Merge commit '21d304dfedb4f26d0d6587d9ac39b1b5c499bb55'

This is the merge-base of PostgreSQL's master branch and REL_10_STABLE branch.
This should be the last merge from PG's master branch into XL 10 branch.
Subsequent merges must happen from REL_10_STABLE branch

31 files changed, 3966 insertions, 297 deletions

diff --git a/doc/src/sgml/backup.sgml b/doc/src/sgml/backup.sgml
index ca38573471..0aa074948f 100644
--- a/doc/src/sgml/backup.sgml
+++ b/doc/src/sgml/backup.sgml
@@ -1029,10 +1029,15 @@ SELECT pg_start_backup('label', true);
 <programlisting>
 SELECT pg_stop_backup();
 </programlisting>
-     This terminates the backup mode and performs an automatic switch to
-     the next WAL segment.  The reason for the switch is to arrange for
-     the last WAL segment file written during the backup interval to be
-     ready to archive.
+     This function, when called on a primary, terminates the backup mode and
+     performs an automatic switch to the next WAL segment. The reason for the
+     switch is to arrange for the last WAL segment written during the backup
+     interval to be ready to archive.  When called on a standby, this function
+     only terminates backup mode.  A subsequent WAL segment switch will be
+     needed in order to ensure that all WAL files needed to restore the backup
+     can be archived; if the primary does not have sufficient write activity
+     to trigger one, <function>pg_switch_wal</function> should be executed on
+     the primary.
     </para>
    </listitem>
    <listitem>
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 407ea2018c..b3d23a6426 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1359,10 +1359,8 @@
       <entry><structfield>rolreplication</structfield></entry>
       <entry><type>bool</type></entry>
       <entry>
-       Role is a replication role. That is, this role can initiate streaming
-       replication (see <xref linkend="streaming-replication">) and set/unset
-       the system backup mode using <function>pg_start_backup</> and
-       <function>pg_stop_backup</>
+       Role is a replication role. A replication role can initiate replication
+       connections and create and drop replication slots.
       </entry>
      </row>
 
@@ -10107,10 +10105,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
       <entry><type>bool</type></entry>
       <entry></entry>
       <entry>
-       Role is a replication role. That is, this role can initiate streaming
-       replication (see <xref linkend="streaming-replication">) and set/unset
-       the system backup mode using <function>pg_start_backup</> and
-       <function>pg_stop_backup</>
+       Role is a replication role. A replication role can initiate replication
+       connections and create and drop replication slots.
       </entry>
      </row>
 
@@ -11354,17 +11350,37 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
       <entry><type>text[]</type></entry>
       <entry></entry>
       <entry>
-       User mapping specific options, as <quote>keyword=value</>
-       strings.  This column will show as null unless the current user
-       is the user being mapped, or the mapping is for
-       <literal>PUBLIC</literal> and the current user is the server
-       owner, or the current user is a superuser.  The intent is
-       to protect password information stored as user mapping option.
+       User mapping specific options, as <quote>keyword=value</> strings
       </entry>
      </row>
     </tbody>
    </tgroup>
   </table>
+
+  <para>
+   To protect password information stored as a user mapping option,
+   the <structfield>umoptions</structfield> column will read as null
+   unless one of the following applies:
+   <itemizedlist>
+    <listitem>
+     <para>
+      current user is the user being mapped, and owns the server or
+      holds <literal>USAGE</> privilege on it
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      current user is the server owner and mapping is for <literal>PUBLIC</>
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      current user is a superuser
+     </para>
+    </listitem>
+   </itemizedlist>
+  </para>
+
  </sect1>
 
 
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 747b3f05c8..e3c5bab5bc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1216,6 +1216,30 @@ include_dir 'conf.d'
       </listitem>
      </varlistentry>
 
+     <varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file">
+      <term><varname>ssl_dh_params_file</varname> (<type>string</type>)
+      <indexterm>
+       <primary><varname>ssl_dh_params_file</> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Specifies the name of the file containing Diffie-Hellman parameters
+        used for so-called ephemeral DH family of SSL ciphers. The default is
+        empty, in which case compiled-in default DH parameters used. Using
+        custom DH parameters reduces the exposure if an attacker manages to
+        crack the well-known compiled-in DH parameters. You can create your own
+        DH parameters file with the command
+        <command>openssl dhparam -out dhparams.pem 2048</command>.
+       </para>
+
+       <para>
+        This parameter can only be set in the <filename>postgresql.conf</>
+        file or on the server command line.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
       <term><varname>krb_server_keyfile</varname> (<type>string</type>)
       <indexterm>
@@ -2047,8 +2071,8 @@ include_dir 'conf.d'
        <listitem>
         <para>
          Sets the maximum number of workers that can be started by a single
-         <literal>Gather</literal> node.  Parallel workers are taken from the
-         pool of processes established by
+         <literal>Gather</literal> or <literal>Gather Merge</literal> node.
+         Parallel workers are taken from the pool of processes established by
          <xref linkend="guc-max-worker-processes">, limited by
          <xref linkend="guc-max-parallel-workers">.  Note that the requested
          number of workers may not actually be available at run time.  If this
@@ -5402,6 +5426,7 @@ log_line_prefix = '%m [%p] %q%u@%d/%a '
         longer than <xref linkend="guc-deadlock-timeout"> to acquire a
         lock.  This is useful in determining if lock waits are causing
         poor performance.  The default is <literal>off</>.
+        Only superusers can change this setting.
        </para>
       </listitem>
      </varlistentry>
diff --git a/doc/src/sgml/datatype.sgml b/doc/src/sgml/datatype.sgml
index 0ea06782b1..5962ed8622 100644
--- a/doc/src/sgml/datatype.sgml
+++ b/doc/src/sgml/datatype.sgml
@@ -3623,7 +3623,9 @@ SELECT person.name, holidays.num_weeks FROM person, holidays
     <para>
     The essential difference between <type>inet</type> and <type>cidr</type>
     data types is that <type>inet</type> accepts values with nonzero bits to
-    the right of the netmask, whereas <type>cidr</type> does not.
+    the right of the netmask, whereas <type>cidr</type> does not.  For
+    example, <literal>192.168.0.1/24</literal> is valid for <type>inet</type>
+    but not for <type>cidr</type>.
     </para>
 
       <tip>
@@ -4301,7 +4303,7 @@ SET xmloption TO { DOCUMENT | CONTENT };
     <para>
      Some XML-related functions may not work at all on non-ASCII data
      when the server encoding is not UTF-8.  This is known to be an
-     issue for <function>xpath()</> in particular.
+     issue for <function>xmltable()</> and <function>xpath()</> in particular.
     </para>
    </caution>
    </sect2>
diff --git a/doc/src/sgml/external-projects.sgml b/doc/src/sgml/external-projects.sgml
index 82aaad4e4b..82eaf4a355 100644
--- a/doc/src/sgml/external-projects.sgml
+++ b/doc/src/sgml/external-projects.sgml
@@ -97,6 +97,13 @@
      </row>
 
