Upgrading from 9.1.2 to 9.1.24 gives you 4.9 years worth of fixes (637 of them)

List of changes:

• ⇑ Upgrade to 9.1.3 released on 2012-02-27 - docs

  • Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)

    This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866)

  • Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas)

    Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. (CVE-2012-0867)

  • Convert newlines to spaces in names written in pg_dump comments (Robert Haas)

    pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868)

  • Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane)

    An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as “could not read block N in file ...”) or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things.

  • Fix transient zeroing of shared buffers during WAL replay (Tom Lane)

    The replay logic would sometimes zero and refill a shared buffer, so that the contents were transiently invalid. In hot standby mode this can result in a query that's executing in parallel seeing garbage data. Various symptoms could result from that, but the most common one seems to be “invalid memory alloc request size”.

  • Fix handling of data-modifying WITH subplans in READ COMMITTED rechecking (Tom Lane)

    A WITH clause containing INSERT/UPDATE/DELETE would crash if the parent UPDATE or DELETE command needed to be re-evaluated at one or more rows due to concurrent updates in READ COMMITTED mode.

  • Fix corner case in SSI transaction cleanup (Dan Ports)

    When finishing up a read-write serializable transaction, a crash could occur if all remaining active serializable transactions are read-only.

  • Fix postmaster to attempt restart after a hot-standby crash (Tom Lane)

    A logic error caused the postmaster to terminate, rather than attempt to restart the cluster, if any backend process crashed while operating in hot standby mode.

  • Fix CLUSTER/VACUUM FULL handling of toast values owned by recently-updated rows (Tom Lane)

    This oversight could lead to “duplicate key value violates unique constraint” errors being reported against the toast table's index during one of these commands.

  • Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane)

    Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions.

  • Support foreign data wrappers and foreign servers in REASSIGN OWNED (Alvaro Herrera)

    This command failed with “unexpected classid” errors if it needed to change the ownership of any such objects.

  • Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas)

    Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one.

  • Fix “unsupported node type” error caused by COLLATE in an INSERT expression (Tom Lane)

  • Avoid crashing when we have problems deleting table files post-commit (Tom Lane)

    Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database.

  • Recover from errors occurring during WAL replay of DROP TABLESPACE (Tom Lane)

    Replay will attempt to remove the tablespace's directories, but there are various reasons why this might fail (for example, incorrect ownership or permissions on those directories). Formerly the replay code would panic, rendering the database unrestartable without manual intervention. It seems better to log the problem and continue, since the only consequence of failure to remove the directories is some wasted disk space.

  • Fix race condition in logging AccessExclusiveLocks for hot standby (Simon Riggs)

    Sometimes a lock would be logged as being held by “transaction zero”. This is at least known to produce assertion failures on slave servers, and might be the cause of more serious problems.

  • Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane)

    Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed.

  • Prevent emitting misleading “consistent recovery state reached” log message at the beginning of crash recovery (Heikki Linnakangas)

  • Fix initial value of pg_stat_replication.replay_location (Fujii Masao)

    Previously, the value shown would be wrong until at least one WAL record had been replayed.

  • Fix regular expression back-references with * attached (Tom Lane)

    Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol.

    A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release.

  • Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas)

    A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column.

  • Fix planner's ability to push down index-expression restrictions through UNION ALL (Tom Lane)

    This type of optimization was inadvertently disabled by a fix for another problem in 9.1.2.

  • Fix planning of WITH clauses referenced in UPDATE/DELETE on an inherited table (Tom Lane)

    This bug led to “could not find plan for CTE” failures.

  • Fix GIN cost estimation to handle column IN (...) index conditions (Marti Raudsepp)

    This oversight would usually lead to crashes if such a condition could be used with a GIN index.

  • Prevent assertion failure when exiting a session with an open, failed transaction (Tom Lane)

    This bug has no impact on normal builds with asserts not enabled.

  • Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane)

    In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible.

  • Avoid double close of file handle in syslogger on Windows (MauMau)

    Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows.

  • Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane)

    Certain operations would leak memory until the end of the current function.

  • Work around bug in perl's SvPVutf8() function (Andrew Dunstan)

    This function crashes when handed a typeglob or certain read-only objects such as $^V. Make plperl avoid passing those to it.

  • In pg_dump, don't dump contents of an extension's configuration tables if the extension itself is not being dumped (Tom Lane)

  • Improve pg_dump's handling of inherited table columns (Tom Lane)

    pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly.

  • Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane)

    Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay.

  • Teach pg_upgrade to handle renaming of plpython's shared library (Bruce Momjian)

    Upgrading a pre-9.1 database that included plpython would fail because of this oversight.

  • Allow pg_upgrade to process tables containing regclass columns (Bruce Momjian)

    Since pg_upgrade now takes care to preserve pg_class OIDs, there was no longer any reason for this restriction.

  • Make libpq ignore ENOTDIR errors when looking for an SSL client certificate file (Magnus Hagander)

    This allows SSL connections to be established, though without a certificate, even when the user's home directory is set to something like /dev/null.

  • Fix some more field alignment issues in ecpg's SQLDA area (Zoltan Boszormenyi)

  • Allow AT option in ecpg DEALLOCATE statements (Michael Meskes)

    The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case.

  • Do not use the variable name when defining a varchar structure in ecpg (Michael Meskes)

  • Fix contrib/auto_explain's JSON output mode to produce valid JSON (Andrew Dunstan)

    The output used brackets at the top level, when it should have used braces.

  • Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge)

    If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result.

  • Fix error detection in contrib/pgcrypto's encrypt_iv() and decrypt_iv() (Marko Kreen)

    These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input.

  • Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot)

    The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad.

  • Use __sync_lock_test_and_set() for spinlocks on ARM, if available (Martin Pitt)

    This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.

  • Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan)

    This prevents assorted scenarios wherein recent versions of gcc will produce creative results.

  • Allow use of threaded Python on FreeBSD (Chris Rees)

    Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check.

