Jump to:
Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. (CVE-2018-10915)
Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just SELECT * FROM ... (Dean Rasheed, Amit Langote)
Erroneous expansion of an updatable view could lead to crashes or "attribute ... has the wrong type" errors, if the view's SELECT list doesn't match one-to-one with the underlying table's columns. Furthermore, this bug could be leveraged to allow updates of columns that an attacking user lacks UPDATE privilege for, if that user has INSERT and UPDATE privileges for some other column(s) of the table. Any user could also use it for disclosure of server memory. (CVE-2018-10925)
Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic (e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. In CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. (CVE-2019-10130)
Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)
We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
| Config parameter: | Default value: |
|---|---|
| data_sync_retry | off |
⇑ Upgrade to 9.6.10 released on 2018-08-09 - docs
Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. (CVE-2018-10915)
Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just SELECT * FROM ... (Dean Rasheed, Amit Langote)
Erroneous expansion of an updatable view could lead to crashes or "attribute ... has the wrong type" errors, if the view's SELECT list doesn't match one-to-one with the underlying table's columns. Furthermore, this bug could be leveraged to allow updates of columns that an attacking user lacks UPDATE privilege for, if that user has INSERT and UPDATE privileges for some other column(s) of the table. Any user could also use it for disclosure of server memory. (CVE-2018-10925)
Ensure that updates to the relfrozenxid and relminmxid values for "nailed" system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.
Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Álvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
During WAL replay, guard against corrupted record lengths exceeding 1GB (Michael Paquier)
Treat such a case as corrupt data. Previously, the code would try to allocate space and get a hard error, making recovery impossible.
When ending recovery, delay writing the timeline history file as long as possible (Heikki Linnakangas)
This avoids some situations where a failure during recovery cleanup (such as a problem with a two-phase state file) led to inconsistent timeline state on-disk.
Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)
The code previously mis-detected whether or not it had caught up with the upstream server.
Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Álvaro Herrera)
Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)
This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).
Ensure that VACUUM will respond to signals within btree page deletion loops (Andres Freund)
Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.
Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
Fix planner to avoid "ORDER/GROUP BY expression not found in targetlist" errors in some queries with set-returning functions (Tom Lane)
Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)
Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers (Amit Kapila, Robert Haas)
Fix failure to schema-qualify some object names in getObjectDescription output (Kyotaro Horiguchi, Tom Lane)
Names of collations, conversions, and text search objects were not schema-qualified when they should be.
Fix CREATE AGGREGATE type checking so that parallelism support functions can be attached to variadic aggregates (Alexey Bashtanov)
Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free call for a given chunk of memory is not made from the same DLL that malloc'ed the memory. The pgtypes library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free() function that just wraps free, allowing applications to follow this rule.
Fix ecpg's support for long long variables on Windows, as well as other platforms that declare strtoll/strtoull nonstandardly or not at all (Dang Minh Huong, Tom Lane)
Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.
Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)
Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
Fix pg_dump's failure to dump REPLICA IDENTITY properties for constraint indexes (Tom Lane)
Manually created unique indexes were properly marked, but not those created by declaring UNIQUE or PRIMARY KEY constraints.
Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
Fix contrib/hstore_plperl to look through Perl scalar references, and to not crash if it doesn't find a hash reference where it expects one (Tom Lane)
Fix crash in contrib/ltree's lca() function when the input array is empty (Pierre Ducroquet)
Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of "daylight savings" in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.
⇑ Upgrade to 9.6.11 released on 2018-11-08 - docs
Fix corner-case failures in has_foo_privilege() family of functions (Tom Lane)
Return NULL rather than throwing an error when an invalid object OID is provided. Some of these functions got that right already, but not all. has_column_privilege() was additionally capable of crashing on some platforms.
Avoid O(N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
Fix parsing of standard multi-character operators that are immediately followed by a comment or + or - (Andrew Gierth)
This oversight could lead to parse errors, or to incorrect assignment of precedence.
Avoid O(N^3) slowdown in lexer for long strings of + or - characters (Andrew Gierth)
Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ... after rewinding the referenced cursor (Tom Lane)
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
Fix EvalPlanQual to handle conditionally-executed InitPlans properly (Andrew Gierth, Tom Lane)
This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT inside a CASE construct.
Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well as contrib/ltree and contrib/pg_trgm.
Disallow pushing sub-SELECTs containing window functions, LIMIT, or OFFSET to parallel workers (Amit Kapila)
Such cases could result in inconsistent behavior due to different workers getting different answers, as a result of indeterminacy due to row-ordering variations.
Ensure that sequences owned by a foreign table are processed by ALTER OWNER on the table (Peter Eisentraut)
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
Ensure that the server will process already-received NOTIFY and SIGTERM interrupts before waiting for client input (Jeff Janes, Tom Lane)
Fix over-allocation of space for array_out()'s result string (Keiichi Hirobe)
Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
Ensure that ApplyLogicalMappingFile() closes the mapping file when done with it (Tomas Vondra)
Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.
Fix logical decoding to handle cases where a mapped catalog table is repeatedly rewritten, e.g. by VACUUM FULL (Andres Freund)
Prevent starting the server with wal_level set to too low a value to support an existing replication slot (Andres Freund)
Avoid crash if a utility command causes infinite recursion (Tom Lane)
When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
Fix event triggers to handle nested ALTER TABLE commands (Michael Paquier, Álvaro Herrera)
Propagate parent process's transaction and statement start timestamps to parallel workers (Konstantin Knizhnik)
This prevents misbehavior of functions such as transaction_timestamp() when executed in a worker.
Fix transfer of expanded datums to parallel workers so that alignment is preserved, preventing crashes on alignment-picky platforms (Tom Lane, Amit Kapila)
Fix WAL file recycling logic to work correctly on standby servers (Michael Paquier)
Depending on the setting of archive_mode, a standby might fail to remove some WAL files that could be removed.
Fix handling of commit-timestamp tracking during recovery (Masahiko Sawada, Michael Paquier)
If commit timestamp tracking has been turned on or off, recovery might fail due to trying to fetch the commit timestamp for a transaction that did not record it.
Randomize the random() seed in bootstrap and standalone backends, and in initdb (Noah Misch)
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
Allow DSM allocation to be interrupted (Chris Travers)
Avoid failure in a parallel worker when loading an extension that tries to access system caches within its init function (Thomas Munro)
We don't consider that to be good extension coding practice, but it mostly worked before parallel query, so continue to support it for now.
Properly handle turning full_page_writes on dynamically (Kyotaro Horiguchi)
Fix possible crash due to double free() during SP-GiST rescan (Andrew Gierth)
Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)
Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)
Fix unexpected timeouts when using wal_sender_timeout on a slow server (Noah Misch)
Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
Ensure background workers are stopped properly when the postmaster receives a fast-shutdown request before completing database startup (Alexander Kukushkin)
Update the free space map during WAL replay of page all-visible/frozen flag changes (Álvaro Herrera)
Previously we were not careful about this, reasoning that the FSM is not critical data anyway. However, if it's sufficiently out of date, that can result in significant performance degradation after a standby has been promoted to primary. The FSM will eventually be healed by updates, but we'd like it to be good sooner, so work harder at maintaining it during WAL replay.
Avoid premature release of parallel-query resources when query end or tuple count limit is reached (Amit Kapila)
It's only okay to shut down the executor at this point if the caller cannot demand backwards scan afterwards.
Don't run atexit callbacks when servicing SIGQUIT (Heikki Linnakangas)
Don't record foreign-server user mappings as members of extensions (Tom Lane)
If CREATE USER MAPPING is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.
Make syslogger more robust against failures in opening CSV log files (Tom Lane)
Fix psql, as well as documentation examples, to call PQconsumeInput() before each PQnotifies() call (Tom Lane)
This fixes cases in which psql would not report receipt of a NOTIFY message until after the next command.
Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
Ensure that pg_restore will schema-qualify the table name when emitting DISABLE/ENABLE TRIGGER commands (Tom Lane)
This avoids failures due to the new policy of running restores with restrictive search path.
Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
Enforce type cube's dimension limit in all contrib/cube functions (Andrey Borodin)
Previously, some cube-related functions could construct values that would be rejected by cube_in(), leading to dump/reload failures.
In contrib/postgres_fdw, don't try to ship a variable-free ORDER BY clause to the remote server (Andrew Gierth)
Fix contrib/unaccent's unaccent() function to use the unaccent text search dictionary that is in the same schema as the function (Tom Lane)
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add an -isysroot switch to CPPFLAGS; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT variable in the arguments of configure or make.