      <row>
+      <entry>pgtcl</entry>
+      <entry>Tcl</entry>
+      <entry></entry>
+      <entry><ulink url="https://github.com/flightaware/Pgtcl"></ulink></entry>
+     </row>
+
+     <row>
       <entry>pgtclng</entry>
       <entry>Tcl</entry>
       <entry></entry>
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 3d56b889c7..6729c5622d 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -18639,7 +18639,12 @@ postgres=# select pg_start_backup('label_goes_here');
     WAL to be archived.  This behavior is only useful for backup
     software which independently monitors WAL archiving. Otherwise, WAL
     required to make the backup consistent might be missing and make the backup
-    useless.
+    useless.  When this parameter is set to true, <function>pg_stop_backup</>
+    will wait for WAL to be archived when archiving is enabled; on the standby,
+    this means that it will wait only when <varname>archive_mode = always</>.
+    If write activity on the primary is low, it may be useful to run
+    <function>pg_switch_wal</> on the primary in order to trigger
+    an immediate segment switch.
    </para>
 
    <para>
diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml
index 464471a02c..9f010d3d6b 100644
--- a/doc/src/sgml/high-availability.sgml
+++ b/doc/src/sgml/high-availability.sgml
@@ -40,7 +40,7 @@
   server to modify the data.  Servers that can modify data are
   called read/write, <firstterm>master</> or <firstterm>primary</> servers.
   Servers that track changes in the master are called <firstterm>standby</>
-  or <firstterm>slave</> servers. A standby server that cannot be connected
+  or <firstterm>secondary</> servers. A standby server that cannot be connected
   to until it is promoted to a master server is called a <firstterm>warm
   standby</> server, and one that can accept connections and serves read-only
   queries is called a <firstterm>hot standby</> server.
diff --git a/doc/src/sgml/install-windows.sgml b/doc/src/sgml/install-windows.sgml
index f5dfb91ac1..1861e7e2f7 100644
--- a/doc/src/sgml/install-windows.sgml
+++ b/doc/src/sgml/install-windows.sgml
@@ -180,7 +180,8 @@ $ENV{MSBFLAGS}="/m";
       ActiveState Perl is required to run the build generation scripts. MinGW
       or Cygwin Perl will not work. It must also be present in the PATH.
       Binaries can be downloaded from
-      <ulink url="http://www.activestate.com"></> (Note: version 5.8 or later is required,
+      <ulink url="http://www.activestate.com"></>
+      (Note: version 5.8.3 or later is required,
       the free Standard Distribution is sufficient).
      </para></listitem>
     </varlistentry>
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index b6450893b7..73fb13da8e 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -215,6 +215,7 @@ su - postgres
       <application>PL/Perl</application> you need a full
       <productname>Perl</productname> installation, including the
       <filename>libperl</filename> library and the header files.
+      The minimum required version is <productname>Perl</productname> 5.8.3.
       Since <application>PL/Perl</application> will be a shared
       library, the <indexterm><primary>libperl</primary></indexterm>
       <filename>libperl</filename> library must be a shared library
@@ -361,7 +362,7 @@ su - postgres
        <primary>perl</primary>
       </indexterm>
 
-      <application>Perl</> 5.8 or later is needed to build from a Git checkout,
+      <application>Perl</> 5.8.3 or later is needed to build from a Git checkout,
       or if you changed the input files for any of the build steps that
       use Perl scripts.  If building on Windows you will need
       <application>Perl</> in any case.  <application>Perl</application> is
@@ -805,10 +806,26 @@ su - postgres
          Build with support for
          the <productname>ICU</productname><indexterm><primary>ICU</></>
          library.  This requires the <productname>ICU4C</productname> package
-         as well
-         as <productname>pkg-config</productname><indexterm><primary>pkg-config</></>
          to be installed.  The minimum required version
-         of <productname>ICU4C</productname> is currently 4.6.
+         of <productname>ICU4C</productname> is currently 4.2.
+        </para>
+
+        <para>
+         By default,
+         <productname>pkg-config</productname><indexterm><primary>pkg-config</></>
+         will be used to find the required compilation options.  This is
+         supported for <productname>ICU4C</productname> version 4.6 and later.
+         For older versions, or if <productname>pkg-config</productname> is
+         not available, the variables <envar>ICU_CFLAGS</envar>
+         and <envar>ICU_LIBS</envar> can be specified
+         to <filename>configure</filename>, like in this example:
+<programlisting>
+./configure ... --with-icu ICU_CFLAGS='-I/some/where/include' ICU_LIBS='-L/some/where/lib -licui18n -licuuc -licudata'
+</programlisting>
+         (If <productname>ICU4C</productname> is in the default search path
+         for the compiler, then you still need to specify a nonempty string in
+         order to avoid use of <productname>pkg-config</productname>, for
+         example, <literal>ICU_CFLAGS=' '</literal>.)
         </para>
        </listitem>
       </varlistentry>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 5258aa998a..ebee3afa3a 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -892,8 +892,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
      <title>Specifying Multiple Hosts</title>
 
      <para>
-       It is possible to specify multiple hosts to connect to, so that they are 
-       tried in the given order. In the Keyword/Value format, the <literal>host</>, 
+       It is possible to specify multiple hosts to connect to, so that they are
+       tried in the given order. In the Keyword/Value format, the <literal>host</>,
        <literal>hostaddr</>, and <literal>port</> options accept a comma-separated
        list of values. The same number of elements must be given in each option, such
        that e.g. the first <literal>hostaddr</> corresponds to the first host name,
@@ -903,24 +903,24 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
      </para>
 
      <para>
-       In the connection URI format, you can list multiple <literal>host:port</> pairs 
+       In the connection URI format, you can list multiple <literal>host:port</> pairs
        separated by commas, in the <literal>host</> component of the URI. In either
        format, a single hostname can also translate to multiple network addresses. A
        common example of this is a host that has both an IPv4 and an IPv6 address.
      </para>
 
      <para>
-       When multiple hosts are specified, or when a single hostname is 
-       translated to multiple addresses,  all the hosts and addresses will be 
-       tried in order, until one succeeds. If none of the hosts can be reached, 
-       the connection fails. If a connection is established successfully, but 
+       When multiple hosts are specified, or when a single hostname is
+       translated to multiple addresses,  all the hosts and addresses will be
+       tried in order, until one succeeds. If none of the hosts can be reached,
+       the connection fails. If a connection is established successfully, but
        authentication fails, the remaining hosts in the list are not tried.
      </para>
 
      <para>
-       If a password file is used, you can have different passwords for 
-       different hosts. All the other connection options are the same for every 
-       host, it is not possible to e.g. specify a different username for 
+       If a password file is used, you can have different passwords for
+       different hosts. All the other connection options are the same for every
+       host, it is not possible to e.g. specify a different username for
        different hosts.
      </para>
    </sect3>
@@ -1844,17 +1844,36 @@ int PQprotocolVersion(const PGconn *conn);
 
