)
Functions used in index expressions and partial-index predicates are evaluated whenever a new table entry is made. It has long been understood that this poses a risk of trojan-horse code execution if one modifies a table owned by an untrustworthy user. (Note that triggers, defaults, check constraints, etc. pose the same type of risk.) But functions in indexes pose extra danger because they will be executed by routine maintenance operations such as VACUUM FULL, which are commonly performed automatically under a superuser account. For example, a nefarious user can execute code with superuser privileges by setting up a trojan-horse index definition and waiting for the next routine vacuum. The fix arranges for standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) to execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. CVE-2007-6600 or CVE-2007-6600)
(7.3.21) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
The fix that appeared for this in 7.3.20 was incomplete, as it plugged the hole for only some dblink functions. CVE-2007-6601 or CVE-2007-6601,CVE-2007-3278 or CVE-2007-3278)
(7.3.21,8.2.6,8.1.11,8.0.15,7.4.19) Fix potential crash in translate()
when using a multibyte database encoding (Tom Lane)
(7.3.21,8.2.6,8.1.11,8.0.15,7.4.19) Make contrib/tablefunc's crosstab()
handle NULL rowid as a category in its
own right, rather than crashing (Joe Conway)
(7.3.21,8.2.6,8.1.11,8.0.15,7.4.19) Require a specific version of Autoconf to be used when re-generating the configure script (Peter T. Mount)
This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.
Release date: 2007-09-17
This release contains fixes from 7.3.19.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
(7.3.20,8.2.5,8.1.10,8.0.14,7.4.18) Prevent index corruption when a transaction inserts rows and then aborts close to the end of a concurrent VACUUM on the same table (Tom Lane)
(7.3.20,8.2.5,8.1.10,8.0.14,7.4.18) Make CREATE DOMAIN ... DEFAULT NULL work properly (Tom Lane)
(7.3.20,8.2.5,8.1.10,8.0.14,7.4.18) Fix crash when log_min_error_statement logging runs out of memory (Tom Lane)
(7.3.20,8.2.5,8.1.10,8.0.14,7.4.18) Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe Conway)
Release date: 2007-04-23
This release contains fixes from 7.3.18, including a security fix.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
(7.3.19,8.2.4,8.1.9,8.0.13,7.4.17) Support explicit placement of the temporary-table schema within search_path, and disable searching it for functions and operators (Tom Lane)
This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, an unprivileged SQL user can use temporary objects to execute code with the privileges of the security-definer function CVE-2007-2138 or CVE-2007-2138). See CREATE FUNCTION for more information.
(7.3.19,8.2.4,8.1.9,8.0.13,7.4.17) Fix potential-data-corruption bug in how VACUUM FULL handles UPDATE chains (Tom Lane, Pavan Deolasee)
Release date: 2007-02-05
This release contains a variety of fixes from 7.3.17, including a security fix.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
(7.3.18) Remove security vulnerability that allowed connected users to read backend memory (Tom Lane)
The vulnerability involves changing the data type of a table column used in a SQL function CVE-2007-0555 or CVE-2007-0555). This error can easily be exploited to cause a backend crash, and in principle might be used to read database content that the user should not be able to access.
(7.3.18,8.1.7,8.0.11,7.4.16) Fix rare bug wherein btree index page splits could fail due to choosing an infeasible split point (Heikki Linnakangas)
(7.3.18,8.2.2,8.1.7,8.0.11,7.4.16) Tighten security of multi-byte character processing for UTF8 sequences over three bytes long (Tom Lane)
Release date: 2007-01-08
This release contains a variety of fixes from 7.3.16.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
(7.3.17,8.1.6,8.0.10,7.4.15) to_number()
and to_char(numeric)
are now STABLE, not IMMUTABLE, for
new initdb installs (Tom Lane)
This is because lc_numeric can potentially change the output of these functions.
(7.3.17,8.2.1,8.1.6,8.0.10,7.4.15) Improve index usage of regular expressions that use parentheses (Tom Lane)
This improves psql \d performance also.
Release date: 2006-10-16
This release contains a variety of fixes from 7.3.15.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
(7.3.16,8.1.5,8.0.9,7.4.14) Fix corner cases in pattern matching for psql's \d commands
(7.3.16,8.1.5,8.0.9,7.4.14) Fix index-corrupting bugs in /contrib/ltree (Teodor Sigaev)
(7.3.16) Back-port 7.4 spinlock code to improve performance and support 64-bit architectures better
(7.3.16) Fix SSL-related memory leak in libpq
(7.3.16,8.1.5,8.0.9,7.4.14) Fix backslash escaping in /contrib/dbmirror
(7.3.16,7.4.14) Adjust regression tests for recent changes in US DST laws
Release date: 2006-05-23
This release contains a variety of fixes from 7.3.14, including patches for extremely serious security issues.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
Full security against the SQL-injection attacks described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314 might require changes in
application code. If you have applications that embed untrustworthy
strings into SQL commands, you should examine them as soon as
possible to ensure that they are using recommended escaping
techniques. In most cases, applications should be using subroutines
provided by libraries or drivers (such as libpq's PQescapeStringConn()
) to perform string escaping,
rather than relying on ad hoc code to
do it.
(7.3.15,8.1.4,8.0.8,7.4.13) Change the server to reject invalidly-encoded multibyte characters in all cases (Tatsuo Ishii, Tom Lane)
While PostgreSQL has been moving in this direction for some time, the checks are now applied uniformly to all encodings and all textual input, and are now always errors not merely warnings. This change defends against SQL-injection attacks of the type described inCVE-2006-2313 or CVE-2006-2313.
(7.3.15,8.1.4,8.0.8,7.4.13) Reject unsafe uses of \' in string literals
As a server-side defense against SQL-injection attacks of the type described inCVE-2006-2314 or CVE-2006-2314, the server now only accepts '' and not \' as a representation of ASCII single quote in SQL string literals. By default, \' is rejected only when client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, GB18030, or UHC), which is the scenario in which SQL injection is possible. A new configuration parameter backslash_quote is available to adjust this behavior when needed. Note that full security againstCVE-2006-2314 or CVE-2006-2314 might require client-side changes; the purpose of backslash_quote is in part to make it obvious that insecure clients are insecure.
(7.3.15) Modify libpq's string-escaping routines to be aware of encoding considerations
This fixes libpq-using
applications for the security issues described inCVE-2006-2313 or CVE-2006-2313 andCVE-2006-2314 or CVE-2006-2314. Applications that use multiple PostgreSQL connections concurrently should
migrate to PQescapeStringConn()
and
PQescapeByteaConn()
to ensure that
escaping is done correctly for the settings in use in each database
connection. Applications that do string escaping "by hand" should be modified to rely on library
routines instead.
(7.3.15,8.0.8,7.4.13) Fix some incorrect encoding conversion functions
win1251_to_iso
, alt_to_iso
, euc_tw_to_big5
, euc_tw_to_mic
, mic_to_euc_tw
were all broken to varying
extents.
(7.3.15,8.1.4,8.0.8,7.4.13) Clean up stray remaining uses of \' in strings (Bruce Momjian, Jan Wieck)
(7.3.15,8.1.4,8.0.8,7.4.13) Fix server to use custom DH SSL parameters correctly (Michael Fuhr)
(7.3.15,8.1.4,8.0.8,7.4.13) Fix various minor memory leaks
Release date: 2006-02-14
This release contains a variety of fixes from 7.3.13.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Version 7.3.13.
(7.3.14,8.0.7,7.4.12) Fix potential crash in SET SESSION AUTHORIZATION CVE-2006-0553 or CVE-2006-0553)
An unprivileged user could crash the server process, resulting in momentary denial of service to other users, if the server has been compiled with Asserts enabled (which is not the default). Thanks to Akio Ishida for reporting this problem.
(7.3.14) Fix bug with row visibility logic in self-inserted rows (Tom Lane)
Under rare circumstances a row inserted by the current command could be seen as already valid, when it should not be. Repairs bug created in 7.3.11 release.
(7.3.14,7.4.12) Fix race condition that could lead to "file already exists" errors during pg_clog file creation (Tom Lane)
(7.3.14,7.4.12) Fix to allow restoring dumps that have cross-schema references to custom operators (Tom Lane)
(7.3.14,8.1.3,8.0.7,7.4.12) Portability fix for testing presence of finite
and isinf
during configure (Tom Lane)
Release date: 2006-01-09
This release contains a variety of fixes from 7.3.12.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.10, see Version 7.3.10. Also, you might need to REINDEX indexes on textual columns after updating, if you are affected by the locale or plperl issues described below.
(7.3.13,8.1.2,8.0.6,7.4.11) Fix character string comparison for locales that consider different character combinations as equal, such as Hungarian (Tom Lane)
This might require REINDEX to fix existing indexes on textual columns.
(7.3.13,8.1.2,8.0.6,7.4.11) Set locale environment variables during postmaster startup to ensure that plperl won't change the locale later
This fixes a problem that occurred if the postmaster was started with environment variables specifying a different locale than what initdb had been told. Under these conditions, any use of plperl was likely to lead to corrupt indexes. You might need REINDEX to fix existing indexes on textual columns if this has happened to you.
(7.3.13,8.1.2,8.0.6,7.4.11) Fix longstanding bug in strpos() and regular expression handling in certain rarely used Asian multi-byte character sets (Tatsuo Ishii)
(7.3.13,8.1.2,8.0.6,7.4.11) Fix bug in /contrib/pgcrypto gen_salt, which caused it not to use all available salt space for MD5 and XDES algorithms (Marko Kreen, Solar Designer)
Salts for Blowfish and standard DES are unaffected.
(7.3.13,8.1.2,8.0.6,7.4.11) Fix /contrib/dblink to throw an error, rather than crashing, when the number of columns specified is different from what's actually returned by the query (Joe Conway)
Release date: 2005-12-12
This release contains a variety of fixes from 7.3.11.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.10, see Version 7.3.10.
(7.3.12,8.0.5,7.4.10) Fix race condition in transaction log management
There was a narrow window in which an I/O operation could be initiated for the wrong page, leading to an Assert failure or data corruption.
(7.3.12,8.0.5,7.4.10) /contrib/ltree fixes (Teodor Sigaev)
(7.3.12,8.0.5,7.4.10) Fix longstanding planning error for outer joins
This bug sometimes caused a bogus error "RIGHT JOIN is only supported with merge-joinable join conditions".
(7.3.12,8.0.5,7.4.10) Prevent core dump in pg_autovacuum when a table has been dropped
Release date: 2005-10-04
This release contains a variety of fixes from 7.3.10.
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.10, see Version 7.3.10.
(7.3.11,8.0.4,7.4.9) Fix error that allowed VACUUM to remove ctid chains too soon, and add more checking in code that follows ctid links
This fixes a long-standing problem that could cause crashes in very rare circumstances.
(7.3.11,8.0.4,7.4.9) Fix CHAR() to properly pad spaces to the specified length when using a multiple-byte character set (Yoshiyuki Asaba)
In prior releases, the padding of CHAR() was incorrect because it only padded to the specified number of bytes without considering how many characters were stored.
(7.3.11,8.0.4,7.4.9) Fix missing rows in queries like UPDATE a=... WHERE a... with GiST index on column a
(7.3.11,8.0.4,7.4.9) Improve checking for partially-written WAL pages
(7.3.11,8.0.4,7.4.9) Improve robustness of signal handling when SSL is enabled
(7.3.11,8.0.4,7.4.9) Various memory leakage fixes
(7.3.11,8.0.4,7.4.9) Various portability improvements
(7.3.11,8.0.4,7.4.9) Fix PL/pgSQL to handle var := var correctly when the variable is of pass-by-reference type
Release date: 2005-05-09
This release contains a variety of fixes from 7.3.9, including several security-related issues.
A dump/restore is not required for those running 7.3.X. However, it is one possible way of handling a significant security problem that has been found in the initial contents of 7.3.X system catalogs. A dump/initdb/reload sequence using 7.3.10's initdb will automatically correct this problem.
The security problem is that the built-in character set encoding conversion functions can be invoked from SQL commands by unprivileged users, but the functions were not designed for such use and are not secure against malicious choices of arguments. The fix involves changing the declared parameter list of these functions so that they can no longer be invoked from SQL commands. (This does not affect their normal use by the encoding conversion machinery.) It is strongly recommended that all installations repair this error, either by initdb or by following the manual repair procedure given below. The error at least allows unprivileged database users to crash their server process, and might allow unprivileged users to gain the privileges of a database superuser.
If you wish not to do an initdb, perform the following procedure instead. As the database superuser, do:
BEGIN; UPDATE pg_proc SET proargtypes[3] = 'internal'::regtype WHERE pronamespace = 11 AND pronargs = 5 AND proargtypes[2] = 'cstring'::regtype; -- The command should report having updated 90 rows; -- if not, rollback and investigate instead of committing! COMMIT;
The above procedure must be carried out in each database of an installation, including template1, and ideally including template0 as well. If you do not fix the template databases then any subsequently created databases will contain the same error. template1 can be fixed in the same way as any other database, but fixing template0 requires additional steps. First, from any database issue:
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
Next connect to template0 and perform the above repair procedure. Finally, do:
-- re-freeze template0: VACUUM FREEZE; -- and protect it against future alterations: UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
(7.3.10,8.0.3,7.4.8) Change encoding function signature to prevent misuse
(7.3.10,8.0.3,7.4.8,7.2.8) Repair ancient race condition that allowed a transaction to be seen as committed for some purposes (eg SELECT FOR UPDATE) slightly sooner than for other purposes
This is an extremely serious bug since it could lead to apparent data inconsistencies being briefly visible to applications.
(7.3.10,8.0.3,7.4.8,7.2.8) Repair race condition between relation extension and VACUUM
This could theoretically have caused loss of a page's worth of freshly-inserted data, although the scenario seems of very low probability. There are no known cases of it having caused more than an Assert failure.
(7.3.10,8.0.3,7.4.8) Fix comparisons of TIME WITH TIME ZONE values
The comparison code was wrong in the case where the --enable-integer-datetimes configuration switch had been used. NOTE: if you have an index on a TIME WITH TIME ZONE column, it will need to be REINDEXed after installing this update, because the fix corrects the sort order of column values.
(7.3.10,8.0.3,7.4.8,7.2.8) Fix EXTRACT (EPOCH)
for TIME WITH TIME ZONE values
(7.3.10,8.0.3,7.4.8) Fix mis-display of negative fractional seconds in INTERVAL values
This error only occurred when the --enable-integer-datetimes configuration switch had been used.
