Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) §
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) §
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane) § §
The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) § § §
The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch) §
The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) § § § § § §
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. (CVE-2025-1094)
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) § § §
The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.
In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Avoid one-byte buffer overread when examining invalidly-encoded strings that are claimed to be in GB18030 encoding (Noah Misch, Andres Freund) § §
While unlikely, a SIGSEGV crash could occur if an incomplete multibyte character appeared at the end of memory. This was possible both in the server and in libpq-using applications. (CVE-2025-4207)
Tighten security checks in planner estimation functions (Dean Rasheed) §
The fix for CVE-2017-7484, plus followup fixes, intended to prevent leaky functions from being applied to statistics data for columns that the calling user does not have permission to read. Two gaps in that protection have been found. One gap applies to partitioning and inheritance hierarchies where RLS policies on the tables should restrict access to statistics data, but did not.
The other gap applies to cases where the query accesses a table via a view, and the view owner has permissions to read the underlying table but the calling user does not have permissions on the view. The view owner's permissions satisfied the security checks, and the leaky function would get applied to the underlying table's statistics before we check the calling user's permissions on the view. This has been fixed by making security checks on views occur at the start of planning. That might cause permissions failures to occur earlier than before.
The PostgreSQL Project thanks Dean Rasheed for reporting this problem. (CVE-2025-8713)
Prevent pg_dump scripts from being used to attack the user running the restore (Nathan Bossart) §
Since dump/restore operations typically involve running SQL commands as superuser, the target database installation must trust the source server. However, it does not follow that the operating system user who executes psql to perform the restore should have to trust the source server. The risk here is that an attacker who has gained superuser-level control over the source server might be able to cause it to emit text that would be interpreted as psql meta-commands. That would provide shell-level access to the restoring user's own account, independently of access to the target database.
To provide a positive guarantee that this can't happen, extend psql with a \restrict command that prevents execution of further meta-commands, and teach pg_dump to issue that before any data coming from the source server.
The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem. (CVE-2025-8714)
Convert newlines to spaces in names included in comments in pg_dump output (Noah Misch) §
Object names containing newlines offered the ability to inject arbitrary SQL commands into the output script. (Without the preceding fix, injection of psql meta-commands would also be possible this way.) CVE-2012-0868 fixed this class of problem at the time, but later work reintroduced several cases.
The PostgreSQL Project thanks Noah Misch for reporting this problem. (CVE-2025-8715)
Upgrade to 17.1 released on 2024-11-14
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) §
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) §
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane) § §
The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) § § §
The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera) § §
If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too.
The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
    SELECT conrelid::pg_catalog.regclass AS "constrained table",
           conname AS constraint,
           confrelid::pg_catalog.regclass AS "references",
           pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                             conrelid::pg_catalog.regclass, conname) AS "drop",
           pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                             conrelid::pg_catalog.regclass, conname,
                             pg_catalog.pg_get_constraintdef(oid)) AS "add"
    FROM pg_catalog.pg_constraint c
    WHERE contype = 'f' AND conparentid = 0 AND
       (SELECT count(*) FROM pg_catalog.pg_constraint c2
        WHERE c2.conparentid = c.oid) <>
       (SELECT count(*) FROM pg_catalog.pg_inherits i
        WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
          EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                  WHERE partrelid = i.inhparent));
Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
Fix test for C locale when LC_COLLATE is different from LC_CTYPE (Jeff Davis) §
When using libc as the default collation provider, the test to see if C locale is in use for collation accidentally checked LC_CTYPE not LC_COLLATE. This has no impact in the typical case where those settings are the same, nor if both are not C (nor its alias POSIX). However, if LC_CTYPE is C while LC_COLLATE is some other locale, wrong query answers could ensue, and corruption of indexes on strings was possible. Users of databases with such settings should reindex affected indexes after installing this update. The converse case with LC_COLLATE being C while LC_CTYPE is some other locale would cause performance degradation, but no actual errors.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) § §
Such plans could produce incorrect results.
Avoid planner failure after converting an IS NULL test on a NOT NULL column to constant FALSE (Richard Guo) §
This bug typically led to errors such as “variable not found in subplan target lists”.
Avoid possible planner crash while inlining a SQL function whose arguments contain certain array-related constructs (Tom Lane, Nathan Bossart) §
Fix possible wrong answers or “wrong varnullingrels” planner errors for MERGE ... WHEN NOT MATCHED BY SOURCE actions (Dean Rasheed) § §
Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane) §
Fix edge case in B-tree ScalarArrayOp index scans (Peter Geoghegan) §
When a scrollable cursor with a plan of this kind was backed up to its starting point and then run forward again, wrong answers were possible.
Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane) §
Fix validation of COPY's FORCE_NOT_NULL and FORCE_NULL options (Joel Jacobson) §
Some incorrect usages are now rejected as they should be.
Fix server crash when a json_objectagg() call contains a volatile function (Amit Langote) §
Fix detection of skewed data during parallel hash join (Thomas Munro) §
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Avoid crash when ALTER DATABASE SET is used to set a server parameter that requires search-path-based lookup, such as default_text_search_config (Jeff Davis) §
Avoid repeated lookups of opclasses and collations while creating a new index on a partitioned table (Tom Lane) §
This was problematic mainly because some of the lookups would be done with a restricted search_path, leading to unexpected failures if the CREATE INDEX command referenced objects outside pg_catalog.
This fix also prevents comments on the parent partitioned index from being copied to child indexes.
Add missing dependency from a partitioned table to a non-built-in access method specified in CREATE TABLE ... USING (Michael Paquier) §
Dropping the access method should be blocked when a table exists that depends on it, but it was not, allowing subsequent odd behavior. Note that this fix only prevents problems for partitioned tables created after this update.
Disallow locale names containing non-ASCII characters (Thomas Munro) §
This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that.
Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) §
Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen) §
A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang) §
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an “in place” catalog update could be lost (Noah Misch) § § § § § § §
Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
Reset catalog caches at end of recovery (Noah Misch) §
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) § §
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane) §
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie) § §
Reduce memory consumption of logical decoding (Masahiko Sawada) §
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane) §
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki) §
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) §
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Fix psql's describe commands to again work with pre-9.4 servers (Tom Lane) §
Commands involving display of an ACL (permissions) column failed with very old PostgreSQL servers, due to use of a function not present in those versions.
Avoid hanging if an interval less than 1ms is specified in psql's \watch command (Andrey Borodin, Michael Paquier) §
Instead, treat this the same as an interval of zero (no wait between executions).
Fix failure to find replication password in ~/.pgpass (Tom Lane) §
pg_basebackup and pg_receivewal failed to match an entry in ~/.pgpass that had replication in the database name field, if no -d or --dbname switch was supplied. This resulted in an unexpected prompt for password.
In pg_combinebackup, throw an error if an incremental backup file is present in a directory that is supposed to contain a full backup (Robert Haas) §
In pg_combinebackup, don't construct filenames containing double slashes (Robert Haas) §
This caused no functional problems, but the duplicate slashes were visible in error messages, which could create confusion.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) § § §
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) §
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart) §
On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
Update time zone data files to tzdata release 2024b (Tom Lane) § §
This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58.
Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Upgrade to 17.2 released on 2024-11-21
Repair ABI break for extensions that work with struct ResultRelInfo (Tom Lane) §
Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch) §
The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
Fix cases where a logical replication slot's restart_lsn could go backwards (Masahiko Sawada) §
Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn value, in which case replication would fail to restart.
Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin) §
Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.
Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier) §
These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once” errors.
Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter (Masahiro Ikeda) §
Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov) §
Some forms of ALTER TABLE would fail if the table has an index with non-default operator class options.
Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane) §
This bug does not appear to have any visible consequences in non-assert builds.
Upgrade to 17.3 released on 2025-02-13
Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) § § § § § §
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. (CVE-2025-1094)
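The advice above, that code quoting untrusted input without the libpq functions should first confirm the data is valid in the server's expected encoding, can be implemented as follows. This C code is an added example, not taken from PostgreSQL or libpq; it assumes the connection's client_encoding is UTF8, and utf8_is_valid and quote_literal_utf8 are hypothetical names. It examines exactly len bytes, so it neither reads to a trailing null nor past the end of a buffer holding an incomplete multibyte character.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 check over exactly len bytes. Rejects truncated sequences,
 * stray continuation bytes, overlong forms, surrogates, code points above
 * U+10FFFF, and embedded NUL (which PostgreSQL text cannot hold). */
bool utf8_is_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;

    while (i < len) {
        unsigned char c = s[i];
        size_t need;            /* continuation bytes expected */
        unsigned int cp, min;   /* decoded code point, smallest legal value */

        if (c < 0x80) {
            if (c == 0)
                return false;
            i++;
            continue;
        } else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0)   { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0)   { need = 3; cp = c & 0x07; min = 0x10000; }
        else
            return false;       /* continuation byte or invalid lead byte */

        if (need > len - i - 1)
            return false;       /* character is cut off at end of input */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80)
                return false;   /* e.g. a lead byte followed by a quote */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return false;
        i += need + 1;
    }
    return true;
}

/* Quote in[0..len) as a SQL string literal into out (NUL-terminated).
 * Returns the literal's length, -1 if the input is not valid UTF-8 (nothing
 * is written), or -2 if out is too small. When a backslash is present the
 * E'' form is used so the result does not depend on
 * standard_conforming_strings. */
long quote_literal_utf8(const char *in, size_t len, char *out, size_t outsz)
{
    size_t extra = 0, o = 0;
    bool has_backslash = false;

    if (!utf8_is_valid((const unsigned char *) in, len))
        return -1;              /* refuse to quote; caller reports an error */

    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'')
            extra++;
        else if (in[i] == '\\') {
            extra++;
            has_backslash = true;
        }
    }
    if (len + extra + 2 + (has_backslash ? 2 : 0) + 1 > outsz)
        return -2;

    if (has_backslash) {
        out[o++] = ' ';
        out[o++] = 'E';
    }
    out[o++] = '\'';
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'' || in[i] == '\\')
            out[o++] = in[i];   /* double the metacharacter */
        out[o++] = in[i];
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (long) o;
}

int main(void)
{
    /* Constructed inputs: a normal string, and an invalid lead byte
     * followed by a single quote. */
    const char *samples[] = { "it's", "\xC0'" };
    char buf[64];

    for (size_t i = 0; i < 2; i++) {
        long n = quote_literal_utf8(samples[i], strlen(samples[i]),
                                    buf, sizeof buf);
        if (n < 0)
            printf("sample %zu rejected (code %ld)\n", i, n);
        else
            printf("sample %zu -> %s\n", i, buf);
    }
    return 0;
}
```
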
Restore auto-truncation of database and user names appearing in connection requests (Nathan Bossart) §
This reverts a v17 change that proved to cause trouble for some users. Over-length names should be truncated in an encoding-aware fashion, but for now just return to the former behavior of blind truncation at NAMEDATALEN-1 bytes.
Exclude parallel workers from connection privilege checks and limits (Tom Lane) §
Do not check datallowconn, rolcanlogin, and ACL_CONNECT privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections, datconnlimit, and rolconnlimit limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.
Drop “Lock” suffix from LWLock wait event names (Bertrand Drouvot) §
Refactoring unintentionally caused the pg_stat_activity view to show lock-related wait event names with a “Lock” suffix, which among other things broke joining it to pg_wait_events.
Fix possible failure to return all matching tuples for a btree index scan with a ScalarArrayOp (= ANY) condition (Peter Geoghegan) §
Fix possible re-use of stale results in window aggregates (David Rowley) §
A window aggregate with a “run condition” optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.
Keep TransactionXmin in sync with MyProc->xmin (Heikki Linnakangas) §
This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction” errors.
Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) §
This could result, for example, in failure to use a newly-created function within an existing session.
Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) § §
Fix data corruption when relation truncation fails (Thomas Munro) § § §
The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.
Prevent checkpoints from starting during relation truncation (Robert Haas) §
This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.
Avoid possibly losing an update of pg_database.datfrozenxid when VACUUM runs concurrently with a REASSIGN OWNED that changes that database's owner (Kirill Reshke) §
Fix incorrect tg_updatedcols values passed to AFTER UPDATE triggers (Tom Lane) §
In some cases the tg_updatedcols bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.
Also, prevent memory bloat caused by making too many copies of the tg_updatedcols bitmap.
Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) §
In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraint”.
Fix pg_get_constraintdef's support for NOT NULL constraints on domains (Álvaro Herrera) §
Fix mis-processing of to_timestamp's FFn format codes (Tom Lane) §
An integer format code immediately preceding FFn would consume all available digits, leaving none for FFn.
When deparsing a PASSING clause in a SQL/JSON query function, ensure that variable names are double-quoted when necessary (Dean Rasheed) §
When deparsing an XMLTABLE() expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) §
Include the ldapscheme
option in pg_hba_file_rules()
output (Laurenz Albe) § §
Fix planning of pre-sorted UNION
operations for cases where the input column datatypes don't all match (David Rowley) §
This error could lead to sorting data with the wrong sort operator, with consequences ranging from no visible problem to core dumps.
Don't merge UNION operations if their column collations aren't consistent (Tom Lane) §
Previously we ignored collations when deciding if it's safe to merge UNION steps into a single N-way UNION operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.
Prevent “wrong varnullingrels” planner errors after pulling up a subquery that's underneath an outer join (Tom Lane) § §
Ignore nulling-relation marker bits when looking up statistics (Richard Guo) §
This oversight could lead to failure to use relevant statistics about expressions, or to “corrupt MVNDistinct entry” errors.
Fix missed expression processing for partition pruning steps (Tom Lane) §
This oversight could lead to “unrecognized node type” errors, and perhaps other problems, in queries accessing partitioned tables.
Give the slotsync worker process its own process slot (Tom Lane, Hou Zhijie) §
This was overlooked in the addition of the slotsync worker, with the result that its process slot effectively came out of the pool meant for regular backend processes. This could result in failure to launch the worker, or to subsequent failures of connection requests that should have succeeded according to the configured settings, if the number of regular backend processes approached max_connections.
Allow dshash tables to grow past 1GB (Matthias van de Meent) §
This avoids errors like “invalid DSA memory alloc request size”. The case can occur for example in transactions that process several million tables.
Avoid possible integer overflow in bringetbitmap() (James Hunter, Evgeniy Gorbanyov) §
Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.
Correct miscalculation of SLRU bank numbers (Yura Sokolov) §
This error led to using a smaller number of banks than intended, causing more contention but no functional misbehavior.
Ensure that an already-set process latch doesn't prevent the postmaster from noticing socket events (Thomas Munro) §
An extremely heavy workload of backends launching workers and workers exiting could prevent the postmaster from responding to incoming client connections in a timely fashion.
Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) §
This would happen when the record's continuation is on a page that needs to be read from a different WAL source.
Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) §
This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child process”.
Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) § §
In some cases a data type could be dropped while references to its OID still remain in pg_amop or pg_amproc. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY to prevent failure when dropping a family that has dangling members.
Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) § § §
Fix small memory leak when updating the application_name or cluster_name settings (Tofig Aliev) §
Avoid crash when a background process tries to check a new value of synchronized_standby_slots (Álvaro Herrera) §
Avoid integer overflow while testing wal_skip_threshold condition (Tom Lane) §
A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold. (This only matters when wal_level is set to minimal, else a WAL copy is required anyway.)
Fix unsafe order of operations during cache lookups (Noah Misch) §
The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock” warning during GRANT TABLESPACE.
Avoid potential use-after-free in parallel vacuum (Vallimaharajan G, John Naylor) §
This bug seems to have no consequences in standard builds, but it's theoretically a hazard.
Fix possible “failed to resolve name” failures when using JIT on older ARM platforms (Thomas Munro) §
This could occur as a consequence of inconsistency about the default setting of -moutline-atomics between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.
Fix assertion failure in WITH RECURSIVE ... UNION queries (David Rowley) §
Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) §
Avoid edge-case assertion failure in parallel query startup (Tom Lane) §
Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) §
Avoid valgrind complaints about string hashing code (John Naylor) §
In NULLIF(), avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) §
The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF() result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.
Ensure that expression preprocessing is applied to a default null value in INSERT (Tom Lane) §
If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.
Avoid data loss when starting a bulk write on a relation fork that already contains data (Matthias van de Meent) §
Any pre-existing data was overwritten with zeroes. This is not an issue for core PostgreSQL, which never does that. Some extensions would like to, however.
Avoid crash if a server process tried to iterate over a shared radix tree that it didn't create (Masahiko Sawada) §
There is no code in core PostgreSQL that does this, but an extension might wish to.
Repair memory leaks in PL/Python (Mat Arye, Tom Lane) §
Repeated use of PLyPlan.execute or plpy.cursor resulted in memory leakage for the duration of the calling PL/Python function.
Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) §
In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) §
In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN (Ryo Kanbayashi) §
Previously, the intended warning was not issued due to a typo.
Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) §
Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.
Add psql tab completion for COPY (MERGE INTO) (Jian He) §
Fix use of wrong version of pqsignal() in pgbench and psql (Fujii Masao, Tom Lane) §
This error could lead to misbehavior when using the -T option in pgbench or the \watch command in psql, due to interrupted system calls not being resumed as expected.
Fix misexecution of some nested \if constructs in pgbench (Michail Nikolaev) §
An \if command appearing within a false (not-being-executed) \if branch was incorrectly treated the same as \elif.
In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) § §
Make pg_controldata more robust against corrupted pg_control files (Ilyasov Ian, Anton Voloshin) §
Since pg_controldata will attempt to print the contents of pg_control even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.
Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) §
Fix memory leak in pg_restore with zstd-compressed data (Tom Lane) §
The leak was per-decompression-operation, so would be most noticeable with a dump containing many tables or large objects.
Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) § §
Use SQL-standard function bodies in the declarations of contrib/earthdistance's SQL-language functions (Tom Lane, Ronan Dunklau) §
This change allows their references to contrib/cube to be resolved during extension creation, reducing the risk of search-path-based failures and possible attacks.
In particular, this restores their usability in contexts like generated columns, for which PostgreSQL v17 restricts the search path on security grounds. We have received reports of databases failing to be upgraded to v17 because of that. This patch has been included in v16 to provide a workaround: updating the earthdistance extension to this version beforehand should allow an upgrade to succeed.
Detect version mismatch between contrib/pageinspect's SQL declarations and the underlying shared library (Tomas Vondra) §
Previously, such a mismatch could result in a crash while calling brin_page_items(). Instead throw an error recommending updating the extension.
When trying to cancel a remote query in contrib/postgres_fdw, re-issue the cancel request a few times if it didn't seem to do anything (Tom Lane) §
This fixes a race condition where we might try to cancel a just-sent query before the remote server has started to process it, so that the initial cancel request is ignored.
Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) §
On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.
Fix meson build system to support old OpenSSL libraries on Windows (Darek Slusarczyk) §
Add support for the legacy library names ssleay32 and libeay32.
In Windows builds using meson, ensure all libcommon and libpgport functions are exported (Vladlen Popolitov, Heikki Linnakangas) § §
This fixes “unresolved external symbol” build errors for extensions.
Fix meson configuration process to correctly detect OSSP's uuid.h header file under MSVC (Andrew Dunstan) §
When building with meson, install pgevent in pkglibdir not bindir (Peter Eisentraut) §
This matches the behavior of the make-based build system and the old MSVC build system.
When building with meson, install sepgsql.sql under share/contrib/ not share/extension/ (Peter Eisentraut) §
This matches what the make-based build system does.
Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) §
⇑ Upgrade to 17.4 released on 2025-02-20 - docs
Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane) § § §
The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory.
In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Fix small memory leak in pg_createsubscriber (Ranier Vilela) §
Fix meson build system to correctly detect availability of the bsd_auth.h system header (Nazir Bilal Yavuz) §
⇑ Upgrade to 17.5 released on 2025-05-08 - docs
Avoid one-byte buffer overread when examining invalidly-encoded strings that are claimed to be in GB18030 encoding (Noah Misch, Andres Freund) § §
While unlikely, a SIGSEGV crash could occur if an incomplete multibyte character appeared at the end of memory. This was possible both in the server and in libpq-using applications. (CVE-2025-4207)
Handle self-referential foreign keys on partitioned tables correctly (Álvaro Herrera) §
Creating or attaching partitions failed to make the required catalog entries for a foreign-key constraint, if the table referenced by the constraint was the same partitioned table. This resulted in failure to enforce the constraint fully.
To fix this, you should drop and recreate any self-referential foreign keys on partitioned tables, if partitions have been created or attached since the constraint was created. Bear in mind that violating rows might already be present, in which case recreating the constraint will fail, and you'll need to fix up those rows before trying again.
Avoid data loss when merging compressed BRIN summaries in brin_bloom_union() (Tomas Vondra) §
The code failed to account for decompression results not being identical to the input objects, which would result in failure to add some of the data to the merged summary, leading to missed rows in index searches.
This mistake was present back to v14 where BRIN bloom indexes were introduced, but this code path was only rarely reached then. It's substantially more likely to be hit in v17 because parallel index builds now use the code.
Fix unexpected “attribute has wrong type” errors in UPDATE, DELETE, and MERGE queries that use whole-row table references to views or functions in FROM (Tom Lane) §
Fix MERGE into a partitioned table with DO NOTHING actions (Tender Wang) §
Some cases failed with “unknown action in MERGE WHEN clause” errors.
Prevent failure in INSERT commands when the table has a GENERATED column of a domain data type and the domain's constraints disallow null values (Jian He) §
Constraint failure was reported even if the generation expression produced a perfectly okay result.
Correctly process references to outer CTE names that appear within a WITH clause attached to an INSERT/UPDATE/DELETE/MERGE command that's inside WITH (Tom Lane) §
The parser failed to detect disallowed recursion cases, nor did it account for such references when sorting CTEs into a usable order.
Fix misprocessing of casts within the keys of JSON constructor expressions (Amit Langote) §
Don't try to parallelize array_agg() when the argument is of an anonymous record type (Richard Guo, Tom Lane) §
The protocol for communicating with parallel workers doesn't support identifying the concrete record type that a worker is returning.
Fix ARRAY(subquery) and ARRAY[expression, ...] constructs to produce sane results when the input is of type int2vector or oidvector (Tom Lane) §
This patch restores the behavior that existed before PostgreSQL 9.5: the result is of type int2vector[] or oidvector[].
Fix possible erroneous reports of invalid affixes while parsing Ispell dictionaries (Jacob Brazeal) §
Fix ALTER TABLE ADD COLUMN to correctly handle the case of a domain type that has a default (Jian He, Tom Lane, Tender Wang) § §
If a domain type has a default, adding a column of that type (without any explicit DEFAULT clause) failed to install the domain's default value in existing rows, instead leaving the new column null.
Repair misbehavior when there are duplicate column names in a foreign key constraint's ON DELETE SET DEFAULT or SET NULL action (Tom Lane) §
Improve the error message for disallowed attempts to alter the properties of a foreign key constraint (Álvaro Herrera) §
Avoid error when resetting the relhassubclass flag of a temporary table that's marked ON COMMIT DELETE ROWS (Noah Misch) §
Add missing deparsing of the INDENT option of XMLSERIALIZE() (Jim Jones) § §
Previously, views or rules using XMLSERIALIZE(... INDENT) were dumped without the INDENT clause, causing incorrect results after restore.
Avoid premature evaluation of the arguments of an aggregate function that has both FILTER and ORDER BY (or DISTINCT) options (David Rowley) §
If there is ORDER BY or DISTINCT, we consider pre-sorting the aggregate input values rather than doing the sort within the Agg plan node. But this is problematic if the aggregate inputs include expressions that could fail (for example, a division where some of the input divisors could be zero) and there is a FILTER clause that's meant to prevent such failures. Pre-sorting would push the expression evaluations to before the FILTER test, allowing the failures to happen anyway. Avoid this by not pre-sorting if there's a FILTER and the input expressions are anything more complex than a simple Var or Const.
Fix erroneous deductions from column NOT NULL constraints in the presence of outer joins (Richard Guo) §
In some cases the planner would discard an IS NOT NULL query condition, even though the condition applies after an outer join and thus is not redundant.
Avoid incorrect optimizations based on IS [NOT] NULL tests that are applied to composite values (Bruce Momjian) §
Fix planner's failure to identify more than one hashable ScalarArrayOpExpr subexpression within a top-level expression (David Geier) §
This resulted in unnecessarily-inefficient execution of any additional subexpressions that could have been processed with a hash table (that is, IN, NOT IN, or = ANY clauses with all-constant right-hand sides).
Fix incorrect table size estimate with low fill factor (Tomas Vondra) §
When the planner estimates the number of rows in a never-yet-analyzed table, it uses the table's fillfactor setting in the estimation, but it neglected to clamp the result to at least one row per page. A low fillfactor could thus result in an unreasonably small estimate.
Disable “skip fetch” optimization in bitmap heap scan (Matthias van de Meent) §
It turns out that this optimization can result in returning dead tuples when a concurrent vacuum marks a page all-visible.
Fix performance issues in GIN index search startup when there are many search keys (Tom Lane, Vinod Sridharan) § §
An indexable clause with many keys (for example, jsonbcol ?| array[...] with tens of thousands of array elements) took O(N^2) time to start up, and was uncancelable for that interval too.
Detect missing support procedures in a BRIN index operator class, and report an error instead of crashing (Álvaro Herrera) §
Respond to interrupts (such as query cancel) while waiting for asynchronous subplans of an Append plan node (Heikki Linnakangas) §
Previously, nothing would happen until one of the subplans becomes ready.
Report the I/O statistics of active WAL senders more frequently (Bertrand Drouvot) §
Previously, the pg_stat_io view failed to accumulate I/O performed by a WAL sender until that process exited. Now such I/O will be reported after at most one second's delay.
Fix race condition in handling of synchronous_standby_names immediately after startup (Melnikov Maksim, Michael Paquier) §
For a short period after system startup, backends might fail to wait for synchronous commit even though synchronous_standby_names is enabled.
Cope with possible intra-query changes of io_combine_limit (Thomas Munro) §
Avoid infinite loop if scram_iterations is set to INT_MAX (Kevin K Biju) §
Avoid possible crashes due to double transformation of json_array()'s subquery (Tom Lane) §
Fix pg_strtof() to not crash with null endptr (Alexander Lakhin, Tom Lane) §
Fix crash after out-of-memory in certain GUC assignments (Daniel Gustafsson) §
Avoid crash when a Snowball stemmer encounters an out-of-memory condition (Maksim Korotkov) §
Fix over-enthusiastic freeing of SpecialJoinInfo structs during planning (Richard Guo) §
This led to crashes during planning if partitionwise joining is enabled.
Disallow copying of invalidated replication slots (Shlok Kyal) §
This prevents trouble when the invalid slot points to WAL that's already been removed.
Disallow restoring logical replication slots on standby servers that are not in hot-standby mode (Masahiko Sawada) §
This prevents a scenario where the slot could remain valid after promotion even if wal_level is too low.
Prevent over-advancement of catalog xmin in “fast forward” mode of logical decoding (Zhijie Hou) §
This mistake could allow deleted catalog entries to be vacuumed away even though they were still potentially needed by the WAL-reading process.
Avoid data loss when DDL operations that don't take a strong lock affect tables that are being logically replicated (Shlok Kyal, Hayato Kuroda) § §
The catalog changes caused by the DDL command were not reflected into WAL-decoding processes, allowing them to decode subsequent changes using stale catalog data, probably resulting in data corruption.
Prevent incorrect reset of replication origin when an apply worker encounters an error but the error is caught and does not result in worker exit (Hayato Kuroda) §
This mistake could allow duplicate data to be applied.
Fix crash in logical replication if the subscriber's partitioned table has a BRIN index (Tom Lane) §
Avoid duplicate snapshot creation in logical replication index lookups (Heikki Linnakangas) § §
Improve detection of mixed-origin subscriptions (Hou Zhijie, Shlok Kyal) §
Subscription creation gives a warning if a subscribed-to table is also being followed through other publications, since that could cause duplicate data to be received. This change improves that logic to also detect cases where a partition parent or child table is the one being followed through another publication.
Fix wrong checkpoint details in error message about incorrect recovery timeline choice (David Steele) §
If the requested recovery timeline is not reachable, the reported checkpoint and timeline should be the values read from the backup_label, if there is one. This message previously reported values from the control file, which is correct when recovering from the control file without a backup_label, but not when there is a backup_label.
Fix order of operations in smgropen() (Andres Freund) §
Ensure that the SMgrRelation object is fully initialized before calling the smgr_open callback, so that it can be cleaned up properly if the callback fails.
Remove incorrect assertion in pgstat_report_stat() (Michael Paquier) §
Fix overly-strict assertion in gistFindCorrectParent() (Heikki Linnakangas) §
Avoid assertion failure in parallel vacuum when maintenance_work_mem has a very small value (Masahiko Sawada) §
Fix rare assertion failure in standby servers when the primary is restarted (Heikki Linnakangas) §
In PL/pgSQL, avoid “unexpected plan node type” error when a scrollable cursor is defined on a simple SELECT expression query (Andrei Lepikhov) §
Don't try to drop individual index partitions in pg_dump's --clean mode (Jian He) §
The server rejects such DROP commands. That has no real consequences, since the partitions will go away anyway in the subsequent DROPs of either their parent tables or their partitioned index. However, the error reported for the attempted drop causes problems when restoring in --single-transaction mode.
In pg_dumpall, avoid emitting invalid role GRANT commands if pg_auth_members contains invalid role OIDs (Tom Lane) §
Instead, print a warning and skip the entry. This copes better with catalog corruption that has been seen to occur in back branches as a result of race conditions between GRANT and DROP ROLE.
In pg_amcheck and pg_upgrade, use the correct function to free allocations made by libpq (Michael Paquier, Ranier Vilela) § § §
These oversights could result in crashes in certain Windows build configurations, such as a debug build of libpq used by a non-debug build of the calling application.
Fix reindexdb's scheduling of parallel reindex operations (Alexander Korotkov) §
The original coding failed to achieve the expected amount of parallelism.
Avoid crashing with corrupt input data in contrib/pageinspect's heap_page_items() (Dmitry Kovalenko) §
Prevent assertion failure in contrib/pg_freespacemap's pg_freespacemap() (Tender Wang) §
Applying pg_freespacemap() to a relation lacking storage (such as a view) caused an assertion failure, although there was no ill effect in non-assert builds. Add an error check to reject that case.
In contrib/postgres_fdw, avoid pulling up restriction conditions from subqueries (Alexander Pyhalov) §
This fix prevents rare cases of “unexpected expression in subquery output” errors.
Fix build failure when an old version of libpq_fe.h is present in system include directories (Tom Lane) §
Fix build failure on macOS 15.4 (Tom Lane, Peter Eisentraut) §
This macOS update broke our configuration probe for strchrnul().
Fix valgrind labeling of per-buffer data of read streams (Thomas Munro) §
This affects no core code in released versions of PostgreSQL, but an extension using the per-buffer data feature might have encountered spurious failures when being tested under valgrind.
Update time zone data files to tzdata release 2025b for DST law changes in Chile, plus historical corrections for Iran (Tom Lane) §
There is a new time zone America/Coyhaique for Chile's Aysén Region, to account for it changing to UTC-03 year-round and thus diverging from America/Santiago.
⇑ Upgrade to 17.6 released on 2025-08-14 - docs
Tighten security checks in planner estimation functions (Dean Rasheed) §
The fix for CVE-2017-7484, plus followup fixes, intended to prevent leaky functions from being applied to statistics data for columns that the calling user does not have permission to read. Two gaps in that protection have been found. One gap applies to partitioning and inheritance hierarchies where RLS policies on the tables should restrict access to statistics data, but did not.
The other gap applies to cases where the query accesses a table via a view, and the view owner has permissions to read the underlying table but the calling user does not have permissions on the view. The view owner's permissions satisfied the security checks, and the leaky function would get applied to the underlying table's statistics before we check the calling user's permissions on the view. This has been fixed by making security checks on views occur at the start of planning. That might cause permissions failures to occur earlier than before.
The PostgreSQL Project thanks Dean Rasheed for reporting this problem. (CVE-2025-8713)
Prevent pg_dump scripts from being used to attack the user running the restore (Nathan Bossart) §
Since dump/restore operations typically involve running SQL commands as superuser, the target database installation must trust the source server. However, it does not follow that the operating system user who executes psql to perform the restore should have to trust the source server. The risk here is that an attacker who has gained superuser-level control over the source server might be able to cause it to emit text that would be interpreted as psql meta-commands. That would provide shell-level access to the restoring user's own account, independently of access to the target database.
To provide a positive guarantee that this can't happen, extend psql with a \restrict command that prevents execution of further meta-commands, and teach pg_dump to issue that before any data coming from the source server.
The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem. (CVE-2025-8714)
Convert newlines to spaces in names included in comments in pg_dump output (Noah Misch) §
Object names containing newlines offered the ability to inject arbitrary SQL commands into the output script. (Without the preceding fix, injection of psql meta-commands would also be possible this way.) CVE-2012-0868 fixed this class of problem at the time, but later work reintroduced several cases.
The PostgreSQL Project thanks Noah Misch for reporting this problem. (CVE-2025-8715)
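The comment-injection problem described in this item, as an added illustration (not pg_dump's own code): the header layout is a simplified model of the comment block written before each object in a plain-text dump, and the function names and the sample object name are constructed for this example.

```python
import re

# CR, LF or CRLF: any of these ends a "--" comment in a SQL script.
LINE_BREAK = re.compile(r"\r\n|\r|\n")


def header_unsafe(name, objtype, schema, owner):
    """Vulnerable form: the object name is pasted into the comment verbatim."""
    return (
        "--\n"
        f"-- Name: {name}; Type: {objtype}; Schema: {schema}; Owner: {owner}\n"
        "--\n"
    )


def one_line(text):
    """Hardened form of a value: each line break becomes a single space."""
    return LINE_BREAK.sub(" ", text)


def header_safe(name, objtype, schema, owner):
    """Same header, but no field can end the comment line early."""
    return header_unsafe(
        one_line(name), one_line(objtype), one_line(schema), one_line(owner)
    )


def statement_lines(script):
    """Non-blank lines that a SQL reader would NOT treat as '--' comments."""
    return [
        line
        for line in LINE_BREAK.split(script)
        if line.strip() and not line.lstrip().startswith("--")
    ]


# Constructed object name: the embedded newline closes the comment, so the
# text after it is read as a statement when the script is restored.
HOSTILE_NAME = "t1\nSELECT 'not a comment';\n--"


if __name__ == "__main__":
    for build in (header_unsafe, header_safe):
        script = build(HOSTILE_NAME, "TABLE", "public", "alice")
        print(build.__name__, "->", statement_lines(script))
```

statement_lines() can also serve as a regression check over a generated header: any non-empty result means a field escaped its comment.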
Fix incorrect distance calculation in BRIN numeric_minmax_multi_ops support function (Peter Eisentraut, Tom Lane) §
The results were sometimes wrong on 64-bit platforms, and wildly wrong on 32-bit platforms. This did not produce obvious failures because the logic is only used to choose how to merge values into ranges; at worst the index would become inefficient and bloated. Nonetheless it's recommended to reindex any BRIN indexes that use the numeric_minmax_multi_ops operator class.
Avoid regression in the size of XML input that we will accept (Michael Paquier, Erik Wienhold) § §
Our workaround for a bug in early 2.13.x releases of libxml2 made use of a code path that rejects text chunks exceeding 10MB, whereas the previous coding did not. Those early releases are presumably extinct in the wild by now, so revert to the previous coding.
Fix MERGE problems with concurrent updates (Dean Rasheed) §
If a MERGE inside a CTE attempts an update or delete on a table with BEFORE ROW triggers, and a concurrent UPDATE or DELETE changes the target row, the MERGE command would fail (crashing in the case of an update action, and potentially executing the wrong action in the case of a delete action).
Fix MERGE into a plain-inheritance parent table (Dean Rasheed) §
Insertions into such a target table could crash or produce incorrect query results due to failing to handle WITH CHECK OPTION and RETURNING actions.
Allow tables with statement-level triggers to become partitions or inheritance children (Etsuro Fujita) §
We do not allow partitions or inheritance child tables to have row-level triggers with transition tables, because an operation on the whole inheritance tree would need to maintain a separate transition table for each such child table. But that problem does not apply for statement-level triggers, because only the parent's statement-level triggers will be fired. The code that checks whether an existing table can become a partition or inheritance child nonetheless rejected both kinds of trigger.
Disallow collecting transition tuples from child foreign tables (Etsuro Fujita) §
We do not support triggers with transition tables on foreign tables. However, the case of a partition or inheritance child that is a foreign table was overlooked. If the parent has such a trigger, incorrect transition tuples were collected from the foreign child. Instead throw an error, reporting that the case is not supported.
Allow resetting unknown custom parameters with reserved prefixes (Nathan Bossart) §
Previously, if a parameter setting had been stored using ALTER DATABASE/ROLE/SYSTEM, the stored setting could not be removed if the parameter was unknown but had a reserved prefix. This case could arise if an extension used to have a parameter, but that parameter had been removed in an upgrade.
Fix a potential deadlock during ALTER SUBSCRIPTION ... DROP PUBLICATION (Ajin Cherian) §
Ensure that server processes acquire catalog locks in a consistent order during replication origin drops.
Shorten the race condition window for creating indexes with conflicting names (Tom Lane) §
When choosing an auto-generated name for an index, avoid conflicting with not-yet-committed pg_class rows as well as fully-valid ones. This avoids possibly choosing the same name as some concurrent CREATE INDEX did, when that command is still in process of filling its index, or is done but is part of a not-yet-committed transaction. There's still a window for trouble, but it's only as long as the time needed to validate a new index's parameters and insert its pg_class row.
Prevent usage of incorrect VACUUM options in some cases where multiple tables are vacuumed in a single command (Nathan Bossart, Michael Paquier) §
The TRUNCATE and INDEX_CLEANUP options of one table could be applied to others.
Ensure that the table's free-space map is updated in a timely way when vacuuming a table that has no indexes (Masahiko Sawada) §
A previous optimization caused FSM vacuuming to sometimes be skipped for such tables.
Fix processing of character classes within SIMILAR TO regular expressions (Laurenz Albe) § §
The code that translates SIMILAR TO pattern matching expressions to POSIX-style regular expressions did not consider that square brackets can be nested. For example, in a pattern like [[:alpha:]%_], the code treated the % and _ characters as metacharacters when they should be literals.
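The effect of not tracking bracket nesting can be reproduced outside the server. The C program below is an added illustration, not PostgreSQL's translation code: translate(), similar_to() and the track_nesting flag are names invented here, only %, _ and [:class:] are handled, and matching uses the platform's POSIX regcomp() rather than PostgreSQL's regex engine.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified SIMILAR TO -> POSIX ERE translation (constructed example): handles
 * %, _ and [:class:] only. track_nesting == false models the described defect. */
static bool translate(const char *pat, bool track_nesting, char *out, size_t outlen)
{
    size_t n = 2;
    int depth = 0;  /* 0 outside brackets, 1 in [...], 2 in nested [:class:] */
    const char *p;
    if (outlen < 8)
        return false;
    memcpy(out, "^(", 2);
    for (p = pat; *p && n + 5 < outlen; p++) {
        if (depth == 0 && (*p == '%' || *p == '_')) {
            out[n++] = '.';             /* '_' becomes "." */
            if (*p == '%')
                out[n++] = '*';         /* '%' becomes ".*" */
            continue;
        }
        if (depth == 0 && *p == '[')
            depth = 1;
        else if (depth == 1 && track_nesting && *p == '[' && p[1] == ':')
            depth = 2;
        else if (depth > 0 && *p == ']')
            depth = (depth == 2) ? 1 : 0;
        out[n++] = *p;                  /* everything else is copied as-is */
    }
    memcpy(out + n, ")$", 3);           /* includes the terminating NUL */
    return *p == '\0';                  /* false if the pattern was truncated */
}

/* 1 = subject matches, 0 = no match, -1 = pattern too long or invalid. */
static int similar_to(const char *subject, const char *pat, bool track_nesting)
{
    char re[256];
    regex_t rx;
    int rc;
    if (!translate(pat, track_nesting, re, sizeof re) ||
        regcomp(&rx, re, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&rx, subject, 0, NULL, 0);
    regfree(&rx);
    return rc == 0;
}

int main(void)
{
    printf("%d %d\n", similar_to("%", "[[:alpha:]%_]", false),
           similar_to("%", "[[:alpha:]%_]", true));
    return 0;
}
```

In this model the flag-only rule turns the class into one that accepts "." and "*" and rejects "%" and "_", so a pattern used for input validation accepts a different character set than the one written.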
When deparsing queries, always add parentheses around the expression in FETCH FIRST expression ROWS WITH TIES clauses (Heikki Linnakangas) § §
This avoids some cases where the deparsed result wasn't syntactically valid.
Limit the checkpointer process's fsync request queue size (Alexander Korotkov, Xuneng Zhou) § §
With very large shared_buffers settings, it was possible for the checkpointer to attempt to allocate more than 1GB for fsync requests, leading to failure and an infinite loop. Clamp the queue size to prevent this scenario.
Avoid infinite wait in logical decoding when reading a partially-written WAL record (Vignesh C) §
If the server crashes after writing the first part of a WAL record that would span multiple pages, subsequent logical decoding of the WAL stream would wait for data to arrive on the next WAL page. That might never happen if the server is now idle.
Fix inconsistent spelling of LWLock names for MultiXactOffsetSLRU and MultiXactMemberSLRU (Bertrand Drouvot) §
This resulted in different wait-event names being displayed in pg_wait_events and pg_stat_activity, potentially breaking monitoring queries that join those views.
Fix inconsistent quoting of role names in ACL strings (Tom Lane) §
The previous quoting rule was locale-sensitive, which could lead to portability problems when transferring aclitem values across installations. (pg_dump does not do that, but other tools might.) To ensure consistency, always quote non-ASCII characters in aclitem output; but to preserve backward compatibility, never require that they be quoted during aclitem input.
Reject equal signs (=) in the names of relation options and foreign-data options (Tom Lane) §
There's no evident use-case for option names like this, and allowing them creates ambiguity in the stored representation.
Fix potentially-incorrect decompression of LZ4-compressed archive data (Mikhail Gribkov) §
This error seems to manifest only with not-very-compressible input data, which may explain why it escaped detection.
Avoid a rare scenario where a btree index scan could mark the wrong index entries as dead (Peter Geoghegan) §
Avoid re-distributing cache invalidation messages from other transactions during logical replication (vignesh C) §
Our previous round of minor releases included a bug fix to ensure that replication receiver processes would respond to cross-process cache invalidation messages, preventing them from using stale catalog data while performing replication updates. However, the fix unintentionally made them also redistribute those messages again, leading to an exponential increase in the number of invalidation messages, which would often end in a memory allocation failure. Fix by not redistributing received messages.
Avoid unexpected server shutdown when replication slot synchronization is misconfigured (Fujii Masao) §
The postmaster process would report an error (and then stop) if sync_replication_slots was set to true while wal_level was less than logical. The desired behavior is just that slot synchronization should be disabled, so reduce this error message's level to avoid postmaster shutdown.
Avoid premature removal of old WAL during checkpoints (Vitaly Davydov) §
If a replication slot's restart point is advanced while a checkpoint is in progress, no-longer-needed WAL segments could get removed too soon, leading to recovery failure if the database crashes immediately afterwards. Fix by keeping them for one additional checkpoint cycle.
Never move a replication slot's confirmed-flush position backwards (Shveta Malik) §
In some cases a replication client could acknowledge an LSN that's past what it has stored persistently, and then perhaps send an older LSN after a restart. We consider this not-a-bug so long as the client did not have anything it needed to do for the WAL between the two points. However, we should not re-send that WAL for fear of data duplication, so make sure we always believe the latest confirmed LSN for a given slot.
Prevent excessive delays before launching new logical replication workers (Tom Lane) §
In some cases the logical replication launcher could sleep considerably longer than the configured wal_retrieve_retry_interval before launching a new worker.
Fix use-after-free during logical replication of INSERT ... ON CONFLICT (Ethan Mertz, Michael Paquier) §
This could result in incorrect progress reporting, or with very bad luck it could result in a crash of the WAL sender process.
Allow waiting for a transaction on a standby server to be interrupted (Kevin K Biju) §
Creation of a replication slot on a standby server may require waiting for some active transaction(s) to finish on the primary and then be replayed on the standby. Since that could be an indefinite wait, it's desirable to allow the operation to be cancelled, but there was no check for query cancel in the loop.
Do not let cascading logical WAL senders try to send data that's beyond what has been replayed on their standby server (Alexey Makhmutov) §
This avoids a situation where such WAL senders could get stuck at standby server shutdown, waiting for replay work that will not happen because the server's startup process is already shut down.
Fix per-relation memory leakage in autovacuum (Tom Lane) §
Fix session-lifespan memory leaks in XMLSERIALIZE(... INDENT) (Dmitry Kovalenko, Tom Lane) § §
Fix possible crash after out-of-memory when allocating large chunks with the “bump” allocator (Tom Lane) §
Fix some places that might try to fetch toasted fields of system catalogs without any snapshot (Nathan Bossart) §
This could result in an assertion failure or “cannot fetch toast data without an active snapshot” error.
Avoid assertion failure during cross-table constraint updates (Tom Lane, Jian He) § §
Remove faulty assertion that a command tag must have been determined by the end of PortalRunMulti() (Álvaro Herrera) §
This failed in edge cases such as an empty prepared statement.
Fix assertion failure in XMLTABLE parsing (Richard Guo) §
Restore the ability to run PL/pgSQL expressions in parallel (Dipesh Dhameliya) §
PL/pgSQL's notion of an “expression” is very broad, encompassing any SQL SELECT query that returns a single column and no more than one row. So there are cases, for example evaluation of an aggregate function, where the query involves significant work and it'd be useful to run it with parallel workers. This used to be possible, but a previous bug fix unintentionally disabled it.
Fix edge-case resource leaks in PL/Python error reporting (Tom Lane) § §
An out-of-memory failure while reporting an error from Python could result in failure to drop reference counts on Python objects, leading to session-lifespan memory leakage.
Fix libpq's PQcancelCreate() function for the case where the server's address was specified using hostaddr (Sergei Kornilov) §
libpq would crash if the resulting cancel object was actually used.
Fix libpq's PQport() function to never return NULL unless the passed connection is NULL (Daniele Varrazzo) §
This is the documented behavior, but recent libpq versions would return NULL in some cases where the user had not provided a port specification. Revert to our historical behavior of returning an empty string in such cases. (v18 and later will return the compiled-in default port number, typically "5432", instead.)
Avoid failure when GSSAPI authentication requires packets larger than 16kB (Jacob Champion, Tom Lane) §
Larger authentication packets are needed for Active Directory users who belong to many AD groups. This limitation manifested in connection failures with unintelligible error messages, typically “GSSAPI context establishment error: The routine must be called again to complete its function: Unknown error”.
Fix timing-dependent failures in SSL and GSSAPI data transmission (Tom Lane) §
When using SSL or GSSAPI encryption in non-blocking mode, libpq sometimes failed with “SSL error: bad length” or “GSSAPI caller failed to retransmit all data needing to be retried”.
Avoid null-pointer dereference during connection lookup in ecpg applications (Aleksander Alekseev) §
The case could occur only if the application has some connections that are named and some that are not.
Improve psql's tab completion for COPY and \copy options (Atsushi Torikoshi) §
The same completions were offered for both COPY FROM and COPY TO, although some options are only valid for one case or the other. Distinguish these cases to provide more accurate suggestions.
Avoid assertion failure in pgbench when multiple pipeline sync messages are received (Fujii Masao) §
Fix duplicate transaction replay when initializing a subscription with pg_createsubscriber (Shlok Kyal) §
It was possible for the last transaction processed during subscriber recovery to be sent again once normal replication begins.
Ensure that pg_dump dumps comments on not-null constraints on domain types (Jian He, Álvaro Herrera) §
Ensure that pg_dump dumps comments on domain constraints in a valid order (Jian He) §
In some cases the comment command could appear before creation of the constraint.
Ensure stable sort ordering in pg_dump for all types of database objects (Noah Misch, Andreas Karlsson) § § §
pg_dump sorts objects by their logical names before performing dependency-driven reordering. This sort did not account for the full unique key identifying certain object types such as rules and constraints, and thus it could produce dissimilar sort orders for logically-identical databases. That made it difficult to compare databases by diff'ing pg_dump output, so improve the logic to ensure stable sort ordering in all cases.
Fix incorrect parsing of object types in pg_dump filter files (Fujii Masao) §
Treat keywords as extending to the next whitespace, rather than stopping at the first non-alphanumeric character as before. This makes no difference for valid keywords, but it allows some error cases to be recognized properly. For example, table-data will now be rejected, whereas previously it was misinterpreted as table.
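Existing filter files can be audited for lines whose meaning changes under the new rule. The C sketch below is an added example, not pg_dump's parser: audit_filter_line() and the verdict names are invented here, comments and quoting are not handled, and treating '_' as part of a keyword under the old rule is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Object-type keywords documented for pg_dump --filter files. */
static const char *const object_types[] = {
    "extension", "foreign_data", "schema", "table", "table_and_children",
    "table_data", "table_data_and_children", NULL
};

enum verdict { LINE_OK, LINE_REJECTED, LINE_MISREAD_BY_OLD_RULE };

static int known_type(const char *s, size_t len)
{
    for (int i = 0; object_types[i]; i++)
        if (strlen(object_types[i]) == len && memcmp(object_types[i], s, len) == 0)
            return 1;
    return 0;
}

/* Classify one "include|exclude <object type> <pattern>" line (simplified: no
 * comments or quoting, pattern not checked). Old rule: the keyword ends at the
 * first character that is not alphanumeric or '_' (assumed). New rule: it ends
 * at whitespace. "Misread" = only the old rule yields a valid object type. */
static enum verdict audit_filter_line(const char *line)
{
    const char *kw = line;
    size_t old_len = 0, new_len = 0;

    while (isspace((unsigned char) *kw))
        kw++;
    if (strncmp(kw, "include", 7) != 0 && strncmp(kw, "exclude", 7) != 0)
        return LINE_REJECTED;
    kw += 7;
    if (!isspace((unsigned char) *kw))
        return LINE_REJECTED;
    while (isspace((unsigned char) *kw))
        kw++;
    while (isalnum((unsigned char) kw[old_len]) || kw[old_len] == '_')
        old_len++;
    while (kw[new_len] != '\0' && !isspace((unsigned char) kw[new_len]))
        new_len++;
    if (known_type(kw, new_len))
        return LINE_OK;
    return known_type(kw, old_len) ? LINE_MISREAD_BY_OLD_RULE : LINE_REJECTED;
}

int main(void)
{
    /* Constructed sample line, using the keyword quoted in the note. */
    printf("%d\n", audit_filter_line("exclude table-data audit_log"));
    return 0;
}
```

A line reported as misread is one that older pg_dump accepted with a different object type than the one written, which matters most for exclude rules that were meant to keep data out of a dump.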
pg_restore failed to restore large objects (BLOBs) from directory-format dumps made by pg_dump versions before PostgreSQL v12 (Pavel Stehule) §
In pg_upgrade, check for inconsistent inherited not-null constraints (Ali Akbar) § § §
PostgreSQL versions before 18 allow an inherited column not-null constraint to be dropped. However, this results in a schema that cannot be restored, leading to failure in pg_upgrade. Detect such cases during pg_upgrade's preflight checks to allow users to fix them before initiating the upgrade.
Don't require that the target installation have max_slot_wal_keep_size set to its default during pg_upgrade (Dilip Kumar) §
Avoid assertion failure if track_commit_timestamp is enabled during initdb (Hayato Kuroda, Andy Fan) §
Fix pg_waldump to show information about dropped statistics in PREPARE TRANSACTION WAL records (Daniil Davydov) §
Avoid possible leak of the open connection during contrib/dblink connection establishment (Tom Lane) §
In the rare scenario where we hit out-of-memory while inserting the new connection object into dblink's hashtable, the open connection would be leaked until end of session, leaving an idle session sitting on the remote server.
Make contrib/pg_prewarm cope with very large shared_buffers settings (Daria Shanina) §
Autoprewarm failed with a memory allocation error if shared_buffers was larger than about 50 million buffers (400GB).
Prevent assertion failure in contrib/pg_prewarm (Masahiro Ikeda) §
Applying pg_prewarm() to a relation lacking storage (such as a view) caused an assertion failure, although there was no ill effect in non-assert builds. Add an error check to reject that case.
In contrib/pg_stat_statements, avoid leaving gaps in the set of parameter numbers used in a normalized query (Sami Imseih) §
Fix memory leakage in contrib/postgres_fdw's DirectModify methods (Tom Lane) §
The PGresult holding the results of the remote modify command would be leaked for the rest of the session if the query fails between invocations of the DirectModify methods, which could happen when there's RETURNING data to process.
Ensure that directories listed in configure's --with-includes and --with-libraries options are searched before system-supplied directories (Tom Lane) §
A common reason for using these options is to allow a user-built version of some library to override the system-supplied version. However, that failed to work in some environments because of careless ordering of switches in the commands issued by the makefiles.
Fix configure's checks for __cpuid() and __cpuidex() (Lukas Fittl, Michael Paquier) §
configure failed to detect these Windows-specific functions, so that they would not be used, leading to slower-than-necessary CRC computations since the availability of hardware instructions could not be verified. The practical impact of this error was limited, because production builds for Windows typically do not use the Autoconf toolchain.
Fix build failure with --with-pam option on Solaris-based platforms (Tom Lane) §
Solaris is inconsistent with other Unix platforms about the API for PAM authentication. This manifested as an “inconsistent pointer” compiler warning, which we never did anything about. But as of GCC 14 it's an error not warning by default, so fix it.
Make our code portable to GNU Hurd (Michael Banck, Christoph Berg, Samuel Thibault) § §
Fix assumptions about IOV_MAX and O_RDONLY that don't hold on Hurd.
Make our usage of memset_s() conform strictly to the C11 standard (Tom Lane) §
This avoids compile failures on some platforms.
Silence compatibility warning when using Meson to build with MSVC (Peter Eisentraut) §
Prevent uninitialized-value compiler warnings in JSONB comparison code (Tom Lane) §
Avoid deprecation warnings when building with libxml2 2.14 and later (Michael Paquier) §
Avoid problems when compiling pg_locale.h under C++ (John Naylor) §
PostgreSQL header files generally need to be wrapped in extern "C" { ... } in order to be included in extensions written in C++. This failed for pg_locale.h because of its use of libicu headers, but we can work around that by suppressing C++-only declarations in those headers. C++ extensions that want to use libicu's C++ APIs can do so by including the libicu headers ahead of pg_locale.h.