      <listitem>
       <para>
-       Returns an integer representing the backend version.
+       Returns an integer representing the server version.
 <synopsis>
 int PQserverVersion(const PGconn *conn);
 </synopsis>
-       Applications might use this function to determine the version of the database
-       server they are connected to. The number is formed by converting
-       the major, minor, and revision numbers into two-decimal-digit
-       numbers and appending them together. For example, version 8.1.5
-       will be returned as 80105, and version 8.2 will be returned as
-       80200 (leading zeroes are not shown).  Zero is returned if the
-       connection is bad.
+      </para>
+
+      <para>
+       Applications might use this function to determine the version of the
+       database server they are connected to.  The result is formed by
+       multiplying the server's major version number by 10000 and adding
+       the minor version number.  For example, version 10.1 will be
+       returned as 100001, and version 11.0 will be returned as 110000.
+       Zero is returned if the connection is bad.
+      </para>
+
+      <para>
+       Prior to major version 10, <productname>PostgreSQL</> used
+       three-part version numbers in which the first two parts together
+       represented the major version.  For those
+       versions, <function>PQserverVersion</> uses two digits for each
+       part; for example version 9.1.5 will be returned as 90105, and
+       version 9.2.0 will be returned as 90200.
+      </para>
+
+      <para>
+       Therefore, for purposes of determining feature compatibility,
+       applications should divide the result of <function>PQserverVersion</>
+       by 100 not 10000 to determine a logical major version number.
+       In all release series, only the last two digits differ between
+       minor releases (bug-fix releases).
       </para>
      </listitem>
     </varlistentry>
@@ -6230,26 +6249,42 @@ int PQlibVersion(void);
 
      <para>
       The result of this function can be used to determine, at
-      run time, if specific functionality is available in the currently
+      run time, whether specific functionality is available in the currently
       loaded version of libpq. The function can be used, for example,
-      to determine which connection options are available for
-      <function>PQconnectdb</> or if the <literal>hex</> <type>bytea</>
-      output added in PostgreSQL 9.0 is supported.
+      to determine which connection options are available in
+      <function>PQconnectdb</>.
+     </para>
+
+     <para>
+      The result is formed by multiplying the library's major version
+      number by 10000 and adding the minor version number.  For example,
+      version 10.1 will be returned as 100001, and version 11.0 will be
+      returned as 110000.
+     </para>
+
+     <para>
+      Prior to major version 10, <productname>PostgreSQL</> used
+      three-part version numbers in which the first two parts together
+      represented the major version.  For those
+      versions, <function>PQlibVersion</> uses two digits for each
+      part; for example version 9.1.5 will be returned as 90105, and
+      version 9.2.0 will be returned as 90200.
      </para>
 
      <para>
-      The number is formed by converting the major, minor, and revision
-      numbers into two-decimal-digit numbers and appending them together.
-      For example, version 9.1 will be returned as 90100, and version
-      9.1.2 will be returned as 90102 (leading zeroes are not shown).
+      Therefore, for purposes of determining feature compatibility,
+      applications should divide the result of <function>PQlibVersion</>
+      by 100 not 10000 to determine a logical major version number.
+      In all release series, only the last two digits differ between
+      minor releases (bug-fix releases).
      </para>
 
      <note>
       <para>
        This function appeared in <productname>PostgreSQL</> version 9.1, so
        it cannot be used to detect required functionality in earlier
-       versions, since linking to it will create a link dependency
-       on version 9.1.
+       versions, since calling it will create a link dependency
+       on version 9.1 or later.
       </para>
      </note>
     </listitem>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index be3dc672bc..5575c2c837 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -845,7 +845,7 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
 
       <tbody>
        <row>
-        <entry morerows="59"><literal>LWLock</></entry>
+        <entry morerows="60"><literal>LWLock</></entry>
         <entry><literal>ShmemIndexLock</></entry>
         <entry>Waiting to find or allocate space in shared memory.</entry>
        </row>
@@ -1155,7 +1155,7 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
          <entry>Waiting to acquire a pin on a buffer.</entry>
         </row>
         <row>
-         <entry morerows="11"><literal>Activity</></entry>
+         <entry morerows="13"><literal>Activity</></entry>
          <entry><literal>ArchiverMain</></entry>
          <entry>Waiting in main loop of the archiver process.</entry>
         </row>
@@ -1176,6 +1176,14 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
          <entry>Waiting in main loop of checkpointer process.</entry>
         </row>
         <row>
+         <entry><literal>LogicalLauncherMain</></entry>
+         <entry>Waiting in main loop of logical launcher process.</entry>
+        </row>
+        <row>
+         <entry><literal>LogicalApplyMain</></entry>
+         <entry>Waiting in main loop of logical apply process.</entry>
+        </row>
+        <row>
          <entry><literal>PgStatMain</></entry>
          <entry>Waiting in main loop of the statistics collector process.</entry>
         </row>
@@ -1204,7 +1212,7 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
          <entry>Waiting in main loop of WAL writer process.</entry>
         </row>
         <row>
-         <entry morerows="5"><literal>Client</></entry>
+         <entry morerows="7"><literal>Client</></entry>
          <entry><literal>ClientRead</></entry>
          <entry>Waiting to read data from the client.</entry>
         </row>
@@ -1213,6 +1221,14 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
          <entry>Waiting to write data from the client.</entry>
         </row>
         <row>
+         <entry><literal>LibPQWalReceiverConnect</></entry>
+         <entry>Waiting in WAL receiver to establish connection to remote server.</entry>
+        </row>
+        <row>
+         <entry><literal>LibPQWalReceiverReceive</></entry>
+         <entry>Waiting in WAL receiver to receive data from remote server.</entry>
+        </row>
+        <row>
          <entry><literal>SSLOpenServer</></entry>
          <entry>Waiting for SSL while attempting connection.</entry>
         </row>
@@ -1234,7 +1250,7 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
          <entry>Waiting in an extension.</entry>
         </row>
         <row>
-         <entry morerows="12"><literal>IPC</></entry>
+         <entry morerows="16"><literal>IPC</></entry>
          <entry><literal>BgWorkerShutdown</></entry>
          <entry>Waiting for background worker to shut down.</entry>
         </row>
@@ -1251,6 +1267,14 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
          <entry>Waiting for activity from child process when executing <literal>Gather</> node.</entry>
         </row>
         <row>
+         <entry><literal>LogicalSyncData</></entry>
+         <entry>Waiting for logical replication remote server to send data for initial table synchronization.</entry>
+        </row>
+        <row>
+         <entry><literal>LogicalSyncStateChange</></entry>
+         <entry>Waiting for logical replication remote server to change state.</entry>
+        </row>
+        <row>
          <entry><literal>MessageQueueInternal</></entry>
          <entry>Waiting for other process to be attached in shared message queue.</entry>
         </row>
@@ -1271,14 +1295,22 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
          <entry>Waiting for parallel workers to finish computing.</entry>
         </row>
         <row>
-         <entry><literal>ParallelBitmapPopulate</></entry>
-         <entry>Waiting for the leader to populate the TidBitmap.</entry>
+         <entry><literal>ParallelBitmapScan</></entry>
+         <entry>Waiting for parallel bitmap scan to become initialized.</entry>
         </row>
         <row>
          <entry><literal>ProcArrayGroupUpdate</></entry>
          <entry>Waiting for group leader to clear transaction id at transaction end.</entry>
         </row>
         <row>
+         <entry><literal>ReplicationOriginDrop</></entry>
+         <entry>Waiting for a replication origin to become inactive to be dropped.</entry>
+        </row>
+        <row>
+         <entry><literal>ReplicationSlotDrop</></entry>
+         <entry>Waiting for a replication slot to become inactive to be dropped.</entry>
+        </row>
+        <row>
          <entry><literal>SafeSnapshot</></entry>
          <entry>Waiting for a snapshot for a <literal>READ ONLY DEFERRABLE</> transaction.</entry>
         </row>
diff --git a/doc/src/sgml/pageinspect.sgml b/doc/src/sgml/pageinspect.sgml
index 3809c4e7f9..4491d6fe67 100644
--- a/doc/src/sgml/pageinspect.sgml
+++ b/doc/src/sgml/pageinspect.sgml
@@ -693,8 +693,13 @@ test=# SELECT * FROM hash_bitmap_info('con_hash_index', 2052);
       <function>hash_metapage_info</function> returns information stored
       in meta page of a <acronym>HASH</acronym> index.  For example:
 <screen>
-test=# SELECT * FROM hash_metapage_info(get_raw_page('con_hash_index', 0));
--[ RECORD 1 ]-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+test=# SELECT magic, version, ntuples, ffactor, bsize, bmsize, bmshift,
+test-#     maxbucket, highmask, lowmask, ovflpoint, firstfree, nmaps, procid,
+test-#     regexp_replace(spares::text, '(,0)*}', '}') as spares,
+test-#     regexp_replace(mapp::text, '(,0)*}', '}') as mapp
+test-# FROM hash_metapage_info(get_raw_page('con_hash_index', 0));
+-[ RECORD 1 ]-------------------------------------------------------------------------------
+spares    | {0,0,0,0,0,0,1,1,1,1,1,1,1,1,3,4,4,4,45,55,58,59,508,567,628,704,1193,1202,1204}
 magic     | 105121344
 version   | 3
 ntuples   | 500500
@@ -709,8 +714,8 @@ ovflpoint | 28
 firstfree | 1204
 nmaps     | 1
 procid    | 450
-spares    | {0,0,0,0,0,0,1,1,1,1,1,1,1,1,3,4,4,4,45,55,58,59,508,567,628,704,1193,1202,1204,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
-mapp      | {65,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
+spares    | {0,0,0,0,0,0,1,1,1,1,1,1,1,1,3,4,4,4,45,55,58,59,508,567,628,704,1193,1202,1204}
+mapp      | {65}
 </screen>
      </para>
     </listitem>
diff --git a/doc/src/sgml/parallel.sgml b/doc/src/sgml/parallel.sgml
index ff31e7537e..2a25f21eb4 100644
--- a/doc/src/sgml/parallel.sgml
+++ b/doc/src/sgml/parallel.sgml
@@ -28,7 +28,8 @@
    <para>
     When the optimizer determines that parallel query is the fastest execution
     strategy for a particular query, it will create a query plan which includes
-    a <firstterm>Gather node</firstterm>.  Here is a simple example:
+    a <firstterm>Gather</firstterm> or <firstterm>Gather Merge</firstterm>
+    node.  Here is a simple example:
 