(7.3.10,7.4.8,7.2.8) Additional buffer overrun checks in plpgsql (Neil Conway)
(7.3.10,8.0.3,7.4.8) Fix pg_dump to dump trigger names containing % correctly (Neil Conway)
(7.3.10,7.4.8,7.2.8) Prevent to_char(interval)
from
dumping core for month-related formats
(7.3.10,7.4.8,7.2.8) Fix contrib/pgcrypto for newer OpenSSL builds (Marko Kreen)
(7.3.10,8.0.3,7.4.8) Still more 64-bit fixes for contrib/intagg
(7.3.10,8.0.3,7.4.8) Prevent incorrect optimization of functions returning RECORD
Release date: 2005-01-31
This release contains a variety of fixes from 7.3.8, including several security-related issues.
A dump/restore is not required for those running 7.3.X.
(7.3.9,8.0.1,7.4.7,7.2.7) Disallow LOAD to non-superusers
On platforms that will automatically execute initialization functions of a shared library (this includes at least Windows and ELF-based Unixen), LOAD can be used to make the server execute arbitrary code. Thanks to NGS Software for reporting this.
(7.3.9,8.0.1,7.4.7) Check that creator of an aggregate function has the right to execute the specified transition functions
This oversight made it possible to bypass denial of EXECUTE permission on a function.
(7.3.9,8.0.1,7.4.7) Fix security and 64-bit issues in contrib/intagg
(7.3.9,8.0.1,7.4.7,7.2.7) Add needed STRICT marking to some contrib functions (Kris Jurka)
(7.3.9,8.0.1,7.4.7,7.2.7) Avoid buffer overrun when plpgsql cursor declaration has too many parameters (Neil Conway)
(7.3.9,8.0.1,7.4.7,7.2.7) Fix planning error for FULL and RIGHT outer joins
The result of the join was mistakenly supposed to be sorted the same as the left input. This could not only deliver mis-sorted output to the user, but in case of nested merge joins could give outright wrong answers.
(7.3.9,7.4.7) Fix plperl for quote marks in tuple fields
(7.3.9,7.4.7,7.2.7) Fix display of negative intervals in SQL and GERMAN datestyles
Release date: 2004-10-22
This release contains a variety of fixes from 7.3.7.
A dump/restore is not required for those running 7.3.X.
(7.3.8,7.4.6,7.2.6) Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not access transaction status" failures, which qualifies it as a potential-data-loss bug.
(7.3.8,7.4.6,7.2.6) Ensure that hashed outer join does not miss tuples
Very large left joins using a hash join plan could fail to output unmatched left-side rows given just the right data distribution.
(7.3.8,7.2.6) Disallow running pg_ctl as root
This is to guard against any possible security issues.
(7.3.8,7.2.6) Avoid using temp files in /tmp in make_oidjoins_check
This has been reported as a security issue, though it's hardly worthy of concern since there is no reason for non-developers to use this script anyway.
Release date: 2004-08-16
This release contains one critical fix over 7.3.6, and some minor items.
A dump/restore is not required for those running 7.3.X.
(7.3.7,7.4.4,7.2.5) Prevent possible loss of committed transactions during crash
Due to insufficient interlocking between transaction commit and checkpointing, it was possible for transactions committed just before the most recent checkpoint to be lost, in whole or in part, following a database crash and restart. This is a serious bug that has existed since PostgreSQL 7.1.
(7.3.7) Remove asymmetrical word processing in tsearch (Teodor Sigaev)
(7.3.7) Properly schema-qualify function names when pg_dump'ing a CAST
Release date: 2004-03-02
This release contains a variety of fixes from 7.3.5.
A dump/restore is not required for those running 7.3.*.
(7.3.6) Revert erroneous changes in rule permissions checking
A patch applied in 7.3.3 to fix a corner case in rule permissions checks turns out to have disabled rule-related permissions checks in many not-so-corner cases. This would for example allow users to insert into views they weren't supposed to have permission to insert into. We have therefore reverted the 7.3.3 patch. The original bug will be fixed in 8.0.
(7.3.6) Repair incorrect order of operations in GetNewTransactionId()
This bug could result in failure under out-of-disk-space conditions, including inability to restart even after disk space is freed.
(7.3.6) Ensure configure selects -fno-strict-aliasing even when an external value for CFLAGS is supplied
On some platforms, building with -fstrict-aliasing causes bugs.
(7.3.6) Make pg_restore handle 64-bit off_t correctly
This bug prevented proper restoration from archive files exceeding 4 GB.
(7.3.6) Make contrib/dblink not assume that local and remote type OIDs match (Joe Conway)
(7.3.6) Quote connectby()'s start_with argument properly (Joe Conway)
(7.3.6) Don't crash when a rowtype argument to a plpgsql function is NULL
(7.3.6) Avoid generating invalid character encoding sequences in corner cases when planning LIKE operations
(7.3.6) Ensure text_position() cannot scan past end of source string in multibyte cases (Korea PostgreSQL Users' Group)
(7.3.6) Fix index optimization and selectivity estimates for LIKE operations on bytea columns (Joe Conway)
Release date: 2003-12-03
This has a variety of fixes from 7.3.4.
A dump/restore is not required for those running 7.3.*.
(7.3.5,7.4.1) Force zero_damaged_pages to be on during recovery from WAL
(7.3.5,7.4.1) Prevent some obscure cases of "variable not in subplan target lists"
(7.3.5) Force stats processes to detach from shared memory, ensuring cleaner shutdown
(7.3.5) Make PQescapeBytea and byteaout consistent with each other (Joe Conway)
(7.3.5) Added missing SPI_finish() calls to dblink's get_tuple_of_interest() (Joe Conway)
(7.3.5) Fix for possible foreign key violation when rule rewrites INSERT (Jan Wieck)
(7.3.5) Support qualified type names in PL/Tcl's spi_prepare command (Jan Wieck)
(7.3.5) Make pg_dump handle a procedural language handler located in pg_catalog
(7.3.5) Make pg_dump handle cases where a custom opclass is in another schema
(7.3.5) Make pg_dump dump binary-compatible casts correctly (Jan Wieck)
(7.3.5) Fix insertion of expressions containing subqueries into rule bodies
(7.3.5) Fix incorrect argument processing in clusterdb script (Anand Ranganathan)
(7.3.5) Fix problems with dropped columns in plpython triggers
(7.3.5) Repair problems with to_char() reading past end of its input string (Karel Zak)
(7.3.5) Fix GB18030 mapping errors (Tatsuo Ishii)
(7.3.5) Fix several problems with SSL error handling and asynchronous SSL I/O
(7.3.5) Remove ability to bind a list of values to a single parameter in JDBC (prevents possible SQL-injection attacks)
(7.3.5) Fix some errors in HAVE_INT64_TIMESTAMP code paths
(7.3.5,7.2.5) Fix corner case for btree search in parallel with first root page split
Release date: 2003-07-24
This has a variety of fixes from 7.3.3.
A dump/restore is not required for those running 7.3.*.
(7.3.4) Repair breakage in timestamp-to-date conversion for dates before 2000
(7.3.4) Prevent rare possibility of server startup failure (Tom Lane)
(7.3.4) Fix bugs in interval-to-time conversion (Tom Lane)
(7.3.4) Add constraint names in a few places in pg_dump (Rod Taylor)
(7.3.4) Improve performance of functions with many parameters (Tom Lane)
(7.3.4) Fix to_ascii() buffer overruns (Tom Lane)
(7.3.4) Prevent restore of database comments from throwing an error (Tom Lane)
(7.3.4) Work around buggy strxfrm() present in some Solaris releases (Tom Lane)
(7.3.4) Properly escape jdbc setObject() strings to improve security (Barry Lind)
Release date: 2003-05-22
This release contains a variety of fixes for version 7.3.2.
A dump/restore is not required for those running version 7.3.*.
(7.3.3) Repair sometimes-incorrect computation of StartUpID after a crash
(7.3.3) Avoid slowness with lots of deferred triggers in one transaction (Stephan Szabo)
(7.3.3) Don't lock referenced row when UPDATE doesn't change foreign key's value (Jan Wieck)
(7.3.3) Use -fPIC not -fpic on Sparc (Tom Callaway)
(7.3.3) Repair lack of schema-awareness in contrib/reindexdb
(7.3.3) Fix contrib/intarray error for zero-element result array (Teodor Sigaev)
(7.3.3) Ensure createuser script will exit on control-C (Oliver Elphick)
(7.3.3) Fix errors when the type of a dropped column has itself been dropped
(7.3.3) CHECKPOINT does not cause database panic on failure in noncritical steps
(7.3.3) Accept 60 in seconds fields of timestamp, time, interval input values
(7.3.3) Issue notice, not error, if TIMESTAMP, TIME, or INTERVAL precision too large
(7.3.3) Fix abstime-to-time
cast function
(fix is not applied unless you initdb)
(7.3.3) Fix pg_proc entry for timestampt_izone (fix is not applied unless you initdb)
(7.3.3) Make EXTRACT (EPOCH FROM timestamp without
time zone)
treat input as local time
(7.3.3) 'now'::timestamptz gave wrong answer if timezone changed earlier in transaction
(7.3.3) HAVE_INT64_TIMESTAMP code for time with timezone overwrote its input
(7.3.3) Accept GLOBAL TEMP/TEMPORARY as a synonym for TEMPORARY
(7.3.3) Avoid improper schema-privilege-check failure in foreign-key triggers
(7.3.3) Fix bugs in foreign-key triggers for SET DEFAULT action
(7.3.3) Fix incorrect time-qual check in row fetch for UPDATE and DELETE triggers
(7.3.3) Foreign-key clauses were parsed but ignored in ALTER TABLE ADD COLUMN
(7.3.3) Fix createlang script breakage for case where handler function already exists
(7.3.3) Fix misbehavior on zero-column tables in pg_dump, COPY, ANALYZE, other places
(7.3.3) Fix misbehavior of func_error()
on
type names containing '%'
(7.3.3) Fix misbehavior of replace()
on
strings containing '%'
(7.3.3) Regular-expression patterns containing certain multibyte characters failed
(7.3.3) Account correctly for NULLs in more cases in join size estimation
(7.3.3,7.2.5) Avoid conflict with system definition of isblank()
function or macro
(7.3.3) Fix failure to convert large code point values in EUC_TW conversions (Tatsuo Ishii)
(7.3.3) Fix error recovery for SSL_read
/SSL_write
calls
(7.3.3) Don't do early constant-folding of type coercion expressions
(7.3.3) Validate page header fields immediately after reading in any page
(7.3.3) Repair incorrect check for ungrouped variables in unnamed joins
(7.3.3,7.2.5) Fix buffer overrun in to_ascii
(Guido Notari)
(7.3.3) contrib/ltree fixes (Teodor Sigaev)
(7.3.3,7.2.5) Fix core dump in deadlock detection on machines where char is unsigned
(7.3.3) Avoid running out of buffers in many-way indexscan (bug introduced in 7.3)
(7.3.3) Fix planner's selectivity estimation functions to handle domains properly
(7.3.3) Fix dbmirror memory-allocation bug (Steven Singer)
(7.3.3) Prevent infinite loop in ln(numeric)
due to roundoff error
(7.3.3) GROUP BY got confused if there were multiple equal GROUP BY items
(7.3.3) Fix bad plan when inherited UPDATE/DELETE references another inherited table
(7.3.3) Prevent clustering on incomplete (partial or non-NULL-storing) indexes
(7.3.3) Service shutdown request at proper time if it arrives while still starting up
(7.3.3) Fix left-links in temporary indexes (could make backwards scans miss entries)
(7.3.3) Fix incorrect handling of client_encoding setting in postgresql.conf (Tatsuo Ishii)
(7.3.3,7.2.5) Fix failure to respond to pg_ctl stop -m fast after Async_NotifyHandler runs
(7.3.3) Fix SPI for case where rule contains multiple statements of the same type
(7.3.3) Fix problem with checking for wrong type of access privilege in rule query
(7.3.3) Fix problem with EXCEPT in CREATE RULE
(7.3.3) Prevent problem with dropping temp tables having serial columns
(7.3.3) Fix replace_vars_with_subplan_refs failure in complex views
(7.3.3) Fix regexp slowness in single-byte encodings (Tatsuo Ishii)
(7.3.3) Allow qualified type names in CREATE CAST and DROP CAST
(7.3.3) Accept SETOF type[]
, which
formerly had to be written SETOF
_type
(7.3.3) Fix pg_dump core dump in some cases with procedural languages
(7.3.3) Force ISO datestyle in pg_dump output, for portability (Oliver Elphick)
(7.3.3) pg_dump failed to handle error
return from lo_read
(Oleg Drokin)
(7.3.3) pg_dumpall failed with groups having no members (Nick Eskelinen)
(7.3.3) pg_dumpall failed to recognize --globals-only switch
(7.3.3) pg_restore failed to restore blobs if -X disable-triggers is specified
(7.3.3) Repair intrafunction memory leak in plpgsql
(7.3.3) pltcl's elog command dumped core if given wrong parameters (Ian Harding)
(7.3.3) plpython used wrong value of atttypmod (Brad McLean)
(7.3.3) Fix improper quoting of boolean values in Python interface (D'Arcy J.M. Cain)
(7.3.3) Added addDataType()
method to
PGConnection interface for JDBC
(7.3.3) Fixed various problems with updateable ResultSets for JDBC (Shawn Green)
(7.3.3) Fixed various problems with DatabaseMetaData for JDBC (Kris Jurka, Peter Royal)
(7.3.3) Fixed problem with parsing table ACLs in JDBC
(7.3.3) Better error message for character set conversion problems in JDBC
Release date: 2003-02-04
This release contains a variety of fixes for version 7.3.1.
A dump/restore is not required for those running version 7.3.*.
