Upgrading from 9.4.4 to 9.4.25 gives you 4.4 years worth of fixes (669 of them)

List of changes:

• ⇑ Upgrade to 9.4.5 released on 2015-10-08 - docs

  • Guard against stack overflows in json parsing (Oskari Saarenmaa)

    If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)

  • Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)

    Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)

  • Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)

    A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.

  • Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)

  • Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)

  • Fix insertion of relations into the relation cache "init file" (Tom Lane)

    An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.

  • Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)

  • Improve LISTEN startup time when there are many unread notifications (Matt Newell)

  • Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)

    This was seen primarily when restoring pg_dump output for databases with many thousands of tables.

  • Disable SSL renegotiation by default (Michael Paquier, Andres Freund)

    While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).

  • Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)

    This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.

  • Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)

  • Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)

  • Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)

  • Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)

  • Fix handling of DOW and DOY in datetime input (Greg Stark)

    These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".

  • Add more query-cancel checks to regular expression matching (Tom Lane)

  • Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)

    Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.

  • Fix potential infinite loop in regular expression execution (Tom Lane)

    A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.

  • In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)

  • Fix low-memory failures in regular expression compilation (Andreas Seltenreich)

  • Fix low-probability memory leak during regular expression execution (Tom Lane)

  • Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)

  • Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)

  • Fix very-low-probability stack overrun in qsort (Tom Lane)

  • Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)

  • Fix assorted planner bugs (Tom Lane)

    These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.

  • Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)

  • Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)

    This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.

  • During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)

    This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.

  • Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)

    Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.

  • Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)

    If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.

  • Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)

  • Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)

  • Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)

  • Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)

  • Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)

    Such a page might be left behind after a crash.

  • Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)

    VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.

  • Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)

  • Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)

  • Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)

  • Fix PL/Python crash when returning the string representation of a record result (Tom Lane)

  • Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera)

  • In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)

    EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.

  • Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)

    The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.

  • Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)

    The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.

  • Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)

  • Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)

  • Fix psql's code for locale-aware formatting of numeric output (Tom Lane)

    The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.

  • Prevent crash in psql's \c command when there is no current connection (Noah Misch)

  • Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)

  • Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)

  • Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)

  • Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)

  • Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)

    When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.

  • Fix pg_dump to dump shell types (Tom Lane)

    Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.

  • Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)

  • Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)

  • Fix spinlock assembly code for Alpha hardware (Tom Lane)

  • Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)

    Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.

  • On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)

  • On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)

    Perl relies on this ability in 5.8.0 and later.

  • Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)

  • Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa)

  • Translate encoding UHC as Windows code page 949 (Noah Misch)

    This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.

  • On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)

  • Fix postmaster startup failure due to not copying setlocale()'s return value (Noah Misch)

    This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.

  • Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)

  • Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)

  • Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.

• ⇑ Upgrade to 9.4.6 released on 2016-02-11 - docs

  • Fix inconsistent hash calculations in jsonb_path_ops GIN indexes (Tom Lane)

    When processing jsonb values that contain both scalars and sub-objects at the same nesting level, for example an array containing both scalars and sub-arrays, key hash values could be calculated differently than they would be for the same key in a different context. This could result in queries not finding entries that they should find. Fixing this means that existing indexes may now be inconsistent with the new hash calculation code. Users should REINDEX jsonb_path_ops GIN indexes after installing this update to make sure that all searches work as expected.

  • Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)

    Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)

  • Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane)

    The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster.

  • In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro)

  • Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund)

    Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master.

  • Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier)

  • Ensure walsender slots are fully re-initialized when being re-used (Magnus Hagander)

  • Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane)

  • Fix REASSIGN OWNED to change ownership of composite types properly (Álvaro Herrera)

  • Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Álvaro Herrera)

  • Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Álvaro Herrera)

  • Fix possible crash after doing query rewrite for an updatable view (Stephen Frost)

  • Fix planner's handling of LATERAL references (Tom Lane)

    This fixes some corner cases that led to "failed to build any N-way joins" or "could not devise a query plan" planner failures.

  • Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane)

  • Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud)

  • Speed up generation of unique table aliases in EXPLAIN and rule dumping, and ensure that generated aliases do not exceed NAMEDATALEN (Tom Lane)

  • Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane)

  • Translation of minus-infinity dates and timestamps to json or jsonb incorrectly rendered them as plus-infinity (Tom Lane)

  • Fix possible internal overflow in numeric division (Dean Rasheed)

  • Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane)

    Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results.

  • Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane)

  • Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane)

    The code added for CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition.

  • Improve memory-usage accounting in regular-expression compiler (Tom Lane)

    This causes the code to emit "regular expression is too complex" errors in some cases that previously used unreasonable amounts of time and memory.

  • Improve performance of regular-expression compiler (Tom Lane)

  • Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)

    Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.

  • On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila)

    This oversight resulted in failure to recover from crashes whenever logging_collector is turned on.

  • Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane)

    It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection.

  • Avoid leaking a token handle during SSPI authentication (Christian Ullrich)

  • In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure)

    Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries.

  • Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)

  • Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane)

  • In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier)

    Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start.

    Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command.

  • In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta)

    On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use.

  • In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)

  • In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane)

    The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files.

  • Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)

  • Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)

  • Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane)

    A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem.

  • Avoid repeated password prompts during parallel pg_dump (Zeus Kronion)

  • Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian)

  • Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)

  • Fix failure to localize messages emitted by pg_receivexlog and pg_recvlogical (Ioseph Kim)

  • Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)

    In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.

  • Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)

  • Fix premature clearing of libpq's input buffer when socket EOF is seen (Tom Lane)

    This mistake caused libpq to sometimes not report the backend's final error message before reporting "server closed the connection unexpectedly".

  • Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)

    This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.

  • Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas)

  • Fix order of arguments in ecpg-generated typedef statements (Michael Meskes)

  • Use %g not %f format in ecpg's PGTYPESnumeric_from_double() (Tom Lane)

  • Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)

    Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.

  • Fix hstore_to_json_loose()'s test for whether an hstore value can be converted to a JSON number (Tom Lane)

    Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.

  • Ensure that contrib/pgcrypto's crypt() function can be interrupted by query cancel (Andreas Karlsson)

  • In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)

  • Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier)

    Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted.

  • Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)

    This avoids possible bitwise differences in the produced executable files from one build to the next.

  • Install our missing script where PGXS builds can find it (Jim Nasby)

    This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing.

  • Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)

  • Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane)

    The fix for libxml2's CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it.

  • Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.

• ⇑ Upgrade to 9.4.7 released on 2016-03-31 - docs

  • Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)

    An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.

  • Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)

  • Fix bug in json_to_record() when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)

  • Fix misformatting of negative time zone offsets by to_char()'s OF format code (Thomas Munro, Tom Lane)

  • Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)

    Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.

  • Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)

  • Fix assorted bugs in logical decoding (Andres Freund)

    Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of "subxact logged without previous toplevel record", and incorrect reporting of a transaction's commit time.

  • Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)

  • Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane)

  • Fix parsing of affix files for ispell dictionaries (Tom Lane)

    The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.

  • Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov)

    This dodges a portability problem on FreeBSD-derived platforms (including macOS).

  • Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)

    This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.

  • Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)

  • Fix psql's tab completion for SECURITY LABEL (Tom Lane)

    Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.

  • Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)

    This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.

  • Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)

    The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.

  • Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)

  • In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)

    Blind application of the script in such cases would result in loss of the new data directory.

  • In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)

  • Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)

  • Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane)

  • Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)

  • Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).

• ⇑ Upgrade to 9.4.8 released on 2016-05-12 - docs

  • Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)

    This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.

  • Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)

  • Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)

    Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.

  • Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)

  • Fix query-lifespan memory leak and potential index corruption hazard in GIN index insertion (Tom Lane)

    The memory leak would typically not amount to much in simple queries, but it could be very substantial during a large GIN index build with high maintenance_work_mem.

  • Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)

    These could advance off the end of the input string, causing subsequent format codes to read garbage.

  • Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)

  • Disallow newlines in ALTER SYSTEM parameter values (Tom Lane)

    The configuration-file parser doesn't support embedded newlines in string literals, so we mustn't allow them in values to be inserted by ALTER SYSTEM.

  • Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX to work properly if an index on OID is selected (David Rowley)

  • Fix crash in logical decoding on alignment-picky platforms (Tom Lane, Andres Freund)

    The failure occurred only with a transaction large enough to spill to disk and a primary-key change within that transaction.

  • Avoid repeated requests for feedback from receiver while shutting down walsender (Nick Cleaton)

  • Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)

    This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.

  • Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)

    In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.

  • Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane)

    pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.

  • Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)

  • Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)

  • Fix reporting of errors from bind() and listen() system calls on Windows (Tom Lane)

  • Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)

  • Fix putenv() to work properly with Visual Studio 2013 (Michael Paquier)

  • Avoid possibly-unsafe use of Windows' FormatMessage() function (Christian Ullrich)

    Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.

  • Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.