 <screen>
 EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
@@ -43,15 +44,16 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
    </para>
 
    <para>
-    In all cases, the <literal>Gather</literal> node will have exactly one
+    In all cases, the <literal>Gather</literal> or
+    <literal>Gather Merge</literal> node will have exactly one
     child plan, which is the portion of the plan that will be executed in
-    parallel.  If the <literal>Gather</> node is at the very top of the plan
-    tree, then the entire query will execute in parallel.  If it is somewhere
-    else in the plan tree, then only the portion of the plan below it will run
-    in parallel.  In the example above, the query accesses only one table, so
-    there is only one plan node other than the <literal>Gather</> node itself;
-    since that plan node is a child of the <literal>Gather</> node, it will
-    run in parallel.
+    parallel.  If the <literal>Gather</> or <literal>Gather Merge</> node is
+    at the very top of the plan tree, then the entire query will execute in
+    parallel.  If it is somewhere else in the plan tree, then only the portion
+    of the plan below it will run in parallel.  In the example above, the
+    query accesses only one table, so there is only one plan node other than
+    the <literal>Gather</> node itself; since that plan node is a child of the
+    <literal>Gather</> node, it will run in parallel.
    </para>
 
    <para>
@@ -60,35 +62,47 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
     during query execution, the process which is implementing the user's
     session will request a number of <link linkend="bgworker">background
     worker processes</link> equal to the number
-    of workers chosen by the planner.  The total number of background
-    workers that can exist at any one time is limited by both
+    of workers chosen by the planner.  The number of background workers that
+    the planner will consider using is limited to at most
+    <xref linkend="guc-max-parallel-workers-per-gather">.  The total number
+    of background workers that can exist at any one time is limited by both
     <xref linkend="guc-max-worker-processes"> and
-    <xref linkend="guc-max-parallel-workers">, so it is possible for a
+    <xref linkend="guc-max-parallel-workers">.  Therefore, it is possible for a
     parallel query to run with fewer workers than planned, or even with
     no workers at all.  The optimal plan may depend on the number of workers
     that are available, so this can result in poor query performance.  If this
-    occurrence is frequent, considering increasing
+    occurrence is frequent, consider increasing
     <varname>max_worker_processes</> and <varname>max_parallel_workers</>
     so that more workers can be run simultaneously or alternatively reducing
-    <xref linkend="guc-max-parallel-workers-per-gather"> so that the planner
+    <varname>max_parallel_workers_per_gather</varname> so that the planner
     requests fewer workers.
    </para>
 
    <para>
     Every background worker process which is successfully started for a given
-    parallel query will execute the portion of the plan below
-    the <literal>Gather</> node.  The leader will also execute that portion
-    of the plan, but it has an additional responsibility: it must also read
-    all of the tuples generated by the workers.  When the parallel portion of
-    the plan generates only a small number of tuples, the leader will often
-    behave very much like an additional worker, speeding up query execution.
-    Conversely, when the parallel portion of the plan generates a large number
-    of tuples, the leader may be almost entirely occupied with reading the
-    tuples generated by the workers and performing any further processing
-    steps which are required by plan nodes above the level of the
-    <literal>Gather</literal> node.  In such cases, the leader will do very
-    little of the work of executing the parallel portion of the plan.
+    parallel query will execute the parallel portion of the plan.  The leader
+    will also execute that portion of the plan, but it has an additional
+    responsibility: it must also read all of the tuples generated by the
+    workers.  When the parallel portion of the plan generates only a small
+    number of tuples, the leader will often behave very much like an additional
+    worker, speeding up query execution.  Conversely, when the parallel portion
+    of the plan generates a large number of tuples, the leader may be almost
+    entirely occupied with reading the tuples generated by the workers and
+    performing any further processing steps which are required by plan nodes
+    above the level of the <literal>Gather</literal> node or
+    <literal>Gather Merge</literal> node.  In such cases, the leader will
+    do very little of the work of executing the parallel portion of the plan.
    </para>
+
+   <para>
+    When the node at the top of the parallel portion of the plan is
+    <literal>Gather Merge</> rather than <literal>Gather</>, it indicates that
+    each process executing the parallel portion of the plan is producing
+    tuples in sorted order, and that the leader is performing an
+    order-preserving merge.  In contrast, <literal>Gather</> reads tuples
+    from the workers in whatever order is convenient, destroying any sort
+    order that may have existed.
+   </para>   
  </sect1>
 