(7.3.2) Restore creation of OID column in CREATE TABLE AS / SELECT INTO
(7.3.2) Fix pg_dump core dump when dumping views having comments
(7.3.2) Dump DEFERRABLE/INITIALLY DEFERRED constraints properly
(7.3.2) Fix UPDATE when child table's column numbering differs from parent
(7.3.2) Increase default value of max_fsm_relations
(7.3.2) Fix problem when fetching backwards in a cursor for a single-row query
(7.3.2) Make backward fetch work properly with cursor on SELECT DISTINCT query
(7.3.2) Fix problems with loading pg_dump files containing contrib/lo usage
(7.3.2) Fix problem with all-numeric user names
(7.3.2) Fix possible memory leak and core dump during disconnect in libpgtcl
(7.3.2) Make plpython's spi_execute command handle nulls properly (Andrew Bosma)
(7.3.2) Adjust plpython error reporting so that its regression test passes again
(7.3.2) Work with bison 1.875
(7.3.2) Handle mixed-case names properly in plpgsql's %type (Neil Conway)
(7.3.2) Fix core dump in pltcl when executing a query rewritten by a rule
(7.3.2) Repair array subscript overruns (per report from Yichen Xie)
(7.3.2) Reduce MAX_TIME_PRECISION from 13 to 10 in floating-point case
(7.3.2) Correctly case-fold variable names in per-database and per-user settings
(7.3.2) Fix coredump in plpgsql's RETURN NEXT when SELECT into record returns no rows
(7.3.2) Fix outdated use of pg_type.typprtlen in python client interface
(7.3.2) Correctly handle fractional seconds in timestamps in JDBC driver
(7.3.2) Improve performance of getImportedKeys() in JDBC
(7.3.2) Make shared-library symlinks work standardly on HPUX (Giles Lean)
(7.3.2) Repair inconsistent rounding behavior for timestamp, time, interval
(7.3.2) SSL negotiation fixes (Nathan Mueller)
(7.3.2) Make libpq's ~/.pgpass feature work when connecting with PQconnectDB
(7.3.2) Update my2pg, ora2pg
(7.3.2) Translation updates
(7.3.2) Add casts between types lo and oid in contrib/lo
(7.3.2) fastpath code now checks for privilege to call function
Release date: 2002-12-18
This release contains a variety of fixes for version 7.3.
A dump/restore is not required for those running version 7.3. However, it should be noted that the main PostgreSQL interface library, libpq, has a new major version number for this release, which might require recompilation of client code in certain cases.
(7.3.1) Fix a core dump of COPY TO when client/server encodings don't match (Tom Lane)
(7.3.1) Allow pg_dump to work with pre-7.2 servers (Philip Warner)
(7.3.1) contrib/adddepend fixes (Tom Lane)
(7.3.1) Fix problem with deletion of per-user/per-database config settings (Tom Lane)
(7.3.1) contrib/vacuumlo fix (Tom Lane)
(7.3.1) Allow 'password' encryption even when pg_shadow contains MD5 passwords (Bruce Momjian)
(7.3.1) contrib/dbmirror fix (Steven Singer)
(7.3.1) Optimizer fixes (Tom Lane)
(7.3.1) contrib/tsearch fixes (Teodor Sigaev, Magnus Hagander)
(7.3.1) Allow locale names to be mixed case (Nicolai Tufar)
(7.3.1) Increment libpq library's major version number (Bruce Momjian)
(7.3.1) pg_hba.conf error reporting fixes (Bruce Momjian, Neil Conway)
(7.3.1) Add SCO Openserver 5.0.4 as a supported platform (Bruce Momjian)
(7.3.1) Prevent EXPLAIN from crashing server (Tom Lane)
(7.3.1) SSL fixes (Nathan Mueller)
(7.3.1) Prevent composite column creation via ALTER TABLE (Tom Lane)
Release date: 2002-11-27
Major changes in this release:
Schemas allow users to create objects in separate namespaces, so two people or applications can have tables with the same name. There is also a public schema for shared tables. Table/index creation can be restricted by removing privileges on the public schema.
PostgreSQL now supports the ALTER TABLE ... DROP COLUMN functionality.
Functions returning multiple rows and/or multiple columns are now much easier to use than before. You can call such a "table function" in the SELECT FROM clause, treating its output like a table. Also, PL/pgSQL functions can now return sets.
PostgreSQL now supports prepared queries, for improved performance.
PostgreSQL now records object dependencies, which allows improvements in many areas. DROP statements now take either CASCADE or RESTRICT to control whether dependent objects are also dropped.
Functions and procedural languages now have privileges, and functions can be defined to run with the privileges of their creator.
Both multibyte and locale support are now always enabled.
A variety of logging options have been enhanced.
A large number of interfaces have been moved to http://gborg.postgresql.org where they can be developed and released independently.
By default, functions can now take up to 32 parameters, and identifiers can be up to 63 bytes long. Also, OPAQUE is now deprecated: there are specific "pseudo-datatypes" to represent each of the former meanings of OPAQUE in function argument and result types.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release. If your application examines the system catalogs, additional changes will be required due to the introduction of schemas in 7.3; for more information, see: http://developer.postgresql.org/~momjian/upgrade_tips_7.3.
Observe the following incompatibilities:
(7.3.0) Pre-6.3 clients are no longer supported.
(7.3.0) pg_hba.conf now has a column for the user name and additional features. Existing files need to be adjusted.
(7.3.0) Several postgresql.conf logging parameters have been renamed.
(7.3.0) LIMIT #,# has been disabled; use LIMIT # OFFSET #.
(7.3.0) INSERT statements with column lists must specify a value for each specified column. For example, INSERT INTO tab (col1, col2) VALUES ('val1') is now invalid. It's still allowed to supply fewer columns than expected if the INSERT does not have a column list.
(7.3.0) serial columns are no longer automatically UNIQUE; thus, an index will not automatically be created.
(7.3.0) A SET command inside an aborted transaction is now rolled back.
(7.3.0) COPY no longer considers missing trailing columns to be null. All columns need to be specified. (However, one can achieve a similar effect by specifying a column list in the COPY command.)
(7.3.0) The data type timestamp is now equivalent to timestamp without time zone, instead of timestamp with time zone.
(7.3.0) Pre-7.3 databases loaded into 7.3 will not have the new object dependencies for serial columns, unique constraints, and foreign keys. See the directory contrib/adddepend/ for a detailed description and a script that will add such dependencies.
(7.3.0) An empty string ('') is no longer allowed as the input into an integer field. Formerly, it was silently interpreted as 0.
(7.3.0) Add pg_locks view to show locks (Neil Conway)
(7.3.0) Security fixes for password negotiation memory allocation (Neil Conway)
(7.3.0) Remove support for version 0 FE/BE protocol (PostgreSQL 6.2 and earlier) (Tom Lane)
(7.3.0) Reserve the last few backend slots for superusers, add parameter superuser_reserved_connections to control this (Nigel J. Andrews)
(7.3.0) Improve startup by calling localtime() only once (Tom Lane)
(7.3.0) Cache system catalog information in flat files for faster startup (Tom Lane)
(7.3.0) Improve caching of index information (Tom Lane)
(7.3.0) Optimizer improvements (Tom Lane, Fernando Nasser)
(7.3.0) Catalog caches now store failed lookups (Tom Lane)
(7.3.0) Hash function improvements (Neil Conway)
(7.3.0) Improve performance of query tokenization and network handling (Peter T. Mount)
(7.3.0) Speed improvement for large object restore (Mario Weilguni)
(7.3.0) Mark expired index entries on first lookup, saving later heap fetches (Tom Lane)
(7.3.0) Avoid excessive NULL bitmap padding (Manfred Koizar)
(7.3.0) Add BSD-licensed qsort() for Solaris, for performance (Bruce Momjian)
(7.3.0) Reduce per-row overhead by four bytes (Manfred Koizar)
(7.3.0) Fix GEQO optimizer bug (Neil Conway)
(7.3.0) Make WITHOUT OID actually save four bytes per row (Manfred Koizar)
(7.3.0) Add default_statistics_target variable to specify ANALYZE buckets (Neil Conway)
(7.3.0) Use local buffer cache for temporary tables so no WAL overhead (Tom Lane)
(7.3.0) Improve free space map performance on large tables (Stephen Marshall, Tom Lane)
(7.3.0) Improved WAL write concurrency (Tom Lane)
(7.3.0) Add privileges on functions and procedural languages (Peter T. Mount)
(7.3.0) Add OWNER to CREATE DATABASE so superusers can create databases on behalf of unprivileged users (Gavin Sherry, Tom Lane)
(7.3.0) Add new object privilege bits EXECUTE and USAGE (Tom Lane)
(7.3.0) Add SET SESSION AUTHORIZATION DEFAULT and RESET SESSION AUTHORIZATION (Tom Lane)
(7.3.0) Allow functions to be executed with the privilege of the function owner (Peter T. Mount)
(7.3.0) Server log messages now tagged with LOG, not DEBUG (Bruce Momjian)
(7.3.0) Add user column to pg_hba.conf (Bruce Momjian)
(7.3.0) Have log_connections output two lines in log file (Tom Lane)
(7.3.0) Remove debug_level from postgresql.conf, now server_min_messages (Bruce Momjian)
(7.3.0) New ALTER DATABASE/USER ... SET command for per-user/database initialization (Peter T. Mount)
(7.3.0) New parameters server_min_messages and client_min_messages to control which messages are sent to the server logs or client applications (Bruce Momjian)
(7.3.0) Allow pg_hba.conf to specify lists of users/databases separated by commas, group names prepended with +, and file names prepended with @ (Bruce Momjian)
(7.3.0) Remove secondary password file capability and pg_password utility (Bruce Momjian)
(7.3.0) Add variable db_user_namespace for database-local user names (Bruce Momjian)
(7.3.0) SSL improvements (Bear Giles Lean)
(7.3.0) Make encryption of stored passwords the default (Bruce Momjian)
(7.3.0) Allow pg_statistics to be reset by calling pg_stat_reset() (Christopher Kings-Lynne)
(7.3.0) Add log_duration parameter (Bruce Momjian)
(7.3.0) Rename debug_print_query to log_statement (Bruce Momjian)
(7.3.0) Rename show_query_stats to show_statement_stats (Bruce Momjian)
(7.3.0) Add param log_min_error_statement to print commands to logs on error (Gavin Sherry)
(7.3.0) Make cursors insensitive, meaning their contents do not change (Tom Lane)
(7.3.0) Disable LIMIT #,# syntax; now only LIMIT # OFFSET # supported (Bruce Momjian)
(7.3.0) Increase identifier length to 63 (Neil Conway, Bruce Momjian)
(7.3.0) UNION fixes for merging >= 3 columns of different lengths (Tom Lane)
(7.3.0) Add DEFAULT key word to INSERT, e.g., INSERT ... (..., DEFAULT, ...) (Rod Taylor)
(7.3.0) Allow views to have default values using ALTER COLUMN ... SET DEFAULT (Neil Conway)
(7.3.0) Fail on INSERTs with column lists that don't supply all column values, e.g., INSERT INTO tab (col1, col2) VALUES ('val1'); (Rod Taylor)
(7.3.0) Fix for join aliases (Tom Lane)
(7.3.0) Fix for FULL OUTER JOINs (Tom Lane)
(7.3.0) Improve reporting of invalid identifier and location (Tom Lane, Gavin Sherry)
(7.3.0) Fix OPEN cursor(args) (Tom Lane)
(7.3.0) Allow 'ctid' to be used in a view and currtid(viewname) (Hiroshi Inoue)
(7.3.0) Fix for CREATE TABLE AS with UNION (Tom Lane)
(7.3.0) SQL99 syntax improvements (Thomas Lockhart)
(7.3.0) Add statement_timeout variable to cancel queries (Bruce Momjian)
(7.3.0) Allow prepared queries with PREPARE/EXECUTE (Neil Conway)
(7.3.0) Allow FOR UPDATE to appear after LIMIT/OFFSET (Bruce Momjian)
(7.3.0) Add variable autocommit (Tom Lane, David Van Wie)
(7.3.0) Make equals signs optional in CREATE DATABASE (Gavin Sherry)
(7.3.0) Make ALTER TABLE OWNER change index ownership too (Neil Conway)
(7.3.0) New ALTER TABLE tabname ALTER COLUMN colname SET STORAGE controls TOAST storage, compression (John Gray)
(7.3.0) Add schema support, CREATE/DROP SCHEMA (Tom Lane)
(7.3.0) Create schema for temporary tables (Tom Lane)
(7.3.0) Add variable search_path for schema search (Tom Lane)
(7.3.0) Add ALTER TABLE SET/DROP NOT NULL (Christopher Kings-Lynne)
(7.3.0) New CREATE FUNCTION volatility levels (Tom Lane)
(7.3.0) Make rule names unique only per table (Tom Lane)
(7.3.0) Add 'ON tablename' clause to DROP RULE and COMMENT ON RULE (Tom Lane)
(7.3.0) Add ALTER TRIGGER RENAME (Joe Conway)
(7.3.0) New current_schema() and current_schemas() inquiry functions (Tom Lane)
(7.3.0) Allow functions to return multiple rows (table functions) (Joe Conway)
(7.3.0) Make WITH optional in CREATE DATABASE, for consistency (Bruce Momjian)
(7.3.0) Add object dependency tracking (Rod Taylor, Tom Lane)
(7.3.0) Add RESTRICT/CASCADE to DROP commands (Rod Taylor)
(7.3.0) Add ALTER TABLE DROP for non-CHECK CONSTRAINT (Rod Taylor)
(7.3.0) Autodestroy sequence on DROP of table with SERIAL (Rod Taylor)
(7.3.0) Prevent column dropping if column is used by foreign key (Rod Taylor)
(7.3.0) Automatically drop constraints/functions when object is dropped (Rod Taylor)
(7.3.0) Add CREATE/DROP OPERATOR CLASS (Bill Studenmund, Tom Lane)
(7.3.0) Add ALTER TABLE DROP COLUMN (Christopher Kings-Lynne, Tom Lane, Hiroshi Inoue)
(7.3.0) Prevent inherited columns from being removed or renamed (Álvaro Herrera)
(7.3.0) Fix foreign key constraints to not error on intermediate database states (Stephan Szabo)
(7.3.0) Propagate column or table renaming to foreign key constraints
(7.3.0) Add CREATE OR REPLACE VIEW (Gavin Sherry, Neil Conway, Tom Lane)
(7.3.0) Add CREATE OR REPLACE RULE (Gavin Sherry, Neil Conway, Tom Lane)
(7.3.0) Have rules execute alphabetically, returning more predictable values (Tom Lane)
(7.3.0) Triggers are now fired in alphabetical order (Tom Lane)
(7.3.0) Add /contrib/adddepend to handle pre-7.3 object dependencies (Rod Taylor)
(7.3.0) Allow better casting when inserting/updating values (Tom Lane)
(7.3.0) Have COPY TO output embedded carriage returns and newlines as \r and \n (Tom Lane)
(7.3.0) Allow DELIMITER in COPY FROM to be 8-bit clean (Tatsuo Ishii)
(7.3.0) Make pg_dump use ALTER TABLE ADD PRIMARY KEY, for performance (Neil Conway)
(7.3.0) Disable brackets in multistatement rules (Bruce Momjian)
(7.3.0) Disable VACUUM from being called inside a function (Bruce Momjian)