It is now recommended that Perl-related extensions write $(perl_includespec) rather than -I$(perl_archlibexp)/CORE in their compiler flags. The latter continues to work on most platforms, but not recent macOS.
Also, it should no longer be necessary to specify --with-tclconfig manually to get PL/Tcl to build on recent macOS releases.
Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)
To do this safely, pg_regress now gives up any such privileges at startup.
Allow btree comparison functions to return INT_MIN (Tom Lane)
Up to now, we've forbidden datatype-specific comparison functions from returning INT_MIN, which allows callers to invert the sort order just by negating the comparison result. However, this was never safe for comparison functions that directly return the result of memcmp(), strcmp(), etc, as POSIX doesn't place any such restriction on those functions. At least some recent versions of memcmp() can return INT_MIN, causing incorrect sort ordering. Hence, we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT() macro if they wish to invert the sort order.
Fix recursion hazard in shared-invalidation message processing (Tom Lane)
This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL.
This change adds a new result code for LockAcquire, which might possibly affect external callers of that function, though only very unusual usage patterns would have an issue with it. The API of LockAcquireExtended is also changed.
Save and restore SPI's global variables during SPI_connect() and SPI_finish() (Chapman Flack, Tom Lane)
This prevents possible interference when one SPI-using function calls another.
Avoid using potentially-under-aligned page buffers (Tom Lane)
Invent new union types PGAlignedBlock and PGAlignedXLogBlock, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.
Make src/port/snprintf.c follow the C99 standard's definition of snprintf()'s result value (Tom Lane)
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
When building on i386 with the clang compiler, require -msse2 to be used (Andres Freund)
This avoids problems with missed floating point overflow checks.
Fix configure's detection of the result type of strerror_r() (Tom Lane)
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.
⇑ Upgrade to 9.6.12 released on 2019-02-14 - docs
By default, panic instead of retrying after fsync() failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync() failure. If we reissue the fsync() request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.
Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
Make the archiver prioritize WAL history files over WAL data files while choosing which file to archive next (David Steele)
Fix possible crash in UPDATE with a multiple SET clause using a sub-SELECT as source (Tom Lane)
Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
Check whether the comparison function underlying LEAST() or GREATEST() is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
Fix incorrect planning of queries involving nested loops both above and below a Gather plan node (Tom Lane)
If both levels of nestloop needed to pass the same variable into their right-hand sides, an incorrect plan would be generated.
Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
Avoid O(N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
Improve ANALYZE's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE's start time.
Make TRUNCATE ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE into line with the behavior of other commands. Previously, such cases usually ended in failure.
Fix TRUNCATE to update the statistics counters for the right table (Tom Lane)
If the truncated table had a TOAST table, that table's counters were reset instead.
Process ALTER TABLE ONLY ADD COLUMN IF NOT EXISTS correctly (Greg Stark)
Allow UNLISTEN in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
Ensure relation caches are updated properly after adding or removing foreign key constraints (Álvaro Herrera)
This oversight could result in existing sessions failing to enforce a newly-created constraint, or continuing to enforce a dropped one.
Ensure relation caches are updated properly after renaming constraints (Amit Langote)
Make autovacuum more aggressive about removing leftover temporary tables, and also remove leftover temporary tables during DISCARD TEMP (Álvaro Herrera)
This helps ensure that remnants from a crashed session are cleaned up more promptly.
Fix replay of GiST index micro-vacuum operations so that concurrent hot-standby queries do not see inconsistent state (Alexander Korotkov)
Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
When making a PAM authentication request, don't set the PAM_RHOST variable if the connection is via a Unix socket (Thomas Munro)
Previously that variable would be set to [local], which is at best unhelpful, since it's supposed to be a host name.
Disallow setting client_min_messages higher than ERROR (Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL or PANIC, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR instead. Version 12 and later will reject those alternatives altogether.
Fix ecpglib to use uselocale() or _configthreadlocale() in preference to setlocale() (Michael Meskes, Tom Lane)
Since setlocale() is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
Fix psql's \g target meta-command to work with COPY TO STDOUT (Daniel Vérité)
Previously, the target option was ignored, so that the copy data always went to the current query output target.
Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about "archive items not in correct section order"; less harmlessly, selective-restore options depending on those labels, such as --section, might misbehave.
Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
Fix contrib/hstore to calculate correct hash values for empty hstore values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
Avoid crashes and excessive runtime with large inputs to contrib/intarray's gist__int_ops index support (Andrew Gierth)
Support new Makefile variables PG_CFLAGS, PG_CXXFLAGS, and PG_LDFLAGS in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
Fix Perl-coded build scripts to not assume "." is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
Fix server command-line option parsing problems on OpenBSD (Tom Lane)
Relocate call of set_rel_pathlist_hook so that extensions can use it to supply partial paths for parallel queries (KaiGai Kohei)
This is not expected to affect existing use-cases.
Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.
⇑ Upgrade to 9.6.13 released on 2019-05-09 - docs
Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic (e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. In CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. (CVE-2019-10130)
Fix behavior for an UPDATE or DELETE on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a RETURNING clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
Fix handling of explicit DEFAULT items in an INSERT ... VALUES command with multiple VALUES rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
Fix CREATE VIEW to allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
Add missing support for CREATE TABLE IF NOT EXISTS ... AS EXECUTE ... (Andreas Karlsson)
The combination of IF NOT EXISTS and EXECUTE should work, but the grammar omitted it.
Ensure that sub-SELECTs appearing in row-level-security policy expressions are executed with the correct user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
Accept XML documents as valid values of type xml when xmloption is set to content, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption that will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit SET xmloption = content while restoring data, ensuring that dump/restore works even if the prevailing setting is document.
Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid file has been removed.
Avoid counting parallel workers' transactions as separate transactions (Haribabu Kommi)
Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
Tolerate EINVAL and ENOSYS error results, where appropriate, for fsync and sync_file_range calls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means "operation not supported".
Fix "failed to build any N-way joins" planner failures with lateral references leading out of FULL outer joins (Tom Lane)
Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
Speed up planning when there are many equality conditions and many potentially-relevant foreign key constraints (David Rowley)
Avoid O(N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to "dsa_area could not attach to segment" or "cannot unpin a segment that is not pinned" errors.
Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
Fix possible crash when pg_identify_object_as_address() is given invalid input (Álvaro Herrera)
Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
Fix handling of lc_time settings that imply an encoding different from the database's encoding (Juan José Santamaría Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
Fix incorrect operator_precedence_warning checks involving unary minus operators (Rikard Falkeborn)
Disallow NaN as a value for floating-point server parameters (Tom Lane)
Rearrange REINDEX processing to avoid assertion failures when reindexing individual indexes of pg_class (Andres Freund, Tom Lane)
Fix planner assertion failure for parameterized dummy paths (Tom Lane)
Insert correct test function in the result of SnapBuildInitialSnapshot() (Antonin Houska)
No core code cares about this, but some extensions do.
Fix intermittent "could not reattach to shared memory" session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of SET variable = DEFAULT (but not SET variable TO DEFAULT) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a DROP TYPE or DROP DOMAIN command that listed multiple type names, only the first type name was actually processed.
Sync ecpg's syntax for CREATE TABLE AS with the server's (Daisuke Higuchi)
Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
Avoid crash in contrib/vacuumlo if an lo_unlink() call failed (Tom Lane)
Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca zone, and adds support for zic's new -r option.
Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT is now a backward-compatibility link to Etc/UTC, instead of being a separate zone that generates the abbreviation UCT, which nowadays is typically a typo. PostgreSQL will still accept UCT as an input zone abbreviation, but it won't output it.
⇑ Upgrade to 9.6.14 released on 2019-06-20 - docs
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a partial exclusion constraint (Tom Lane)
Fix failure of COMMENT command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)
Fix faulty generation of merge-append plans (Tom Lane)
This mistake could lead to "could not find pathkey item to sort" errors.
Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
Fix misoptimization of {1,1} quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
Avoid possible failures while initializing a new process's pg_stat_activity data (Tom Lane)
Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared pg_stat_activity data.
Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like "cannot read pg_class without having selected a database".
Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime is not a symlink to a zone data file, nor if the time zone is determined from the TZ environment variable.