• ⇑ Upgrade to 9.4.9 released on 2016-08-11 - docs

  • Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)

    A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423)

  • Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)

    Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.

    Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.

    Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.

    pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.

    These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424)

  • Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)

    The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW(NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW(NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.

  • Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)

  • Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates (Tom Lane)

    Make it return NULL instead of crashing.

  • Avoid possible crash in pg_get_expr() when inconsistent values are passed to it (Michael Paquier, Thomas Munro)

  • Fix several one-byte buffer over-reads in to_number() (Peter Eisentraut)

    In several cases the to_number() function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory.

  • Do not run the planner on the query contained in CREATE MATERIALIZED VIEW or CREATE TABLE AS when WITH NO DATA is specified (Michael Paquier, Tom Lane)

    This avoids some unnecessary failure conditions, for example if a stable function invoked by the materialized view depends on a table that doesn't exist yet.

  • Avoid unsafe intermediate state during expensive paths through heap_update() (Masahiko Sawada, Andres Freund)

    Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.

  • Fix hint bit update during WAL replay of row locking operations (Andres Freund)

    The only known consequence of this problem is that row locks held by a prepared, but uncommitted, transaction might fail to be enforced after a crash and restart.

  • Avoid unnecessary "could not serialize access" errors when acquiring FOR KEY SHARE row locks in serializable mode (Álvaro Herrera)

  • Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier)

  • Fix possible loss of large subtransactions in logical decoding (Petru-Florin Mihancea)

  • Fix failure of logical decoding when a subtransaction contains no actual changes (Marko Tiikkaja, Andrew Gierth)

  • Ensure that backends see up-to-date statistics for shared catalogs (Tom Lane)

    The statistics collector failed to update the statistics file for shared catalogs after a request from a regular backend. This problem was partially masked because the autovacuum launcher regularly makes requests that did cause such updates; however, it became obvious with autovacuum disabled.

  • Avoid redundant writes of the statistics files when multiple backends request updates close together (Tom Lane, Tomas Vondra)

  • Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)

    Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.

  • Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Álvaro Herrera)

    VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers.

  • Prevent possible failure when vacuuming multixact IDs in an installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth, Álvaro Herrera)

    The usual symptom of this bug is errors like "MultiXactId NNN has not been created yet -- apparent wraparound".

  • When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)

    If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.

  • Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)

    The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.

  • Prevent autovacuum from starting multiple workers for the same shared catalog (Álvaro Herrera)

    Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.

  • Avoid duplicate buffer lock release when abandoning a b-tree index page deletion attempt (Tom Lane)

    This mistake prevented VACUUM from completing in some cases involving corrupt b-tree indexes.

  • Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane)

  • Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)

  • Teach libpq to correctly decode server version from future servers (Peter Eisentraut)

    It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that PQserverVersion() returns the correct value for such cases.

  • Fix ecpg's code for unsigned long long array elements (Michael Meskes)

  • In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane)

  • Improve handling of SIGTERM/control-C in parallel pg_dump and pg_restore (Tom Lane)

    Make sure that the worker processes will exit promptly, and also arrange to send query-cancel requests to the connected backends, in case they are doing something long-running such as a CREATE INDEX.

  • Fix error reporting in parallel pg_dump and pg_restore (Tom Lane)

    Previously, errors reported by pg_dump or pg_restore worker processes might never make it to the user's console, because the messages went through the master process, and there were various deadlock scenarios that would prevent the master process from passing on the messages. Instead, just print everything to stderr. In some cases this will result in duplicate messages (for instance, if all the workers report a server shutdown), but that seems better than no message.

  • Ensure that parallel pg_dump or pg_restore on Windows will shut down properly after an error (Kyotaro Horiguchi)

    Previously, it would report the error, but then just sit until manually stopped by the user.

  • Make pg_dump behave better when built without zlib support (Kyotaro Horiguchi)

    It didn't work right for parallel dumps, and emitted some rather pointless warnings in other cases.

  • Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)

  • Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)

  • Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)

  • Be more predictable about reporting "statement timeout" versus "lock timeout" (Tom Lane)

    On heavily loaded machines, the regression tests sometimes failed due to reporting "lock timeout" even though the statement timeout should have occurred first.

  • Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)

    Change some test data that triggered the unusual sorting rules of these locales.

  • Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)

    This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.

  • Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.

• ⇑ Upgrade to 9.4.10 released on 2016-10-27 - docs

  • Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)

    It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like "could not read block XXX: read only 0 of 8192 bytes". Checksum failures in the visibility map are also possible, if checksumming is enabled.

    Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.

  • Fix incorrect creation of GIN index WAL records on big-endian machines (Tom Lane)

    The typical symptom was "unexpected GIN leaf action" errors during WAL replay.

  • Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been updated by a subsequently-aborted transaction (Álvaro Herrera)

    In 9.5 and later, the SELECT would sometimes fail to return such tuples at all. A failure has not been proven to occur in earlier releases, but might be possible with concurrent updates.

  • Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)

    The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated.

  • Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth)

    The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not.

  • Fix query-lifespan memory leak in a bulk UPDATE on a table with a PRIMARY KEY or REPLICA IDENTITY index (Tom Lane)

  • Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)

    Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>.

  • Suppress printing of zeroes for unmeasured times in EXPLAIN (Maksim Milyutin)

    Certain option combinations resulted in printing zero values for times that actually aren't ever measured in that combination. Our general policy in EXPLAIN is not to print such fields at all, so do that consistently in all cases.

  • Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs)

    The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value.

  • Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)

    Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint.

  • Remove artificial restrictions on the values accepted by numeric_in() and numeric_recv() (Tom Lane)

    We allow numeric values up to the limit of the storage format (more than 1e100000), so it seems fairly pointless that numeric_in() rejected scientific-notation exponents above 1000. Likewise, it was silly for numeric_recv() to reject more than 1000 digits in an input value.

  • Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)

  • Fix logical WAL decoding to work properly when a subtransaction's WAL output is large enough to spill to disk (Andres Freund)

  • Fix buffer overread in logical WAL decoding (Tom Lane)

    Logical decoding of a tuple update record read 23 bytes too many, which was usually harmless but with very bad luck could result in a crash.

  • Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund)

  • Disallow starting a standalone backend with standby_mode turned on (Michael Paquier)

    This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind.

  • Properly initialize replication slot state when recycling a previously-used slot (Michael Paquier)

    This failure to reset all of the fields of the slot could prevent VACUUM from removing dead tuples.

  • Round shared-memory allocation request to a multiple of the actual huge page size when attempting to use huge pages on Linux (Tom Lane)

    This avoids possible failures during munmap() on systems with atypical default huge page sizes. Except in crash-recovery cases, there were no ill effects other than a log message.

  • Use a more random value for the dynamic shared memory control segment's ID (Robert Haas, Tom Lane)

    Previously, the same value would be chosen every time, because it was derived from random() but srandom() had not yet been called. While relatively harmless, this was not the intended behavior.

  • On Windows, retry creation of the dynamic shared memory control segment after an access-denied error (Kyotaro Horiguchi, Amit Kapila)

    Windows sometimes returns ERROR_ACCESS_DENIED rather than ERROR_ALREADY_EXISTS when there is an existing segment. This led to postmaster startup failure due to believing that the former was an unrecoverable error.

  • Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)

    This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.

  • Avoid corner-case memory leak in libpq (Tom Lane)

    The reported problem involved leaking an error report during PQreset(), but there might be related cases.

  • Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi)

  • Fix pgbench's calculation of average latency (Fabien Coelho)

    The calculation was incorrect when there were \sleep commands in the script, or when the test duration was specified in number of transactions rather than total time.

  • In pg_dump, never dump range constructor functions (Tom Lane)

    This oversight led to pg_upgrade failures with extensions containing range types, due to duplicate creation of the constructor functions.

  • In pg_xlogdump, retry opening new WAL segments when using --follow option (Magnus Hagander)

    This allows for a possible delay in the server's creation of the next segment.

  • Fix pg_xlogdump to cope with a WAL file that begins with a continuation record spanning more than one page (Pavan Deolasee)

  • Fix contrib/pg_buffercache to work when shared_buffers exceeds 256GB (KaiGai Kohei)

  • Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson)

  • Install TAP test infrastructure so that it's available for extension testing (Craig Ringer)

    When PostgreSQL has been configured with --enable-tap-tests, "make install" will now install the Perl support files for TAP testing where PGXS can find them. This allows non-core extensions to use $(prove_check) without extra tests.

  • In MSVC builds, include pg_recvlogical in a client-only installation (MauMau)

  • Update Windows time zone mapping to recognize some time zone names added in recent Windows versions (Michael Paquier)

  • Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)

    If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether.

  • Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.

    The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.

    In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.

• ⇑ Upgrade to 9.4.11 released on 2017-02-09 - docs

  • Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)

    If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.