  <sect1 id="when-can-parallel-query-be-used">
@@ -221,9 +235,9 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
         send such a message, this can only occur when using a client that
         does not rely on libpq.  If this is a frequent
         occurrence, it may be a good idea to set
-        <xref linkend="guc-max-parallel-workers-per-gather"> in sessions
-        where it is likely, so as to avoid generating query plans that may
-        be suboptimal when run serially.
+        <xref linkend="guc-max-parallel-workers-per-gather"> to zero in
+        sessions where it is likely, so as to avoid generating query plans
+        that may be suboptimal when run serially.
       </para>
     </listitem>
 
@@ -262,6 +276,8 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
     so that each process which executes the plan will generate only a
     subset of the output rows in such a way that each required output row
     is guaranteed to be generated by exactly one of the cooperating processes.
+    Generally, this means that the scan on the driving table of the query
+    must be a parallel-aware scan.
   </para>
 
  <sect2 id="parallel-scans">
@@ -302,9 +318,8 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
     </listitem>
   </itemizedlist>
 
-    Only the scan types listed above may be used for a scan on the driving
-    table within a parallel plan.  Other scan types, such as parallel scans of
-    non-btree indexes, may be supported in the future.
+    Other scan types, such as scans of non-btree indexes, may support
+    parallel scans in the future.
   </para>
  </sect2>
 
@@ -343,10 +358,10 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
     the query performs an aggregation step, producing a partial result for
     each group of which that process is aware.  This is reflected in the plan
     as a <literal>Partial Aggregate</> node.  Second, the partial results are
-    transferred to the leader via the <literal>Gather</> node.  Finally, the
-    leader re-aggregates the results across all workers in order to produce
-    the final result.  This is reflected in the plan as a
-    <literal>Finalize Aggregate</> node.
+    transferred to the leader via <literal>Gather</> or <literal>Gather
+    Merge</>.  Finally, the leader re-aggregates the results across all
+    workers in order to produce the final result.  This is reflected in the
+    plan as a <literal>Finalize Aggregate</> node.
   </para>
   
   <para>
@@ -416,8 +431,8 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
     operation is one which cannot be performed in a parallel worker, but which
     can be performed in the leader while parallel query is in use.  Therefore,
     parallel restricted operations can never occur below a <literal>Gather</>
-    node, but can occur elsewhere in a plan which contains a
-    <literal>Gather</> node.  A parallel unsafe operation is one which cannot
+    or <literal>Gather Merge</> node, but can occur elsewhere in a plan which
+    contains such a node.  A parallel unsafe operation is one which cannot
     be performed while parallel query is in use, not even in the leader.
     When a query contains anything which is parallel unsafe, parallel query
     is completely disabled for that query.
@@ -449,7 +464,7 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
 
     <listitem>
       <para>
-        Access to an <literal>InitPlan</> or <literal>SubPlan</>.
+        Access to an <literal>InitPlan</> or correlated <literal>SubPlan</>.
       </para>
     </listitem>
   </itemizedlist>
@@ -514,8 +529,8 @@ EXPLAIN SELECT * FROM pgbench_accounts WHERE filler LIKE '%x%';
     parallel-restricted functions or aggregates involved in the query in
     order to obtain a superior plan.  So, for example, if a <literal>WHERE</>
     clause applied to a particular table is parallel restricted, the query
-    planner will not consider placing the scan of that table below a
-    <literal>Gather</> node.  In some cases, it would be
+    planner will not consider performing a scan of that table in the parallel
+    portion of a plan.  In some cases, it would be
     possible (and perhaps even efficient) to include the scan of that table in
     the parallel portion of the query and defer the evaluation of the
     <literal>WHERE</> clause so that it happens above the <literal>Gather</>
diff --git a/doc/src/sgml/pgstattuple.sgml b/doc/src/sgml/pgstattuple.sgml
index d2bc7916d9..d398eecd61 100644
--- a/doc/src/sgml/pgstattuple.sgml
+++ b/doc/src/sgml/pgstattuple.sgml
@@ -373,7 +373,7 @@ pending_tuples | 0
 <programlisting>
 test=&gt; select * from pgstathashindex('con_hash_index');
 -[ RECORD 1 ]--+-----------------
-version        | 2
+version        | 4
 bucket_pages   | 33081
 overflow_pages | 0
 bitmap_pages   | 1
diff --git a/doc/src/sgml/plpgsql.sgml b/doc/src/sgml/plpgsql.sgml
index 09019df698..5d0138b70a 100644
--- a/doc/src/sgml/plpgsql.sgml
+++ b/doc/src/sgml/plpgsql.sgml
@@ -185,8 +185,26 @@
   <title>Structure of <application>PL/pgSQL</application></title>
 
   <para>
+   Functions written in <application>PL/pgSQL</application> are defined
+   to the server by executing <xref linkend="sql-createfunction"> commands.
+   Such a command would normally look like, say,
+<programlisting>
+CREATE FUNCTION somefunc(integer, text) RETURNS integer
+AS '<replaceable>function body text</>'
+LANGUAGE plpgsql;
+</programlisting>
+   The function body is simply a string literal so far as <command>CREATE
+   FUNCTION</> is concerned.  It is often helpful to use dollar quoting
+   (see <xref linkend="sql-syntax-dollar-quoting">) to write the function
+   body, rather than the normal single quote syntax.  Without dollar quoting,
+   any single quotes or backslashes in the function body must be escaped by
+   doubling them.  Almost all the examples in this chapter use dollar-quoted
+   literals for their function bodies.
+  </para>
+
+  <para>
    <application>PL/pgSQL</application> is a block-structured language.
-   The complete text of a function definition must be a
+   The complete text of a function body must be a
    <firstterm>block</>. A block is defined as:
 