  • Allow MinGW builds to use standardly-named OpenSSL libraries (Tomasz Ostrowski)

• ⇑ Upgrade to 9.1.4 released on 2012-06-04 - docs

  • Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer)

    If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143)

  • Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane)

    Applying such attributes to a call handler could crash the server. (CVE-2012-2655)

  • Make contrib/citext's upgrade script fix collations of citext arrays and domains over citext (Tom Lane)

    Release 9.1.2 provided a fix for collations of citext columns and indexes in databases upgraded or reloaded from pre-9.1 installations, but that fix was incomplete: it neglected to handle arrays and domains over citext. This release extends the module's upgrade script to handle these cases. As before, if you have already run the upgrade script, you'll need to run the collation update commands by hand instead. See the 9.1.2 release notes for more information about doing this.

  • Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane)

    Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload.

  • Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane)

    This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions.

  • Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter)

  • Fix memory copying bug in to_tsquery() (Heikki Linnakangas)

  • Ensure txid_current() reports the correct epoch when executed in hot standby (Simon Riggs)

  • Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane)

    This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with “ERROR: Upper-level PlaceHolderVar found where not expected”. But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should.

  • Fix planning of UNION ALL subqueries with output columns that are not simple variables (Tom Lane)

    Planning of such cases got noticeably worse in 9.1 as a result of a misguided fix for “MergeAppend child's targetlist doesn't match MergeAppend” errors. Revert that fix and do it another way.

  • Fix slow session startup when pg_attribute is very large (Tom Lane)

    If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once.

  • Ensure sequential scans check for query cancel reasonably often (Merlin Moncure)

    A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile.

  • Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning (Tom Lane)

    This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences.

  • Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane)

    Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast.

  • Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane)

    A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4.

  • Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses (Tom Lane)

  • Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks (Tom Lane)

    Historically, PREPARE TRANSACTION has simply ignored any session-level advisory locks the session holds, but this case was accidentally broken in 9.1.

  • Fix truncation of unlogged tables (Robert Haas)

  • Ignore missing schemas during non-interactive assignments of search_path (Tom Lane)

    This re-aligns 9.1's behavior with that of older branches. Previously 9.1 would throw an error for nonexistent schemas mentioned in search_path settings obtained from places such as ALTER DATABASE SET.

  • Fix bugs with temporary or transient tables used in extension scripts (Tom Lane)

    This includes cases such as a rewriting ALTER TABLE within an extension update script, since that uses a transient table behind the scenes.

  • Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas)

    Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes.

  • Fix logging collector to not lose log coherency under high load (Andrew Dunstan)

    The collector previously could fail to reassemble large messages if it got too busy.

  • Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane)

  • Fix “too many LWLocks taken” failure in GiST indexes (Heikki Linnakangas)

  • Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane)

  • Correctly detect SSI conflicts of prepared transactions after a crash (Dan Ports)

  • Avoid synchronous replication delay when committing a transaction that only modified temporary tables (Heikki Linnakangas)

    In such a case the transaction's commit record need not be flushed to standby servers, but some of the code didn't know that and waited for it to happen anyway.

  • Fix error handling in pg_basebackup (Thomas Ogrisegg, Fujii Masao)

  • Fix walsender to not go into a busy loop if connection is terminated (Fujii Masao)

  • Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway)

  • Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane)

  • Ensure that PL/Perl package-qualifies the _TD variable (Alex Hunsaker)

    This bug caused trigger invocations to fail when they are nested within a function invocation that changes the current package.

  • Fix PL/Python functions returning composite types to accept a string for their result value (Jan Urbanski)

    This case was accidentally broken by the 9.1 additions to allow a composite result value to be supplied in other formats, such as dictionaries.

  • Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut)

  • Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane)

    pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences.

  • Fix memory and file descriptor leaks in pg_restore when reading a directory-format archive (Peter Eisentraut)

  • Fix pg_upgrade for the case that a database stored in a non-default tablespace contains a table in the cluster's default tablespace (Bruce Momjian)

  • In ecpg, fix rare memory leaks and possible overwrite of one byte after the sqlca_t structure (Peter Eisentraut)

  • Fix contrib/dblink's dblink_exec() to not leak temporary database connections upon error (Tom Lane)

  • Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi)

  • Fix contrib/vacuumlo to use multiple transactions when dropping many large objects (Tim Lewis, Robert Haas, Tom Lane)

    This change avoids exceeding max_locks_per_transaction when many objects need to be dropped. The behavior can be adjusted with the new -l (limit) option.

  • Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.

• ⇑ Upgrade to 9.1.5 released on 2012-08-17 - docs

  • Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane)

    xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489)

  • Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut)

    libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488)

    Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented “feature”, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it.

  • Prevent too-early recycling of btree index pages (Noah Misch)

    When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed.

  • Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane)

    If ALTER SEQUENCE was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an ALTER SEQUENCE OWNED BY step.

  • Fix race condition in enum-type value comparisons (Robert Haas, Tom Lane)

    Comparisons could fail when encountering an enum value added since the current query started.

  • Fix txid_current() to report the correct epoch when not in hot standby (Heikki Linnakangas)

    This fixes a regression introduced in the previous minor release.

  • Prevent selection of unsuitable replication connections as the synchronous standby (Fujii Masao)

    The master might improperly choose pseudo-servers such as pg_receivexlog or pg_basebackup as the synchronous standby, and then wait indefinitely for them.

  • Fix bug in startup of Hot Standby when a master transaction has many subtransactions (Andres Freund)

    This mistake led to failures reported as “out-of-order XID insertion in KnownAssignedXids”.

  • Ensure the backup_label file is fsync'd after pg_start_backup() (Dave Kerr)

  • Fix timeout handling in walsender processes (Tom Lane)

    WAL sender background processes neglected to establish a SIGALRM handler, meaning they would wait forever in some corner cases where a timeout ought to happen.

  • Wake walsenders after each background flush by walwriter (Andres Freund, Simon Riggs)

    This greatly reduces replication delay when the workload contains only asynchronously-committed transactions.

  • Fix LISTEN/NOTIFY to cope better with I/O problems, such as out of disk space (Tom Lane)

    After a write failure, all subsequent attempts to send more NOTIFY messages would fail with messages like “Could not read from file "pg_notify/nnnn" at offset nnnnn: Success”.

  • Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane)

    The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period.

  • Improve logging of autovacuum cancels (Robert Haas)

  • Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane)

  • Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane)

  • Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane)

  • Fix dependencies generated during ALTER TABLE ... ADD CONSTRAINT USING INDEX (Tom Lane)

    This command left behind a redundant pg_depend entry for the index, which could confuse later operations, notably ALTER TABLE ... ALTER COLUMN TYPE on one of the indexed columns.

  • Fix REASSIGN OWNED to work on extensions (Alvaro Herrera)

  • Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane)

    This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch.

  • Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki Linnakangas, Tom Lane)

  • Fix planner to pass correct collation to operator selectivity estimators (Tom Lane)

    This was not previously required by any core selectivity estimation function, but third-party code might need it.

  • Fix extraction of common prefixes from regular expressions (Tom Lane)

    The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns.

  • Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane)

  • Fix pg_dump to better handle views containing partial GROUP BY lists (Tom Lane)

    A view that lists only a primary key column in GROUP BY, but uses other table columns as if they were grouped, gets marked as depending on the primary key. Improper handling of such primary key dependencies in pg_dump resulted in poorly-ordered dumps, which at best would be inefficient to restore and at worst could result in outright failure of a parallel pg_restore run.

  • In PL/Perl, avoid setting UTF8 flag when in SQL_ASCII encoding (Alex Hunsaker, Kyotaro Horiguchi, Alvaro Herrera)

  • Use Postgres' encoding conversion functions, not Python's, when converting a Python Unicode string to the server encoding in PL/Python (Jan Urbanski)

    This avoids some corner-case problems, notably that Python doesn't support all the encodings Postgres does. A notable functional change is that if the server encoding is SQL_ASCII, you will get the UTF-8 representation of the string; formerly, any non-ASCII characters in the string would result in an error.

  • Fix mapping of PostgreSQL encodings to Python encodings in PL/Python (Jan Urbanski)

  • Report errors properly in contrib/xml2's xslt_process() (Tom Lane)

  • Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau

• ⇑ Upgrade to 9.1.6 released on 2012-09-24 - docs

  • Fix persistence marking of shared buffers during WAL replay (Jeff Davis)

    This mistake can result in buffers not being written out during checkpoints, resulting in data corruption if the server later crashes without ever having written those buffers. Corruption can occur on any server following crash recovery, but it is significantly more likely to occur on standby slave servers since those perform much more WAL replay. There is a low probability of corruption of btree and GIN indexes. There is a much higher probability of corruption of table “visibility maps”. Fortunately, visibility maps are non-critical data in 9.1, so the worst consequence of such corruption in 9.1 installations is transient inefficiency of vacuuming. Table data proper cannot be corrupted by this bug.

    While no index corruption due to this bug is known to have occurred in the field, as a precautionary measure it is recommended that production installations REINDEX all btree and GIN indexes at a convenient time after upgrading to 9.1.6.

    Also, if you intend to do an in-place upgrade to 9.2.X, before doing so it is recommended to perform a VACUUM of all tables while having vacuum_freeze_table_age set to zero. This will ensure that any lingering wrong data in the visibility maps is corrected before 9.2.X can depend on it. vacuum_cost_delay can be adjusted to reduce the performance impact of vacuuming, while causing it to take longer to finish.

  • Fix planner's assignment of executor parameters, and fix executor's rescan logic for CTE plan nodes (Tom Lane)

    These errors could result in wrong answers from queries that scan the same WITH subquery multiple times.

  • Fix misbehavior when default_transaction_isolation is set to serializable (Kevin Grittner, Tom Lane, Heikki Linnakangas)

    Symptoms include crashes at process start on Windows, and crashes in hot standby operation.

  • Improve selectivity estimation for text search queries involving prefixes, i.e. word:* patterns (Tom Lane)

  • Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane)

    Multi-column GiST indexes might suffer unexpected bloat due to this error.

  • Fix cascading privilege revoke to stop if privileges are still held (Tom Lane)

    If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to.

  • Disallow extensions from containing the schema they are assigned to (Thom Brown)

    This situation creates circular dependencies that confuse pg_dump and probably other things. It's confusing for humans too, so disallow it.

  • Improve error messages for Hot Standby misconfiguration errors (Gurjeet Singh)

  • Make configure probe for mbstowcs_l (Tom Lane)

    This fixes build failures on some versions of AIX.

  • Fix handling of SIGFPE when PL/Perl is in use (Andres Freund)

    Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl.

  • Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane)

  • Work around possible misoptimization in PL/Perl (Tom Lane)

    Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error.

  • Fix bugs in contrib/pg_trgm's LIKE pattern analysis code (Fujii Masao)

    LIKE queries using a trigram index could produce wrong results if the pattern contained LIKE escape characters.

  • Fix pg_upgrade's handling of line endings on Windows (Andrew Dunstan)

    Previously, pg_upgrade might add or remove carriage returns in places such as function bodies.

  • On Windows, make pg_upgrade use backslash path separators in the scripts it emits (Andrew Dunstan)

  • Remove unnecessary dependency on pg_config from pg_upgrade (Peter Eisentraut)

  • Update time zone data files to tzdata release 2012f for DST law changes in Fiji

• ⇑ Upgrade to 9.1.7 released on 2012-12-06 - docs

  • Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane)

    Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes.

    Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.

  • Fix buffer locking during WAL replay (Tom Lane)

    The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures.

  • Fix an error in WAL generation logic for GIN indexes (Tom Lane)

    This could result in index corruption, if a torn-page failure occurred.

  • Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running (Simon Riggs)

    This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY.

  • Avoid bogus “out-of-sequence timeline ID” errors in standby mode (Heikki Linnakangas)

  • Prevent the postmaster from launching new child processes after it's received a shutdown signal (Tom Lane)

    This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action.

  • Avoid corruption of internal hash tables when out of memory (Hitoshi Harada)

  • Prevent file descriptors for dropped tables from being held open past transaction end (Tom Lane)

    This should reduce problems with long-since-dropped tables continuing to occupy disk space.