  • Ensure that the special snapshot used for catalog scans is not invalidated by premature data pruning (Tom Lane)

    Backends failed to account for this snapshot when advertising their oldest xmin, potentially allowing concurrent vacuuming operations to remove data that was still needed. This led to transient failures along the lines of "cache lookup failed for relation 1255".

  • Unconditionally WAL-log creation of the "init fork" for an unlogged table (Michael Paquier)

    Previously, this was skipped when wal_level = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash.

  • Reduce interlocking on standby servers during the replay of btree index vacuuming operations (Simon Riggs)

    This change avoids substantial replication delays that sometimes occurred while replaying such operations.

  • If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)

  • Ensure that hot standby feedback works correctly when it's enabled at standby server start (Ants Aasma, Craig Ringer)

  • Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)

  • Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)

    This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.

  • Fix check for when an extension member object can be dropped (Tom Lane)

    Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.

  • Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier)

    Previously, non-default settings of default_tablespace could result in broken indexes.

  • Fix incorrect updating of trigger function properties when changing a foreign-key constraint's deferrability properties with ALTER TABLE ... ALTER CONSTRAINT (Tom Lane)

    This led to odd failures during subsequent exercise of the foreign key, as the triggers were fired at the wrong times.

  • Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)

    This avoids "could not find trigger NNN" or "relation NNN has no triggers" errors.

  • Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote)

    The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.

  • Fix CREATE OR REPLACE VIEW to update the view query before attempting to apply the new view options (Dean Rasheed)

    Previously the command would fail if the new options were inconsistent with the old view definition.

  • Report correct object identity during ALTER TEXT SEARCH CONFIGURATION (Artur Zakirov)

    The wrong catalog OID was reported to extensions such as logical decoding.

  • Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)

    When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction.

  • Prevent multicolumn expansion of foo.* in an UPDATE source expression (Tom Lane)

    This led to "UPDATE target count mismatch --- internal error". Now the syntax is understood as a whole-row variable, as it would be in other contexts.

  • Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane)

    This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit.

  • Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)

    Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"...").

  • Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan)

    Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.

  • Prevent crash when ts_rewrite() replaces a non-top-level subtree with an empty query (Artur Zakirov)

  • Fix performance problems in ts_rewrite() (Tom Lane)

  • Fix ts_rewrite()'s handling of nested NOT operators (Tom Lane)

  • Fix array_fill() to handle empty arrays properly (Tom Lane)

  • Fix one-byte buffer overrun in quote_literal_cstr() (Heikki Linnakangas)

    The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.

  • Prevent multiple calls of pg_start_backup() and pg_stop_backup() from running concurrently (Michael Paquier)

    This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.

  • Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane)

    In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field.

  • Ensure that cached plans are invalidated by changes in foreign-table options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)

  • Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)

  • Fix pg_restore with --create --if-exists to behave more sanely if an archive contains unrecognized DROP commands (Tom Lane)

    This doesn't fix any live bug, but it may improve the behavior in future if pg_restore is used with an archive generated by a later pg_dump version.

  • Fix pg_basebackup's rate limiting in the presence of slow I/O (Antonin Houska)

    If disk I/O was transiently much slower than the specified rate limit, the calculation overflowed, effectively disabling the rate limit for the rest of the run.

  • Fix pg_basebackup's handling of symlinked pg_stat_tmp and pg_replslot subdirectories (Magnus Hagander, Michael Paquier)

  • Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)

  • Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)

    This avoids failures if the objects are used after a Python garbage collection cycle has occurred.

  • Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane)

    This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that.

  • Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing)

    This change simplifies use of the same password file across Unix and Windows machines.

  • Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)

  • Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost)

  • In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning "no pager" (Tom Lane)

    Previously, such a setting caused output intended for the pager to vanish entirely.

  • Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway)

  • Teach contrib/dblink to ignore irrelevant server options when it uses a contrib/postgres_fdw foreign server as the source of connection options (Corey Huinker)

    Previously, if the foreign server object had options that were not also libpq connection options, an error occurred.

  • On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)

  • Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)

    This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.

  • Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.

• ⇑ Upgrade to 9.4.12 released on 2017-05-11 - docs

  • Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)

    The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. (CVE-2017-7486)

    By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry for CVE-2017-7547, in Section E.13.

  • Prevent exposure of statistical information via leaky operators (Peter Eisentraut)

    Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. (CVE-2017-7484)

  • Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)

    Processing of this environment variable was unintentionally dropped in PostgreSQL 9.3, but its documentation remained. This creates a security hazard, since users might be relying on the environment variable to force SSL-encrypted connections, but that would no longer be guaranteed. Restore handling of the variable, but give it lower priority than PGSSLMODE, to avoid breaking configurations that work correctly with post-9.3 code. (CVE-2017-7485)

  • Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)

    The initial snapshot created for a logical decoding replication slot was potentially incorrect. This could cause third-party tools that use logical decoding to copy incomplete/inconsistent initial data. This was more likely to happen if the source server was busy at the time of slot creation, or if another logical slot already existed.

    If you are using a replication tool that depends on logical decoding, and it should have copied a nonempty data set at the start of replication, it is advisable to recreate the replica after installing this update, or to verify its contents against the source server.

  • Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)

    This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.

  • Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)

    In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.

  • Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)

  • Fix postmaster's handling of fork() failure for a background worker process (Tom Lane)

    Previously, the postmaster updated portions of its state as though the process had been launched successfully, resulting in subsequent confusion.

  • Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)

    Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.

  • Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)

    The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.

  • Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)

    This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.

  • Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)

    This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.

  • Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)

  • Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom Lane)

    The comparison operators for type interval could yield wrong answers for intervals larger than about 296000 years. Indexes on columns containing such large values should be reindexed, since they may be corrupt.

  • Fix cursor_to_xml() to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut)

    Previously it failed to produce a wrapping <table> element.

  • Fix roundoff problems in float8_timestamptz() and make_interval() (Tom Lane)

    These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.

  • Improve performance of pg_timezone_names view (Tom Lane, David Rowley)

  • Reduce memory management overhead for contexts containing many large blocks (Tom Lane)

  • Fix sloppy handling of corner-case errors from lseek() and close() (Tom Lane)

    Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.

  • Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)

    This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.

  • Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)

  • Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)

  • In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)

    In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.

  • Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)

    Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.

  • Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)

    Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.

  • Improve error handling in contrib/adminpack's pg_file_write() function (Noah Misch)

    Notably, it failed to detect errors reported by fclose().

  • In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)

  • Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)

    In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.

  • In contrib/postgres_fdw, transmit query cancellation requests to the remote server (Michael Paquier, Etsuro Fujita)

    Previously, a local query cancellation request did not cause an already-sent remote query to terminate early. This is a back-patch of work originally done for 9.6.

  • Support OpenSSL 1.1.0 (Heikki Linnakangas, Andreas Karlsson, Tom Lane)

    This is a back-patch of work previously done in newer branches; it's needed since many platforms are adopting newer OpenSSL versions.

  • Support Tcl 8.6 in MSVC builds (Álvaro Herrera)

  • Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)

    This fixes a bug affecting some DST transitions in January 2038.

  • Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.

    The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.

  • Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)

    The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.

• ⇑ Upgrade to 9.4.13 released on 2017-08-10 - docs

  • Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)

    The fix for CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. (CVE-2017-7547)

    By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:

    1. Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)

    2. In each database of the cluster, run the following commands as superuser:

       SET search_path = pg_catalog;
       CREATE OR REPLACE VIEW pg_user_mappings AS
           SELECT
               U.oid       AS umid,
               S.oid       AS srvid,
               S.srvname   AS srvname,
               U.umuser    AS umuser,
               CASE WHEN U.umuser = 0 THEN
                   'public'
               ELSE
                   A.rolname
               END AS usename,
               CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                            AND (pg_has_role(S.srvowner, 'USAGE')
                                 OR has_server_privilege(S.oid, 'USAGE')))
                           OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                           OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                           THEN U.umoptions
                        ELSE NULL END AS umoptions
           FROM pg_user_mapping U
                LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
               pg_foreign_server S ON (U.umserver = S.oid);

    3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use

       ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

       and then after fixing template0, undo that with

       ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

       In prior versions, instead use

       UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
       UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';

    4. Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.

  • Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)

    libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. (CVE-2017-7546)

  • Make lo_put() check for UPDATE privilege on the target large object (Tom Lane, Michael Paquier)

    lo_put() should surely require the same permissions as lowrite(), but the check was missing, allowing any user to change the data in a large object. (CVE-2017-7548)

  • Fix concurrent locking of tuple update chains (Álvaro Herrera)

    If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.

  • Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)

  • Avoid integer overflow and ensuing crash when sorting more than one billion tuples in-memory (Sergey Koposov)

  • On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)

    This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.

  • Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)

  • Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)

  • Prevent sending SSL session tickets to clients (Tom Lane)

    This fix prevents reconnection failures with ticket-aware client-side SSL code.

  • Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)

  • Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)

    Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.

  • Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)

    This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.

  • Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund)

  • Fix walsender to exit promptly when client requests shutdown (Tom Lane)

  • Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)

  • Prevent walsender-triggered panics during shutdown checkpoints (Andres Freund, Michael Paquier)

  • Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)

  • Fix logical decoding failure with very wide tuples (Andres Freund)

    Logical decoding crashed on tuples that are wider than 64KB (after compression, but with all data in-line). The case arises only when REPLICA IDENTITY FULL is enabled for a table containing such tuples.

  • Fix leakage of small subtransactions spilled to disk during logical decoding (Andres Freund)

    This resulted in temporary files consuming excessive disk space.

  • Reduce the work needed to build snapshots during creation of logical-decoding slots (Andres Freund, Petr Jelinek)

    The previous algorithm was infeasibly expensive on a server with a lot of open transactions.

  • Fix race condition that could indefinitely delay creation of logical-decoding slots (Andres Freund, Petr Jelinek)

  • Reduce overhead in processing syscache invalidation events (Tom Lane)

    This is particularly helpful for logical decoding, which triggers frequent cache invalidation.

  • Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane)

  • Allow window functions to be used in sub-SELECTs that are within the arguments of an aggregate function (Tom Lane)

  • Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing)

    Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations.

  • Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut)

  • Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas)

    CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind.

  • Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)

  • Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane)

  • Tighten checks for whitespace in functions that parse identifiers, such as regprocedurein() (Tom Lane)

    Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.

  • Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane)

    This avoids portability problems, typically manifesting as a "handshake" mismatch during library load, when working with recent Perl versions.

  • In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)

    Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.

  • In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro)

    This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.

  • Fix pg_dump and pg_restore to emit REFRESH MATERIALIZED VIEW commands last (Tom Lane)

    This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.

  • Improve pg_dump/pg_restore's reporting of error conditions originating in zlib (Vladimir Kunschikov, Álvaro Herrera)

  • Fix pg_dump with the --clean option to drop event triggers as expected (Tom Lane)

    It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.

  • Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)

  • Fix pg_dump output to stdout on Windows (Kuntal Ghosh)

    A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.

  • Fix pg_get_ruledef() to print correct output for the ON SELECT rule of a view whose columns have been renamed (Tom Lane)

    In some corner cases, pg_dump relies on pg_get_ruledef() to dump views, so that this error could result in dump/reload failures.

  • Fix dumping of outer joins with empty constraints, such as the result of a NATURAL LEFT JOIN with no common columns (Tom Lane)

  • Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane)

  • Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)

    A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.

  • Fix pg_upgrade to ensure that the ending WAL record does not have wal_level = minimum (Bruce Momjian)

    This condition could prevent upgraded standby servers from reconnecting.

  • In postgres_fdw, re-establish connections to remote servers after ALTER SERVER or ALTER USER MAPPING commands (Kyotaro Horiguchi)

    This ensures that option changes affecting connection parameters will be applied promptly.

  • In postgres_fdw, allow cancellation of remote transaction control commands (Robert Haas, Rafia Sabih)

    This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.

  • Increase MAX_SYSCACHE_CALLBACKS to provide more room for extensions (Tom Lane)

  • Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane)

    This supports larger extension libraries on platforms where it makes a difference.

  • Fix unescaped-braces issue in our build scripts for Microsoft MSVC, to avoid a warning or error from recent Perl versions (Andrew Dunstan)

  • In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan)

  • In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)

    This fixes a former need to move things around in standard Windows installations of libxml2.

  • In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch)

  • In MSVC builds, honor PROVE_FLAGS settings on vcregress.pl's command line (Andrew Dunstan)

• ⇑ Upgrade to 9.4.14 released on 2017-08-31 - docs

  • Fix failure of walsender processes to respond to shutdown signals (Marco Nenciarini)

    A missed flag update resulted in walsenders continuing to run as long as they had a standby server connected, preventing primary-server shutdown unless immediate shutdown mode is used.

  • Show foreign tables in information_schema.table_privileges view (Peter Eisentraut)

    All other relevant information_schema views include foreign tables, but this one ignored them.

    Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:

    SET search_path TO information_schema;
    CREATE OR REPLACE VIEW table_privileges AS
        SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor,
               CAST(grantee.rolname AS sql_identifier) AS grantee,
               CAST(current_database() AS sql_identifier) AS table_catalog,
               CAST(nc.nspname AS sql_identifier) AS table_schema,
               CAST(c.relname AS sql_identifier) AS table_name,
               CAST(c.prtype AS character_data) AS privilege_type,
               CAST(
                 CASE WHEN
                      -- object owner always has grant options
                      pg_has_role(grantee.oid, c.relowner, 'USAGE')
                      OR c.grantable
                      THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable,
               CAST(CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy
    
        FROM (
                SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class
             ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable),
             pg_namespace nc,
             pg_authid u_grantor,
             (
               SELECT oid, rolname FROM pg_authid
               UNION ALL
               SELECT 0::oid, 'PUBLIC'
             ) AS grantee (oid, rolname)
    
        WHERE c.relnamespace = nc.oid
              AND c.relkind IN ('r', 'v', 'f')
              AND c.grantee = grantee.oid
              AND c.grantor = u_grantor.oid
              AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER')
              AND (pg_has_role(u_grantor.oid, 'USAGE')
                   OR pg_has_role(grantee.oid, 'USAGE')
                   OR grantee.rolname = 'PUBLIC');

    This must be repeated in each database to be fixed, including template0.

  • Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction (Tom Lane)

    This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about "cannot drop active portal".

  • Remove assertion that could trigger during a fatal exit (Tom Lane)

  • Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)

    Certain ALTER commands that change the definition of a composite type or domain type are supposed to fail if there are any stored values of that type in the database, because they lack the infrastructure needed to update or check such values. Previously, these checks could miss relevant values that are wrapped inside range types or sub-domains, possibly allowing the database to become inconsistent.

  • Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore (Fabrízio de Royes Mello)

  • Change ecpg's parser to allow RETURNING clauses without attached C variables (Michael Meskes)

    This allows ecpg programs to contain SQL constructs that use RETURNING internally (for example, inside a CTE) rather than using it to define values to be returned to the client.

  • Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)

    This fix avoids possible crashes of PL/Perl due to inconsistent assumptions about the width of time_t values. A side-effect that may be visible to extension developers is that _USE_32BIT_TIME_T is no longer defined globally in PostgreSQL Windows builds. This is not expected to cause problems, because type time_t is not used in any PostgreSQL API definitions.

• ⇑ Upgrade to 9.4.15 released on 2017-11-09 - docs

  • Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane)

    These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. (CVE-2017-15098)

  • Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)

    Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.

    By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. (CVE-2017-12172)

  • Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)

  • Fix json_build_array(), json_build_object(), and their jsonb equivalents to handle explicit VARIADIC arguments correctly (Michael Paquier)

  • Properly reject attempts to convert infinite float values to type numeric (Tom Lane, KaiGai Kohei)

    Previously the behavior was platform-dependent.

  • Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)

  • Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)

    Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.

  • Correctly detect hashability of range data types (Tom Lane)

    The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.

  • Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)

    If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.

  • Avoid SIGBUS crash on Linux when a DSM memory request exceeds the space available in tmpfs (Thomas Munro)

  • Prevent low-probability crash in processing of nested trigger firings (Tom Lane)

  • Allow COPY's FREEZE option to work when the transaction isolation level is REPEATABLE READ or higher (Noah Misch)

    This case was unintentionally broken by a previous bug fix.

  • Correctly restore the umask setting when file creation fails in COPY or lo_export() (Peter Eisentraut)

  • Give a better error message for duplicate column names in ANALYZE (Nathan Bossart)

  • Fix mis-parsing of the last line in a non-newline-terminated pg_hba.conf file (Tom Lane)

  • Fix libpq to not require user's home directory to exist (Tom Lane)

    In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.

  • Fix libpq to guard against integer overflow in the row count of a PGresult (Michael Paquier)

  • Fix ecpg's handling of out-of-scope cursor declarations with pointer or array variables (Michael Meskes)

  • In ecpglib, correctly handle backslashes in string literals depending on whether standard_conforming_strings is set (Tsunakawa Takayuki)

  • Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)

  • Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane)

    This fixes various issues; the only one likely to be user-visible is that the default DST rules for a POSIX-style zone name, if no posixrules file exists in the timezone data directory, now match current US law rather than what it was a dozen years ago.

  • Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.

• ⇑ Upgrade to 9.4.16 released on 2018-02-08 - docs

  • Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)

    pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. (CVE-2018-1053)

  • Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Álvaro Herrera)

    In some cases VACUUM would fail to remove such tuples even though they are now dead, leading to assorted data corruption scenarios.

  • Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)

    These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.

  • Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT (Tom Lane)

  • Fix spurious deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY (Jeff Janes)

  • Repair failure with correlated sub-SELECT inside VALUES inside a LATERAL subquery (Tom Lane)

  • Fix "could not devise a query plan for the given query" planner failure for some cases involving nested UNION ALL inside a lateral subquery (Tom Lane)

  • Fix logical decoding to correctly clean up disk files for crashed transactions (Atsushi Torikoshi)

    Logical decoding may spill WAL records to disk for transactions generating many WAL records. Normally these files are cleaned up after the transaction's commit or abort record arrives; but if no such record is ever seen, the removal code misbehaved.

  • Fix walsender timeout failure and failure to respond to interrupts when processing a large transaction (Petr Jelinek)

  • Fix has_sequence_privilege() to support WITH GRANT OPTION tests, as other privilege-testing functions do (Joe Conway)

  • In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)

    We always store XML strings in the database encoding, so allowing libxml to act on a declaration of another encoding gave wrong results. In encodings other than UTF8, we don't promise to support non-ASCII XML data anyway, so retain the previous behavior for bug compatibility. This change affects only xpath() and related functions; other XML code paths already acted this way.

  • Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)

    Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.

  • Cope with failure to start a parallel worker process (Amit Kapila, Robert Haas)

    Parallel query previously tended to hang indefinitely if a worker could not be started, as the result of fork() failure or other low-probability problems.

  • Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION/INTERSECT/EXCEPT) (Tom Lane)

  • Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf (Thomas Munro)

  • Fix sample INSTR() functions in the PL/pgSQL documentation (Yugo Nagata, Tom Lane)

    These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.

    The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.

  • Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)

    The "tag" portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.

    Note that this change has user-visible results in the output of pg_restore --list.

  • In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)

  • Avoid triggering a libc assertion in contrib/hstore, due to use of memcpy() with equal source and destination pointers (Tomas Vondra)

  • Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)

    The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.

  • Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)

  • Support linking to MinGW-built versions of libperl (Noah Misch)

    This allows building PL/Perl with some common Perl distributions for Windows.

  • Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T (Noah Misch)

    Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.

  • On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)

    This may allow collection of a core dump for some early-startup failures that did not produce a dump before.

  • On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)

  • Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)

  • Add support for spinlocks on Motorola 88K (David Carlier)

  • Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for America/Los_Angeles anyway).

• ⇑ Upgrade to 9.4.17 released on 2018-03-01 - docs

  • Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)

    Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. Relevant documentation appears in Section 5.7.6 (for database administrators and users), Section 31.1 (for application authors), Section 35.15.1 (for extension authors), and CREATE FUNCTION (for authors of SECURITY DEFINER functions). (CVE-2018-1058)

  • Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)

    pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.

    In cases where user-provided functions are indirectly executed by these programs — for example, user-provided functions in index expressions — the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. (CVE-2018-1058)

  • Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)

    If a CTE (WITH clause reference) is used in an InitPlan or SubPlan, and the query requires a recheck due to trying to update or lock a concurrently-updated row, incorrect results could be obtained.

  • Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)

    These mistakes led to "left and right pathkeys do not match in mergejoin" or "outer pathkeys do not match mergeclauses" planner errors in corner cases.

  • Repair pg_upgrade's failure to preserve relfrozenxid for materialized views (Tom Lane, Andres Freund)

    This oversight could lead to data corruption in materialized views after an upgrade, manifesting as "could not access status of transaction" or "found xmin from before relfrozenxid" errors. The problem would be more likely to occur in seldom-refreshed materialized views, or ones that were maintained only with REFRESH MATERIALIZED VIEW CONCURRENTLY.

    If such corruption is observed, it can be repaired by refreshing the materialized view (without CONCURRENTLY).

  • Fix incorrect reporting of PL/Python function names in error CONTEXT stacks (Tom Lane)

    An error occurring within a nested PL/Python function call (that is, one reached via a SPI query from another PL/Python function) would result in a stack trace showing the inner function's name twice, rather than the expected results. Also, an error in a nested PL/Python DO block could result in a null pointer dereference crash on some platforms.

  • Allow contrib/auto_explain's log_min_duration setting to range up to INT_MAX, or about 24 days instead of 35 minutes (Tom Lane)

• ⇑ Upgrade to 9.4.18 released on 2018-05-10 - docs

  • Fix incorrect volatility markings on a few built-in functions (Thomas Munro, Tom Lane)

    The functions query_to_xml, cursor_to_xml, cursor_to_xmlschema, query_to_xmlschema, and query_to_xml_and_xmlschema should be marked volatile because they execute user-supplied queries that might contain volatile operations. They were not, leading to a risk of incorrect query optimization. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard, but in case of trouble, it can be fixed by manually updating these functions' pg_proc entries, for example ALTER FUNCTION pg_catalog.query_to_xml(text, boolean, boolean, text) VOLATILE. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data.

  • Avoid re-using TOAST value OIDs that match dead-but-not-yet-vacuumed TOAST entries (Pavan Deolasee)

    Once the OID counter has wrapped around, it's possible to assign a TOAST value whose OID matches a previously deleted entry in the same TOAST table. If that entry were not yet vacuumed away, this resulted in "unexpected chunk number 0 (expected 1) for toast value nnnnn" errors, which would persist until the dead entry was removed by VACUUM. Fix by not selecting such OIDs when creating a new TOAST entry.

  • Change ANALYZE's algorithm for updating pg_class.reltuples (David Gould)

    Previously, pages not actually scanned by ANALYZE were assumed to retain their old tuple density. In a large table where ANALYZE samples only a small fraction of the pages, this meant that the overall tuple density estimate could not change very much, so that reltuples would change nearly proportionally to changes in the table's physical size (relpages) regardless of what was actually happening in the table. This has been observed to result in reltuples becoming so much larger than reality as to effectively shut off autovacuuming. To fix, assume that ANALYZE's sample is a statistically unbiased sample of the table (as it should be), and just extrapolate the density observed within those pages to the whole table.

  • Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY commands that are run under SERIALIZABLE or REPEATABLE READ transaction isolation (Tom Lane)

  • Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY (Thomas Munro)

  • Fix UPDATE/DELETE ... WHERE CURRENT OF to not fail when the referenced cursor uses an index-only-scan plan (Yugo Nagata, Tom Lane)

  • Fix incorrect planning of join clauses pushed into parameterized paths (Andrew Gierth, Tom Lane)

    This error could result in misclassifying a condition as a "join filter" for an outer join when it should be a plain "filter" condition, leading to incorrect join output.

  • Fix misoptimization of CHECK constraints having provably-NULL subclauses of top-level AND/OR conditions (Tom Lane, Dean Rasheed)

    This could, for example, allow constraint exclusion to exclude a child table that should not be excluded from a query.

  • Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction (Stas Kelvich)

  • Fix query-lifespan memory leakage in repeatedly executed hash joins (Tom Lane)

  • Fix overly strict sanity check in heap_prepare_freeze_tuple (Álvaro Herrera)

    This could result in incorrect "cannot freeze committed xmax" failures in databases that have been pg_upgrade'd from 9.2 or earlier.

  • Prevent dangling-pointer dereference when a C-coded before-update row trigger returns the "old" tuple (Rushabh Lathia)

  • Reduce locking during autovacuum worker scheduling (Jeff Janes)

    The previous behavior caused drastic loss of potential worker concurrency in databases with many tables.

  • Ensure client hostname is copied while copying pg_stat_activity data to local memory (Edmund Horner)

    Previously the supposedly-local snapshot contained a pointer into shared memory, allowing the client hostname column to change unexpectedly if any existing session disconnected.

  • Fix incorrect processing of multiple compound affixes in ispell dictionaries (Arthur Zakirov)

  • Fix collation-aware searches (that is, indexscans using inequality operators) in SP-GiST indexes on text columns (Tom Lane)

    Such searches would return the wrong set of rows in most non-C locales.

  • Count the number of index tuples correctly during initial build of an SP-GiST index (Tomas Vondra)

    Previously, the tuple count was reported to be the same as that of the underlying table, which is wrong if the index is partial.

  • Count the number of index tuples correctly during vacuuming of a GiST index (Andrey Borodin)

    Previously it reported the estimated number of heap tuples, which might be inaccurate, and is certainly wrong if the index is partial.

  • Fix a corner case where a streaming standby gets stuck at a WAL continuation record (Kyotaro Horiguchi)

  • In logical decoding, avoid possible double processing of WAL data when a walsender restarts (Craig Ringer)

  • Allow scalarltsel and scalargtsel to be used on non-core datatypes (Tomas Vondra)

  • Reduce libpq's memory consumption when a server error is reported after a large amount of query output has been collected (Tom Lane)

    Discard the previous output before, not after, processing the error message. On some platforms, notably Linux, this can make a difference in the application's subsequent memory footprint.