 <synopsis>
diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml
index 23558e7ec0..d83fc9e52b 100644
--- a/doc/src/sgml/postgres-fdw.sgml
+++ b/doc/src/sgml/postgres-fdw.sgml
@@ -498,8 +498,10 @@
    <filename>postgres_fdw</> attempts to optimize the query execution by
    sending the whole query to the remote server if there are no query
    <literal>WHERE</> clauses that cannot be sent to the remote server,
-   no local joins for the query, and no row-level local <literal>BEFORE</> or
-   <literal>AFTER</> triggers on the target table.  In <command>UPDATE</>,
+   no local joins for the query, no row-level local <literal>BEFORE</> or
+   <literal>AFTER</> triggers on the target table, and no
+   <literal>CHECK OPTION</> constraints from parent views.
+   In <command>UPDATE</>,
    expressions to assign to target columns must use only built-in data types,
    <literal>IMMUTABLE</> operators, or <literal>IMMUTABLE</> functions,
    to reduce the risk of misexecution of the query.
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index a7a3d3b2f9..de2919d75d 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -5991,6 +5991,16 @@ Commit
 </varlistentry>
 <varlistentry>
 <term>
+        Int8
+</term>
+<listitem>
+<para>
+                Flags; currently unused (must be 0).
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
         Int64
 </term>
 <listitem>
@@ -6170,6 +6180,26 @@ Relation
 </para>
 </listitem>
 </varlistentry>
+<varlistentry>
+<term>
+        Int32
+</term>
+<listitem>
+<para>
+                OID of the column's data type.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32
+</term>
+<listitem>
+<para>
+                Type modifier of the column (<structfield>atttypmod</structfield>).
+</para>
+</listitem>
+</varlistentry>
 
 </variablelist>
 </para>
@@ -6417,7 +6447,7 @@ Delete
 
 <para>
 
-Following message parts that are shared by above messages.
+The following message parts are shared by the above messages.
 
 </para>
 
diff --git a/doc/src/sgml/queries.sgml b/doc/src/sgml/queries.sgml
index 30792f45f1..0588da2912 100644
--- a/doc/src/sgml/queries.sgml
+++ b/doc/src/sgml/queries.sgml
@@ -391,8 +391,8 @@ FROM <replaceable>table_reference</replaceable> <optional>, <replaceable>table_r
         consisting of all column names that appear in both
         input tables.  As with <literal>USING</>, these columns appear
         only once in the output table.  If there are no common
-        column names, <literal>NATURAL</literal> behaves like
-        <literal>CROSS JOIN</literal>.
+        column names, <literal>NATURAL JOIN</literal> behaves like
+        <literal>JOIN ... ON TRUE</literal>, producing a cross-product join.
        </para>
 
        <note>
diff --git a/doc/src/sgml/ref/alter_user.sgml b/doc/src/sgml/ref/alter_user.sgml
index 9b8a39b376..411a6dcc38 100644
--- a/doc/src/sgml/ref/alter_user.sgml
+++ b/doc/src/sgml/ref/alter_user.sgml
@@ -38,10 +38,10 @@ ALTER USER <replaceable class="PARAMETER">role_specification</replaceable> [ WIT
 
 ALTER USER <replaceable class="PARAMETER">name</replaceable> RENAME TO <replaceable>new_name</replaceable>
 
-ALTER USER <replaceable class="PARAMETER">role_specification</replaceable> SET <replaceable>configuration_parameter</replaceable> { TO | = } { <replaceable>value</replaceable> | DEFAULT }
-ALTER USER <replaceable class="PARAMETER">role_specification</replaceable> SET <replaceable>configuration_parameter</replaceable> FROM CURRENT
-ALTER USER <replaceable class="PARAMETER">role_specification</replaceable> RESET <replaceable>configuration_parameter</replaceable>
-ALTER USER <replaceable class="PARAMETER">role_specification</replaceable> RESET ALL
+ALTER USER { <replaceable class="PARAMETER">role_specification</replaceable> | ALL } [ IN DATABASE <replaceable class="PARAMETER">database_name</replaceable> ] SET <replaceable>configuration_parameter</replaceable> { TO | = } { <replaceable>value</replaceable> | DEFAULT }
+ALTER USER { <replaceable class="PARAMETER">role_specification</replaceable> | ALL } [ IN DATABASE <replaceable class="PARAMETER">database_name</replaceable> ] SET <replaceable>configuration_parameter</replaceable> FROM CURRENT
+ALTER USER { <replaceable class="PARAMETER">role_specification</replaceable> | ALL } [ IN DATABASE <replaceable class="PARAMETER">database_name</replaceable> ] RESET <replaceable>configuration_parameter</replaceable>
+ALTER USER { <replaceable class="PARAMETER">role_specification</replaceable> | ALL } [ IN DATABASE <replaceable class="PARAMETER">database_name</replaceable> ] RESET ALL
 
 <phrase>where <replaceable class="PARAMETER">role_specification</replaceable> can be:</phrase>
 
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index 43f2303b48..36772b678a 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -167,8 +167,11 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
       <term><literal>NOREPLICATION</literal></term>
       <listitem>
        <para>
-        These clauses determine whether a role is allowed to initiate
-        streaming replication or put the system in and out of backup mode.
+        These clauses determine whether a role is a replication role.  A role
+        must have this attribute (or be a superuser) in order to be able to
+        connect to the server in replication mode (physical or logical
+        replication) and in order to be able to create or drop replication
+        slots.
         A role having the <literal>REPLICATION</> attribute is a very
         highly privileged role, and should only be used on roles actually
         used for replication. If not specified,
@@ -219,6 +222,17 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
         user.  A null password can optionally be written explicitly as
         <literal>PASSWORD NULL</literal>.
        </para>
+       <note>
+         <para>
+           Specifying an empty string will also set the password to null,
+           but that was not the case before <productname>PostgreSQL</>
+           version 10. In earlier versions, an empty string could be used,
+           or not, depending on the authentication method and the exact
+           version, and libpq would refuse to use it in any case.
+           To avoid the ambiguity, specifying an empty string should be
+           avoided.
+         </para>
+       </note>
        <para>
         The password is always stored encrypted in the system catalogs. The
         <literal>ENCRYPTED</> keyword has no effect, but is accepted for
diff --git a/doc/src/sgml/ref/create_table.sgml b/doc/src/sgml/ref/create_table.sgml
index c799984f3b..cacdad1f71 100755
--- a/doc/src/sgml/ref/create_table.sgml
+++ b/doc/src/sgml/ref/create_table.sgml
@@ -99,8 +99,8 @@ CREATE [ [ GLOBAL | LOCAL ] { TEMPORARY | TEMP } | UNLOGGED ] TABLE [ IF NOT EXI
 <phrase>and <replaceable class="PARAMETER">partition_bound_spec</replaceable> is:</phrase>
 
 IN ( { <replaceable class="PARAMETER">numeric_literal</replaceable> | <replaceable class="PARAMETER">string_literal</replaceable> | NULL } [, ...] ) |
-FROM ( { <replaceable class="PARAMETER">numeric_literal</replaceable> | <replaceable class="PARAMETER">string_literal</replaceable> | UNBOUNDED } [, ...] )
-  TO ( { <replaceable class="PARAMETER">numeric_literal</replaceable> | <replaceable class="PARAMETER">string_literal</replaceable> | UNBOUNDED } [, ...] )
+FROM ( { <replaceable class="PARAMETER">numeric_literal</replaceable> | <replaceable class="PARAMETER">string_literal</replaceable> | MINVALUE | MAXVALUE } [, ...] )
+  TO ( { <replaceable class="PARAMETER">numeric_literal</replaceable> | <replaceable class="PARAMETER">string_literal</replaceable> | MINVALUE | MAXVALUE } [, ...] )
 
 <phrase><replaceable class="PARAMETER">index_parameters</replaceable> in <literal>UNIQUE</literal>, <literal>PRIMARY KEY</literal>, and <literal>EXCLUDE</literal> constraints are:</phrase>
 