Separately, prefer UTC over other spellings of that time zone, when neither TZ nor /etc/localtime provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT and UTC zone names equivalent: initdb was then preferring UCT, which almost nobody wants.
Fix ordering of GRANT commands emitted by pg_dump and pg_dumpall for databases and tablespaces (Nathan Bossart, Michael Paquier)
If cascading grants had been issued, restore might fail due to the GRANT commands being given in an order that didn't respect their interdependencies.
Fix misleading error reports from reindexdb (Julien Rouhaud)
Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
Fix contrib/auto_explain to not cause problems in parallel queries (Tom Lane)
Previously, a parallel worker might try to log its query even if the parent query were not being logged by auto_explain. This would work sometimes, but it's confusing, and in some cases it resulted in failures like "could not find key N in shm TOC".
Also, fix an off-by-one error that resulted in not necessarily logging every query even when the sampling rate is set to 1.0.
In contrib/postgres_fdw, account for possible data modifications by local BEFORE ROW UPDATE triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE, the new value was not transmitted to the remote server.
On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
Make PL/pgSQL's header files C++-safe (George Tarasov)
⇑ Upgrade to 9.6.15 released on 2019-08-08 - docs
Require schema qualification to cast to a temporary type when using functional cast syntax (Noah Misch)
We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command (Tom Lane)
This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.
Don't optimize away GROUP BY columns when the table involved is an inheritance parent (David Rowley)
Normally, if a table's primary key column(s) are included in GROUP BY, it's safe to drop any other grouping columns, since the primary key columns are enough to make the groups unique. This rule does not work if the query is also reading inheritance child tables, though; the parent's uniqueness does not extend to the children.
Avoid using unnecessary sort steps for some queries with GROUPING SETS (Andrew Gierth, Richard Guo)
Fix mishandling of multi-column foreign keys when rebuilding a foreign key constraint (Tom Lane)
ALTER TABLE could make an incorrect decision about whether revalidation of a foreign key is necessary, if not all columns of the key are of the same type. It seems likely that the error would always have been in the conservative direction, that is revalidating unnecessarily.
Avoid spurious deadlock errors when upgrading a tuple lock (Oleksii Kliukin)
When two or more transactions are waiting for a transaction T1 to release a tuple-level lock, and T1 upgrades its lock to a higher level, a spurious deadlock among the waiting transactions could be reported when T1 finishes.
Fix failure to resolve deadlocks involving multiple parallel worker processes (Rui Hai Jiang)
It is not clear whether this bug is reachable with non-artificial queries, but if it did happen, the queries involved in an otherwise-resolvable deadlock would block until canceled.
Prevent incorrect canonicalization of date ranges with infinity endpoints (Laurenz Albe)
It's incorrect to try to convert an open range to a closed one or vice versa by incrementing or decrementing the endpoint value, if the endpoint is infinite; so leave the range alone in such cases.
Fix loss of fractional digits when converting very large money values to numeric (Tom Lane)
Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6 (YunQiang Su)
Make libpq ignore carriage return (\r) in connection service files (Tom Lane, Michael Paquier)
In some corner cases, service files containing Windows-style newlines could be mis-parsed, resulting in connection failures.
In psql, avoid offering incorrect tab completion options after SET variable = (Tom Lane)
Fix pg_dump to ensure that custom operator classes are dumped in the right order (Tom Lane)
If a user-defined opclass is the subtype opclass of a user-defined range type, related objects were dumped in the wrong order, producing an unrestorable dump. (The underlying failure to handle opclass dependencies might manifest in other cases too, but this is the only known case.)
Fix contrib/passwordcheck to coexist with other users of check_password_hook (Michael Paquier)
Fix contrib/sepgsql tests to work under recent SELinux releases (Mike Palmiotto)
Improve stability of src/test/recovery regression tests (Michael Paquier)
Reduce stderr output from pg_upgrade's test script (Tom Lane)
Fix TAP tests to work with msys Perl, in cases where the build directory is on a non-root msys mount point (Noah Misch)
Support building Postgres with Microsoft Visual Studio 2019 (Haribabu Kommi)
In Visual Studio builds, honor WindowsSDKVersion environment variable, if that's set (Peifeng Qiu)
This fixes build failures in some configurations.