  • Prevent database-wide crash and restart when a new child process is unable to create a pipe for its latch (Tom Lane)

    Although the new process must fail, there is no good reason to force a database-wide restart, so avoid that. This improves robustness when the kernel is nearly out of file descriptors.

  • Fix planning of non-strict equivalence clauses above outer joins (Tom Lane)

    The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join.

  • Fix SELECT DISTINCT with index-optimized MIN/MAX on an inheritance tree (Tom Lane)

    The planner would fail with “failed to re-find MinMaxAggInfo record” given this combination of factors.

  • Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane)

  • Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane)

    This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.

  • Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund)

    In very unusual circumstances, this oversight could result in passing incorrect data to a trigger WHEN condition, or to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.

  • Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee)

    This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later.

  • Fix ALTER EXTENSION SET SCHEMA's failure to move some subsidiary objects into the new schema (Álvaro Herrera, Dimitri Fontaine)

  • Fix REASSIGN OWNED to handle grants on tablespaces (Álvaro Herrera)

  • Ignore incorrect pg_attribute entries for system columns for views (Tom Lane)

    Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.

  • Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane)

  • Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane)

  • Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane)

  • Fix possible access past end of string in date parsing (Hitoshi Harada)

  • Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby (Tom Lane, Andres Freund)

    While this mistake had no particular impact on PostgreSQL itself, it was bad for applications that rely on txid_current() and related functions: the TXID value would appear to go backwards.

  • Fix display of pg_stat_replication.sync_state at a page boundary (Kyotaro Horiguchi)

  • Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan)

    Formerly, this would result in something quite unhelpful, such as “Non-recoverable failure in name resolution”.

  • Fix memory leaks when sending composite column values to the client (Tom Lane)

  • Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas)

    Fix race conditions and possible file descriptor leakage.

  • Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing)

  • Make pg_dump dump SEQUENCE SET items in the data not pre-data section of the archive (Tom Lane)

    This change fixes dumping of sequences that are marked as extension configuration tables.

  • Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane)

    The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.

  • Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane)

    The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.

  • Fix tar files emitted by pg_basebackup to be POSIX conformant (Brian Weaver, Tom Lane)

  • Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane)

    This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.

  • Fix libpq's lo_import() and lo_export() functions to report file I/O errors properly (Tom Lane)

  • Fix ecpg's processing of nested structure pointer variables (Muhammad Usama)

  • Fix ecpg's ecpg_get_data function to handle arrays properly (Michael Meskes)

  • Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane)

  • Ensure that make install for an extension creates the extension installation directory (Cédric Villemain)

    Previously, this step was missed if MODULEDIR was set in the extension's Makefile.

  • Fix pgxs support for building loadable modules on AIX (Tom Lane)

    Building modules outside the original source tree didn't work on AIX.

  • Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.

• ⇑ Upgrade to 9.1.8 released on 2013-02-07 - docs

  • Prevent execution of enum_recv from SQL (Tom Lane)

    The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. (CVE-2013-0255)

  • Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund)

  • Update minimum recovery point when truncating a relation file (Heikki Linnakangas)

    Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.

  • Fix recycling of WAL segments after changing recovery target timeline (Heikki Linnakangas)

  • Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs)

    The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data.

  • Prevent recovery pause feature from pausing before users can connect (Tom Lane)

  • Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)

  • Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck)

    Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives.

  • Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)

    CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.

  • Prevent DROP OWNED from trying to drop whole databases or tablespaces (Álvaro Herrera)

    For safety, ownership of these objects must be reassigned, not dropped.

  • Fix error in vacuum_freeze_table_age implementation (Andres Freund)

    In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead.

  • Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)

    This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.

  • Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)

  • Fix failure to ignore leftover temporary tables after a server crash (Tom Lane)

  • Reject out-of-range dates in to_date() (Hitoshi Harada)

  • Fix pg_extension_config_dump() to handle extension-update cases properly (Tom Lane)

    This function will now replace any existing entry for the target table, making it usable in extension update scripts.

  • Fix PL/Python's handling of functions used as triggers on multiple tables (Andres Freund)

  • Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)

    This bug affected psql and some other client programs.

  • Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)

  • Fix possible error if a relation file is removed while pg_basebackup is running (Heikki Linnakangas)

  • Make pg_dump exclude data of unlogged tables when running on a hot-standby server (Magnus Hagander)

    This would fail anyway because the data is not available on the standby server, so it seems most convenient to assume --no-unlogged-table-data automatically.

  • Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian)

  • Fix one-byte buffer overrun in libpq's PQprintTuples (Xi Wang)

    This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.

  • Make ecpglib use translated messages properly (Chen Huajun)

  • Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing)

  • Include our version of isinf() in libecpg if it's not provided by the system (Jiang Guiqing)

  • Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)

  • Ensure Windows build number increases over time (Magnus Hagander)

  • Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)

  • Add new timezone abbreviation FET (Tom Lane)

    This is now used in some eastern-European time zones.

• ⇑ Upgrade to 9.1.9 released on 2013-04-04 - docs

  • Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi)

    A connection request containing a database name that begins with “-” could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. (CVE-2013-1899)

  • Reset OpenSSL randomness state in each postmaster child process (Marko Kreen)

    This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. (CVE-2013-1900)

  • Make REPLICATION privilege checks test current user not authenticated user (Noah Misch)

    An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups. (CVE-2013-1901)

  • Fix GiST indexes to not use “fuzzy” geometric comparisons when it's not appropriate to do so (Alexander Korotkov)

    The core geometric types perform comparisons using “fuzzy” equality, but gist_box_same must do exact comparisons, else GiST indexes using it might become inconsistent. After installing this update, users should REINDEX any GiST indexes on box, polygon, circle, or point columns, since all of these use gist_box_same.

  • Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane)

    These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.

  • Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane)

    These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.

  • Fix gist_point_consistent to handle fuzziness consistently (Alexander Korotkov)

    Index scans on GiST indexes on point columns would sometimes yield results different from a sequential scan, because gist_point_consistent disagreed with the underlying operator code about whether to do comparisons exactly or fuzzily.

  • Fix buffer leak in WAL replay (Heikki Linnakangas)

    This bug could result in “incorrect local pin count” errors during replay, making recovery impossible.