@@ -281,10 +281,10 @@ FROM ( { <replaceable class="PARAMETER">numeric_literal</replaceable> | <replace
      <para>
       Each of the values specified in
       the <replaceable class="PARAMETER">partition_bound_spec</> is
-      a literal, <literal>NULL</literal>, or <literal>UNBOUNDED</literal>.
-      Each literal value must be either a numeric constant that is coercible
-      to the corresponding partition key column's type, or a string literal
-      that is valid input for that type.
+      a literal, <literal>NULL</literal>, <literal>MINVALUE</literal>, or
+      <literal>MAXVALUE</literal>.  Each literal value must be either a
+      numeric constant that is coercible to the corresponding partition key
+      column's type, or a string literal that is valid input for that type.
      </para>
 
      <para>
@@ -312,13 +312,46 @@ FROM ( { <replaceable class="PARAMETER">numeric_literal</replaceable> | <replace
      </para>
 
      <para>
-      Writing <literal>UNBOUNDED</literal> in <literal>FROM</literal>
-      signifies <literal>-infinity</literal> as the lower bound of the
-      corresponding column, whereas when written in <literal>TO</literal>,
-      it signifies <literal>+infinity</literal> as the upper bound.
-      All items following an <literal>UNBOUNDED</literal> item within
-      a <literal>FROM</literal> or <literal>TO</literal> list must also
-      be <literal>UNBOUNDED</literal>.
+      The special values <literal>MINVALUE</> and <literal>MAXVALUE</>
+      may be used when creating a range partition to indicate that there
+      is no lower or upper bound on the column's value. For example, a
+      partition defined using <literal>FROM (MINVALUE) TO (10)</> allows
+      any values less than 10, and a partition defined using
+      <literal>FROM (10) TO (MAXVALUE)</> allows any values greater than
+      or equal to 10.
+     </para>
+
+     <para>
+      When creating a range partition involving more than one column, it
+      can also make sense to use <literal>MAXVALUE</> as part of the lower
+      bound, and <literal>MINVALUE</> as part of the upper bound. For
+      example, a partition defined using
+      <literal>FROM (0, MAXVALUE) TO (10, MAXVALUE)</> allows any rows
+      where the first partition key column is greater than 0 and less than
+      or equal to 10. Similarly, a partition defined using
+      <literal>FROM ('a', MINVALUE) TO ('b', MINVALUE)</> allows any rows
+      where the first partition key column starts with "a".
+     </para>
+
+     <para>
+      Note that any values after <literal>MINVALUE</> or
+      <literal>MAXVALUE</> in a partition bound are ignored; so the bound
+      <literal>(10, MINVALUE, 0)</> is equivalent to
+      <literal>(10, MINVALUE, 10)</> and <literal>(10, MINVALUE, MINVALUE)</>
+      and <literal>(10, MINVALUE, MAXVALUE)</>.
+     </para>
+
+     <para>
+      Also note that some element types, such as <literal>timestamp</>,
+      have a notion of "infinity", which is just another value that can
+      be stored. This is different from <literal>MINVALUE</> and
+      <literal>MAXVALUE</>, which are not real values that can be stored,
+      but rather they are ways of saying that the value is unbounded.
+      <literal>MAXVALUE</> can be thought of as being greater than any
+      other value, including "infinity" and <literal>MINVALUE</> as being
+      less than any other value, including "minus infinity". Thus the range
+      <literal>FROM ('infinity') TO (MAXVALUE)</> is not an empty range; it
+      allows precisely one value to be stored &mdash; "infinity".
      </para>
 
      <para>
@@ -1758,7 +1791,7 @@ CREATE TABLE measurement_y2016m07
 <programlisting>
 CREATE TABLE measurement_ym_older
     PARTITION OF measurement_year_month
-    FOR VALUES FROM (unbounded, unbounded) TO (2016, 11);
+    FOR VALUES FROM (MINVALUE, 0) TO (2016, 11);
 
 CREATE TABLE measurement_ym_y2016m11
     PARTITION OF measurement_year_month
diff --git a/doc/src/sgml/ref/pg_restore.sgml b/doc/src/sgml/ref/pg_restore.sgml
index f623cc04d2..5180103526 100644
--- a/doc/src/sgml/ref/pg_restore.sgml
+++ b/doc/src/sgml/ref/pg_restore.sgml
@@ -273,7 +273,7 @@
       <term><option>--list</option></term>
       <listitem>
        <para>
-        List the contents of the archive. The output of this operation
+        List the table of contents of the archive. The output of this operation
         can be used as input to the <option>-L</option> option.  Note that
         if filtering switches such as <option>-n</> or <option>-t</> are
         used with <option>-l</>, they will restrict the items listed.
diff --git a/doc/src/sgml/ref/pgbench.sgml b/doc/src/sgml/ref/pgbench.sgml
index 20912879b8..ccf649dcda 100644
--- a/doc/src/sgml/ref/pgbench.sgml
+++ b/doc/src/sgml/ref/pgbench.sgml
@@ -1070,7 +1070,7 @@ f(x) = exp(-parameter * (x - min) / (max - min + 1)) / (1 - exp(-parameter))
 </literallayout>
       Then value <replaceable>i</> between <replaceable>min</> and
       <replaceable>max</> inclusive is drawn with probability:
-      <literal>f(x) - f(x + 1)</>.
+      <literal>f(i) - f(i + 1)</>.
      </para>
 
      <para>
diff --git a/doc/src/sgml/ref/pgupgrade.sgml b/doc/src/sgml/ref/pgupgrade.sgml
index bbd103f97e..d5c000d23b 100644
--- a/doc/src/sgml/ref/pgupgrade.sgml
+++ b/doc/src/sgml/ref/pgupgrade.sgml
@@ -489,7 +489,7 @@ pg_upgrade.exe
 
       <para>
        From a directory that is above the old and new database cluster
-       directories, run this for each slave:
+       directories, run this for each standby:
 
 <programlisting>
 rsync --archive --delete --hard-links --size-only old_pgdata new_pgdata remote_dir
@@ -523,7 +523,7 @@ rsync --archive --delete --hard-links --size-only old_pgdata new_pgdata remote_d
       <para>
        Configure the servers for log shipping.  (You do not need to run
        <function>pg_start_backup()</> and <function>pg_stop_backup()</>
-       or take a file system backup as the slaves are still synchronized
+       or take a file system backup as the standbys are still synchronized
        with the master.)
       </para>
      </step>
diff --git a/doc/src/sgml/ref/select.sgml b/doc/src/sgml/ref/select.sgml
index 211e4c320c..57f11e66fb 100644
--- a/doc/src/sgml/ref/select.sgml
+++ b/doc/src/sgml/ref/select.sgml
@@ -603,9 +603,12 @@ TABLE [ ONLY ] <replaceable class="parameter">table_name</replaceable> [ * ]
      <varlistentry>
       <term><literal>NATURAL</literal></term>
       <listitem>
-       <para><literal>NATURAL</literal> is shorthand for a
+       <para>
+        <literal>NATURAL</literal> is shorthand for a
         <literal>USING</> list that mentions all columns in the two
-        tables that have the same names.
+        tables that have matching names.  If there are no common
+        column names, <literal>NATURAL</literal> is equivalent
+        to <literal>ON TRUE</>.
        </para>
       </listitem>
      </varlistentry>
diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml
index debaa80099..269f1aac86 100644
--- a/doc/src/sgml/release-10.sgml
+++ b/doc/src/sgml/release-10.sgml
@@ -6,7 +6,7 @@
 