(7.3.0) Allow dropdb and other scripts to use identifiers with spaces (Bruce Momjian)
(7.3.0) Restrict database comment changes to the current database
(7.3.0) Allow comments on operators, independent of the underlying function (Rod Taylor)
(7.3.0) Rollback SET commands in aborted transactions (Tom Lane)
(7.3.0) EXPLAIN now outputs as a query (Tom Lane)
(7.3.0) Display condition expressions and sort keys in EXPLAIN (Tom Lane)
(7.3.0) Add 'SET LOCAL var = value' to set configuration variables for a single transaction (Tom Lane)
(7.3.0) Allow ANALYZE to run in a transaction (Bruce Momjian)
(7.3.0) Improve COPY syntax using new WITH clauses, keep backward compatibility (Bruce Momjian)
(7.3.0) Fix pg_dump to consistently output tags in non-ASCII dumps (Bruce Momjian)
(7.3.0) Make foreign key constraints clearer in dump file (Rod Taylor)
(7.3.0) Add COMMENT ON CONSTRAINT (Rod Taylor)
(7.3.0) Allow COPY TO/FROM to specify column names (Brent Verner)
(7.3.0) Dump UNIQUE and PRIMARY KEY constraints as ALTER TABLE (Rod Taylor)
(7.3.0) Have SHOW output a query result (Joe Conway)
(7.3.0) Generate failure on short COPY lines rather than pad NULLs (Neil Conway)
(7.3.0) Fix CLUSTER to preserve all table attributes (Álvaro Herrera)
(7.3.0) New pg_settings table to view/modify GUC settings (Joe Conway)
(7.3.0) Add smart quoting, portability improvements to pg_dump output (Peter T. Mount)
(7.3.0) Dump serial columns out as SERIAL (Tom Lane)
(7.3.0) Enable large file support, >2G for pg_dump (Peter T. Mount, Philip Warner, Bruce Momjian)
(7.3.0) Disallow TRUNCATE on tables that are involved in referential constraints (Rod Taylor)
(7.3.0) Have TRUNCATE also auto-truncate the toast table of the relation (Tom Lane)
(7.3.0) Add clusterdb utility that will auto-cluster an entire database based on previous CLUSTER operations (Álvaro Herrera)
(7.3.0) Overhaul pg_dumpall (Peter T. Mount)
(7.3.0) Allow REINDEX of TOAST tables (Tom Lane)
(7.3.0) Implemented START TRANSACTION, per SQL99 (Neil Conway)
(7.3.0) Fix rare index corruption when a page split affects bulk delete (Tom Lane)
(7.3.0) Fix ALTER TABLE ... ADD COLUMN for inheritance (Álvaro Herrera)
(7.3.0) Fix factorial(0) to return 1 (Bruce Momjian)
(7.3.0) Date/time/timezone improvements (Thomas Lockhart)
(7.3.0) Fix for array slice extraction (Tom Lane)
(7.3.0) Fix extract/date_part to report proper microseconds for timestamp (Tatsuo Ishii)
(7.3.0) Allow text_substr() and bytea_substr() to read TOAST values more efficiently (John Gray)
(7.3.0) Add domain support (Rod Taylor)
(7.3.0) Make WITHOUT TIME ZONE the default for TIMESTAMP and TIME data types (Thomas Lockhart)
(7.3.0) Allow alternate storage scheme of 64-bit integers for date/time types using --enable-integer-datetimes in configure (Thomas Lockhart)
(7.3.0) Make timezone(timestamptz) return timestamp rather than a string (Thomas Lockhart)
(7.3.0) Allow fractional seconds in date/time types for dates prior to 1BC (Thomas Lockhart)
(7.3.0) Limit timestamp data types to 6 decimal places of precision (Thomas Lockhart)
(7.3.0) Change timezone conversion functions from timetz() to timezone() (Thomas Lockhart)
(7.3.0) Add configuration variables datestyle and timezone (Tom Lane)
(7.3.0) Add OVERLAY(), which allows substitution of a substring in a string (Thomas Lockhart)
(7.3.0) Add SIMILAR TO (Thomas Lockhart, Tom Lane)
(7.3.0) Add regular expression SUBSTRING(string FROM pat FOR escape) (Thomas Lockhart)
(7.3.0) Add LOCALTIME and LOCALTIMESTAMP functions (Thomas Lockhart)
(7.3.0) Add named composite types using CREATE TYPE typename AS (column) (Joe Conway)
(7.3.0) Allow composite type definition in the table alias clause (Joe Conway)
(7.3.0) Add new API to simplify creation of C language table functions (Joe Conway)
(7.3.0) Remove ODBC-compatible empty parentheses from calls to SQL99 functions for which these parentheses do not match the standard (Thomas Lockhart)
(7.3.0) Allow macaddr data type to accept 12 hex digits with no separators (Mike Wyer)
(7.3.0) Add CREATE/DROP CAST (Peter T. Mount)
(7.3.0) Add IS DISTINCT FROM operator (Thomas Lockhart)
(7.3.0) Add SQL99 TREAT() function, synonym for CAST() (Thomas Lockhart)
(7.3.0) Add pg_backend_pid() to output backend pid (Bruce Momjian)
(7.3.0) Add IS OF / IS NOT OF type predicate (Thomas Lockhart)
(7.3.0) Allow bit string constants without fully-specified length (Thomas Lockhart)
(7.3.0) Allow conversion between 8-byte integers and bit strings (Thomas Lockhart)
(7.3.0) Implement hex literal conversion to bit string literal (Thomas Lockhart)
(7.3.0) Allow table functions to appear in the FROM clause (Joe Conway)
(7.3.0) Increase maximum number of function parameters to 32 (Bruce Momjian)
(7.3.0) No longer automatically create index for SERIAL column (Tom Lane)
(7.3.0) Add current_database() (Rod Taylor)
(7.3.0) Fix cash_words() to not overflow buffer (Tom Lane)
(7.3.0) Add functions replace(), split_part(), to_hex() (Joe Conway)
(7.3.0) Fix LIKE for bytea as a right-hand argument (Joe Conway)
(7.3.0) Prevent crashes caused by SELECT cash_out(2) (Tom Lane)
(7.3.0) Fix to_char(1,'FM999.99') to return a period (Karel Zak)
(7.3.0) Fix trigger/type/language functions returning OPAQUE to return proper type (Tom Lane)
(7.3.0) Add additional encodings: Korean (JOHAB), Thai (WIN874), Vietnamese (TCVN), Arabic (WIN1256), Simplified Chinese (GBK), Korean (UHC) (Eiji Tokuya)
(7.3.0) Enable locale support by default (Peter T. Mount)
(7.3.0) Add locale variables (Peter T. Mount)
(7.3.0) Escape byes >= 0x7f for multibyte in PQescapeBytea/PQunescapeBytea (Tatsuo Ishii)
(7.3.0) Add locale awareness to regular expression character classes
(7.3.0) Enable multibyte support by default (Tatsuo Ishii)
(7.3.0) Add GB18030 multibyte support (Bill Huang)
(7.3.0) Add CREATE/DROP CONVERSION, allowing loadable encodings (Tatsuo Ishii, Kaori)
(7.3.0) Add pg_conversion table (Tatsuo Ishii)
(7.3.0) Add SQL99 CONVERT() function (Tatsuo Ishii)
(7.3.0) pg_dumpall, pg_controldata, and pg_resetxlog now national-language aware (Peter T. Mount)
(7.3.0) New and updated translations
(7.3.0) Allow recursive SQL function (Peter T. Mount)
(7.3.0) Change PL/Tcl build to use configured compiler and Makefile.shlib (Peter T. Mount)
(7.3.0) Overhaul the PL/pgSQL FOUND variable to be more Oracle-compatible (Neil Conway, Tom Lane)
(7.3.0) Allow PL/pgSQL to handle quoted identifiers (Tom Lane)
(7.3.0) Allow set-returning PL/pgSQL functions (Neil Conway)
(7.3.0) Make PL/pgSQL schema-aware (Joe Conway)
(7.3.0) Remove some memory leaks (Nigel J. Andrews, Tom Lane)
(7.3.0) Don't lowercase psql \connect database name for 7.2.0 compatibility (Tom Lane)
(7.3.0) Add psql \timing to time user queries (Greg Sabino Mullane)
(7.3.0) Have psql \d show index information (Greg Sabino Mullane)
(7.3.0) New psql \dD shows domains (Jonathan Eisler)
(7.3.0) Allow psql to show rules on views (Paul ?)
(7.3.0) Fix for psql variable substitution (Tom Lane)
(7.3.0) Allow psql \d to show temporary table structure (Tom Lane)
(7.3.0) Allow psql \d to show foreign keys (Rod Taylor)
(7.3.0) Fix \? to honor \pset pager (Bruce Momjian)
(7.3.0) Have psql reports its version number on startup (Tom Lane)
(7.3.0) Allow \copy to specify column names (Tom Lane)
(7.3.0) Add ~/.pgpass to store host/user password combinations (Álvaro Herrera)
(7.3.0) Add PQunescapeBytea() function to libpq (Patrick Welche)
(7.3.0) Fix for sending large queries over non-blocking connections (Bernhard Herzog)
(7.3.0) Fix for libpq using timers on Win9X (David Ford)
(7.3.0) Allow libpq notify to handle servers with different-length identifiers (Tom Lane)
(7.3.0) Add libpq PQescapeString() and PQescapeBytea() to Windows (Bruce Momjian)
(7.3.0) Fix for SSL with non-blocking connections (Jack Bates)
(7.3.0) Add libpq connection timeout parameter (Denis A Ustimenko)
(7.3.0) Allow JDBC to compile with JDK 1.4 (Dave Cramer)
(7.3.0) Add JDBC 3 support (Barry Lind)
(7.3.0) Allows JDBC to set loglevel by adding ?loglevel=X to the connection URL (Barry Lind)
(7.3.0) Add Driver.info() message that prints out the version number (Barry Lind)
(7.3.0) Add updateable result sets (Raghu Nidagal, Dave Cramer)
(7.3.0) Add support for callable statements (Paul Bethe)
(7.3.0) Add query cancel capability
(7.3.0) Add refresh row (Dave Cramer)
(7.3.0) Fix MD5 encryption handling for multibyte servers (Jun Kawai)
(7.3.0) Add support for prepared statements (Barry Lind)
(7.3.0) Fixed ECPG bug concerning octal numbers in single quotes (Michael Meskes)
(7.3.0,7.3.0) Move src/interfaces/libpgeasy to http://gborg.postgresql.org (Marc Fournier, Bruce Momjian)
(7.3.0) Improve Python interface (Elliot Lee, Andrew Johnson, Greg Copeland)
(7.3.0) Add libpgtcl connection close event (Gerhard Hintermayer)
(7.3.0) Move src/interfaces/libpq++ to http://gborg.postgresql.org (Marc Fournier, Bruce Momjian)
(7.3.0) Move src/interfaces/odbc to http://gborg.postgresql.org (Marc Fournier)
(7.3.0,7.3.0) Move src/interfaces/libpgeasy to http://gborg.postgresql.org (Marc Fournier, Bruce Momjian)
(7.3.0) Move src/interfaces/perl5 to http://gborg.postgresql.org (Marc Fournier, Bruce Momjian)
(7.3.0) Remove src/bin/pgaccess from main tree, now at http://www.pgaccess.org (Bruce Momjian)
(7.3.0) Add pg_on_connection_loss command to libpgtcl (Gerhard Hintermayer, Tom Lane)
(7.3.0) Fix for parallel make (Peter T. Mount)
(7.3.0) AIX fixes for linking Tcl (Andreas Andreas Zeugswetter)
(7.3.0) Allow PL/Perl to build under Cygwin (Jason Tishler)
(7.3.0) Improve MIPS compiles (Peter T. Mount, Oliver Elphick)
(7.3.0) Require Autoconf version 2.53 (Peter T. Mount)
(7.3.0) Require readline and zlib by default in configure (Peter T. Mount)
(7.3.0) Allow Solaris to use Intimate Shared Memory (ISM), for performance (Scott Brunza, P.J. Josh Rovero)
(7.3.0) Always enable syslog in compile, remove --enable-syslog option (Tatsuo Ishii)
(7.3.0) Always enable multibyte in compile, remove --enable-multibyte option (Tatsuo Ishii)
(7.3.0) Always enable locale in compile, remove --enable-locale option (Peter T. Mount)
(7.3.0) Fix for Win9x DLL creation (Magnus Naeslund)
(7.3.0) Fix for link() usage by WAL code on Windows, BeOS (Jason Tishler)
(7.3.0) Add sys/types.h to c.h, remove from main files (Peter T. Mount, Bruce Momjian)
(7.3.0) Fix AIX hang on SMP machines (Tomoyuki Niijima)
(7.3.0) AIX SMP hang fix (Tomoyuki Niijima)
(7.3.0) Fix pre-1970 date handling on newer glibc libraries (Tom Lane)
(7.3.0) Fix PowerPC SMP locking (Tom Lane)
(7.3.0) Prevent gcc -ffast-math from being used (Peter T. Mount, Tom Lane)
(7.3.0) Bison >= 1.50 now required for developer builds
(7.3.0) Kerberos 5 support now builds with Heimdal (Peter T. Mount)
(7.3.0) Add appendix in the User's Guide which lists SQL features (Thomas Lockhart)
(7.3.0) Improve loadable module linking to use RTLD_NOW (Tom Lane)
(7.3.0) New error levels WARNING, INFO, LOG, DEBUG[1-5] (Bruce Momjian)
(7.3.0) New src/port directory holds replaced libc functions (Peter T. Mount, Bruce Momjian)
(7.3.0) New pg_namespace system catalog for schemas (Tom Lane)
(7.3.0) Add pg_class.relnamespace for schemas (Tom Lane)
(7.3.0) Add pg_type.typnamespace for schemas (Tom Lane)
(7.3.0) Add pg_proc.pronamespace for schemas (Tom Lane)
(7.3.0) Restructure aggregates to have pg_proc entries (Tom Lane)
(7.3.0) System relations now have their own namespace, pg_* test not required (Fernando Nasser)
(7.3.0) Rename TOAST index names to be *_index rather than *_idx (Neil Conway)
(7.3.0) Add namespaces for operators, opclasses (Tom Lane)
(7.3.0) Add additional checks to server control file (Thomas Lockhart)
(7.3.0) New Polish FAQ (Marcin Mazurek)
(7.3.0) Add Posix semaphore support (Tom Lane)
(7.3.0) Document need for reindex (Bruce Momjian)
(7.3.0) Rename some internal identifiers to simplify Windows compile (Jan Wieck, Katherine Ward)
(7.3.0) Add documentation on computing disk space (Bruce Momjian)
(7.3.0) Remove KSQO from GUC (Bruce Momjian)
(7.3.0) Fix memory leak in rtree (Kenneth Been)
(7.3.0) Modify a few error messages for consistency (Bruce Momjian)
(7.3.0) Remove unused system table columns (Peter T. Mount)
(7.3.0) Make system columns NOT NULL where appropriate (Tom Lane)
(7.3.0) Clean up use of sprintf in favor of snprintf() (Neil Conway, Jukka Holappa)
(7.3.0) Remove OPAQUE and create specific subtypes (Tom Lane)
(7.3.0) Cleanups in array internal handling (Joe Conway, Tom Lane)
(7.3.0) Disallow pg_atoi('') (Bruce Momjian)
(7.3.0) Remove parameter wal_files because WAL files are now recycled (Bruce Momjian)
(7.3.0) Add version numbers to heap pages (Tom Lane)
(7.3.0) Allow inet arrays in /contrib/array (Neil Conway)
(7.3.0) GiST fixes (Teodor Sigaev, Neil Conway)
(7.3.0) Upgrade /contrib/mysql
(7.3.0) Add /contrib/dbsize which shows table sizes without vacuum (Peter T. Mount)
(7.3.0) Add /contrib/intagg, integer aggregator routines (mlw)
(7.3.0) Improve /contrib/oid2name (Neil Conway, Bruce Momjian)
(7.3.0) Improve /contrib/tsearch (Oleg Bartunov, Teodor Sigaev)
(7.3.0) Cleanups of /contrib/rserver (Alexey V. Borzov)
(7.3.0) Update /contrib/oracle conversion utility (Gilles Darold)
(7.3.0) Update /contrib/dblink (Joe Conway)
(7.3.0) Improve options supported by /contrib/vacuumlo (Mario Weilguni)
(7.3.0) Improvements to /contrib/intarray (Oleg Bartunov, Teodor Sigaev, Andrey Oktyabrski)
(7.3.0) Add /contrib/reindexdb utility (Shaun Thomas Lockhart)
(7.3.0) Add indexing to /contrib/isbn_issn (Dan Weston)
(7.3.0) Add /contrib/dbmirror (Steven Singer)
(7.3.0) Improve /contrib/pgbench (Neil Conway)
(7.3.0) Add /contrib/tablefunc table function examples (Joe Conway)
(7.3.0) Add /contrib/ltree data type for tree structures (Teodor Sigaev, Oleg Bartunov)
(7.3.0) Move /contrib/pg_controldata, pg_resetxlog into main tree (Bruce Momjian)
(7.3.0) Fixes to /contrib/cube (Bruno Wolff)
(7.3.0) Improve /contrib/fulltextindex (Christopher Kings-Lynne)
Release date: 2005-05-09
This release contains a variety of fixes from 7.2.7, including one security-related issue.