  • Fix race condition in DELETE RETURNING (Tom Lane)

    Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash.

  • Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)

  • Fix potential null-pointer dereference in regular expression compilation (Tom Lane)

  • Fix to_char() to use ASCII-only case-folding rules where appropriate (Tom Lane)

    This fixes misbehavior of some template patterns that should be locale-independent, but mishandled “I” and “i” in Turkish locales.

  • Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)

  • Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane)

    The session wound up not listening for notify events at all, though it surely should listen in this case.

  • Fix possible planner crash after columns have been added to a view that's depended on by another view (Tom Lane)

  • Remove useless “picksplit doesn't support secondary split” log messages (Josh Hansen, Tom Lane)

    This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.

  • Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)

  • Eliminate memory leaks in PL/Perl's spi_prepare() function (Alex Hunsaker, Tom Lane)

  • Fix pg_dumpall to handle database names containing “=” correctly (Heikki Linnakangas)

  • Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas)

  • Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian)

    Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing.

  • In pg_basebackup, include only the current server version's subdirectory when backing up a tablespace (Heikki Linnakangas)

  • Add a server version check in pg_basebackup and pg_receivexlog, so they fail cleanly with version combinations that won't work (Heikki Linnakangas)

  • Fix contrib/pg_trgm's similarity() function to return zero for trigram-less strings (Tom Lane)

    Previously it returned NaN due to internal division by zero.

  • Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places.

    Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.

• ⇑ Upgrade to 9.1.10 released on 2013-10-10 - docs

  • Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan)

    PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding.

  • Fix checkpoint memory leak in background writer when wal_level = hot_standby (Naoya Anzai)

  • Fix memory leak caused by lo_open() failure (Heikki Linnakangas)

  • Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost)

  • Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas)

  • Fix deadlock bug in libpq when using SSL (Stephen Frost)

  • Fix possible SSL state corruption in threaded libpq applications (Nick Phillips, Stephen Frost)

  • Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth)

    Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs.

  • Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane)

    Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results.

  • Fix rare case of “failed to locate grouping columns” planner failure (Tom Lane)

  • Fix pg_dump of foreign tables with dropped columns (Andrew Dunstan)

    Previously such cases could cause a pg_upgrade error.

  • Reorder pg_dump processing of extension-related rules and event triggers (Joe Conway)

  • Force dumping of extension tables if specified by pg_dump -t or -n (Joe Conway)

  • Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane)

  • Fix pg_restore -l with the directory archive to display the correct format name (Fujii Masao)

  • Properly record index comments created using UNIQUE and PRIMARY KEY syntax (Andres Freund)

    This fixes a parallel pg_restore failure.

  • Properly guarantee transmission of WAL files before clean switchover (Fujii Masao)

    Previously, the streaming replication connection might close before all WAL files had been replayed on the standby.

  • Fix WAL segment timeline handling during recovery (Mitsumasa Kondo, Heikki Linnakangas)

    WAL file recycling during standby recovery could lead to premature recovery completion, resulting in data loss.

  • Fix REINDEX TABLE and REINDEX DATABASE to properly revalidate constraints and mark invalidated indexes as valid (Noah Misch)

    REINDEX INDEX has always worked properly.

  • Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane)

  • Fix regexp_matches() handling of zero-length matches (Jeevan Chalke)

    Previously, zero-length matches like '^' could return too many matches.

  • Fix crash for overly-complex regular expressions (Heikki Linnakangas)

  • Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke)

  • Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)

  • Allow ALTER DEFAULT PRIVILEGES to operate on schemas without requiring CREATE permission (Tom Lane)

  • Loosen restriction on keywords used in queries (Tom Lane)

    Specifically, lessen keyword restrictions for role names, language names, EXPLAIN and COPY options, and SET values. This allows COPY ... (FORMAT BINARY) to work as expected; previously BINARY needed to be quoted.

  • Fix pgp_pub_decrypt() so it works for secret keys with passwords (Marko Kreen)

  • Make pg_upgrade use pg_dump --quote-all-identifiers to avoid problems with keyword changes between releases (Tom Lane)

  • Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)

  • Ensure that VACUUM ANALYZE still runs the ANALYZE phase if its attempt to truncate the file is cancelled due to lock conflicts (Kevin Grittner)

  • Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane)

  • Ensure that floating-point data input accepts standard spellings of “infinity” on all platforms (Tom Lane)

    The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity. Make sure we recognize these even if the platform's strtod function doesn't.

  • Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane)

  • Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island.

• ⇑ Upgrade to 9.1.11 released on 2013-12-05 - docs

  • Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)

    In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug.

    The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).

  • Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas)

    This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions.

    This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading.

  • Truncate pg_multixact contents during WAL replay (Andres Freund)

    This avoids ever-increasing disk space consumption in standby servers.

  • Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)

    This could lead to transient wrong answers or query failures.

  • Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)

    This avoids unexpected results due to extra evaluations of the volatile function.

  • Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)

    This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.

  • Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane)

    The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable.

  • Fix premature deletion of temporary files (Andres Freund)

  • Fix possible read past end of memory in rule printing (Peter Eisentraut)

  • Fix array slicing of int2vector and oidvector values (Tom Lane)

    Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.

  • Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)

    In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone.

  • Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)

  • Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)

    This fix applies only to Windows.

  • Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)

    Previously, the generated script would fail during restore.

  • Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi)

  • Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)

  • Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)

  • Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.

• ⇑ Upgrade to 9.1.12 released on 2014-02-20 - docs

  • Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

    Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060)

  • Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)

    The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061)

  • Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)

    If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062)

  • Prevent buffer overrun with long datetime strings (Noah Misch)

    The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063)

  • Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)

    Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064)

  • Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

    Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065)

  • Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

    There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., “FIPS mode”). (CVE-2014-0066)

  • Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)

    Since the temporary server started by make check uses “trust” authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067)

  • Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)

    The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant “bloat” of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.

  • Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas)

    In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as “PANIC: WAL contains references to invalid pages” were also possible.

  • Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)

    This error could result in “PANIC: WAL contains references to invalid pages” failures.

  • Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)

    The previous coding risked index corruption in the event of a partial-page write during a system crash.