  • Fix double-free crashes in ecpg (Patrick Krecker, Jeevan Ladhe)

  • Fix ecpg to handle long long int variables correctly in MSVC builds (Michael Meskes, Andrew Gierth)

  • Fix mis-quoting of values for list-valued GUC variables in dumps (Michael Paquier, Tom Lane)

    The local_preload_libraries, session_preload_libraries, shared_preload_libraries, and temp_tablespaces variables were not correctly quoted in pg_dump output. This would cause problems if settings for these variables appeared in CREATE FUNCTION ... SET or ALTER DATABASE/ROLE ... SET clauses.

  • Fix pg_recvlogical to not fail against pre-v10 PostgreSQL servers (Michael Paquier)

    A previous fix caused pg_recvlogical to issue a command regardless of server version, but it should only be issued to v10 and later servers.

  • Fix overflow handling in PL/pgSQL integer FOR loops (Tom Lane)

    The previous coding failed to detect overflow of the loop variable on some non-gcc compilers, leading to an infinite loop.

  • Adjust PL/Python regression tests to pass under Python 3.7 (Peter Eisentraut)

  • Support testing PL/Python and related modules when building with Python 3 and MSVC (Andrew Dunstan)

  • Rename internal b64_encode and b64_decode functions to avoid conflict with Solaris 11.4 built-in functions (Rainer Orth)

  • Sync our copy of the timezone library with IANA tzcode release 2018e (Tom Lane)

    This fixes the zic timezone data compiler to cope with negative daylight-savings offsets. While the PostgreSQL project will not immediately ship such timezone data, zic might be used with timezone data obtained directly from IANA, so it seems prudent to update zic now.

  • Update time zone data files to tzdata release 2018d for DST law changes in Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.

• ⇑ Upgrade to 9.4.19 released on 2018-08-09 - docs

  • Fix failure to reset libpq's state fully between connection attempts (Tom Lane)

    An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. (CVE-2018-10915)

  • Ensure that updates to the relfrozenxid and relminmxid values for "nailed" system catalogs are processed in a timely fashion (Andres Freund)

    Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.

  • Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Álvaro Herrera)

    This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.

  • Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)

    This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.

  • Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)

    This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.

  • Improve performance of lock releasing in standby server WAL replay (Thomas Munro)

  • Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)

    The code previously mis-detected whether or not it had caught up with the upstream server.

  • Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Álvaro Herrera)

  • Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)

    Previously, the failed index's OID could remain in the list, causing problems later in the same session.

  • Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)

    This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).

  • Ensure that VACUUM will respond to signals within btree page deletion loops (Andres Freund)

    Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.

  • Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)

    This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.

  • Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)

  • Fix failure to schema-qualify some object names in getObjectDescription output (Kyotaro Horiguchi, Tom Lane)

    Names of collations, conversions, and text search objects were not schema-qualified when they should be.

  • Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)

    This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.

  • Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)

    On Windows, crashes can ensue if the free call for a given chunk of memory is not made from the same DLL that malloc'ed the memory. The pgtypes library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free() function that just wraps free, allowing applications to follow this rule.

  • Fix ecpg's support for long long variables on Windows, as well as other platforms that declare strtoll/strtoull nonstandardly or not at all (Dang Minh Huong, Tom Lane)

  • Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)

    This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.

  • Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)

  • Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)

    The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.

  • Fix pg_dump's failure to dump REPLICA IDENTITY properties for constraint indexes (Tom Lane)

    Manually created unique indexes were properly marked, but not those created by declaring UNIQUE or PRIMARY KEY constraints.

  • Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)

    The previous check could be fooled by an immediate-mode shutdown.

  • Fix crash in contrib/ltree's lca() function when the input array is empty (Pierre Ducroquet)

  • Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)

  • Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)

    This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.

  • Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.

    This update includes a redefinition of "daylight savings" in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.

• ⇑ Upgrade to 9.4.20 released on 2018-11-08 - docs

  • Fix corner-case failures in has_foo_privilege() family of functions (Tom Lane)

    Return NULL rather than throwing an error when an invalid object OID is provided. Some of these functions got that right already, but not all. has_column_privilege() was additionally capable of crashing on some platforms.

  • Avoid O(N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)

  • Avoid O(N^3) slowdown in lexer for long strings of + or - characters (Andrew Gierth)

  • Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)

  • Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ... after rewinding the referenced cursor (Tom Lane)

    A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.

  • Fix EvalPlanQual to handle conditionally-executed InitPlans properly (Andrew Gierth, Tom Lane)

    This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT inside a CASE construct.

  • Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)

    This bug affected full-text-search operations, as well as contrib/ltree and contrib/pg_trgm.

  • Ensure that sequences owned by a foreign table are processed by ALTER OWNER on the table (Peter Eisentraut)

    The ownership change should propagate to such sequences as well, but this was missed for foreign tables.

  • Fix over-allocation of space for array_out()'s result string (Keiichi Hirobe)

  • Fix memory leak in repeated SP-GiST index scans (Tom Lane)

    This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.

  • Ensure that ApplyLogicalMappingFile() closes the mapping file when done with it (Tomas Vondra)

    Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.

  • Fix logical decoding to handle cases where a mapped catalog table is repeatedly rewritten, e.g. by VACUUM FULL (Andres Freund)

  • Prevent starting the server with wal_level set to too low a value to support an existing replication slot (Andres Freund)

  • Avoid crash if a utility command causes infinite recursion (Tom Lane)

  • When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)

  • Randomize the random() seed in bootstrap and standalone backends, and in initdb (Noah Misch)

    The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.

  • Allow DSM allocation to be interrupted (Chris Travers)

  • Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)

  • Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)

  • Fix unexpected timeouts when using wal_sender_timeout on a slow server (Noah Misch)

  • Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)

    This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.

  • Don't run atexit callbacks when servicing SIGQUIT (Heikki Linnakangas)

  • Don't record foreign-server user mappings as members of extensions (Tom Lane)

    If CREATE USER MAPPING is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.

  • Make syslogger more robust against failures in opening CSV log files (Tom Lane)

  • Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)

  • Ensure that pg_restore will schema-qualify the table name when emitting DISABLE/ENABLE TRIGGER commands (Tom Lane)

    This avoids failures due to the new policy of running restores with restrictive search path.

  • Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)

    pg_upgrade failed to preserve an event trigger's extension-membership status.

  • Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)

  • Enforce type cube's dimension limit in all contrib/cube functions (Andrey Borodin)

    Previously, some cube-related functions could construct values that would be rejected by cube_in(), leading to dump/reload failures.

  • Fix contrib/unaccent's unaccent() function to use the unaccent text search dictionary that is in the same schema as the function (Tom Lane)

    Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.

  • Fix build problems on macOS 10.14 (Mojave) (Tom Lane)

    Adjust configure to add an -isysroot switch to CPPFLAGS; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT variable in the arguments of configure or make.

    It is now recommended that Perl-related extensions write $(perl_includespec) rather than -I$(perl_archlibexp)/CORE in their compiler flags. The latter continues to work on most platforms, but not recent macOS.

    Also, it should no longer be necessary to specify --with-tclconfig manually to get PL/Tcl to build on recent macOS releases.

  • Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)

    Perl no longer includes the current directory in its search path by default; work around that.

  • Support building on Windows with Visual Studio 2015 or Visual Studio 2017 (Michael Paquier, Haribabu Kommi)

  • Allow btree comparison functions to return INT_MIN (Tom Lane)

    Up to now, we've forbidden datatype-specific comparison functions from returning INT_MIN, which allows callers to invert the sort order just by negating the comparison result. However, this was never safe for comparison functions that directly return the result of memcmp(), strcmp(), etc, as POSIX doesn't place any such restriction on those functions. At least some recent versions of memcmp() can return INT_MIN, causing incorrect sort ordering. Hence, we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT() macro if they wish to invert the sort order.

  • Fix recursion hazard in shared-invalidation message processing (Tom Lane)

    This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL.

    This change adds a new result code for LockAcquire, which might possibly affect external callers of that function, though only very unusual usage patterns would have an issue with it. The API of LockAcquireExtended is also changed.

  • Save and restore SPI's global variables during SPI_connect() and SPI_finish() (Chapman Flack, Tom Lane)

    This prevents possible interference when one SPI-using function calls another.

  • Provide ALLOCSET_DEFAULT_SIZES and sibling macros in back branches (Tom Lane)

    These macros have existed since 9.6, but there were requests to add them to older branches to allow extensions to rely on them without branch-specific coding.

  • Avoid using potentially-under-aligned page buffers (Tom Lane)

    Invent new union types PGAlignedBlock and PGAlignedXLogBlock, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.

  • Make src/port/snprintf.c follow the C99 standard's definition of snprintf()'s result value (Tom Lane)

    On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.

  • When building on i386 with the clang compiler, require -msse2 to be used (Andres Freund)

    This avoids problems with missed floating point overflow checks.