A dump/restore is not required for those running 7.2.X.
(7.2.8,8.0.3,7.4.8,7.3.10) Repair ancient race condition that allowed a transaction to be seen as committed for some purposes (eg SELECT FOR UPDATE) slightly sooner than for other purposes
This is an extremely serious bug since it could lead to apparent data inconsistencies being briefly visible to applications.
(7.2.8,8.0.3,7.4.8,7.3.10) Repair race condition between relation extension and VACUUM
This could theoretically have caused loss of a page's worth of freshly-inserted data, although the scenario seems of very low probability. There are no known cases of it having caused more than an Assert failure.
(7.2.8,8.0.3,7.4.8,7.3.10) Fix EXTRACT (EPOCH)
for TIME WITH TIME ZONE values
(7.2.8,7.4.8,7.3.10) Additional buffer overrun checks in plpgsql (Neil Conway)
(7.2.8) Fix pg_dump to dump index names and trigger names containing % correctly (Neil Conway)
(7.2.8,7.4.8,7.3.10) Prevent to_char(interval)
from
dumping core for month-related formats
(7.2.8,7.4.8,7.3.10) Fix contrib/pgcrypto for newer OpenSSL builds (Marko Kreen)
Release date: 2005-01-31
This release contains a variety of fixes from 7.2.6, including several security-related issues.
A dump/restore is not required for those running 7.2.X.
(7.2.7,8.0.1,7.4.7,7.3.9) Disallow LOAD to non-superusers
On platforms that will automatically execute initialization functions of a shared library (this includes at least Windows and ELF-based Unixen), LOAD can be used to make the server execute arbitrary code. Thanks to NGS Software for reporting this.
(7.2.7,8.0.1,7.4.7,7.3.9) Add needed STRICT marking to some contrib functions (Kris Jurka)
(7.2.7,8.0.1,7.4.7,7.3.9) Avoid buffer overrun when plpgsql cursor declaration has too many parameters (Neil Conway)
(7.2.7,8.0.1,7.4.7,7.3.9) Fix planning error for FULL and RIGHT outer joins
The result of the join was mistakenly supposed to be sorted the same as the left input. This could not only deliver mis-sorted output to the user, but in case of nested merge joins could give outright wrong answers.
(7.2.7,7.4.7,7.3.9) Fix display of negative intervals in SQL and GERMAN datestyles
Release date: 2004-10-22
This release contains a variety of fixes from 7.2.5.
A dump/restore is not required for those running 7.2.X.
(7.2.6,7.4.6,7.3.8) Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not access transaction status" failures, which qualifies it as a potential-data-loss bug.
(7.2.6,7.4.6,7.3.8) Ensure that hashed outer join does not miss tuples
Very large left joins using a hash join plan could fail to output unmatched left-side rows given just the right data distribution.
(7.2.6,7.3.8) Disallow running pg_ctl as root
This is to guard against any possible security issues.
(7.2.6,7.3.8) Avoid using temp files in /tmp in make_oidjoins_check
This has been reported as a security issue, though it's hardly worthy of concern since there is no reason for non-developers to use this script anyway.
(7.2.6) Update to newer versions of Bison
Release date: 2004-08-16
This release contains a variety of fixes from 7.2.4.
A dump/restore is not required for those running 7.2.X.
(7.2.5,7.4.4,7.3.7) Prevent possible loss of committed transactions during crash
Due to insufficient interlocking between transaction commit and checkpointing, it was possible for transactions committed just before the most recent checkpoint to be lost, in whole or in part, following a database crash and restart. This is a serious bug that has existed since PostgreSQL 7.1.
(7.2.5,7.3.5) Fix corner case for btree search in parallel with first root page split
(7.2.5,7.3.3) Fix buffer overrun in to_ascii
(Guido Notari)
(7.2.5,7.3.3) Fix core dump in deadlock detection on machines where char is unsigned
(7.2.5,7.3.3) Fix failure to respond to pg_ctl stop -m fast after Async_NotifyHandler runs
(7.2.5) Repair memory leaks in pg_dump
(7.2.5,7.3.3) Avoid conflict with system definition of isblank()
function or macro
Release date: 2003-01-30
This release contains a variety of fixes for version 7.2.3, including fixes to prevent possible data loss.
A dump/restore is not required for those running version 7.2.*.
(7.2.4) Fix some additional cases of VACUUM "No one parent tuple was found" error
(7.2.4) Prevent VACUUM from being called inside a function (Bruce Momjian)
(7.2.4) Ensure pg_clog updates are sync'd to disk before marking checkpoint complete
(7.2.4) Avoid integer overflow during large hash joins
(7.2.4) Make GROUP commands work when pg_group.grolist is large enough to be toasted
(7.2.4) Fix errors in datetime tables; some timezone names weren't being recognized
(7.2.4) Fix integer overflows in circle_poly(), path_encode(), path_add() (Neil Conway)
(7.2.4) Repair long-standing logic errors in lseg_eq(), lseg_ne(), lseg_center()
Release date: 2002-10-01
This release contains a variety of fixes for version 7.2.2, including fixes to prevent possible data loss.
A dump/restore is not required for those running version 7.2.*.
(7.2.3) Prevent possible compressed transaction log loss (Tom Lane)
(7.2.3) Prevent non-superuser from increasing most recent vacuum info (Tom Lane)
(7.2.3) Handle pre-1970 date values in newer versions of glibc (Tom Lane)
(7.2.3) Fix possible hang during server shutdown
(7.2.3) Prevent spinlock hangs on SMP PPC machines (Tomoyuki Niijima)
(7.2.3) Fix pg_dump to properly dump FULL JOIN USING (Tom Lane)
Release date: 2002-08-23
This release contains a variety of fixes for version 7.2.1.
A dump/restore is not required for those running version 7.2.*.
(7.2.2,7.2.1) Allow EXECUTE of "CREATE TABLE AS ... SELECT" in PL/pgSQL (Tom Lane)
(7.2.2) Fix for compressed transaction log id wraparound (Tom Lane)
(7.2.2) Fix PQescapeBytea/PQunescapeBytea so that they handle bytes > 0x7f (Tatsuo Ishii)
(7.2.2) Fix for psql and pg_dump crashing when invoked with non-existent long options (Tatsuo Ishii)
(7.2.2) Fix crash when invoking geometric operators (Tom Lane)
(7.2.2) Allow OPEN cursor(args) (Tom Lane)
(7.2.2) Fix for rtree_gist index build (Teodor Sigaev)
(7.2.2) Fix for dumping user-defined aggregates (Tom Lane)
(7.2.2) contrib/intarray fixes (Oleg Bartunov)
(7.2.2) Fix for complex UNION/EXCEPT/INTERSECT queries using parens (Tom Lane)
(7.2.2) Fix to pg_convert (Tatsuo Ishii)
(7.2.2) Fix for crash with long DATA strings (Thomas Lockhart, Neil Conway)
(7.2.2) Fix for repeat(), lpad(), rpad() and long strings (Neil Conway)
Release date: 2002-03-21
This release contains a variety of fixes for version 7.2.
A dump/restore is not required for those running version 7.2.
(7.2.1) Ensure that sequence counters do not go backwards after a crash (Tom Lane)
(7.2.1) Fix pgaccess kanji-conversion key binding (Tatsuo Ishii)
(7.2.1,8.1.1,7.2.0) Optimizer improvements (Tom Lane)
(7.2.1) Cash I/O improvements (Tom Lane)
(7.2.1) New Russian FAQ
(7.2.1) Compile fix for missing AuthBlockSig (Heiko Lehmann)
(7.2.1) Additional time zones and time zone fixes (Thomas Lockhart)
(7.2.1) Allow psql \connect to handle mixed case database and user names (Tom Lane)
(7.2.1) Return proper OID on command completion even with ON INSERT rules (Tom Lane)
(7.2.1) Allow COPY FROM to use 8-bit DELIMITERS (Tatsuo Ishii)
(7.2.1) Fix bug in extract/date_part for milliseconds/microseconds (Tatsuo Ishii)
(7.2.1) Improve handling of multiple UNIONs with different lengths (Tom Lane)
(7.2.1) contrib/btree_gist improvements (Teodor Sigaev)
(7.2.1) contrib/tsearch dictionary improvements, see README.tsearch for an additional installation step (Thomas T. Thai, Teodor Sigaev)
(7.2.1) Fix for array subscripts handling (Tom Lane)
(7.2.1,7.2.2) Allow EXECUTE of "CREATE TABLE AS ... SELECT" in PL/pgSQL (Tom Lane)
Release date: 2002-02-04
This release improves PostgreSQL for use in high-volume applications.
Major changes in this release:
Vacuuming no longer locks tables, thus allowing normal user access during the vacuum. A new VACUUM FULL command does old-style vacuum by locking the table and shrinking the on-disk copy of the table.
There is no longer a problem with installations that exceed four billion transactions.
OIDs are now optional. Users can now create tables without OIDs for cases where OID usage is excessive.
The system now computes histogram column statistics during ANALYZE, allowing much better optimizer choices.
A new MD5 encryption option allows more secure storage and transfer of passwords. A new Unix-domain socket authentication option is available on Linux and BSD systems.
Administrators can use the new table access statistics module to get fine-grained information about table and index usage.
Program and library messages can now be displayed in several languages.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Observe the following incompatibilities:
(7.2.0) The semantics of the VACUUM command have changed in this release. You might wish to update your maintenance procedures accordingly.
(7.2.0) In this release, comparisons using = NULL will always return false (or NULL, more precisely). Previous releases automatically transformed this syntax to IS NULL. The old behavior can be re-enabled using a postgresql.conf parameter.
(7.2.0) The pg_hba.conf and pg_ident.conf configuration is now only reloaded after receiving a SIGHUP signal, not with each connection.
(7.2.0) The function octet_length() now returns the uncompressed data length.
(7.2.0) The date/time value 'current' is no longer available. You will need to rewrite your applications.
(7.2.0) The timestamp(), time(), and interval() functions are no longer available. Instead of timestamp(), use timestamp 'string' or CAST.
The SELECT ... LIMIT #,# syntax will be removed in the next release. You should change your queries to use separate LIMIT and OFFSET clauses, e.g. LIMIT 10 OFFSET 20.