Support OpenSSL 1.1.0 and newer in Visual Studio builds (Juan José Santamaría Flecha, Michael Paquier)
Allow make options to be passed down to gmake when non-GNU make is invoked at the top level (Thomas Munro)
Avoid choosing localtime or posixrules as TimeZone during initdb (Tom Lane)
In some cases initdb would choose one of these artificial zone names over the "real" zone name. Prefer any other match to the C library's timezone behavior over these two.
Adjust pg_timezone_names view to show the Factory time zone if and only if it has a short abbreviation (Tom Lane)
Historically, IANA set up this artificial zone with an "abbreviation" like Local time zone must be set--see zic manual page. Modern versions of the tzdb database show -00 instead, but some platforms alter the data to show one or another of the historical phrases. Show this zone only if it uses the modern abbreviation.
Sync our copy of the timezone library with IANA tzcode release 2019b (Tom Lane)
This adds support for zic's new -b slim option to reduce the size of the installed zone files. We are not currently using that, but may enable it in future.
Update time zone data files to tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine.
⇑ Upgrade to 9.6.16 released on 2019-11-14 - docs
Fix failure of ALTER TABLE SET with a custom relation option (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM failing until the old transaction terminates.
Ensure that offset expressions in WINDOW clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
Fix handling of whole-row variables in WITH CHECK OPTION expressions and row-level-security policy expressions (Andres Freund)
Previously, such usage might result in bogus errors about row type mismatches.
Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
Prevent possible double-free if a BEFORE UPDATE trigger returns the old tuple as-is, and it is not the last such trigger (Thomas Munro)
Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
In serializable mode, ensure that row-level predicate locks are acquired on the correct version of the row (Thomas Munro, Heikki Linnakangas)
If the visible version of the row is HOT-updated, the lock might be taken on its now-dead predecessor, resulting in subtle failures to guarantee serialization.
Ensure that fsync() is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes "bad file descriptor" or similar errors.
Allow encoding conversion to succeed on longer strings than before (Álvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
Avoid creating unnecessarily-bulky tuple stores for window functions (Andrew Gierth)
In some cases the tuple storage would include all columns of the source table(s), not just the ones that are needed by the query.
Allow repalloc() to give back space when a large chunk is reduced in size (Tom Lane)
Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
Avoid failure in archive recovery if recovery_min_apply_delay is enabled (Fujii Masao)
recovery_min_apply_delay is not typically used in this configuration, but it should work.
Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Álvaro Herrera)
Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription.last_msg_send_time usually reading as NULL.
In logical decoding, ensure that sub-transactions are correctly accounted for when reconstructing a snapshot (Masahiko Sawada)
This error leads to assertion failures; it's unclear whether any bad effects exist in production builds.
Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
Fix ALTER SYSTEM to cope with duplicate entries in postgresql.auto.conf (Ian Barwick)
ALTER SYSTEM itself will not generate such a state, but external tools that modify postgresql.auto.conf could do so. Duplicate entries for the target variable will now be removed, and then the new setting (if any) will be appended at the end.
Reject include directives with empty file names in configuration files, and report include-file recursion more clearly (Ian Barwick, Tom Lane)
Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
Fix some cases where an incomplete date specification is not detected in time with time zone input (Alexander Lakhin)
If a time zone with a time-varying UTC offset is specified, then a date must be as well, so that the offset can be resolved. Depending on the syntax used, this check was not enforced in some cases, allowing bogus output to be produced.
Fix misbehavior of bitshiftright() (Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright() in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
Avoid crashes if ispell text search dictionaries contain wrong affix data (Arthur Zakirov)
Fix incorrect compression logic for GIN posting lists (Heikki Linnakangas)
A GIN posting list item can require 7 bytes if the distance between adjacent indexed TIDs exceeds 16TB. One step in the logic was out of sync with that, and might try to write the value into a 6-byte buffer. In principle this could cause a stack overrun, but on most architectures it's likely that the next byte would be unused alignment padding, making the bug harmless. In any case the bug would be very difficult to hit.
Fix handling of infinity, NaN, and NULL values in KNN-GiST (Alexander Korotkov)
The query's output order could be wrong (different from a plain sort's result) if some distances computed for non-null column values are infinity or NaN.