  • Fix configure's detection of the result type of strerror_r() (Tom Lane)

    The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.

  • Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.

• ⇑ Upgrade to 9.4.21 released on 2019-02-14 - docs

  • By default, panic instead of retrying after fsync() failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)

    Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync() failure. If we reissue the fsync() request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.

    A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.

  • Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)

    The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.

  • Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)

  • Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)

  • Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)

  • Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)

  • Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)

  • Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)

  • Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)

  • Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)

    In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.

  • Check whether the comparison function underlying LEAST() or GREATEST() is leakproof, rather than just assuming it is (Tom Lane)

    Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.

  • Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)

  • Fix corner-case underestimation of the cost of a merge join (Tom Lane)

    The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.

  • Avoid O(N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)

  • Improve ANALYZE's handling of concurrently-updated rows (Jeff Janes, Tom Lane)

    Previously, rows deleted by an in-progress transaction were omitted from ANALYZE's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE's start time.

  • Make TRUNCATE ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)

    This brings TRUNCATE into line with the behavior of other commands. Previously, such cases usually ended in failure.

  • Allow UNLISTEN in hot-standby mode (Shay Rojansky)

    This is necessarily a no-op, because LISTEN isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.

  • Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)

    In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.

  • Ensure relation caches are updated properly after renaming constraints (Amit Langote)

  • Make autovacuum more aggressive about removing leftover temporary tables, and also remove leftover temporary tables during DISCARD TEMP (Álvaro Herrera)

    This helps ensure that remnants from a crashed session are cleaned up more promptly.

  • Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)

  • Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)

    Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.

  • Disallow setting client_min_messages higher than ERROR (Jonah Harris, Tom Lane)

    Previously, it was possible to set this variable to FATAL or PANIC, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR instead. Version 12 and later will reject those alternatives altogether.

  • Fix ecpglib to use uselocale() or _configthreadlocale() in preference to setlocale() (Michael Meskes, Tom Lane)

    Since setlocale() is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.

  • Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)

    Values with leading zeroes were not copied correctly.

  • Make psql's LaTeX output formats render special characters properly (Tom Lane)

    Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.

  • Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)

    This led to mis-labeling of such views' dump archive entries, causing harmless warnings about "archive items not in correct section order"; less harmlessly, selective-restore options depending on those labels, such as --section, might misbehave.

  • Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)

  • Fix contrib/hstore to calculate correct hash values for empty hstore values that were created in version 8.4 or before (Andrew Gierth)

    The previous coding did not give the same result as for an empty hstore value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.

  • Avoid crashes and excessive runtime with large inputs to contrib/intarray's gist__int_ops index support (Andrew Gierth)

  • Adjust configure's selection of threading-related compiler flags and libraries to match what later PostgreSQL releases do (Tom Lane)

    The coding previously used in the 9.4 and 9.5 branches fails outright on some newer platforms, so sync it with what 9.6 and later have been doing.

  • Support new Makefile variables PG_CFLAGS, PG_CXXFLAGS, and PG_LDFLAGS in pgxs builds (Christoph Berg)

    This simplifies customization of extension build processes.

  • Fix Perl-coded build scripts to not assume "." is in the search path, since recent Perl versions don't include that (Andrew Dunstan)

  • Fix server command-line option parsing problems on OpenBSD (Tom Lane)

  • Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.

• ⇑ Upgrade to 9.4.22 released on 2019-05-09 - docs

  • Fix behavior for an UPDATE or DELETE on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)

    In such cases, the query did not report the correct set of output columns when a RETURNING clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.

  • Fix handling of explicit DEFAULT items in an INSERT ... VALUES command with multiple VALUES rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)

    When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.

  • Fix CREATE VIEW to allow zero-column views (Ashutosh Sharma)

    We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.

  • Accept XML documents as valid values of type xml when xmloption is set to content, as required by SQL:2006 and later (Chapman Flack)

    Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption that will accept all valid XML data. Hence, switch to the 2006 definition.

    pg_dump is also modified to emit SET xmloption = content while restoring data, ensuring that dump/restore works even if the prevailing setting is document.

  • Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)

    The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid file has been removed.

  • Fix incompatibility of GIN-index WAL records (Alexander Korotkov)

    A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.

  • Tolerate EINVAL and ENOSYS error results, where appropriate, for fsync and sync_file_range calls (Thomas Munro, James Sewell)

    The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means "operation not supported".

  • Fix "failed to build any N-way joins" planner failures with lateral references leading out of FULL outer joins (Tom Lane)

  • Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic data (Dean Rasheed)

    When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.

  • Avoid O(N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)

  • Fix race conditions in management of dynamic shared memory (Thomas Munro)

    These could lead to "dsa_area could not attach to segment" or "cannot unpin a segment that is not pinned" errors.

  • Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)

  • Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)

    A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.

  • Fix handling of lc_time settings that imply an encoding different from the database's encoding (Juan José Santamaría Flecha, Tom Lane)

    Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.

  • Disallow NaN as a value for floating-point server parameters (Tom Lane)

  • Rearrange REINDEX processing to avoid assertion failures when reindexing individual indexes of pg_class (Andres Freund, Tom Lane)

  • Fix planner assertion failure for parameterized dummy paths (Tom Lane)

  • Insert correct test function in the result of SnapBuildInitialSnapshot() (Antonin Houska)

    No core code cares about this, but some extensions do.

  • Fix intermittent "could not reattach to shared memory" session startup failures on Windows (Noah Misch)

    A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.

  • Fix error detection in directory scanning on Windows (Konstantin Knizhnik)

    Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.

  • Fix grammar problems in ecpg (Tom Lane)

    A missing semicolon led to mistranslation of SET variable = DEFAULT (but not SET variable TO DEFAULT) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a DROP TYPE or DROP DOMAIN command that listed multiple type names, only the first type name was actually processed.

  • Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)

  • Avoid crash in contrib/vacuumlo if an lo_unlink() call failed (Tom Lane)

  • Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)

    This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca zone, and adds support for zic's new -r option.

  • Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.

    Etc/UCT is now a backward-compatibility link to Etc/UTC, instead of being a separate zone that generates the abbreviation UCT, which nowadays is typically a typo. PostgreSQL will still accept UCT as an input zone abbreviation, but it won't output it.

• ⇑ Upgrade to 9.4.23 released on 2019-06-20 - docs

  • Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a partial exclusion constraint (Tom Lane)

  • Fix incorrect printing of queries with duplicate join names (Philip Dubé)

    This oversight caused a dump/restore failure for views containing such queries.

  • Fix misoptimization of {1,1} quantifiers in regular expressions (Tom Lane)

    Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.

  • Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)

  • Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)

    This error could result in failures like "cannot read pg_class without having selected a database".

  • Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)

    Make initdb examine the /etc/localtime symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime is not a symlink to a zone data file, nor if the time zone is determined from the TZ environment variable.

    Separately, prefer UTC over other spellings of that time zone, when neither TZ nor /etc/localtime provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT and UTC zone names equivalent: initdb was then preferring UCT, which almost nobody wants.

  • Fix misleading error reports from reindexdb (Julien Rouhaud)

  • In contrib/postgres_fdw, account for possible data modifications by local BEFORE ROW UPDATE triggers (Shohei Mochizuki)

    If a trigger modified a column that was otherwise not changed by the UPDATE, the new value was not transmitted to the remote server.

  • On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)

    The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.

  • Make PL/pgSQL's header files C++-safe (George Tarasov)

• ⇑ Upgrade to 9.4.24 released on 2019-08-08 - docs

  • Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)

    We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)

  • Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command (Tom Lane)

    This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

  • Fix mishandling of multi-column foreign keys when rebuilding a foreign key constraint (Tom Lane)

    ALTER TABLE could make an incorrect decision about whether revalidation of a foreign key is necessary, if not all columns of the key are of the same type. It seems likely that the error would always have been in the conservative direction, that is revalidating unnecessarily.

  • Prevent incorrect canonicalization of date ranges with infinity endpoints (Laurenz Albe)

    It's incorrect to try to convert an open range to a closed one or vice versa by incrementing or decrementing the endpoint value, if the endpoint is infinite; so leave the range alone in such cases.

  • Fix loss of fractional digits when converting very large money values to numeric (Tom Lane)

  • Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6 (YunQiang Su)

  • Make libpq ignore carriage return (\r) in connection service files (Tom Lane, Michael Paquier)

    In some corner cases, service files containing Windows-style newlines could be mis-parsed, resulting in connection failures.

  • Fix pg_dump to ensure that custom operator classes are dumped in the right order (Tom Lane)

    If a user-defined opclass is the subtype opclass of a user-defined range type, related objects were dumped in the wrong order, producing an unrestorable dump. (The underlying failure to handle opclass dependencies might manifest in other cases too, but this is the only known case.)