(7.2.0) Create temporary files in a separate directory (Bruce Momjian)
(7.2.0) Delete orphaned temporary files on postmaster startup (Bruce Momjian)
(7.2.0) Added unique indexes to some system tables (Tom Lane)
(7.2.0) System table operator reorganization (Oleg Bartunov, Teodor Sigaev, Tom Lane)
(7.2.0) Renamed pg_log to pg_clog (Tom Lane)
(7.2.0) Enable SIGTERM, SIGQUIT to kill backends (Jan Wieck)
(7.2.0) Removed compile-time limit on number of backends (Tom Lane)
(7.2.0) Better cleanup for semaphore resource failure (Tatsuo Ishii, Tom Lane)
(7.2.0) Allow safe transaction ID wraparound (Tom Lane)
(7.2.0) Removed OIDs from some system tables (Tom Lane)
(7.2.0) Removed "triggered data change violation" error check (Tom Lane)
(7.2.0) SPI portal creation of prepared/saved plans (Jan Wieck)
(7.2.0) Allow SPI column functions to work for system columns (Tom Lane)
(7.2.0) Long value compression improvement (Tom Lane)
(7.2.0) Statistics collector for table, index access (Jan Wieck)
(7.2.0) Truncate extra-long sequence names to a reasonable value (Tom Lane)
(7.2.0) Measure transaction times in milliseconds (Thomas Lockhart)
(7.2.0) Fix TID sequential scans (Hiroshi Inoue)
(7.2.0) Superuser ID now fixed at 1 (Peter Eisentraut)
(7.2.0) New pg_ctl "reload" option (Tom Lane)
(7.2.0,8.1.1,7.2.1) Optimizer improvements (Tom Lane)
(7.2.0) New histogram column statistics for optimizer (Tom Lane)
(7.2.0) Reuse write-ahead log files rather than discarding them (Tom Lane)
(7.2.0) Cache improvements (Tom Lane)
(7.2.0) IS NULL, IS NOT NULL optimizer improvement (Tom Lane)
(7.2.0) Improve lock manager to reduce lock contention (Tom Lane)
(7.2.0) Keep relcache entries for index access support functions (Tom Lane)
(7.2.0) Allow better selectivity with NaN and infinities in NUMERIC (Tom Lane)
(7.2.0) R-tree performance improvements (Kenneth Been)
(7.2.0) B-tree splits more efficient (Tom Lane)
(7.2.0) Change UPDATE, DELETE privileges to be distinct (Peter Eisentraut)
(7.2.0) New REFERENCES, TRIGGER privileges (Peter Eisentraut)
(7.2.0) Allow GRANT/REVOKE to/from more than one user at a time (Peter E)
(7.2.0) New has_table_privilege() function (Joe Conway)
(7.2.0) Allow non-superuser to vacuum database (Tom Lane)
(7.2.0) New SET SESSION AUTHORIZATION command (Peter Eisentraut)
(7.2.0) Fix bug in privilege modifications on newly created tables (Tom Lane)
(7.2.0) Disallow access to pg_statistic for non-superuser, add user-accessible views (Tom Lane)
(7.2.0) Fork postmaster before doing authentication to prevent hangs (Peter Eisentraut)
(7.2.0) Add ident authentication over Unix domain sockets on Linux, *BSD (Helge Bahmann, Oliver Elphick, Teodor Sigaev, Bruce Momjian)
(7.2.0) Add a password authentication method that uses MD5 encryption (Bruce Momjian)
(7.2.0) Allow encryption of stored passwords using MD5 (Bruce Momjian)
(7.2.0) PAM authentication (Dominic J. Eidson)
(7.2.0) Load pg_hba.conf and pg_ident.conf only on startup and SIGHUP (Bruce Momjian)
(7.2.0) Interpretation of some time zone abbreviations as Australian rather than North American now settable at run time (Bruce Momjian)
(7.2.0) New parameter to set default transaction isolation level (Peter E)
(7.2.0) New parameter to enable conversion of "expr = NULL" into "expr IS NULL", off by default (Peter Eisentraut)
(7.2.0) New parameter to control memory usage by VACUUM (Tom Lane)
(7.2.0) New parameter to set client authentication timeout (Tom Lane)
(7.2.0) New parameter to set maximum number of open files (Tom Lane)
(7.2.0) Statements added by INSERT rules now execute after the INSERT (Jan Wieck)
(7.2.0) Prevent unadorned relation names in target list (Bruce Momjian)
(7.2.0) NULLs now sort after all normal values in ORDER BY (Tom Lane)
(7.2.0) New IS UNKNOWN, IS NOT UNKNOWN Boolean tests (Tom Lane)
(7.2.0) New SHARE UPDATE EXCLUSIVE lock mode (Tom Lane)
(7.2.0) New EXPLAIN ANALYZE command that shows run times and row counts (Martijn van Oosterhout)
(7.2.0) Fix problem with LIMIT and subqueries (Tom Lane)
(7.2.0) Fix for LIMIT, DISTINCT ON pushed into subqueries (Tom Lane)
(7.2.0) Fix nested EXCEPT/INTERSECT (Tom Lane)
(7.2.0) Fix SERIAL in temporary tables (Bruce Momjian)
(7.2.0) Allow temporary sequences (Bruce Momjian)
(7.2.0) Sequences now use int8 internally (Tom Lane)
(7.2.0) New SERIAL8 creates int8 columns with sequences, default still SERIAL4 (Tom Lane)
(7.2.0) Make OIDs optional using WITHOUT OIDS (Tom Lane)
(7.2.0) Add %TYPE syntax to CREATE TYPE (Ian Lance Taylor)
(7.2.0) Add ALTER TABLE / DROP CONSTRAINT for CHECK constraints (Christopher Kings-Lynne)
(7.2.0) New CREATE OR REPLACE FUNCTION to alter existing function (preserving the function OID) (Gavin Sherry)
(7.2.0) Add ALTER TABLE / ADD [ UNIQUE | PRIMARY ] (Christopher Kings-Lynne)
(7.2.0) Allow column renaming in views
(7.2.0) Make ALTER TABLE / RENAME COLUMN update column names of indexes (Brent Verner)
(7.2.0) Fix for ALTER TABLE / ADD CONSTRAINT ... CHECK with inherited tables (Stephan Szabo)
(7.2.0) ALTER TABLE RENAME update foreign-key trigger arguments correctly (Brent Verner)
(7.2.0) DROP AGGREGATE and COMMENT ON AGGREGATE now accept an aggtype (Tom Lane)
(7.2.0) Add automatic return type data casting for SQL functions (Tom Lane)
(7.2.0) Allow GiST indexes to handle NULLs and multikey indexes (Oleg Bartunov, Teodor Sigaev, Tom Lane)
(7.2.0) Enable partial indexes (Martijn van Oosterhout)
(7.2.0) Add RESET ALL, SHOW ALL (Marko Kreen)
(7.2.0) CREATE/ALTER USER/GROUP now allow options in any order (Vince Vielhaber)
(7.2.0) Add LOCK A, B, C functionality (Neil Padgett)
(7.2.0) New ENCRYPTED/UNENCRYPTED option to CREATE/ALTER USER (Bruce Momjian)
(7.2.0) New light-weight VACUUM does not lock table; old semantics are available as VACUUM FULL (Tom Lane)
(7.2.0) Disable COPY TO/FROM on views (Bruce Momjian)
(7.2.0) COPY DELIMITERS string must be exactly one character (Tom Lane)
(7.2.0) VACUUM warning about index tuples fewer than heap now only appears when appropriate (Martijn van Oosterhout)
(7.2.0) Fix privilege checks for CREATE INDEX (Tom Lane)
(7.2.0) Disallow inappropriate use of CREATE/DROP INDEX/TRIGGER/VIEW (Tom Lane)
(7.2.0) SUM(), AVG(), COUNT() now uses int8 internally for speed (Tom Lane)
(7.2.0) Add convert(), convert2() (Tatsuo Ishii)
(7.2.0) New function bit_length() (Peter Eisentraut)
(7.2.0) Make the "n" in CHAR(n)/VARCHAR(n) represents letters, not bytes (Tatsuo Ishii)
(7.2.0) CHAR(), VARCHAR() now reject strings that are too long (Peter E)
(7.2.0) BIT VARYING now rejects bit strings that are too long (Peter E)
(7.2.0) BIT now rejects bit strings that do not match declared size (Peter Eisentraut)
(7.2.0) INET, CIDR text conversion functions (Alex Pilosov)
(7.2.0) INET, CIDR operators << and <<= indexable (Alex Pilosov)
(7.2.0) Bytea \### now requires valid three digit octal number
(7.2.0) Bytea comparison improvements, now supports =, <>, >, >=, <, and <=
(7.2.0) Bytea now supports B-tree indexes
(7.2.0) Bytea now supports LIKE, LIKE...ESCAPE, NOT LIKE, NOT LIKE...ESCAPE
(7.2.0) Bytea now supports concatenation
(7.2.0) New bytea functions: position, substring, trim, btrim, and length
(7.2.0) New encode() function mode, "escaped", converts minimally escaped bytea to/from text
(7.2.0) Add pg_database_encoding_max_length() (Tatsuo Ishii)
(7.2.0) Add pg_client_encoding() function (Tatsuo Ishii)
(7.2.0) now() returns time with millisecond precision (Thomas Lockhart)
(7.2.0) New TIMESTAMP WITHOUT TIMEZONE data type (Thomas Lockhart)
(7.2.0) Add ISO date/time specification with "T", yyyy-mm-ddThh:mm:ss (Thomas Lockhart)
(7.2.0) New xid/int comparison functions (Hiroshi Inoue)
(7.2.0) Add precision to TIME, TIMESTAMP, and INTERVAL data types (Thomas Lockhart)
(7.2.0) Modify type coercion logic to attempt binary-compatible functions first (Tom Lane)
(7.2.0) New encode() function installed by default (Marko Kreen)
(7.2.0) Improved to_*() conversion functions (Karel Zak)
(7.2.0) Optimize LIKE/ILIKE when using single-byte encodings (Tatsuo Ishii)
(7.2.0) New functions in contrib/pgcrypto: crypt(), hmac(), encrypt(), gen_salt() (Marko Kreen)
(7.2.0) Correct description of translate() function (Bruce Momjian)
(7.2.0) Add INTERVAL argument for SET TIME ZONE (Thomas Lockhart)
(7.2.0) Add INTERVAL YEAR TO MONTH (etc.) syntax (Thomas Lockhart)
(7.2.0) Optimize length functions when using single-byte encodings (Tatsuo Ishii)
(7.2.0) Fix path_inter, path_distance, path_length, dist_ppath to handle closed paths (Curtis Barrett, Tom Lane)
(7.2.0) octet_length(text) now returns non-compressed length (Tatsuo Ishii, Bruce Momjian)
(7.2.0) Handle "July" full name in date/time literals (Greg Sabino Mullane)
(7.2.0) Some datatype() function calls now evaluated differently
(7.2.0) Add support for Julian and ISO time specifications (Thomas Lockhart)
(7.2.0) National language support in psql, pg_dump, libpq, and server (Peter Eisentraut)
(7.2.0) Message translations in Chinese (simplified, traditional), Czech, French, German, Hungarian, Russian, Swedish (Peter Eisentraut, Serguei A. Mokhov, Karel Zak, Weiping He, Zhenbang Wei, Kovacs Zoltan)
(7.2.0) Make trim, ltrim, rtrim, btrim, lpad, rpad, translate multibyte aware (Tatsuo Ishii)
(7.2.0) Add LATIN5,6,7,8,9,10 support (Tatsuo Ishii)
(7.2.0) Add ISO 8859-5,6,7,8 support (Tatsuo Ishii)
(7.2.0) Correct LATIN5 to mean ISO-8859-9, not ISO-8859-5 (Tatsuo Ishii)
(7.2.0) Make mic2ascii() non-ASCII aware (Tatsuo Ishii)
(7.2.0) Reject invalid multibyte character sequences (Tatsuo Ishii)
(7.2.0) Now uses portals for SELECT loops, allowing huge result sets (Jan Wieck)
(7.2.0) CURSOR and REFCURSOR support (Jan Wieck)
(7.2.0) Can now return open cursors (Jan Wieck)
(7.2.0) Add ELSEIF (Klaus Reger)
(7.2.0) Improve PL/pgSQL error reporting, including location of error (Tom Lane)
(7.2.0) Allow IS or FOR key words in cursor declaration, for compatibility (Bruce Momjian)
(7.2.0) Fix for SELECT ... FOR UPDATE (Tom Lane)
(7.2.0) Fix for PERFORM returning multiple rows (Tom Lane)
(7.2.0) Make PL/pgSQL use the server's type coercion code (Tom Lane)
(7.2.0) Memory leak fix (Jan Wieck, Tom Lane)
(7.2.0) Make trailing semicolon optional (Tom Lane)
(7.2.0) New untrusted PL/Perl (Alex Pilosov)
(7.2.0) PL/Perl is now built on some platforms even if libperl is not shared (Peter Eisentraut)
(7.2.0) Now reports errorInfo (Vsevolod Lobko)
(7.2.0) Add spi_lastoid function (bob@redivi.com)
(7.2.0) ...is new (Andrew Bosma)
(7.2.0) \d displays indexes in unique, primary groupings (Christopher Kings-Lynne)
(7.2.0) Allow trailing semicolons in backslash commands (Greg Sabino Mullane)
(7.2.0) Read password from /dev/tty if possible
(7.2.0) Force new password prompt when changing user and database (Tatsuo Ishii, Tom Lane)
(7.2.0) Format the correct number of columns for Unicode (Patrice Hédé)
(7.2.0) New function PQescapeString() to escape quotes in command strings (Florian Weimer)
(7.2.0) New function PQescapeBytea() escapes binary strings for use as SQL string literals
(7.2.0) Return OID of INSERT (Ken K)
(7.2.0) Handle more data types (Ken K)
(7.2.0) Handle single quotes and newlines in strings (Ken K)
(7.2.0) Handle NULL variables (Ken K)
(7.2.0) Fix for time zone handling (Barry Lind)
(7.2.0) Improved Druid support
(7.2.0) Allow eight-bit characters with non-multibyte server (Barry Lind)
(7.2.0) Support BIT, BINARY types (Ned Wolpert)
(7.2.0) Reduce memory usage (Michael Stephens, Dave Cramer)
(7.2.0) Update DatabaseMetaData (Peter Eisentraut)
(7.2.0) Add DatabaseMetaData.getCatalogs() (Peter Eisentraut)
(7.2.0) Encoding fixes (Anders Bengtsson)
(7.2.0) Get/setCatalog methods (Jason Davies)
(7.2.0) DatabaseMetaData.getColumns() now returns column defaults (Jason Davies)
(7.2.0) DatabaseMetaData.getColumns() performance improvement (Jeroen van Vianen)
(7.2.0) Some JDBC1 and JDBC2 merging (Anders Bengtsson)
(7.2.0) Transaction performance improvements (Barry Lind)
(7.2.0) Array fixes (Greg Zoller)
(7.2.0) Serialize addition
(7.2.0) Fix batch processing (Rene Pijlman)
(7.2.0) ExecSQL method reorganization (Anders Bengtsson)
(7.2.0) GetColumn() fixes (Jeroen van Vianen)
(7.2.0) Fix isWriteable() function (Rene Pijlman)
(7.2.0) Improved passage of JDBC2 conformance tests (Rene Pijlman)
(7.2.0) Add bytea type capability (Barry Lind)
(7.2.0) Add isNullable() (Rene Pijlman)
(7.2.0) JDBC date/time test suite fixes (Liam Stewart)
(7.2.0) Fix for SELECT 'id' AS xxx FROM table (Dave Cramer)
(7.2.0) Fix DatabaseMetaData to show precision properly (Mark Lillywhite)
(7.2.0) New getImported/getExported keys (Jason Davies)
(7.2.0) MD5 password encryption support (Jeremy Wohl)
(7.2.0) Fix to actually use type cache (Ned Wolpert)
(7.2.0) Remove query size limit (Hiroshi Inoue)
(7.2.0) Remove text field size limit (Hiroshi Inoue)
(7.2.0) Fix for SQLPrimaryKeys in multibyte mode (Hiroshi Inoue)
(7.2.0) Allow ODBC procedure calls (Hiroshi Inoue)
(7.2.0) Improve boolean handing (Aidan Mountford)
(7.2.0) Most configuration options now settable via DSN (Hiroshi Inoue)
(7.2.0) Multibyte, performance fixes (Hiroshi Inoue)
(7.2.0) Allow driver to be used with iODBC or unixODBC (Peter Eisentraut)
(7.2.0) MD5 password encryption support (Bruce Momjian)
(7.2.0) Add more compatibility functions to odbc.sql (Peter Eisentraut)
(7.2.0) EXECUTE ... INTO implemented (Christof Petig)
(7.2.0) Multiple row descriptor support (e.g. CARDINALITY) (Christof Petig)
(7.2.0) Fix for GRANT parameters (Lee Kindness)
(7.2.0) Fix INITIALLY DEFERRED bug
(7.2.0) Various bug fixes (Michael Meskes, Christof Petig)