Fix handling of searches for NULL in KNN-SP-GiST (Nikita Glukhov)
On Windows, recognize additional spellings of the "Norwegian (Bokmål)" locale name (Tom Lane)
Avoid compile failure if an ECPG client includes ecpglib.h while having ENABLE_NLS defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext() should not be visible to client code.
In psql, resynchronize internal state about the server after an unexpected connection loss and successful reconnection (Peter Billen, Tom Lane)
Ordinarily this is unnecessary since the state would be the same anyway. But it can matter in corner cases, such as where the connection might lead to one of several servers. This change causes psql to re-issue any interactive messages that it would have issued at startup, for example about whether SSL is in use.
Avoid platform-specific null pointer dereference in psql (Quentin Rameau)
Fix pg_dump's handling of circular dependencies in views (Tom Lane)
In some cases a view may depend on an object that pg_dump needs to dump later than the view; the most common example is that a query using GROUP BY on a primary-key column may be semantically invalid without the primary key. This is now handled by emitting a dummy CREATE VIEW command that just establishes the view's column names and types, and then later emitting CREATE OR REPLACE VIEW with the full view definition. Previously, the dummy definition was actually a CREATE TABLE command, and this was automagically converted to a view by a later CREATE RULE command. The new approach has been used successfully in PostgreSQL version 10 and later. We are back-patching it into older releases now because of reports that the previous method causes bogus error messages about the view's replica identity status. This change also avoids problems when trying to use the --clean option during a restore involving such a view.
In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
Fix pg_dump to work again with pre-8.3 source servers (Tom Lane)
A previous fix caused pg_dump to always try to query pg_opfamily, but that catalog doesn't exist before version 8.3.
In pg_restore, treat -f - as meaning "output to stdout" (Álvaro Herrera)
This synchronizes pg_restore's behavior with some other applications, and in particular makes pre-v12 branches act similarly to version 12's pg_restore, simplifying creation of dump/restore scripts that work across multiple PostgreSQL versions. Before this change, pg_restore interpreted such a switch as meaning "output to a file named -", but few people would want that.
Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line (Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
Detect file read errors during pg_basebackup (Jeevan Chalke)
In pg_rewind with an online source cluster, disable timeouts, much as pg_dump does (Alexander Kukushkin)
Fix failure in pg_waldump with the -s option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
In pg_waldump, include the newitemoff field in btree page split records (Peter Geoghegan)
In pg_waldump with the --bkp-details option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
Fix small memory leak in pg_waldump (Andres Freund)
Fix vacuumdb with a high --jobs option to handle running out of file descriptors better (Michael Paquier)
Fix contrib/intarray's GiST opclasses to not fail for empty arrays with <@ (Tom Lane)
A clause like array_column <@ constant_array is considered indexable, but the index search may not find empty array values; of course, such entries should trivially match the search.
The only practical back-patchable fix for this requires making <@ index searches scan the whole index, which is what this patch does. This is unfortunate: it means that the query performance is likely worse than a plain sequential scan would be.
Applications whose performance is adversely impacted by this change have a couple of options. They could switch to a GIN index, which doesn't have this bug, or they could replace array_column <@ constant_array with array_column <@ constant_array AND array_column && constant_array. That will provide about the same performance as before, and it will find all non-empty subsets of the given constant array, which is all that could reliably be expected of the query before.
Allow configure --with-python to succeed when only python3 or only python2 can be found (Peter Eisentraut, Tom Lane)
Search for python, then python3, then python2, so that configure can succeed in the increasingly-more-common situation where there is no executable named simply python. It's still possible to override this choice by setting the PYTHON environment variable.
Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS to -O0.
Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
On PowerPC, avoid depending on the xlc compiler's __fetch_and_add() function (Noah Misch)
xlc 13 and newer interpret this function in a way incompatible with our usage, resulting in an unusable build of PostgreSQL. Fix by using custom assembly code instead.
On AIX, don't use the compiler option -qsrcmsg (Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
Update time zone data files to tzdata release 2019c for DST law changes in Fiji and Norfolk Island, plus historical corrections for Alberta, Austria, Belgium, British Columbia, Cambodia, Hong Kong, Indiana (Perry County), Kaliningrad, Kentucky, Michigan, Norfolk Island, South Korea, and Turkey.