  • When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas)

  • Fix race conditions during server process exit (Robert Haas)

    Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.

  • Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane)

  • Fix unsafe references to errno within error reporting logic (Christian Kruse)

    This would typically lead to odd behaviors such as missing or inappropriate HINT fields.

  • Fix possible crashes from using ereport() too early during server startup (Tom Lane)

    The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.

  • Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)

    This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.

  • Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)

    A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.

  • Allow keywords that are type names to be used in lists of roles (Stephen Frost)

    A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.

  • Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane)

  • Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)

  • Ensure that ANALYZE creates statistics for a table column even when all the values in it are “too wide” (Tom Lane)

    ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.

  • In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)

    CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.

  • Fix “cannot accept a set” error when some arms of a CASE return a set and others don't (Tom Lane)

  • Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)

  • Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)

    Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.

  • Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas)

    Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky.

  • Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander)

    The previous coding might attempt to do catalog access when it shouldn't.

  • Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)

  • Fix misbehavior of PQhost() on Windows (Fujii Masao)

    It should return localhost if no host has been specified.

  • Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)

    In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.

  • Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander)

  • Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander)

  • Fix misaligned descriptors in ecpg (MauMau)

  • In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)

  • Fix performance regression in contrib/dblink connection startup (Joe Conway)

    Avoid an unnecessary round trip when client and server encodings match.

  • In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)

  • Ensure client-code-only installation procedure works as documented (Peter Eisentraut)

  • In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)

    This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.

  • Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)

  • Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)

    These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.

  • Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.

    In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.

• ⇑ Upgrade to 9.1.13 released on 2014-03-20 - docs

  • Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)

    Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.

  • Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja)

    This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.

  • Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)

    This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time.

  • Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)

    This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.

  • Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)

    This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.

  • Improve performance of index endpoint probes during planning (Tom Lane)

    This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.

  • Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao)

  • Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas)

  • Prevent interrupts while reporting non-ERROR messages (Tom Lane)

    This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems.

  • Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker)

  • Prevent intermittent “could not reserve shared memory region” failures on recent Windows versions (MauMau)

  • Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.

• ⇑ Upgrade to 9.1.14 released on 2014-07-24 - docs

  • Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)

    This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.

  • Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)

    This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.

  • Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas)

    This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.

  • Fix feedback status when hot_standby_feedback is turned off on-the-fly (Simon Riggs)

  • Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund)

  • Fix “could not find pathkey item to sort” planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane)

  • Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)

    This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).

  • Fix failure to detoast fields in composite elements of structured types (Tom Lane)

    This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like “missing chunk number 0 for toast value ...” when the now-dangling pointer is used.

  • Fix “record type has not been registered” failures with whole-row references to the output of Append plan nodes (Tom Lane)

  • Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)

  • Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)

  • Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)

  • Fix data encoding error in hungarian.stop (Tom Lane)

  • Prevent foreign tables from being created with OIDS when default_with_oids is true (Etsuro Fujita)

  • Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)

    This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.

  • Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)

    After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.

  • Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera)

  • Block signals during postmaster startup (Tom Lane)

    This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.

  • Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane)

    Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed.

  • Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)

    Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.

    A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.

  • Fix tablespace creation WAL replay to work on Windows (MauMau)

  • Fix detection of socket creation failures on Windows (Bruce Momjian)

  • On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file (Amit Kapila)

    Previously, if such a parameter were changed in the file post-startup, the change would have no effect.

  • Properly quote executable path names on Windows (Nikhil Deshpande)

    This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.

  • Fix linking of libpython on macOS (Tom Lane)

    The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.

  • Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)

    libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as “lost synchronization with server”). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints.

  • Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)

  • Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat)

  • Fix pg_restore's processing of old-style large object comments (Tom Lane)

    A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.

  • In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)

  • In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)

    This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.

  • Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.

• ⇑ Upgrade to 9.1.15 released on 2015-02-05 - docs

  • Fix buffer overruns in to_char() (Bruce Momjian)

    When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241)

  • Fix buffer overrun in replacement *printf() functions (Tom Lane)

    PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well.

    This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)

  • Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)

    Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243)

  • Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)

    If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)

  • Fix information leak via constraint-violation error messages (Stephen Frost)

    Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161)

  • Lock down regression testing's temporary installations on Windows (Noah Misch)

    Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)

  • Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane)

  • Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier)

    If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be.

  • Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund)

  • Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane)

    This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required.

  • Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)

    In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.

  • Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi)

    In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition.

  • Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane)

    In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table.

  • Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley)

    This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors.

  • Fix bugs in raising a numeric value to a large integral power (Tom Lane)

    The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow.

  • In numeric_recv(), truncate away any fractional digits that would be hidden according to the value's dscale field (Tom Lane)

    A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such “hidden” digits on receipt, so that the value is indeed what it prints as.

  • Reject out-of-range numeric timezone specifications (Tom Lane)

    Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them.

  • Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas)

    Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms.

  • Improve ispell dictionary's defenses against bad affix files (Tom Lane)

  • Allow more than 64K phrases in a thesaurus dictionary (David Boutin)

    The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition.

  • Fix namespace handling in xpath() (Ali Akbar)

    Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation.

  • Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane)

  • Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth)

  • Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Álvaro Herrera)

    The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity.

  • Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane)

    Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work.

  • During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund)

    This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery.

  • Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas)

    This mistake could result in transient errors in queries being executed in hot standby.

  • Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas)

    The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit.

  • Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao)

  • Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao)

  • Change “pgstat wait timeout” warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)

    This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads “using stale statistics instead of current ones because stats collector is not responding”.

  • Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund)

  • Warn if macOS's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch)

  • Fix processing of repeated dbname parameters in PQconnectdbParams() (Alex Shulgin)

    Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded.

  • Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane)

    Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket.

  • Clear any old error message during PQreset() (Heikki Linnakangas)

    If PQreset() is called repeatedly, and the connection cannot be re-established, error messages from the failed connection attempts kept accumulating in the PGconn's error string.

  • Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas)

  • Fix array overrun in ecpg's version of ParseDateTime() (Michael Paquier)

  • In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson)

  • Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane)

    When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate.

    This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved.