(7.2.0) Auto allocation for indicator variable arrays (int *ind_p=NULL)
(7.2.0) Auto allocation for string arrays (char **foo_pp=NULL)
(7.2.0) ECPGfree_auto_mem fixed
(7.2.0) All function names with external linkage are now prefixed by ECPG
(7.2.0) Fixes for arrays of structures (Michael Meskes)
(7.2.0) Python fix fetchone() (Gerhard Haring)
(7.2.0) Use UTF, Unicode in Tcl where appropriate (Vsevolod Lobko, Reinhard Max)
(7.2.0) Add Tcl COPY TO/FROM (ljb)
(7.2.0) Prevent output of default index op class in pg_dump (Tom Lane)
(7.2.0) Fix libpgeasy memory leak (Bruce Momjian)
(7.2.0) Configure, dynamic loader, and shared library fixes (Peter E)
(7.2.0) Fixes in QNX 4 port (Bernd Tegge)
(7.2.0) Fixes in Cygwin and Windows ports (Jason Tishler, Gerhard Haring, Dmitry Yurtaev, Darko Prenosil, Mikhail Terekhov)
(7.2.0) Fix for Windows socket communication failures (Magnus Hagander, Mikhail Terekhov)
(7.2.0) Hurd compile fix (Oliver Elphick)
(7.2.0) BeOS fixes (Cyril Velter)
(7.2.0) Remove configure --enable-unicode-conversion, now enabled by multibyte (Tatsuo Ishii)
(7.2.0) AIX fixes (Tatsuo Ishii, Andreas Andreas Zeugswetter)
(7.2.0) Fix parallel make (Peter Eisentraut)
(7.2.0) Install SQL language manual pages into OS-specific directories (Peter Eisentraut)
(7.2.0) Rename config.h to pg_config.h (Peter Eisentraut)
(7.2.0) Reorganize installation layout of header files (Peter Eisentraut)
(7.2.0) Remove SEP_CHAR (Bruce Momjian)
(7.2.0) New GUC hooks (Tom Lane)
(7.2.0) Merge GUC and command line handling (Marko Kreen)
(7.2.0) Remove EXTEND INDEX (Martijn van Oosterhout, Tom Lane)
(7.2.0) New pgjindent utility to indent java code (Bruce Momjian)
(7.2.0) Remove define of true/false when compiling under C++ (Leandro Fanzone, Tom Lane)
(7.2.0) pgindent fixes (Bruce Momjian, Tom Lane)
(7.2.0) Replace strcasecmp() with strcmp() where appropriate (Peter E)
(7.2.0) Dynahash portability improvements (Tom Lane)
(7.2.0) Add 'volatile' usage in spinlock structures
(7.2.0) Improve signal handling logic (Tom Lane)
(7.2.0) New contrib/rtree_gist (Oleg Bartunov, Teodor Sigaev)
(7.2.0) New contrib/tsearch full-text indexing (Oleg Bartunov, Teodor Sigaev)
(7.2.0) Add contrib/dblink for remote database access (Joe Conway)
(7.2.0) contrib/ora2pg Oracle conversion utility (Gilles Darold)
(7.2.0) contrib/xml XML conversion utility (John Gray)
(7.2.0) contrib/fulltextindex fixes (Christopher Kings-Lynne)
(7.2.0) New contrib/fuzzystrmatch with levenshtein and metaphone, soundex merged (Joe Conway)
(7.2.0) Add contrib/intarray boolean queries, binary search, fixes (Oleg Bartunov)
(7.2.0) New pg_upgrade utility (Bruce Momjian)
(7.2.0) Add new pg_resetxlog options (Bruce Momjian, Tom Lane)
Release date: 2001-08-15
A dump/restore is not required for those running 7.1.X.
Release date: 2001-05-11
This has one fix from 7.1.1.
A dump/restore is not required for those running 7.1.X.
Release date: 2001-05-05
This has a variety of fixes from 7.1.
A dump/restore is not required for those running 7.1.
Release date: 2001-04-13
This release focuses on removing limitations that have existed in the PostgreSQL code for many years.
Major changes in this release:
To maintain database consistency in case of an operating system crash, previous releases of PostgreSQL have forced all data modifications to disk before each transaction commit. With WAL, only one log file must be flushed to disk, greatly improving performance. If you have been using -F in previous releases to disable disk flushes, you might want to consider discontinuing its use.
TOAST - Previous releases had a compiled-in row length limit, typically 8k - 32k. This limit made storage of long text fields difficult. With TOAST, long rows of any length can be stored with good performance.
We now support outer joins. The UNION/NOT IN workaround for outer joins is no longer required. We use the SQL92 outer join syntax.
The previous C function manager did not handle null values properly, nor did it support 64-bit CPU's (Alpha). The new function manager does. You can continue using your old custom functions, but you might want to rewrite them in the future to use the new function manager call interface.
A large number of complex queries that were unsupported in previous releases now work. Many combinations of views, aggregates, UNION, LIMIT, cursors, subqueries, and inherited tables now work properly. Inherited tables are now accessed by default. Subqueries in FROM are now supported.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Release date: 2000-11-11
This has a variety of fixes from 7.0.2.
A dump/restore is not required for those running 7.0.*.
Release date: 2000-06-05
This is a repackaging of 7.0.1 with added documentation.
A dump/restore is not required for those running 7.*.
Added documentation to tarball.
Release date: 2000-06-01
This is a cleanup release for 7.0.
A dump/restore is not required for those running 7.0.
Release date: 2000-05-08
This release contains improvements in many areas, demonstrating the continued growth of PostgreSQL. There are more improvements and fixes in 7.0 than in any previous release. The developers have confidence that this is the best release yet; we do our best to put out only solid releases, and this one is no exception.
Major changes in this release:
Foreign keys are now implemented, with the exception of PARTIAL MATCH foreign keys. Many users have been asking for this feature, and we are pleased to offer it.
Continuing on work started a year ago, the optimizer has been improved, allowing better query plan selection and faster performance with less memory usage.
psql, our interactive terminal monitor, has been updated with a variety of new features. See the psql manual page for details.
SQL92 join syntax is now supported, though only as INNER JOIN for this release. JOIN, NATURAL JOIN, JOIN/USING, and JOIN/ON are available, as are column correlation names.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release of PostgreSQL. For those upgrading from 6.5.*, you can instead use pg_upgrade to upgrade to this release; however, a full dump/reload installation is always the most robust method for upgrades.
Interface and compatibility issues to consider for the new release include:
(7.0.0) The date/time types datetime and timespan have been superseded by the SQL92-defined types timestamp and interval. Although there has been some effort to ease the transition by allowing PostgreSQL to recognize the deprecated type names and translate them to the new type names, this mechanism cannot be completely transparent to your existing application.
(7.0.0) The optimizer has been substantially improved in the area of query cost estimation. In some cases, this will result in decreased query times as the optimizer makes a better choice for the preferred plan. However, in a small number of cases, usually involving pathological distributions of data, your query times might go up. If you are dealing with large amounts of data, you might want to check your queries to verify performance.
(7.0.0) The JDBC and ODBC interfaces have been upgraded and extended.
(7.0.0) The string function CHAR_LENGTH
is
now a native function. Previous versions translated this into a
call to LENGTH
, which could result in
ambiguity with other types implementing LENGTH
such as the geometric types.
<jens@jens.de>
)
<mascarim@yahoo.com>
)
<gatgul@voicenet.com>
<lamj@stat.cmu.edu>
)
Release date: 1999-10-13
This is basically a cleanup release for 6.5.2. We have added a new PgAccess that was missing in 6.5.2, and installed an NT-specific fix.
A dump/restore is not required for those running 6.5.*.
Updated version of pgaccess 0.98 NT-specific patch Fix dumping rules on inherited tables
Release date: 1999-09-15
This is basically a cleanup release for 6.5.1. We have fixed a variety of problems reported by 6.5.1 users.
A dump/restore is not required for those running 6.5.*.
Release date: 1999-07-15
This is basically a cleanup release for 6.5. We have fixed a variety of problems reported by 6.5 users.
A dump/restore is not required for those running 6.5.
Release date: 1999-06-09
This release marks a major step in the development team's mastery of the source code we inherited from Berkeley. You will see we are now easily adding major features, thanks to the increasing size and experience of our world-wide development team.
Here is a brief summary of the more notable changes:
This removes our old table-level locking, and replaces it with a locking system that is superior to most commercial database systems. In a traditional system, each row that is modified is locked until committed, preventing reads by other users. MVCC uses the natural multiversion nature of PostgreSQL to allow readers to continue reading consistent data during writer activity. Writers continue to use the compact pg_log transaction system. This is all performed without having to allocate a lock for every row like traditional database systems. So, basically, we no longer are restricted by simple table-level locking; we have something better than row-level locking.
pg_dump takes advantage of the new MVCC features to give a consistent database dump/backup while the database stays online and available for queries.
We now have a true numeric data type, with user-specified precision.
Temporary tables are guaranteed to have unique names within a database session, and are destroyed on session exit.
We now have CASE, INTERSECT, and EXCEPT statement support. We have new LIMIT/OFFSET, SET TRANSACTION ISOLATION LEVEL, SELECT ... FOR UPDATE, and an improved LOCK TABLE command.
We continue to speed up PostgreSQL, thanks to the variety of talents within our team. We have sped up memory allocation, optimization, table joins, and row transfer routines.
We continue to expand our port list, this time including Windows NT/ix86 and NetBSD/arm32.
Most interfaces have new versions, and existing functionality has been improved.
New and updated material is present throughout the documentation. New FAQs have been contributed for SGI and AIX platforms. The Tutorial has introductory information on SQL from Stefan Simkovics. For the User's Guide, there are reference pages covering the postmaster and more utility programs, and a new appendix contains details on date/time behavior. The Administrator's Guide has a new chapter on troubleshooting from Tom Lane. And the Programmer's Guide has a description of query processing, also from Stefan Simkovics, and details on obtaining the PostgreSQL source tree via anonymous CVS and CVSup.
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release of PostgreSQL. pg_upgrade can not be used to upgrade to this release because the on-disk structure of the tables has changed compared to previous releases.
The new Multiversion Concurrency Control (MVCC) features can give somewhat different behaviors in multiuser environments. Read and understand the following section to ensure that your existing applications will give you the behavior you need.
Because readers in 6.5 don't lock data, regardless of transaction isolation level, data read by one transaction can be overwritten by another. In other words, if a row is returned by SELECT it doesn't mean that this row really exists at the time it is returned (i.e. sometime after the statement or transaction began) nor that the row is protected from being deleted or updated by concurrent transactions before the current transaction does a commit or rollback.
To ensure the actual existence of a row and protect it against concurrent updates one must use SELECT FOR UPDATE or an appropriate LOCK TABLE statement. This should be taken into account when porting applications from previous releases of PostgreSQL and other environments.
Keep the above in mind if you are using contrib/refint.* triggers for referential integrity. Additional techniques are required now. One way is to use LOCK parent_table IN SHARE ROW EXCLUSIVE MODE command if a transaction is going to update/delete a primary key and use LOCK parent_table IN SHARE MODE command if a transaction is going to update/insert a foreign key.
Note: Note that if you run a transaction in SERIALIZABLE mode then you must execute the LOCK commands above before execution of any DML statement (SELECT/INSERT/DELETE/UPDATE/FETCH/COPY_TO) in the transaction.
These inconveniences will disappear in the future when the ability to read dirty (uncommitted) data (regardless of isolation level) and true referential integrity will be implemented.
Release date: 1998-12-20
The 6.4.1 release was improperly packaged. This also has one additional bug fix.
A dump/restore is not required for those running 6.4.*.
Fix for datetime constant problem on some platforms (Thomas Lockhart)
Release date: 1998-12-18
This is basically a cleanup release for 6.4. We have fixed a variety of problems reported by 6.4 users.
A dump/restore is not required for those running 6.4.
Release date: 1998-10-30
There are many new features and improvements in this release. Thanks to our developers and maintainers, nearly every aspect of the system has received some attention since the previous release. Here is a brief, incomplete summary:
(6.4.0) Views and rules are now functional thanks to extensive new code in the rewrite rules system from Jan Wieck. He also wrote a chapter on it for the Programmer's Guide.
(6.4.0) Jan also contributed a second procedural language, PL/pgSQL, to go with the original PL/pgTCL procedural language he contributed last release.
