Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (Nathan Bossart)
These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.
The PostgreSQL Project thanks Lukas Fittl for reporting this problem. (CVE-2024-4317)
By itself, this fix only changes the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:
1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of the PostgreSQL installation (typically located someplace like /usr/share/postgresql/). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix.
2. In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like
\i /usr/share/postgresql/fix-CVE-2024-4317.sql
(adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.
3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo it with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
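The three steps above, as one added shell script that is not part of the PostgreSQL release notes: it lists every database in the cluster, runs fix-CVE-2024-4317.sql in each one, and opens template0 for connections only for the duration of its own fix, closing it again even when the script fails. Only the script path and the two ALTER DATABASE statements come from the notes; the PSQL and DRY_RUN variables, the function names and the `run` argument convention are this example's own assumptions, as is the requirement that psql connects as a superuser through the usual PG* environment.

```shell
#!/bin/sh
# Added example, not part of the PostgreSQL release notes: apply
# fix-CVE-2024-4317.sql to every database in a cluster, template0 and
# template1 included, opening and closing template0 for connections around
# its own fix. Assumptions of this example: psql is on PATH, the PG*
# environment (or peer auth) gives superuser access, and FIX_SCRIPT is the
# copy shipped with your own major version.
set -e

FIX_SCRIPT="${FIX_SCRIPT:-/usr/share/postgresql/fix-CVE-2024-4317.sql}"
PSQL="${PSQL:-psql}"
# ON_ERROR_STOP turns a wrong-version script into a hard failure instead of
# a half-applied one; the notes say any error usually means the wrong script.
PSQL_OPTS="-X -v ON_ERROR_STOP=1"

# Print each command before running it; with DRY_RUN=1 only print the plan.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Every database in the cluster. template0 is included even though it does
# not normally accept connections, which is why apply_to_db special-cases it.
list_databases() {
    $PSQL $PSQL_OPTS -At -d postgres \
        -c "SELECT datname FROM pg_database ORDER BY datname"
}

# Run the fix script in one database. The script is idempotent, so rerunning
# after a partial failure is safe.
apply_to_db() {
    db=$1
    rc=0
    if [ "$db" = template0 ]; then
        run $PSQL $PSQL_OPTS -d postgres \
            -c "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;"
    fi
    # Remember the script's status so template0 is closed again even when the
    # script fails, then report the failure to the caller.
    run $PSQL $PSQL_OPTS -d "$db" -f "$FIX_SCRIPT" || rc=$?
    if [ "$db" = template0 ]; then
        run $PSQL $PSQL_OPTS -d postgres \
            -c "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;"
    fi
    return $rc
}

# Apply the fix cluster-wide, refusing to start if the script is absent
# (per the notes: unaffected major version, or a minor too old to ship it).
fix_cluster() {
    if [ ! -r "$FIX_SCRIPT" ]; then
        echo "missing $FIX_SCRIPT: unaffected major, or minor predates the fix?" >&2
        return 1
    fi
    list_databases | while IFS= read -r db; do
        apply_to_db "$db"
    done
}

# Entry point: `sh apply-fix.sh run` applies the fix,
# `DRY_RUN=1 sh apply-fix.sh run` only prints the commands it would execute.
if [ "${1:-}" = run ]; then
    fix_cluster
fi
```

Running it once with DRY_RUN=1 is a cheap way to confirm the database list and the script path before touching anything; because the script is idempotent, a rerun after a failure on one database simply reapplies it everywhere.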
Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem. (CVE-2024-7348)
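Because the protection only applies when both pg_dump and the server carry the fix, a preflight check before a scheduled dump is worth having. The script below is an added example, not part of the release notes or of pg_dump itself: it parses pg_dump's version banner and asks the server whether it knows the new parameter. The function names, the `check` argument, and the use of 15.8 (the release these notes describe) as the threshold for the 15.x branch are assumptions of this example; other branches have their own first fixed minor release, which this script does not know.

```shell
#!/bin/sh
# Added example, not part of the PostgreSQL release notes or of pg_dump:
# a preflight check that a dump will be protected on both ends, since the
# notes say the attack is prevented only when pg_dump AND the server carry
# the fix. Assumptions of this example: pg_dump and psql are on PATH and
# connect via the usual PG* environment variables; 15.8 is the threshold
# these notes give for the 15.x branch, other branches have their own.
set -e

# Extract "major.minor" from a banner such as "pg_dump (PostgreSQL) 15.8" or
# "15.8 (Debian 15.8-1.pgdg120+1)". Fails (prints nothing) when none found.
version_number() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] && printf '%s\n' "$v"
}

# 0: a 15.x release at or after 15.8, so it carries the fix.
# 1: a 15.x release older than 15.8.
# 2: some other major, for which the 15.8 threshold says nothing.
fixed_15x() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" = 15 ] || return 2
    [ "$minor" -ge 8 ]
}

# Server side: a server that knows the parameter has the fix, whatever its
# version string looks like, so this is the authoritative server check.
server_has_restriction() {
    n=$(psql -X -At -c "SELECT count(*) FROM pg_settings WHERE name = 'restrict_nonsystem_relation_kind'")
    [ "$n" = 1 ]
}

# Client side: only a fixed pg_dump issues the SET for the parameter.
client_status() {
    v=$(version_number "$(pg_dump --version)") || return 2
    fixed_15x "$v"
}

# Print a verdict per side; succeed only when both sides are fixed.
preflight() {
    ok=1
    if server_has_restriction; then
        echo "server: restrict_nonsystem_relation_kind is available"
    else
        echo "server: parameter not present, the server predates the fix"
        ok=0
    fi
    rc=0
    client_status || rc=$?
    case $rc in
        0) echo "pg_dump: fixed release, it will set the parameter" ;;
        1) echo "pg_dump: release predates the fix, it will not set the parameter"; ok=0 ;;
        *) echo "pg_dump: not a 15.x build, consult that branch's release notes"; ok=0 ;;
    esac
    [ "$ok" = 1 ]
}

# Entry point: `sh dump-preflight.sh check` exits non-zero unless both sides pass.
if [ "${1:-}" = check ]; then
    preflight
fi
```

The server-side test deliberately looks for the parameter in pg_settings rather than comparing version strings, since packagers decorate server_version in ways that are awkward to parse; the pg_dump side has no equivalent, so its banner is parsed instead.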
Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)
Reject applying array dimensions [-2147483648:2147483647] to an empty array. This is closely related to CVE-2023-5869, but appears harmless since the array still ends up empty.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart)
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion)
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane)
The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch)
The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch)
The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
Config parameter | Default value
---|---
restrict_nonsystem_relation_kind |
Upgrade to 15.7, released on 2024-05-09
Fix INSERT from multiple VALUES rows into a target column that is a domain over an array or composite type (Tom Lane)
Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.
Require SELECT privilege on the target table for MERGE with a DO NOTHING clause (Álvaro Herrera)
SELECT privilege would be required in all practical cases anyway, but require it even if the query reads no columns of the target table. This avoids an edge case in which MERGE would require no privileges whatever, which seems undesirable even when it's a do-nothing command.
Fix handling of self-modified tuples in MERGE (Dean Rasheed)
Throw an error if a target row joins to more than one source row, as required by the SQL standard. (The previous coding could silently ignore this condition if a concurrent update was involved.) Also, throw a non-misleading error if a target row is already updated by a later command in the current transaction, thanks to a BEFORE trigger or a volatile function used in the query.
Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT clause (David Rowley)
A NULL value satisfies a clause such as boolcol IS NOT FALSE, so pruning away a partition containing NULLs yielded incorrect answers.
Make ALTER FOREIGN TABLE SET SCHEMA move any owned sequences into the new schema (Tom Lane)
Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.
Make ALTER TABLE ... ADD COLUMN create identity/serial sequences with the same persistence as their owning tables (Peter Eisentraut)
CREATE UNLOGGED TABLE will make any owned sequences be unlogged too. ALTER TABLE missed that consideration, so that an added identity column would have a logged sequence, which seems pointless.
Improve ALTER TABLE ... ALTER COLUMN TYPE's error message when there is a dependent function or publication (Tom Lane)
In CREATE DATABASE, recognize strategy keywords case-insensitively for consistency with other options (Tomas Vondra)
Fix EXPLAIN's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)
Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.
Fix EXPLAIN's output for subplans in MERGE (Dean Rasheed)
EXPLAIN would sometimes fail to properly display subplan Params referencing variables in other parts of the plan tree.
Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.
Avoid race condition while examining per-relation frozen-XID values (Noah Misch)
VACUUM's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM.
Fix buffer usage reporting for parallel vacuuming (Anthonin Bonnefoy)
Buffer accesses performed by parallel workers were not getting counted in the statistics reported in VERBOSE mode.
Disallow converting a table to a view within an outer SQL command that is using that table (Tom Lane)
This avoids possible crashes.
Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL trees that have constant outputs for the join column in some SELECT arms.
Prevent potentially-incorrect optimization of some window functions (David Rowley)
Disable “run condition” optimization of ntile() and count() with non-constant arguments. This avoids possible misbehavior with sub-selects, typically leading to errors like “WindowFunc not found in subplan target lists”.
Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)
When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.
Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)
This would typically end in a crash or unexpected error message.
Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov)
In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.
Fix incorrectly-reported statistics kind codes in “requested statistics kind X is not yet built” error messages (David Rowley)
Be more careful with RECORD-returning functions in FROM (Tom Lane)
The output columns of such a function call must be defined by an AS clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.
Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.
Add protective stack depth checks to some recursive functions (Egor Chindyaskin)
Fix mis-rounding and overflow hazards in date_bin() (Moaaz Assali)
In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.
Detect integer overflow when adding or subtracting an interval to/from a timestamp (Joseph Koshakow)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Avoid race condition in pg_get_expr() (Tom Lane)
If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.
Fix detection of old transaction IDs in XID status functions (Karina Litskevich)
Transaction IDs more than 2^31 transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status() or txid_status().
Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau)
Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a “could not read block” error.
Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait (Etsuro Fujita)
Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov)
Throw an error if an index is accessed while it is being reindexed (Tom Lane)
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.
Ensure that index-only scans on name columns return a fully-padded value (David Rowley)
The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.
Fix race condition in deciding whether a table sync operation is needed in logical replication (Vignesh C)
An invalidation event arriving while a subscriber identifies which tables need to be synced would be forgotten about, so that any tables newly in need of syncing might not get processed in a timely fashion.
Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)
Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.
Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.
Avoid concurrent calls to bindtextdomain() in libpq and ecpglib (Tom Lane)
Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.
Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)
In ecpg, avoid issuing false “unsupported feature will be passed to server” warnings (Tom Lane)
Ensure that the string result of ecpg's intoasc() function is correctly zero-terminated (Oleg Tselebrovskiy)
In psql, avoid leaking a query result after the query is cancelled (Tom Lane)
This happened only when cancelling a non-last query in a query string made with \; separators.
Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords (Daniel Gustafsson, Álvaro Herrera)
Skip files named .DS_Store in pg_basebackup, pg_checksums, and pg_rewind (Daniel Gustafsson)
This avoids problems on macOS, where the Finder may create such files.
Fix PL/pgSQL's parsing of single-line comments (“--”-style comments) following expressions (Erik Wienhold, Tom Lane)
This mistake caused parse errors if such a comment followed a WHEN expression in a PL/pgSQL CASE statement.
In contrib/amcheck, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)
A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.
Fix bugs in BRIN output functions (Tomas Vondra)
These output functions are only used for displaying index entries in contrib/pageinspect, so the errors are of limited practical concern.
In contrib/postgres_fdw, avoid emitting requests to sort by a constant (David Rowley)
This could occur in cases involving UNION ALL with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N is not in select list” errors.
Make contrib/postgres_fdw set the remote session's time zone to GMT not UTC (Tom Lane)
This should have the same results for practical purposes. However, GMT is recognized by hard-wired code in the server, while UTC is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.
In contrib/xml2, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)
Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)
Allow make check to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)
Upgrade to 15.8, released on 2024-08-08
Prevent infinite loop in VACUUM (Melanie Plageman)
After a disconnected standby server with an old running transaction reconnected to the primary, it was possible for VACUUM on the primary to get confused about which tuples are removable, resulting in an infinite loop.
Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Álvaro Herrera)
Fix ALTER TABLE DETACH PARTITION for cases involving inconsistent index-based constraints (Álvaro Herrera, Tender Wang)
When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount value. This would cause trouble during any further manipulations of that constraint.
Fix partition pruning setup during ALTER TABLE DETACH PARTITION CONCURRENTLY (Álvaro Herrera)
The executor assumed that no partition could be detached between planning and execution of a query on a partitioned table. This is no longer true since the introduction of DETACH PARTITION's CONCURRENTLY option, making it possible for query execution to fail transiently when that is used.
Correctly update a partitioned table's pg_class.reltuples field to zero after its last child partition is dropped (Noah Misch)
The first ANALYZE on such a partitioned table must update relhassubclass as well, and that caused the reltuples update to be lost.
Fix handling of polymorphic output arguments for procedures (Tom Lane)
The SQL CALL statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelement”, or even outright crashes. (But CALL in PL/pgSQL worked correctly.)
Fix behavior of stable functions called from a CALL statement's argument list (Tom Lane)
If the CALL is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Detect integer overflow in money calculations (Joseph Koshakow)
None of the arithmetic functions for the money type checked for overflow before, so they would silently give wrong answers for overflowing cases.
Fix over-aggressive clamping of the scale argument in round(numeric) and trunc(numeric) (Dean Rasheed)
These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric.
Fix result for pg_size_pretty() when applied to the smallest possible bigint value (Joseph Koshakow)
Prevent pg_sequence_last_value() from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)
Make it return NULL in these cases instead of throwing an error.
Fix parsing of ignored operators in websearch_to_tsquery() (Tom Lane)
Per the manual, punctuation in the input of websearch_to_tsquery() is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or could cause or to be treated as a data word, rather than as an OR operator as expected.
Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database catalog, so the effects are narrow, but misbehavior is possible.
Correctly check updatability of view columns targeted by INSERT ... DEFAULT (Tom Lane)
If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N not found in view targetlist”.
Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)
Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE query does not have a self-reference within the second arm of the UNION, but does have one self-reference in some other place such as ORDER BY.
Lock owned sequences during ALTER TABLE SET LOGGED|UNLOGGED (Noah Misch)
These commands change the persistence of a table's owned sequences along with the table, but they failed to acquire lock on the sequences while doing so. This could result in losing the effects of concurrent nextval() calls.
Don't throw an error if a queued AFTER trigger no longer exists (Tom Lane)
It's possible for a transaction to execute an operation that queues a deferred AFTER trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN”. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.
Fix failure to remove pg_init_privs entries for column-level privileges when their table is dropped (Tom Lane)
If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.
Fix selection of an arbiter index for ON CONFLICT when the desired index has expressions or predicates (Tom Lane)
If a query using ON CONFLICT accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specification”, even though a matching index does exist.
Refuse to modify a temporary table of another session with ALTER TABLE (Tom Lane)
Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.
Fix handling of extended statistics on expressions in CREATE TABLE LIKE STATISTICS (Tom Lane)
The CREATE command failed to adjust column references in statistics expressions to the possibly-different column numbering of the new table. This resulted in invalid statistics objects that would cause problems later. A typical scenario where renumbering columns is needed is when the source table contains some dropped columns.
Fix failure to recalculate sub-queries generated from MIN() or MAX() aggregates (Tom Lane)
In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT that is implemented with hash aggregation, but other cases may exist.
Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.
Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)
Notably, we now suppress “chunk is not well balanced” errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.
Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.
Prevent incorrect initialization of logical replication slots (Masahiko Sawada)
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.
Avoid “can only drop stats once” error during replication slot creation and drop (Floris Van Nee)
Fix resource leakage in logical replication WAL sender (Hou Zhijie)
The walsender process leaked memory when publishing changes to a partitioned table whose partitions have row types physically different from the partitioned table's.
Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.
Prevent leakage of reference counts for the shared memory block used for statistics (Anthonin Bonnefoy)
A new backend process attaching to the statistics shared memory incremented its reference count, but failed to decrement the count when exiting. After 2^32 sessions had been created, the reference count would overflow to zero, causing failures in all subsequent backend process starts.
Prevent deadlocks and assertion failures during truncation of the multixact SLRU log (Heikki Linnakangas)
A process trying to delete SLRU segments could deadlock with the checkpointer process.
Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.
Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)
It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.
Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.
When replanning a PL/pgSQL “simple expression”, check it's still simple (Tom Lane)
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node type”.
Fix incompatibility between PL/Perl and Perl 5.40 (Andrew Dunstan)
Fix recursive RECORD-returning PL/Python functions (Tom Lane)
If we recurse to a new call of the same function that passes a different column definition list (AS clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.
Don't corrupt PL/Python's TD dictionary during a recursive trigger call (Tom Lane)
If a PL/Python-language trigger caused another one to be invoked, the TD dictionary created for the inner one would overwrite the outer one's TD dictionary.
Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.
Avoid non-thread-safe usage of strerror() in libpq (Peter Eisentraut)
Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.
Avoid memory leak within pg_dump during a binary upgrade (Daniel Gustafsson)
Ensure that pg_restore -l reports dependent TOC entries correctly (Tom Lane)
If -l was specified together with selective-restore options such as -n or -N, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.
Avoid “cursor can only scan forward” error in contrib/postgres_fdw (Etsuro Fujita)
This error could occur if the remote server is v15 or later and a foreign table is mapped to a non-trivial remote view.
In contrib/postgres_fdw, do not send FETCH FIRST WITH TIES clauses to the remote server (Japin Li)
The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.
Avoid clashing with system-provided <regex.h> headers (Thomas Munro)
This fixes a compilation failure on macOS version 15 and up.
Fix otherwise-harmless assertion failure in Memoize cost estimation (David Rowley)
Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY applied to an SP-GiST index (Tom Lane)
Upgrade to 15.9 released on 2024-11-14
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart)
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
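A way to verify this behaviour on a running server, as an added example that is not part of the release notes: the roles, table, policies and view below are constructed for the test, and a superuser psql session on a 15.x server is assumed. The table is reached only through a CTE and a security_invoker view, which are the non-top-level references the fix covers.

```sql
-- Constructed test objects; nothing here comes from the release notes.
CREATE ROLE rls_alice;
CREATE ROLE rls_bob;
CREATE TABLE rls_orders (id int PRIMARY KEY, owner text, amount numeric);
INSERT INTO rls_orders VALUES (1, 'rls_alice', 10), (2, 'rls_bob', 20);
GRANT SELECT ON rls_orders TO rls_alice, rls_bob;

-- Per-role policies: the rewritten query differs depending on who runs it,
-- which is exactly what the cached plan must be marked as depending on.
ALTER TABLE rls_orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY alice_rows ON rls_orders FOR SELECT TO rls_alice USING (owner = 'rls_alice');
CREATE POLICY bob_rows   ON rls_orders FOR SELECT TO rls_bob   USING (owner = 'rls_bob');

-- A security_invoker view checks privileges and policies against the caller.
CREATE VIEW rls_orders_v WITH (security_invoker = true) AS SELECT * FROM rls_orders;
GRANT SELECT ON rls_orders_v TO rls_alice, rls_bob;

-- Prepare once as the first role; the statement stays cached for the session.
SET ROLE rls_alice;
PREPARE visible_total AS
  WITH o AS (SELECT amount FROM rls_orders)
  SELECT (SELECT sum(amount) FROM o)            AS via_cte,
         (SELECT sum(amount) FROM rls_orders_v) AS via_view;
EXECUTE visible_total;   -- 10 | 10

-- Same session, same cached statement, different executing role.
SET ROLE rls_bob;
EXECUTE visible_total;   -- fixed server: 20 | 20
-- An affected server could keep using the query as rewritten for rls_alice
-- and answer 10 | 10 here, i.e. return rows rls_bob must not see.

RESET ROLE;
DEALLOCATE visible_total;
DROP VIEW rls_orders_v;
DROP TABLE rls_orders;
DROP ROLE rls_alice, rls_bob;
```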
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion)
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane)
The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
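Both effects described above can be checked from psql; this is an added example, not part of the release notes. The roles and the function are constructed for the test, and the session's login user is assumed to be a superuser, which SET SESSION AUTHORIZATION requires.

```sql
-- Constructed roles and probe function; nothing here comes from the release notes.
CREATE ROLE auth_app;
CREATE ROLE auth_other;
CREATE FUNCTION auth_probe() RETURNS text LANGUAGE sql
  SET session_authorization = auth_other   -- transient change for the duration of the call
  AS $$ SELECT current_user::text $$;

-- Put the session into a non-default ROLE before the transaction.
SET ROLE auth_app;
SELECT session_user, current_user;      -- <login user> | auth_app

BEGIN;
SET SESSION AUTHORIZATION auth_other;   -- standard-mandated side effect: SET ROLE NONE
SELECT session_user, current_user;      -- auth_other | auth_other
ROLLBACK;

-- Fixed server: the whole pre-transaction state comes back, including ROLE.
SELECT session_user, current_user;      -- <login user> | auth_app
-- Affected server: ROLE had been reverted to NONE, so this showed
-- <login user> | <login user>, and the session silently carried on with the
-- login user's (here: superuser) privileges.

-- Same check for the function SET clause case.
SELECT auth_probe();                    -- auth_other, as seen inside the function
SELECT current_user;                    -- fixed: auth_app; affected: <login user>

RESET ROLE;
DROP FUNCTION auth_probe();
DROP ROLE auth_app, auth_other;
```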
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch)
The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
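A probe that shows the trusted/untrusted difference after the fix, added here and not taken from the release notes. The function names and the PLPERL_ENV_PROBE variable are constructed; both language extensions are assumed to be installable by the superuser running the script.

```sql
-- Constructed probe functions; nothing here comes from the release notes.
CREATE EXTENSION IF NOT EXISTS plperl;
CREATE EXTENSION IF NOT EXISTS plperlu;

-- Trusted PL: on a fixed server the assignment is rejected with a WARNING and
-- %ENV is left unchanged, so the value reads back as undefined.
CREATE FUNCTION env_probe_trusted() RETURNS text LANGUAGE plperl AS $$
    $ENV{PLPERL_ENV_PROBE} = 'set-from-trusted-plperl';
    return defined $ENV{PLPERL_ENV_PROBE} ? 'writable' : 'read-only';
$$;

-- Untrusted PL: unchanged by the fix, so the assignment takes effect.
CREATE FUNCTION env_probe_untrusted() RETURNS text LANGUAGE plperlu AS $$
    $ENV{PLPERL_ENV_PROBE} = 'set-from-plperlu';
    my $result = defined $ENV{PLPERL_ENV_PROBE} ? 'writable' : 'read-only';
    delete $ENV{PLPERL_ENV_PROBE};   # leave the backend's environment as it was
    return $result;
$$;

SELECT env_probe_trusted();    -- 'read-only' (plus a WARNING) once the fix is in place;
                               -- 'writable' on an affected server
SELECT env_probe_untrusted();  -- 'writable' either way

DROP FUNCTION env_probe_trusted(), env_probe_untrusted();
```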
Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera)
If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too.
The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
SELECT conrelid::pg_catalog.regclass AS "constrained table",
       conname AS constraint,
       confrelid::pg_catalog.regclass AS "references",
       pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                         conrelid::pg_catalog.regclass, conname) AS "drop",
       pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                         conrelid::pg_catalog.regclass, conname,
                         pg_catalog.pg_get_constraintdef(oid)) AS "add"
FROM pg_catalog.pg_constraint c
WHERE contype = 'f' AND conparentid = 0 AND
   (SELECT count(*) FROM pg_catalog.pg_constraint c2
    WHERE c2.conparentid = c.oid) <>
   (SELECT count(*) FROM pg_catalog.pg_inherits i
    WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
          EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                  WHERE partrelid = i.inhparent));
Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Ghosh)
Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera)
This arrangement is not supported, and other ways of creating it already fail.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han)
Such plans could produce incorrect results.
Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
Fix detection of skewed data during parallel hash join (Thomas Munro)
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Fix race condition in committing a serializable transaction (Heikki Linnakangas)
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen)
A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang)
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place” catalog update could be lost (Noah Misch)
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch)
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane)
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih)
This allows more of the work done in extended query protocol to be attributed to the correct query.
Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer)
Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev)
Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane)
This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
Disallow a USING clause when altering the type of a generated column (Peter Eisentraut)
A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane)
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Prevent mis-encoding of “trailing junk after numeric literal” error messages (Karina Litskevich)
We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.
Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
Reduce memory consumption of logical decoding (Masahiko Sawada)
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson)
A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane)
Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane)
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane)
Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas)
Thread safety is not currently a concern in the server, but it is for libpq.
Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki)
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
Avoid use of pnstrdup() in ecpglib (Jacob Champion)
That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov)
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane)
Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.
Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas)
This was the intention to begin with, but a coding error caused the source history to always print as empty.
Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang)
This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart)
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa)
This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy)
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart)
On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
Fix building with Strawberry Perl on Windows (Andrew Dunstan)
Prevent “missing declaration for inet_pton” compiler warning or error when building with MinGW (Thomas Munro, Andrew Dunstan)
Update time zone data files to tzdata release 2024b (Tom Lane)
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Upgrade to 15.10 released on 2024-11-21
Repair ABI break for extensions that work with struct ResultRelInfo (Tom Lane)
Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch)
The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
Fix cases where a logical replication slot's restart_lsn could go backwards (Masahiko Sawada)
Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn value, in which case replication would fail to restart.
Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin)
Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready files were created) but not yet archived. The newly promoted node no longer has those files because they have been recycled, but the demoted node likely needs them for recovery. If pg_rewind removes them, recovery is no longer possible.
Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier)
These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once” errors.
Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter (Masahiro Ikeda)
Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov)
Some forms of ALTER TABLE would fail if the table has an index with non-default operator class options.
Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane)
This bug does not appear to have any visible consequences in non-assert builds.