  • Improve consistency of parsing of psql's special variables (Tom Lane)

    Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.

  • Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost)

  • Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane)

  • Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane)

  • Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia)

  • Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)

  • Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane)

  • Fix block number checking in contrib/pageinspect's get_raw_page() (Tom Lane)

    The incorrect checking logic could prevent access to some pages in non-main relation forks.

  • Fix contrib/pgcrypto's pgp_sym_decrypt() to not fail on messages whose length is 6 less than a power of 2 (Marko Tiikkaja)

  • Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes)

    This could cause failure to remove temporary files on Windows.

  • Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier)

    connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further.

  • Avoid a possible crash in contrib/xml2's xslt_process() (Mark Simonetti)

    libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash.

  • Mark some contrib I/O functions with correct volatility properties (Tom Lane)

    The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers.

  • Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)

    These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.

  • Detect incompatible OpenLDAP versions during build (Noah Misch)

    With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test.

  • In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch)

  • Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)

    This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.

  • Support time zone abbreviations that change UTC offset from time to time (Tom Lane)

    Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.

  • Update time zone abbreviations lists (Tom Lane)

    Add CST (China Standard Time) to our lists. Remove references to ADT as “Arabia Daylight Time”, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with “Atlantic Daylight Time” doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line.

  • Update time zone data files to tzdata release 2015a.

    The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our “Default” timezone abbreviation set. The “Australia” abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the “Default” abbreviation set.

    Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data.

• ⇑ Upgrade to 9.1.16 released on 2015-05-22 - docs

  • Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)

    If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165)

  • Improve detection of system-call failures (Noah Misch)

    Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.

    It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166)

  • In contrib/pgcrypto, uniformly report decryption failures as “Wrong key or corrupt data” (Noah Misch)

    Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167)

  • Fix incorrect declaration of contrib/citext's regexp_matches() functions (Tom Lane)

    These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.

    While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also “update” back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches() functions.

  • Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)

    If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.

  • Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)

    This oversight in the planner has been observed to cause “could not find RelOptInfo for given relids” errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.

  • Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)

    Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.

  • Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)

    This oversight has been seen to lead to “failed to join all relations together” errors in queries involving LATERAL, and that might happen in other cases as well.

  • Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)

  • Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)

  • Avoid “cannot GetMultiXactIdMembers() during recovery” error (Álvaro Herrera)

  • Recursively fsync() the data directory after a crash (Abhijit Menon-Sen, Robert Haas)

    This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)

  • Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Álvaro Herrera)

  • Cope with unexpected signals in LockBufferForCleanup() (Andres Freund)

    This oversight could result in spurious errors about “multiple backends attempting to wait for pincount 1”.

  • Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)

    Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.

  • Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)

  • Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)

  • Check for interrupts while analyzing index expressions (Jeff Janes)

    ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.

  • Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita)

  • Add the name of the target server to object description strings for foreign-server user mappings (Álvaro Herrera)

  • Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)

    Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.

  • Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)

    This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)

  • Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas)

    This avoids a possible startup failure in pg_receivexlog.

  • While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)

  • Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas)

    When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready.

  • Fix array handling in ecpg (Michael Meskes)

  • Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Álvaro Herrera)

    This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.

  • Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)

    This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.

  • Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)

  • In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier)

  • Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost)

    This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.

  • Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)

  • In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)

    This change prevents upgrade failures caused by bogus complaints about missing WAL history files.

  • In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)

  • In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)

  • In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)

    This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.

  • Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem)

  • Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini)

  • Fix slow sorting algorithm in contrib/intarray (Tom Lane)

  • Fix compile failure on Sparc V8 machines (Rob Rowan)

  • Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).

• ⇑ Upgrade to 9.1.17 released on 2015-06-04 - docs

  • Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane)

    In the previous minor releases we added a patch to fsync everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing.

  • Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane)

    The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.

  • Allow libpq to use TLS protocol versions beyond v1 (Noah Misch)

    For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0.

• ⇑ Upgrade to 9.1.18 released on 2015-06-12 - docs

  • Fix rare failure to invalidate relation cache init file (Tom Lane)

    With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the “init file” that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.

  • Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)

    A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.

• ⇑ Upgrade to 9.1.19 released on 2015-10-08 - docs

  • Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)

    Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)

  • Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)

    A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.

  • Fix insertion of relations into the relation cache “init file” (Tom Lane)

    An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.

  • Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)

  • Improve LISTEN startup time when there are many unread notifications (Matt Newell)

  • Back-patch 9.3-era addition of per-resource-owner lock caches (Jeff Janes)

    This substantially improves performance when pg_dump tries to dump a large number of tables.

  • Disable SSL renegotiation by default (Michael Paquier, Andres Freund)

    While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).

  • Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)

    This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.

  • Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)

  • Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)

  • Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)

  • Fix handling of DOW and DOY in datetime input (Greg Stark)

    These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than “invalid input syntax”.

  • Add more query-cancel checks to regular expression matching (Tom Lane)

  • Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)

    Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.

  • Fix potential infinite loop in regular expression execution (Tom Lane)

    A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.

  • Fix low-memory failures in regular expression compilation (Andreas Seltenreich)

  • Fix low-probability memory leak during regular expression execution (Tom Lane)

  • Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)

  • Fix “unexpected out-of-memory situation during sort” errors when using tuplestores with small work_mem settings (Tom Lane)

  • Fix very-low-probability stack overrun in qsort (Tom Lane)

  • Fix “invalid memory alloc request size” failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)

  • Fix assorted planner bugs (Tom Lane)

    These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as “could not devise a query plan for the given query”, “could not find pathkey item to sort”, “plan should not reference subplan's variable”, or “failed to assign all NestLoopParams to plan nodes”. Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.

  • Use fuzzy path cost tiebreaking rule in all supported branches (Tom Lane)

    This change is meant to avoid platform-specific behavior when alternative plan choices have effectively-identical estimated costs.

  • Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)

    This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.

  • During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)

    This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.

  • Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)

    If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.

  • Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)

  • Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)

  • Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)

  • Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)

    Such a page might be left behind after a crash.

  • Fix off-by-one error that led to otherwise-harmless warnings about “apparent wraparound” in subtrans/multixact truncation (Thomas Munro)

  • Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)

  • Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)

  • Fix PL/Python crash when returning the string representation of a record result (Tom Lane)

  • Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera)

  • In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)

    EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.

  • Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)

  • Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)

  • Fix psql's code for locale-aware formatting of numeric output (Tom Lane)

    The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.

  • Prevent crash in psql's \c command when there is no current connection (Noah Misch)

  • Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)

  • Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)

  • Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)

  • Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)

    When dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.

  • Fix pg_dump to dump shell types (Tom Lane)

    Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.

  • Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)

  • Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)

    Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.

  • On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)

  • On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)

    Perl relies on this ability in 5.8.0 and later.

  • Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)

  • Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa)

  • Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)

  • Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)

  • Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.

• ⇑ Upgrade to 9.1.20 released on 2016-02-11 - docs

  • Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)

    Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)

  • Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane)

    The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster.

  • In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro)

  • Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund)

    Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master.

  • Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier)

  • Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane)

  • Fix REASSIGN OWNED to change ownership of composite types properly (Álvaro Herrera)

  • Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Álvaro Herrera)

  • Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Álvaro Herrera)

  • Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane)

  • Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud)

  • Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane)

  • Fix possible internal overflow in numeric division (Dean Rasheed)

  • Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane)

    Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results.

  • Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane)

  • Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane)

    The code added for CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition.

  • Improve memory-usage accounting in regular-expression compiler (Tom Lane)

    This causes the code to emit “regular expression is too complex” errors in some cases that previously used unreasonable amounts of time and memory.

  • Improve performance of regular-expression compiler (Tom Lane)

  • Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)

    Previously, %h/%r started to work just after a new session had emitted the “connection received” log message; now they work for that message too.

  • On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila)

    This oversight resulted in failure to recover from crashes whenever logging_collector is turned on.

  • Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane)

    It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection.

  • Avoid leaking a token handle during SSPI authentication (Christian Ullrich)

  • In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure)

    Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries.

  • Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)

  • Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane)

  • In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier)

    Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start.

    Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command.

  • In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta)

    On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use.

  • In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)

  • In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane)

    The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files.

  • Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)

  • Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)

  • Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane)

    A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem.

  • Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian)

  • Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)

  • Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)

    This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.

  • Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas)

  • Fix order of arguments in ecpg-generated typedef statements (Michael Meskes)

  • Use %g not %f format in ecpg's PGTYPESnumeric_from_double() (Tom Lane)

  • Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)

    Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.

  • Ensure that contrib/pgcrypto's crypt() function can be interrupted by query cancel (Andreas Karlsson)

  • Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier)

    Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted.

  • Install our missing script where PGXS builds can find it (Jim Nasby)

    This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing.

  • Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)

  • Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane)

    The fix for libxml2's CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it.

  • Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.

• ⇑ Upgrade to 9.1.21 released on 2016-03-31 - docs

  • Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)

    An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.

  • Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)

  • Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)

  • Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane)

  • Fix parsing of affix files for ispell dictionaries (Tom Lane)

    The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.

  • Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov)

    This dodges a portability problem on FreeBSD-derived platforms (including macOS).

  • Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)

    This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.

  • Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)

  • Fix psql's tab completion for SECURITY LABEL (Tom Lane)

    Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.

  • Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)

    This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.

  • Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)

    The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.

  • Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)

  • In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)

  • Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)

  • Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane)

  • Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)

  • Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).

• ⇑ Upgrade to 9.1.22 released on 2016-05-12 - docs

  • Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)

    This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.

  • Fix “failed to build any N-way joins” planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)

  • Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)

    These could advance off the end of the input string, causing subsequent format codes to read garbage.

  • Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)

  • Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)

    This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.

  • Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)

    In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.

  • Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)

  • Fix reporting of errors from bind() and listen() system calls on Windows (Tom Lane)

  • Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)

  • Avoid possibly-unsafe use of Windows' FormatMessage() function (Christian Ullrich)

    Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.

  • Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.

• ⇑ Upgrade to 9.1.23 released on 2016-08-11 - docs

  • Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)

    A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423)

  • Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)

    Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.

    Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.

    Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.

    pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.

    These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424)

  • Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)

    The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW(NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW(NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.

  • Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)

  • Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates (Tom Lane)

    Make it return NULL instead of crashing.

  • Fix several one-byte buffer over-reads in to_number() (Peter Eisentraut)

    In several cases the to_number() function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory.

  • Avoid unsafe intermediate state during expensive paths through heap_update() (Masahiko Sawada, Andres Freund)

    Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.

  • Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)

    Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.

  • Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Álvaro Herrera)

    VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers.

  • When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)

    If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.

  • Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)

    The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.

  • Prevent autovacuum from starting multiple workers for the same shared catalog (Álvaro Herrera)

    Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.

  • Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)

  • Teach libpq to correctly decode server version from future servers (Peter Eisentraut)

    It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that PQserverVersion() returns the correct value for such cases.

  • Fix ecpg's code for unsigned long long array elements (Michael Meskes)

  • Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)

  • Revert to the old heuristic timeout for pg_ctl start -w (Tom Lane)

    The new method adopted as of release 9.1.20 does not work when silent_mode is enabled, so go back to the old way.

  • Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)

  • Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)

  • Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)

    Change some test data that triggered the unusual sorting rules of these locales.

  • Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)

    This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.

  • Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.

• ⇑ Upgrade to 9.1.24 released on 2016-10-27 - docs

  • Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)

    The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated.

  • Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth)

    The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not.

  • Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs)

    The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value.

  • Remove artificial restrictions on the values accepted by numeric_in() and numeric_recv() (Tom Lane)

    We allow numeric values up to the limit of the storage format (more than 1e100000), so it seems fairly pointless that numeric_in() rejected scientific-notation exponents above 1000. Likewise, it was silly for numeric_recv() to reject more than 1000 digits in an input value.

  • Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)

  • Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund)

  • Disallow starting a standalone backend with standby_mode turned on (Michael Paquier)

    This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind.

  • Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)

    This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.

  • Avoid corner-case memory leak in libpq (Tom Lane)

    The reported problem involved leaking an error report during PQreset(), but there might be related cases.

  • Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi)

  • Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson)

  • Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)

    If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether.

  • Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.

    The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.

    In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.

• source repo
• author info
• meta-info