Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
Allow the planner to apply potentially-leaky tests to child-table statistics, if the user can read the corresponding column of the table that's actually named in the query (Dilip Kumar, Amit Langote)
This change fixes a performance problem for partitioned tables that was created by the fix for CVE-2017-7484. That security fix disallowed applying leaky operators to statistics for columns that the current user doesn't have permission to read directly. However, it's somewhat common to grant permissions only on the parent partitioned table and not bother to do so on individual partitions. In such cases, the user can read the column via the parent, so there's no point in this security restriction; it only results in poorer planner estimates than necessary.
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)
Upgrade to 11.7 released on 2020-02-13
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
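A review query for the dependencies this fix is about, added here as an example and not part of the release notes. It lists every object marked with ALTER ... DEPENDS ON EXTENSION (recorded in pg_depend with deptype 'x') and flags those whose owner differs from the extension's owner, which are the rows worth checking on a server that ran an unpatched version.

```sql
-- Added example: audit objects marked as dependent on an extension.
-- All catalog names are schema-qualified so the result does not depend
-- on the session's search_path.
WITH marked AS (
    SELECT e.extname,
           e.extowner,
           d.classid,
           d.objid,
           d.objsubid,
           -- Resolve the owner of the dependent object by catalog:
           -- routines, relations (indexes, materialized views), triggers.
           CASE
               WHEN d.classid = 'pg_catalog.pg_proc'::pg_catalog.regclass THEN
                   (SELECT p.proowner
                      FROM pg_catalog.pg_proc p
                     WHERE p.oid = d.objid)
               WHEN d.classid = 'pg_catalog.pg_class'::pg_catalog.regclass THEN
                   (SELECT c.relowner
                      FROM pg_catalog.pg_class c
                     WHERE c.oid = d.objid)
               WHEN d.classid = 'pg_catalog.pg_trigger'::pg_catalog.regclass THEN
                   -- A trigger has no owner of its own; use its table's owner.
                   (SELECT c.relowner
                      FROM pg_catalog.pg_trigger t
                      JOIN pg_catalog.pg_class c ON c.oid = t.tgrelid
                     WHERE t.oid = d.objid)
           END AS objowner
      FROM pg_catalog.pg_depend d
      JOIN pg_catalog.pg_extension e ON e.oid = d.refobjid
     WHERE d.refclassid = 'pg_catalog.pg_extension'::pg_catalog.regclass
       AND d.deptype = 'x'          -- auto-extension dependency
)
SELECT extname                                                  AS extension,
       pg_catalog.pg_get_userbyid(extowner)                     AS extension_owner,
       pg_catalog.pg_describe_object(classid, objid, objsubid)  AS dependent_object,
       pg_catalog.pg_get_userbyid(objowner)                     AS object_owner,
       (objowner IS DISTINCT FROM extowner)                     AS owner_mismatch
  FROM marked
 ORDER BY owner_mismatch DESC, extension, dependent_object;
```

An owner mismatch is not proof of misuse, since the object's owner may have set the dependency deliberately; it marks objects that dropping the extension would remove on behalf of a different role.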
Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appropriate (Álvaro Herrera)
User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.
Fix logical replication subscriber code to execute per-column UPDATE triggers when appropriate (Peter Eisentraut)
Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
Fix possible crash or data corruption when a logical replication subscriber processes a row update (Tom Lane, Tomas Vondra)
This bug caused visible problems only if the subscriber's table contained columns that were not being copied from the publisher and had pass-by-reference data types.
Fix crash in logical replication subscriber after DDL changes on a subscribed relation (Jehan-Guillaume de Rorthais, Vignesh C)
Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
Ensure that the effect of pg_replication_slot_advance() on a physical replication slot will persist across restarts (Alexey Kondratov, Michael Paquier)
Improve efficiency of logical replication with REPLICA IDENTITY FULL (Konstantin Knizhnik)
When searching for an existing tuple during an update or delete operation, return the first matching tuple not the last one.
Ensure parallel plans are always shut down at the correct time (Kyotaro Horiguchi)
This oversight is known to result in “temporary file leak” warnings from multi-batch parallel hash joins.
Prevent premature shutdown of a Gather or GatherMerge plan node that is underneath a Limit node (Amit Kapila)
This avoids failure if such a plan node needs to be scanned more than once, as for instance if it is on the inside of a nestloop.
Improve efficiency of parallel hash join on CPUs with many cores (Gang Deng, Thomas Munro)
Avoid crash in parallel CREATE INDEX when there are no free dynamic shared memory slots (Thomas Munro)
Fall back to a non-parallel index build, instead.
Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
Ignore the CONCURRENTLY option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT action. There is no benefit in using CONCURRENTLY for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS (Tom Lane)
Fix possible crash in BRIN index operations with box, range and inet data types (Heikki Linnakangas)
Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
Fix possible crash with a SubPlan (sub-SELECT) within a multi-row VALUES list (Tom Lane)
Fix failure to insert default values for “missing” attributes during tuple conversion (Vik Fearing, Andrew Gierth)
This could result in values incorrectly reading as NULL, when they come from columns that had been added by ALTER TABLE ADD COLUMN with a constant default.
Fix crash after FileClose() failure (Noah Misch)
This issue could only be observed with data_sync_retry enabled, since otherwise FileClose() failure would be reported as a PANIC.
Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
Improve error reporting in to_date() and to_timestamp() (Tom Lane, Álvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
Fix off-by-one result for EXTRACT(ISOYEAR FROM timestamp) for BC dates (Tom Lane)
Avoid stack overflow in information_schema views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
Ensure that walsender processes always show NULL for transaction start time in pg_stat_activity (Álvaro Herrera)
Previously, the xact_start column would sometimes show the process start time.
Improve performance of hash joins with very large inner relations (Thomas Munro)
Fix placement of “Subplans Removed” field in EXPLAIN output (Daniel Gustafsson, Tom Lane)
In non-text output formats, this field was emitted inside the “Plans” sub-group, resulting in syntactically invalid output. Attach it to the parent Append or MergeAppend plan node as intended. This causes the field to change position in text output format too: if there are any InitPlans attached to the same plan node, “Subplans Removed” will now appear before those.
Allow the planner to apply potentially-leaky tests to child-table statistics, if the user can read the corresponding column of the table that's actually named in the query (Dilip Kumar, Amit Langote)
This change fixes a performance problem for partitioned tables that was created by the fix for CVE-2017-7484. That security fix disallowed applying leaky operators to statistics for columns that the current user doesn't have permission to read directly. However, it's somewhat common to grant permissions only on the parent partitioned table and not bother to do so on individual partitions. In such cases, the user can read the column via the parent, so there's no point in this security restriction; it only results in poorer planner estimates than necessary.
Fix edge-case crashes and misestimations in selectivity calculations for the <@ and @> range operators (Michael Paquier, Andrey Borodin, Tom Lane)
Ignore system columns when applying most-common-value extended statistics (Tomas Vondra)
This prevents “negative bitmapset member not allowed” planner errors for affected queries.
Fix BRIN index logic to support hypothetical BRIN indexes (Julien Rouhaud, Heikki Linnakangas)
Previously, if an “index adviser” extension tried to get the planner to produce a plan involving a hypothetical BRIN index, that would fail, because the BRIN cost estimation code would always try to physically access the index's metapage. Now it checks to see if the index is only hypothetical, and uses default assumptions about the index parameters if so.
Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
Disallow partition key expressions that return pseudo-types, such as record (Tom Lane)
Fix error reporting for index expressions of prohibited types (Amit Langote)
Fix dumping of views that contain only a VALUES list to handle cases where a view output column has been renamed (Tom Lane)
Ensure that data types and collations used in XMLTABLE constructs are accounted for when computing dependencies of a view or rule (Tom Lane)
Previously it was possible to break a view using XMLTABLE by dropping a type, if the type was not otherwise referenced in the view. This fix does not correct the dependencies already recorded for existing views, only for newly-created ones.
Prevent unwanted downcasing and truncation of RADIUS authentication parameters (Marcos David)
The pg_hba.conf parser mistakenly treated these fields as SQL identifiers, which in general they aren't.
Transmit incoming NOTIFY messages to the client before sending ReadyForQuery, rather than after (Tom Lane)
This change ensures that, with libpq and other client libraries that act similarly to it, any notifications received during a transaction will be available by the time the client thinks the transaction is complete. This probably makes no difference in practical applications (which would need to cope with asynchronous notifications in any case); but it makes it easier to build test cases with reproducible behavior.
Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
Fix incorrect handling of %b and %B format codes in ecpg's PGTYPEStimestamp_fmt_asc() function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
Apply more thorough syntax checking to createuser's --connection-limit option (Álvaro Herrera)
Cope with changes of the specific type referenced by a PL/pgSQL composite-type variable in more cases (Ashutosh Sharma, Tom Lane)
Dropping and re-creating the composite type referenced by a PL/pgSQL variable could lead to “could not open relation with OID NNNN” errors.
Avoid crash in postgres_fdw when trying to send a command like UPDATE remote_tab SET (x,y) = (SELECT ...) to the remote server (Tom Lane)
In contrib/dict_int, reject maxlen settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
Disallow NULL category values in contrib/tablefunc's crosstab() function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
Fix configure's probe for OpenSSL's SSL_clear_options() function so that it works with OpenSSL versions before 1.1.0 (Michael Paquier, Daniel Gustafsson)
This problem could lead to failure to set the SSL compression option as desired, when PostgreSQL is built against an old version of OpenSSL.
Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT, to allow extensions to access them on Windows (Pascal Legrand)
This applies to idle_in_transaction_session_timeout, lock_timeout, statement_timeout, track_activities, track_counts, and track_functions.
Avoid memory leak in sanity checks for “slab” memory contexts (Tomas Vondra)
This isn't an issue for production builds, since they wouldn't ordinarily have memory context checking enabled; but the leak could be quite severe in a debug build.
Fix multiple statistics entries reported by the LWLock statistics mechanism (Fujii Masao)
The LWLock statistics code (which is not built by default; it requires compiling with -DLWLOCK_STATS) could report multiple entries for the same LWLock and backend process, as a result of faulty hashtable key creation.
Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY, and perhaps other misbehavior.
On Windows, retry a few times after an ERROR_ACCESS_DENIED file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
Upgrade to 11.8 released on 2020-05-14
Propagate ALTER TABLE ... SET STORAGE to indexes (Peter Eisentraut)
Non-expression index columns have always copied the attstorage property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE is done, to maintain consistency.
Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby)
Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE (Quan Zongliang, Peter Eisentraut)
Lock objects sooner during DROP OWNED BY (Álvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same objects.
Fix error-case processing for CREATE ROLE ... IN ROLE (Andrew Gierth)
Some error cases would be reported as “unexpected node type” or the like, instead of the intended message.
Ensure that when a partition is detached, any triggers cloned from its formerly-parent table are removed (Justin Pryzby)
Ensure that unique indexes over partitioned tables match the equality semantics of the partitioning key (Guancheng Luo)
This would only be an issue with index opclasses that have unusual notions of equality, but it's wrong in theory, so check.
Ensure that members of the pg_read_all_stats role can read all statistics views, as expected (Magnus Hagander)
The functions underlying the pg_stat_progress_* views had not gotten this memo.
Repair performance regression in information_schema.triggers view (Tom Lane)
This patch redefines that view so that an outer WHERE clause constraining the table name can be pushed down into the view, allowing its calculations to be done only for triggers belonging to the table of interest rather than all triggers in the database. In a database with many triggers this would make a significant speed difference for queries of that form. Since things worked that way before v11, this is a potential performance regression. Users who find this to be a problem can fix it by replacing the view definition (or, perhaps, just deleting and reinstalling the whole information_schema schema).
Fix full text search to handle NOT above a phrase search correctly (Tom Lane)
Queries such as !(foo<->bar) failed to find matching rows when implemented as a GiST or GIN index search.
Fix full text search for cases where a phrase search includes an item with both prefix matching and a weight restriction (Tom Lane)
Fix ts_headline() to make better headline selections when working with phrase queries (Tom Lane)
Fix bugs in gin_fuzzy_search_limit processing (Adé Heyward, Tom Lane)
A small value of gin_fuzzy_search_limit could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
Allow input of type circle to accept the format “(x,y),r” as the documentation says it does (David Zhang)
Make the get_bit() and set_bit() functions cope with bytea strings longer than 256MB (Movead Li)
Since the bit number argument is only int4, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea. We'll widen the argument to int8 in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea.
Ignore file-not-found errors in pg_ls_waldir() and allied functions (Tom Lane)
This prevents a race condition failure if a file is removed between when we see its directory entry and when we attempt to stat() it.
Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir(), pg_timezone_names(), pg_tablespace_databases(), and allied functions (Justin Pryzby)
Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray output when given only an anyrange input (Tom Lane)
Avoid leakage of a hashed subplan's hash tables across multiple executions (Andreas Karlsson, Tom Lane)
This mistake could result in severe memory bloat if a query re-executed a hashed subplan enough times.
Avoid unlikely crash when REINDEX is terminated by a session-shutdown signal (Tom Lane)
Fix low-probability crash after constraint violation errors in partitioned tables (Andres Freund)
Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN (Konstantin Knizhnik, Tom Lane, Thomas Munro)
Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE (Tatsuhito Kasahara)
Fix possible undercounting of deleted B-tree index pages in VACUUM VERBOSE output (Peter Geoghegan)
Fix wrong bookkeeping for oldest deleted page in a B-tree index (Peter Geoghegan)
This could cause subtly wrong decisions about when VACUUM can skip an index cleanup scan; although it appears there may be no significant user-visible effects from that.
Ensure that TimelineHistoryRead and TimelineHistoryWrite wait states are reported in all code paths that read or write timeline history files (Masahiro Ikeda)
Avoid possibly showing “waiting” twice in a process's PS status (Masahiko Sawada)
Avoid failure if autovacuum tries to access a just-dropped temporary schema (Tom Lane)
This hazard only arises if a superuser manually drops a temporary schema; which isn't normal practice, but should work.
Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais)
WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi)
This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
Remove bogus “subtransaction logged without previous top-level txn record” error check in logical decoding (Arseny Sher, Amit Kapila)
This condition is legitimately reachable in various scenarios, so remove the check.
Ensure that a replication slot's io_in_progress_lock is released in failure code paths (Pavan Deolasee)
This could result in a walsender later becoming stuck waiting for the lock.
Fix race conditions in synchronous standby management (Tom Lane)
During a change in the synchronous_standby_names setting, there was a window in which wrong decisions could be made about whether it is OK to release transactions that are waiting for synchronous commit. Another hazard for similarly wrong decisions existed if a walsender process exited and was immediately replaced by another.
Ensure nextXid can't go backwards on a standby server (Eka Palamadai)
This race condition could allow incorrect hot standby feedback messages to be sent back to the primary server, potentially allowing VACUUM to run too soon on the primary.
Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
Fix memory leak in libpq when using sslmode=verify-full (Roman Peshkurov)
Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
Fix ecpg to treat an argument of just “-” as meaning “read from stdin” on all platforms (Tom Lane)
Allow tab-completion of the filename argument to psql's \gx command (Vik Fearing)
Add pg_dump support for ALTER ... DEPENDS ON EXTENSION (Álvaro Herrera)
pg_dump previously ignored dependencies added this way, causing them to be forgotten during dump/restore or pg_upgrade.
Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
In pg_dump, postpone restore of event triggers till the end (Fabrízio de Royes Mello, Hamid Akhtar, Tom Lane)
This minimizes the risk that an event trigger could interfere with the restoration of other objects.
Make pg_verify_checksums skip tablespace subdirectories that belong to a different PostgreSQL major version (Michael Banck, Bernd Helmle)
Such subdirectories don't really belong to our database cluster, and so must not be processed.
Ignore temporary copies of pg_internal.init in pg_verify_checksums and related programs (Michael Paquier)
Fix quoting of --encoding, --lc-ctype and --lc-collate values in createdb utility (Michael Paquier)
contrib/lo's lo_manage() function crashed if called directly rather than as a trigger (Tom Lane)
In contrib/ltree, protect against overflow of ltree and lquery length fields (Nikita Glukhov)
Work around failure in contrib/pageinspect's bt_metap() function when an oldest_xact value exceeds 2^31-1 (Peter Geoghegan)
Such XIDs will now be reported as negative integers, which isn't great but it beats throwing an error. v13 will widen the output argument to int8 to provide saner reporting.
Fix cache reference leak in contrib/sepgsql (Michael Luo)
Avoid failures when dealing with Unix-style locale names on Windows (Juan José Santamaría Flecha)
Use pkg-config, if available, to locate libxml2 during configure (Hugh McMaster, Tom Lane, Peter Eisentraut)
If pkg-config is not present or lacks knowledge of libxml2, we still query xml2-config as before.
This change could break build processes that try to make PostgreSQL use a non-default version of libxml2 by putting that version's xml2-config into the PATH. Instead, set XML2_CONFIG to point to the non-default xml2-config. That method will work with either older or newer PostgreSQL releases.
In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
In MSVC builds, use -Wno-deprecated with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan)
Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai.
The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link.
Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.
Upgrade to 11.9 released on 2020-08-13
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)
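A check for the precondition named above, added here as an example and not part of the release notes: for each installed extension it reports non-superuser roles that hold CREATE on the extension's target schema or on the schema of an extension it requires. Run it before installing or updating extensions as a superuser.

```sql
-- Added example: find schemas used by extensions in which a
-- non-superuser role is able to create objects.
-- Catalog names are schema-qualified so the query itself does not
-- depend on the session's search_path.
WITH ext_schemas AS (
    -- The extension's own target schema.
    SELECT e.extname,
           e.extnamespace     AS nspoid,
           'target'::text     AS schema_role
      FROM pg_catalog.pg_extension e
    UNION
    -- The schema of each prerequisite extension, taken from the
    -- extension-to-extension dependencies recorded in pg_depend.
    SELECT e.extname,
           p.extnamespace,
           'prerequisite: ' || p.extname
      FROM pg_catalog.pg_extension e
      JOIN pg_catalog.pg_depend d
        ON d.classid    = 'pg_catalog.pg_extension'::pg_catalog.regclass
       AND d.objid      = e.oid
       AND d.refclassid = 'pg_catalog.pg_extension'::pg_catalog.regclass
      JOIN pg_catalog.pg_extension p ON p.oid = d.refobjid
)
SELECT s.extname     AS extension,
       s.schema_role,
       n.nspname     AS schema_name,
       r.rolname     AS role_with_create
  FROM ext_schemas s
  JOIN pg_catalog.pg_namespace n ON n.oid = s.nspoid
  JOIN pg_catalog.pg_roles r
    ON NOT r.rolsuper
       -- has_schema_privilege() also accounts for grants to PUBLIC
       -- and for privileges inherited through role membership.
   AND pg_catalog.has_schema_privilege(r.oid, n.oid, 'CREATE')
 ORDER BY s.extname, n.nspname, r.rolname;
```

A non-superuser schema owner appears in the result because ownership implies CREATE; an empty result means only superusers can create objects in the schemas these extensions use.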
Fix edge cases in partition pruning (Etsuro Fujita, Dmitry Dolgov)
When there are multiple partition key columns, generation of pruning tests could misbehave if some columns had no constraining WHERE clauses or multiple constraining clauses. This could lead to server crashes, incorrect query results, or assertion failures.
Fix construction of parameterized BitmapAnd and BitmapOr index scans on the inside of partition-wise nestloop joins (Tom Lane)
A plan in which such a scan needed to use a value from the outside of the join would usually crash at execution.
In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Álvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues.
Fix firing of column-specific UPDATE triggers in logical replication subscribers (Tom Lane)
The code neglected to account for the possibility of column numbers being different between the publisher and subscriber tables, so that if those were indeed different, wrong decisions might be made about which triggers to fire.
Update oldest xmin and LSN values during pg_replication_slot_advance() (Michael Paquier)
This function previously failed to do that, possibly preventing resource cleanup (such as removal of no-longer-needed WAL segments) after manual advancement of a replication slot.
Fix slow execution of ts_headline() (Tom Lane)
The phrase-search fix added in our previous set of minor releases could cause ts_headline() to take unreasonable amounts of time for long documents; to make matters worse, the query was not cancellable within the troublesome loop.
Ensure the repeat() function can be interrupted by query cancel (Joe Conway)
Fix pg_current_logfile() to not include a carriage return (\r) in its result on Windows (Tom Lane)
Ensure that pg_read_file() and related functions read until EOF is reached (Joe Conway)
Previously, if not given a specific data length to read, these functions would stop at whatever file length was reported by stat(). That's unhelpful for pipes and other sorts of virtual files.
Fix mis-handling of NaN inputs during parallel aggregation on numeric-type columns (Tom Lane)
If some partial aggregation workers found only NaNs while others found only non-NaNs, the results were combined incorrectly, possibly leading to the wrong overall result (i.e., not NaN when it should be).
Reject time-of-day values greater than 24 hours (Tom Lane)
The intention of the datetime input code is to allow “24:00:00” or equivalently “23:59:60”, but no larger value. However, the range check was miscoded so that it would accept “23:59:60.nnn” with nonzero fractional-second nnn. In timestamp values this would result in wrapping into the first second of the next day. In time and timetz values, the stored value would actually be more than 24 hours, causing dump/reload failures and possibly other misbehavior.
Undo double-quoting of index names in EXPLAIN's non-text output formats (Tom Lane, Euler Taveira)
Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers in a plan using Gather Merge nodes (Jehan-Guillaume de Rorthais)
Fix timing of constraint revalidation in ALTER TABLE (David Rowley)
If ALTER TABLE needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK constraints, it sometimes did things in the wrong order, leading to odd errors such as “could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytes”.
Work around incorrect not-null markings for pg_subscription.subslotname and pg_subscription_rel.srsublsn (Tom Lane)
The bootstrap catalog data incorrectly marks these two catalog columns as always non-null. There's no easy way to correct that mistake in existing installations (though v13 and later will have the correct markings). The main place that depends on that marking being correct is JIT-enabled tuple deconstruction, so teach it to explicitly ignore the marking for these two columns. Also adjust some C code that accessed srsublsn without checking to see if it's null; a crash from that is improbable but perhaps not impossible.
Cope with LATERAL references in restriction clauses attached to an un-flattened sub-SELECT in the FROM clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution.
Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY.
Remove bogus warning about “leftover placeholder tuple” in BRIN index de-summarization (Álvaro Herrera)
The case can occur legitimately after a cancelled vacuum, so warning about it is overly noisy.
Fix selection of tablespaces for “shared fileset” temporary files (Magnus Hagander, Tom Lane)
If temp_tablespaces is empty or explicitly names the database's primary tablespace, such files got placed into the pg_default tablespace rather than the database's primary tablespace as expected.
Fix corner-case error in masking of SP-GiST index pages during WAL consistency checking (Alexander Korotkov)
This could cause false failure reports when wal_consistency_checking is enabled.
Improve error handling in the server's buffile module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate.
Fix conflict-checking anomalies in SERIALIZABLE isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error.
Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints is on.
Avoid trouble during cleanup of a non-exclusive backup when JIT compilation has been activated during the backup (Robert Haas)
Fix failure of some code paths to acquire the correct lock before modifying pg_control (Nathan Bossart, Fujii Masao)
This oversight could allow pg_control to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control update.
Fix errors in currtid() and currtid2() (Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as “could not open file” when applied to a relation having no storage.
Avoid calling elog() or palloc() while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock.
Fix assertion in logical replication subscriber to allow use of REPLICA IDENTITY FULL (Euler Taveira)
This was just an incorrect assertion, so it has no impact on standard production builds.
Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Álvaro Herrera)
Some code paths could produce silly reports like “could not write file: Success”.
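The “could not write file: Success” symptom typically arises when write() returns a short count without setting errno. The following is an added example, not PostgreSQL's own code; the write_fn type and the three simulated writers are hypothetical and constructed for illustration. It shows the naive check beside one that substitutes ENOSPC:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical writer signature so failures can be simulated without a full disk. */
typedef ssize_t (*write_fn)(int fd, const void *buf, size_t len);

/* Constructed stand-ins: a disk that fills after 4 bytes (short count, errno
 * untouched, as write() does), a hard I/O error, and a healthy device. */
static ssize_t short_writer(int fd, const void *buf, size_t len)
{ (void) fd; (void) buf; return len > 4 ? 4 : (ssize_t) len; }
static ssize_t eio_writer(int fd, const void *buf, size_t len)
{ (void) fd; (void) buf; (void) len; errno = EIO; return -1; }
static ssize_t full_writer(int fd, const void *buf, size_t len)
{ (void) fd; (void) buf; return (ssize_t) len; }

/* Before: trusts errno even though a short write never set it.
 * *err receives the errno value the error message would be built from. */
static int write_naive(write_fn w, int fd, const void *buf, size_t len, int *err)
{
    if (w(fd, buf, len) != (ssize_t) len) { *err = errno; return -1; }
    *err = 0;
    return 0;
}

/* After: clear errno first; a short count with errno still 0 means no space. */
static int write_checked(write_fn w, int fd, const void *buf, size_t len, int *err)
{
    errno = 0;
    if (w(fd, buf, len) != (ssize_t) len)
    {
        if (errno == 0)
            errno = ENOSPC;
        *err = errno;
        return -1;
    }
    *err = 0;
    return 0;
}

int main(void)
{
    int err;
    errno = 0;                      /* nothing has failed earlier in this process */
    write_naive(short_writer, 1, "12345678", 8, &err);
    printf("naive:   could not write file: %s\n", strerror(err));
    write_checked(short_writer, 1, "12345678", 8, &err);
    printf("checked: could not write file: %s\n", strerror(err));
    return 0;
}
```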
Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to “tuple concurrently updated” errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur.
Ensure that pg_upgrade runs with vacuum_defer_cleanup_age set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade.
Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume.
Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat().
Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage.
Fix contrib/amcheck to not complain about deleted index pages that are empty (Alexander Korotkov)
This state of affairs is normal during WAL replay.
Fix failure to initialize local state correctly in contrib/dblink (Joe Conway)
With the right combination of circumstances, this could lead to dblink_close() issuing an unexpected remote COMMIT.
Fix contrib/pgcrypto's misuse of deflate() (Tom Lane)
The pgp_sym_encrypt functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation.
Fix corner case in decompression logic in contrib/pgcrypto's pgp_sym_decrypt functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data.
Use POSIX-standard strsignal() in place of the BSD-ish sys_siglist[] (Tom Lane)
This avoids build failures with very recent versions of glibc.
Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José Santamaría Flecha, Davinder Singh, Amit Kapila)
Avoid possible failure of our MSVC install script when there is a file named configure several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure to identify the top level of the source tree.