  • Fix contrib/passwordcheck to coexist with other users of check_password_hook (Michael Paquier)

  • Fix contrib/sepgsql tests to work under recent SELinux releases (Mike Palmiotto)

  • Reduce stderr output from pg_upgrade's test script (Tom Lane)

  • Support building Postgres with Microsoft Visual Studio 2019 (Haribabu Kommi)

  • In Visual Studio builds, honor WindowsSDKVersion environment variable, if that's set (Peifeng Qiu)

    This fixes build failures in some configurations.

  • Support OpenSSL 1.1.0 and newer in Visual Studio builds (Juan José Santamaría Flecha, Michael Paquier)

  • Avoid choosing localtime or posixrules as TimeZone during initdb (Tom Lane)

    In some cases initdb would choose one of these artificial zone names over the "real" zone name. Prefer any other match to the C library's timezone behavior over these two.

  • Adjust pg_timezone_names view to show the Factory time zone if and only if it has a short abbreviation (Tom Lane)

    Historically, IANA set up this artificial zone with an "abbreviation" like Local time zone must be set--see zic manual page. Modern versions of the tzdb database show -00 instead, but some platforms alter the data to show one or another of the historical phrases. Show this zone only if it uses the modern abbreviation.

  • Sync our copy of the timezone library with IANA tzcode release 2019b (Tom Lane)

    This adds support for zic's new -b slim option to reduce the size of the installed zone files. We are not currently using that, but may enable it in future.

  • Update time zone data files to tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine.

• ⇑ Upgrade to 9.4.25 released on 2019-11-14 - docs

  • Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)

    This case would lead to VACUUM failing until the old transaction terminates.

  • Ensure that offset expressions in WINDOW clauses are processed when a query's expressions are manipulated (Andrew Gierth)

    This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.

  • Fix handling of whole-row variables in WITH CHECK OPTION expressions and row-level-security policy expressions (Andres Freund)

    Previously, such usage might result in bogus errors about row type mismatches.

  • Prevent possible double-free if a BEFORE UPDATE trigger returns the old tuple as-is, and it is not the last such trigger (Thomas Munro)

  • In serializable mode, ensure that row-level predicate locks are acquired on the correct version of the row (Thomas Munro, Heikki Linnakangas)

    If the visible version of the row is HOT-updated, the lock might be taken on its now-dead predecessor, resulting in subtle failures to guarantee serialization.

  • Ensure that fsync() is applied only to files that are opened read/write (Andres Freund, Michael Paquier)

    Some code paths tried to do this after opening a file read-only, but on some platforms that causes "bad file descriptor" or similar errors.

  • Allow encoding conversion to succeed on longer strings than before (Álvaro Herrera, Tom Lane)

    Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.

  • Allow repalloc() to give back space when a large chunk is reduced in size (Tom Lane)

  • Avoid failure in archive recovery if recovery_min_apply_delay is enabled (Fujii Masao)

    recovery_min_apply_delay is not typically used in this configuration, but it should work.

  • Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Álvaro Herrera)

  • Correctly time-stamp replication messages for logical decoding (Jeff Janes)

    This oversight resulted, for example, in pg_stat_subscription.last_msg_send_time usually reading as NULL.

  • In logical decoding, ensure that sub-transactions are correctly accounted for when reconstructing a snapshot (Masahiko Sawada)

    This error leads to assertion failures; it's unclear whether any bad effects exist in production builds.

  • Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)

  • Fix ALTER SYSTEM to cope with duplicate entries in postgresql.auto.conf (Ian Barwick)

    ALTER SYSTEM itself will not generate such a state, but external tools that modify postgresql.auto.conf could do so. Duplicate entries for the target variable will now be removed, and then the new setting (if any) will be appended at the end.

  • Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)

    libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.

  • Fix some cases where an incomplete date specification is not detected in time with time zone input (Alexander Lakhin)

    If a time zone with a time-varying UTC offset is specified, then a date must be as well, so that the offset can be resolved. Depending on the syntax used, this check was not enforced in some cases, allowing bogus output to be produced.

  • Fix misbehavior of bitshiftright() (Tom Lane)

    The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.

    If you have inconsistent data as a result of saving the output of bitshiftright() in a table, it's possible to fix it with something like

    UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);

  • Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)

  • Fix incorrect compression logic for GIN posting lists (Heikki Linnakangas)

    A GIN posting list item can require 7 bytes if the distance between adjacent indexed TIDs exceeds 16TB. One step in the logic was out of sync with that, and might try to write the value into a 6-byte buffer. In principle this could cause a stack overrun, but on most architectures it's likely that the next byte would be unused alignment padding, making the bug harmless. In any case the bug would be very difficult to hit.

  • Fix handling of infinity, NaN, and NULL values in KNN-GiST (Alexander Korotkov)

    The query's output order could be wrong (different from a plain sort's result) if some distances computed for non-null column values are infinity or NaN.

  • Fix handling of searches for NULL in KNN-SP-GiST (Nikita Glukhov)

  • On Windows, recognize additional spellings of the "Norwegian (Bokmål)" locale name (Tom Lane)

  • Avoid compile failure if an ECPG client includes ecpglib.h while having ENABLE_NLS defined (Tom Lane)

    This risk was created by a misplaced declaration: ecpg_gettext() should not be visible to client code.

  • In psql, resynchronize internal state about the server after an unexpected connection loss and successful reconnection (Peter Billen, Tom Lane)

    Ordinarily this is unnecessary since the state would be the same anyway. But it can matter in corner cases, such as where the connection might lead to one of several servers. This change causes psql to re-issue any interactive messages that it would have issued at startup, for example about whether SSL is in use.

  • Avoid platform-specific null pointer dereference in psql (Quentin Rameau)

  • Fix pg_dump's handling of circular dependencies in views (Tom Lane)

    In some cases a view may depend on an object that pg_dump needs to dump later than the view; the most common example is that a query using GROUP BY on a primary-key column may be semantically invalid without the primary key. This is now handled by emitting a dummy CREATE VIEW command that just establishes the view's column names and types, and then later emitting CREATE OR REPLACE VIEW with the full view definition. Previously, the dummy definition was actually a CREATE TABLE command, and this was automagically converted to a view by a later CREATE RULE command. The new approach has been used successfully in PostgreSQL version 10 and later. We are back-patching it into older releases now because of reports that the previous method causes bogus error messages about the view's replica identity status. This change also avoids problems when trying to use the --clean option during a restore involving such a view.

  • In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)

    Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.

  • Fix pg_dump to work again with pre-8.3 source servers (Tom Lane)

    A previous fix caused pg_dump to always try to query pg_opfamily, but that catalog doesn't exist before version 8.3.

  • In pg_restore, treat -f - as meaning "output to stdout" (Álvaro Herrera)

    This synchronizes pg_restore's behavior with some other applications, and in particular makes pre-v12 branches act similarly to version 12's pg_restore, simplifying creation of dump/restore scripts that work across multiple PostgreSQL versions. Before this change, pg_restore interpreted such a switch as meaning "output to a file named -", but few people would want that.

  • Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line (Tomas Vondra)

    The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.

  • Detect file read errors during pg_basebackup (Jeevan Chalke)

  • Fix failure in pg_waldump with the -s option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)

  • Fix contrib/intarray's GiST opclasses to not fail for empty arrays with <@ (Tom Lane)

    A clause like array_column <@ constant_array is considered indexable, but the index search may not find empty array values; of course, such entries should trivially match the search.

    The only practical back-patchable fix for this requires making <@ index searches scan the whole index, which is what this patch does. This is unfortunate: it means that the query performance is likely worse than a plain sequential scan would be.

    Applications whose performance is adversely impacted by this change have a couple of options. They could switch to a GIN index, which doesn't have this bug, or they could replace array_column <@ constant_array with array_column <@ constant_array AND array_column && constant_array. That will provide about the same performance as before, and it will find all non-empty subsets of the given constant array, which is all that could reliably be expected of the query before.

  • Allow configure --with-python to succeed when only python3 or only python2 can be found (Peter Eisentraut, Tom Lane)

    Search for python, then python3, then python2, so that configure can succeed in the increasingly-more-common situation where there is no executable named simply python. It's still possible to override this choice by setting the PYTHON environment variable.

  • Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)

    Previously, it could fail if the user sets CFLAGS to -O0.

  • Ensure correct code generation for spinlocks on PowerPC (Noah Misch)

    The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.

  • On AIX, don't use the compiler option -qsrcmsg (Noah Misch)

    This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.

  • Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)

  • Update time zone data files to tzdata release 2019c for DST law changes in Fiji and Norfolk Island, plus historical corrections for Alberta, Austria, Belgium, British Columbia, Cambodia, Hong Kong, Indiana (Perry County), Kaliningrad, Kentucky, Michigan, Norfolk Island, South Korea, and Turkey.

• source repo
• author info
• meta-info