(6.4.0) We have optional multiple-byte character set support from Tatsuo Ishii to complement our existing locale support.
(6.4.0) Client/server communications has been cleaned up, with better support for asynchronous messages and interrupts thanks to Tom Lane.
(6.4.0) The parser will now perform automatic type coercion to match arguments to available operators and functions, and to match columns and expressions with target columns. This uses a generic mechanism which supports the type extensibility features of PostgreSQL. There is a new chapter in the User's Guide which covers this topic.
(6.4.0) Three new data types have been added. Two types, inet and cidr, support various forms of IP network, subnet, and machine addressing. There is now an 8-byte integer type available on some platforms. See the chapter on data types in the User's Guide for details. A fourth type, serial, is now supported by the parser as an amalgam of the int4 type, a sequence, and a unique index.
(6.4.0) Several more SQL92-compatible syntax features have been added, including INSERT DEFAULT VALUES
(6.4.0) The automatic configuration and installation system has received some attention, and should be more robust for more platforms than it has ever been.
A dump/restore using pg_dump or pg_dumpall is required for those wishing to migrate data from any previous release of PostgreSQL.
Release date: 1998-04-07
This is a bug-fix release for 6.3.x. Refer to the release notes for version 6.3 for a more complete summary of new features.
Summary:
(6.3.2) Repairs automatic configuration support for some platforms, including Linux, from breakage inadvertently introduced in version 6.3.1.
(6.3.2) Correctly handles function calls on the left side of BETWEEN and LIKE clauses.
A dump/restore is NOT required for those running 6.3 or 6.3.1. A make distclean, make, and make install is all that is required. This last step should be performed while the postmaster is not running. You should re-link any custom applications that use PostgreSQL libraries.
For upgrades from pre-6.3 installations, refer to the installation and migration instructions for version 6.3.
Release date: 1998-03-23
Summary:
(6.3.1) Additional support for multibyte character sets.
(6.3.1) Repair byte ordering for mixed-endian clients and servers.
(6.3.1) Minor updates to allowed SQL syntax.
(6.3.1) Improvements to the configuration autodetection for installation.
A dump/restore is NOT required for those running 6.3. A make distclean, make, and make install is all that is required. This last step should be performed while the postmaster is not running. You should re-link any custom applications that use PostgreSQL libraries.
For upgrades from pre-6.3 installations, refer to the installation and migration instructions for version 6.3.
Release date: 1998-03-01
There are many new features and improvements in this release. Here is a brief, incomplete summary:
(6.3.0) Many new SQL features, including full SQL92 subselect capability (everything is here but target-list subselects).
(6.3.0) Support for client-side environment variables to specify time zone and date style.
(6.3.0) Socket interface for client/server connection. This is the default now so you might need to start postmaster with the -i flag.
(6.3.0) Better password authorization mechanisms. Default table privileges have changed.
(6.3.0) Old-style time travel has been removed. Performance has been improved.
Note: Bruce Momjian wrote the following notes to introduce the new release.
There are some general 6.3 issues that I want to mention. These are only the big items that cannot be described in one sentence. A review of the detailed changes list is still needed.
First, we now have subselects. Now that we have them, I would like to mention that without subselects, SQL is a very limited language. Subselects are a major feature, and you should review your code for places where subselects provide a better solution for your queries. I think you will find that there are more uses for subselects than you might think. Vadim has put us on the big SQL map with subselects, and fully functional ones too. The only thing you cannot do with subselects is to use them in the target list.
Second, 6.3 uses Unix domain sockets rather than TCP/IP by default. To enable connections from other machines, you have to use the new postmaster -i option, and of course edit pg_hba.conf. Also, for this reason, the format of pg_hba.conf has changed.
Third, char() fields will now allow faster access than varchar() or text. Specifically, the text and varchar() have a penalty for access to any columns after the first column of this type. char() used to also have this access penalty, but it no longer does. This might suggest that you redesign some of your tables, especially if you have short character columns that you have defined as varchar() or text. This and other changes make 6.3 even faster than earlier releases.
We now have passwords definable independent of any Unix file. There are new SQL USER commands. See the Administrator's Guide for more information. There is a new table, pg_shadow, which is used to store user information and user passwords, and it by default only SELECT-able by the postgres super-user. pg_user is now a view of pg_shadow, and is SELECT-able by PUBLIC. You should keep using pg_user in your application without changes.
User-created tables now no longer have SELECT privilege to PUBLIC by default. This was done because the ANSI standard requires it. You can of course GRANT any privileges you want after the table is created. System tables continue to be SELECT-able by PUBLIC.
We also have real deadlock detection code. No more sixty-second timeouts. And the new locking code implements a FIFO better, so there should be less resource starvation during heavy use.
Many complaints have been made about inadequate documentation in previous releases. Thomas has put much effort into many new manuals for this release. Check out the doc/ directory.
For performance reasons, time travel is gone, but can be implemented using triggers (see pgsql/contrib/spi/README). Please check out the new \d command for types, operators, etc. Also, views have their own privileges now, not based on the underlying tables, so privileges on them have to be set separately. Check /pgsql/interfaces for some new ways to talk to PostgreSQL.
This is the first release that really required an explanation for existing users. In many ways, this was necessary because the new release removes many limitations, and the work-arounds people were using are no longer needed.
A dump/restore using pg_dump or pg_dumpall is required for those wishing to migrate data from any previous release of PostgreSQL.
Release date: 1997-10-17
6.2.1 is a bug-fix and usability release on 6.2.
Summary:
(6.2.1) Allow strings to span lines, per SQL92.
(6.2.1) Include example trigger function for inserting user names on table updates.
This is a minor bug-fix release on 6.2. For upgrades from pre-6.2 systems, a full dump/reload is required. Refer to the 6.2 release notes for instructions.
This is a minor bug-fix release. A dump/reload is not required from version 6.2, but is required from any release prior to 6.2.
In upgrading from version 6.2, if you choose to dump/reload you will find that avg(money) is now calculated correctly. All other bug fixes take effect upon updating the executables.
Another way to avoid dump/reload is to use the following SQL command from psql to update the existing system table:
update pg_aggregate set aggfinalfn = 'cash_div_flt8' where aggname = 'avg' and aggbasetype = 790;
This will need to be done to every existing database, including template1.
Release date: 1997-10-02
A dump/restore is required for those wishing to migrate data from previous releases of PostgreSQL.
This migration requires a complete dump of the 6.1 database and a restore of the database in 6.2.
Note that the pg_dump and pg_dumpall utility from 6.2 should be used to dump the 6.1 database.
Those migrating from earlier 1.* releases should first upgrade to 1.09 because the COPY output format was improved from the 1.02 release.
Release date: 1997-07-22
This is a minor bug-fix release. A dump/reload is not required from version 6.1, but is required from any release prior to 6.1. Refer to the release notes for 6.1 for more details.
Release date: 1997-06-08
The regression tests have been adapted and extensively modified for the 6.1 release of PostgreSQL.
Three new data types (datetime, timespan, and circle) have been added to the native set of PostgreSQL types. Points, boxes, paths, and polygons have had their output formats made consistent across the data types. The polygon output in misc.out has only been spot-checked for correctness relative to the original regression output.
PostgreSQL 6.1 introduces a new, alternate optimizer which uses genetic algorithms. These algorithms introduce a random behavior in the ordering of query results when the query contains multiple qualifiers or multiple tables (giving the optimizer a choice on order of evaluation). Several regression tests have been modified to explicitly order the results, and hence are insensitive to optimizer choices. A few regression tests are for data types which are inherently unordered (e.g. points and time intervals) and tests involving those types are explicitly bracketed with set geqo to 'off' and reset geqo.
The interpretation of array specifiers (the curly braces around atomic values) appears to have changed sometime after the original regression tests were generated. The current ./expected/*.out files reflect this new interpretation, which might not be correct!
The float8 regression test fails on at least some platforms.
This is due to differences in implementations of pow()
and exp()
and
the signaling mechanisms used for overflow and underflow
conditions.
The "random" results in the random test should cause the "random" test to be "failed", since the regression tests are evaluated using a simple diff. However, "random" does not seem to produce random results on my test machine (Linux/gcc/i686).
This migration requires a complete dump of the 6.0 database and a restore of the database in 6.1.
Those migrating from earlier 1.* releases should first upgrade to 1.09 because the COPY output format was improved from the 1.02 release.
Release date: 1997-01-29
A dump/restore is required for those wishing to migrate data from previous releases of PostgreSQL.
This migration requires a complete dump of the 1.09 database and a restore of the database in 6.0.
Those migrating from earlier 1.* releases should first upgrade to 1.09 because the COPY output format was improved from the 1.02 release.
Release date: 1996-11-04
Sorry, we didn't keep track of changes from 1.02 to 1.09. Some of the changes listed in 6.0 were actually included in the 1.02.1 to 1.09 releases.
Release date: 1996-08-01
Here is a new migration file for 1.02.1. It includes the 'copy' change and a script to convert old ASCII files.
Note: The following notes are for the benefit of users who want to migrate databases from Postgres95 1.01 and 1.02 to Postgres95 1.02.1.
If you are starting afresh with Postgres95 1.02.1 and do not need to migrate old databases, you do not need to read any further.
In order to upgrade older Postgres95 version 1.01 or 1.02 databases to version 1.02.1, the following steps are required:
Start up a new 1.02.1 postmaster
Add the new built-in functions and operators of 1.02.1 to 1.01 or 1.02 databases. This is done by running the new 1.02.1 server against your own 1.01 or 1.02 database and applying the queries attached at the end of the file. This can be done easily through psql. If your 1.01 or 1.02 database is named testdb and you have cut the commands from the end of this file and saved them in addfunc.sql:
% psql testdb -f addfunc.sql
Those upgrading 1.02 databases will get a warning when executing the last two statements in the file because they are already present in 1.02. This is not a cause for concern.
If you are trying to reload a pg_dump or text-mode, copy tablename to stdout generated with a previous version, you will need to run the attached sed script on the ASCII file before loading it into the database. The old format used '.' as end-of-data, while '\.' is now the end-of-data marker. Also, empty strings are now loaded in as '' rather than NULL. See the copy manual page for full details.
sed 's/^\.$/\\./g' <in_file >out_file
If you are loading an older binary copy or non-stdout copy, there is no end-of-data character, and hence no conversion necessary.
-- following lines added by agc to reflect the case-insensitive -- regexp searching for varchar (in 1.02), and bpchar (in 1.02.1) create operator ~* (leftarg = bpchar, rightarg = text, procedure = texticregexeq); create operator !~* (leftarg = bpchar, rightarg = text, procedure = texticregexne); create operator ~* (leftarg = varchar, rightarg = text, procedure = texticregexeq); create operator !~* (leftarg = varchar, rightarg = text, procedure = texticregexne);
Release date: 1996-02-23
The following notes are for the benefit of users who want to migrate databases from Postgres95 1.0 to Postgres95 1.01.
If you are starting afresh with Postgres95 1.01 and do not need to migrate old databases, you do not need to read any further.
In order to Postgres95 version 1.01 with databases created with Postgres95 version 1.0, the following steps are required:
Set the definition of NAMEDATALEN in src/Makefile.global to 16 and OIDNAMELEN to 20.
Decide whether you want to use Host based authentication.
If you do, you must create a file name pg_hba in your top-level data directory (typically the value of your $PGDATA). src/libpq/pg_hba shows an example syntax.
If you do not want host-based authentication, you can comment out the line:
HBA = 1
in src/Makefile.global
Note that host-based authentication is turned on by default, and if you do not take steps A or B above, the out-of-the-box 1.01 will not allow you to connect to 1.0 databases.
Compile and install 1.01, but DO NOT do the initdb step.
Before doing anything else, terminate your 1.0 postmaster, and backup your existing $PGDATA directory.
Set your PGDATA environment variable to your 1.0 databases, but set up path up so that 1.01 binaries are being used.
Modify the file $PGDATA/PG_VERSION from 5.0 to 5.1
Start up a new 1.01 postmaster
Add the new built-in functions and operators of 1.01 to 1.0 databases. This is done by running the new 1.01 server against your own 1.0 database and applying the queries attached and saving in the file 1.0_to_1.01.sql. This can be done easily through psql. If your 1.0 database is name testdb:
% psql testdb -f 1.0_to_1.01.sql
and then execute the following commands (cut and paste from here):
-- add builtin functions that are new to 1.01 create function int4eqoid (int4, oid) returns bool as 'foo' language 'internal'; create function oideqint4 (oid, int4) returns bool as 'foo' language 'internal'; create function char2icregexeq (char2, text) returns bool as 'foo' language 'internal'; create function char2icregexne (char2, text) returns bool as 'foo' language 'internal'; create function char4icregexeq (char4, text) returns bool as 'foo' language 'internal'; create function char4icregexne (char4, text) returns bool as 'foo' language 'internal'; create function char8icregexeq (char8, text) returns bool as 'foo' language 'internal'; create function char8icregexne (char8, text) returns bool as 'foo' language 'internal'; create function char16icregexeq (char16, text) returns bool as 'foo' language 'internal'; create function char16icregexne (char16, text) returns bool as 'foo' language 'internal'; create function texticregexeq (text, text) returns bool as 'foo' language 'internal'; create function texticregexne (text, text) returns bool as 'foo' language 'internal'; -- add builtin functions that are new to 1.01 create operator = (leftarg = int4, rightarg = oid, procedure = int4eqoid); create operator = (leftarg = oid, rightarg = int4, procedure = oideqint4); create operator ~* (leftarg = char2, rightarg = text, procedure = char2icregexeq); create operator !~* (leftarg = char2, rightarg = text, procedure = char2icregexne); create operator ~* (leftarg = char4, rightarg = text, procedure = char4icregexeq); create operator !~* (leftarg = char4, rightarg = text, procedure = char4icregexne); create operator ~* (leftarg = char8, rightarg = text, procedure = char8icregexeq); create operator !~* (leftarg = char8, rightarg = text, procedure = char8icregexne); create operator ~* (leftarg = char16, rightarg = text, procedure = char16icregexeq); create operator !~* (leftarg = char16, rightarg = text, procedure = char16icregexne); create operator ~* (leftarg = text, rightarg = text, procedure = texticregexeq); create operator !~* (leftarg = text, rightarg = text, procedure = texticregexne);
Release date: 1995-09-05
Release date: 1995-07-21
Release date: 1995-05-25
Release date: 1995-05-01
Initial release.