   <formalpara>
    <title>Release date:</title>
-   <para>2017-??-?? (current as of 2017-07-09, commit 3381898f9)</para>
+   <para>2017-??-?? (current as of 2017-08-05, commit eccead9ed)</para>
   </formalpara>
 
   <sect2>
@@ -151,6 +151,43 @@
 
     <listitem>
 <!--
+2016-12-20 [1753b1b02] Add pg_sequence system catalog
+2016-11-18 [67dc4ccbb] Add pg_sequences view
+2017-05-15 [f8dc1985f] Fix ALTER SEQUENCE locking
+2017-06-01 [3d79013b9] Make ALTER SEQUENCE, including RESTART, fully transactio
+-->
+     <para>
+      Move sequences' metadata fields into a new <link
+      linkend="catalog-pg-sequence"><structname>pg_sequence</></>
+      system catalog (Peter Eisentraut)
+     </para>
+
+     <para>
+      A sequence relation now stores only the fields that can be modified
+      by <function>nextval()</>, that
+      is <structfield>last_value</>, <structfield>log_cnt</>,
+      and <structfield>is_called</>.  Other sequence properties, such as
+      the starting value and increment, are kept in a corresponding row of
+      the <structname>pg_sequence</> catalog.
+      <command>ALTER SEQUENCE</> updates are now fully transactional,
+      implying that the sequence is locked until commit.
+      The <function>nextval()</> and <function>setval()</> functions
+      remain nontransactional.
+     </para>
+
+     <para>
+      The main incompatibility introduced by this change is that selecting
+      from a sequence relation now returns only the three fields named
+      above.  To obtain the sequence's other properties, applications must
+      look into <structname>pg_sequence</>.  The new system
+      view <link linkend="view-pg-sequences"><structname>pg_sequences</></>
+      can also be used for this purpose; it provides column names that are
+      more compatible with existing code.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
 2017-01-04 [9a4d51077] Make wal streaming the default mode for pg_basebackup
 -->
      <para>
@@ -269,7 +306,7 @@
 2017-03-27 [3371e4d9b] Change default of log_directory to 'log'
 -->
      <para>
-      Change the default value of the <xref linkend="guc-log-destination">
+      Change the default value of the <xref linkend="guc-log-directory">
       server parameter from <filename>pg_log</> to <filename>log</>
       (Andreas Karlsson)
      </para>
@@ -371,6 +408,55 @@
 
     <listitem>
 <!--
+2017-07-31 [c0a15e07c] Always use 2048 bit DH parameters for OpenSSL ephemeral
+-->
+     <para>
+      Add configuration option <xref linkend="guc-ssl-dh-params-file"> to
+      specify file name for custom OpenSSL DH parameters (Heikki Linnakangas)
+     </para>
+
+     <para>
+      This replaces the hardcoded, undocumented file
+      name <filename>dh1024.pem</>.  Note that <filename>dh1024.pem</> is
+      no longer examined by default; you must set this option to use custom
+      DH parameters.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+2017-07-31 [c0a15e07c] Always use 2048 bit DH parameters for OpenSSL ephemeral
+-->
+     <para>
+      Increase the size of the default DH parameters used for OpenSSL
+      ephemeral DH ciphers to 2048 bits (Heikki Linnakangas)
+     </para>
+
+     <para>
+      The size of the compiled-in DH parameters has been increased from
+      1024 to 2048 bits, making DH key exchange more resistant to
+      brute-force attacks.  However, some old SSL implementations, notably
+      some revisions of Java Runtime Environment version 6, will not accept
+      DH parameters longer than 1024 bits, and hence will not be able to
+      connect over SSL.  If it's necessary to support such old clients, you
+      can use custom 1024-bit DH parameters instead of the compiled-in
+      defaults.  See <xref linkend="guc-ssl-dh-params-file">.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+2017-08-04 [c30f1770a] Apply ALTER ... SET NOT NULL recursively in ALTER ... AD
+-->
+     <para>
+      When <command>ALTER TABLE ... ADD PRIMARY KEY</> marks
+      columns <literal>NOT NULL</>, that change now propagates to
+      inheritance child tables as well (Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
 2017-02-13 [7ada2d31f] Remove contrib/tsearch2.
 -->
      <para>
@@ -380,7 +466,7 @@
      <para>
       This module provided compatibility with the version of full text
       search that shipped in pre-8.3 <productname>PostgreSQL</> releases.
-    </para>
+     </para>
     </listitem>
 
     <listitem>
@@ -813,10 +899,11 @@
       <listitem>
 <!--
 2017-03-25 [b8d7f053c] Faster expression evaluation and targetlist projection.
+2017-07-30 [cc9f08b6b] Move ExecProcNode from dispatch to function pointer base
 -->
        <para>
-        Reduce expression evaluation overhead during query execution (Andres
-        Freund)
+        Reduce expression evaluation overhead during query execution,
+        as well as plan node calling overhead (Andres Freund)
        </para>
 
        <para>
@@ -875,35 +962,6 @@
 
       <listitem>
 <!--
-2016-12-20 [1753b1b02] Add pg_sequence system catalog
-2016-11-18 [67dc4ccbb] Add pg_sequences view
-2017-05-15 [f8dc1985f] Fix ALTER SEQUENCE locking
-2017-06-01 [3d79013b9] Make ALTER SEQUENCE, including RESTART, fully transactio
--->
-       <para>
-        Create a <link
-        linkend="catalog-pg-sequence"><structname>pg_sequence</></>
-        system catalog to store sequence metadata (Peter Eisentraut)
-       </para>
-
-       <para>
-        Sequence metadata includes the start, increment, etc, properties.
-        <command>ALTER SEQUENCE</> updates are now fully transactional,
-        implying that the sequence is locked until commit.  Sequences'
-        current values are still stored in individual table files, and
-        the <function>nextval()</> and <function>setval()</> functions
-        remain nontransactional.
-       </para>
-
-       <para>
-        Also
-        add <link linkend="view-pg-sequences"><structname>pg_sequences</></>
-        view to show all sequences.
-       </para>
-      </listitem>
-
-      <listitem>
-<!--
 2017-03-08 [f9b1a0dd4] Expose explain's SUMMARY option
 -->
        <para>
@@ -974,7 +1032,7 @@
 -->
         <para>
          Add functions to return the log and <acronym>WAL</> directory
-         names (Dave Page)
+         contents (Dave Page)
         </para>
 
         <para>
@@ -2064,12 +2122,12 @@
 <!--
 2016-11-03 [274bb2b38] libpq: Allow connection strings and URIs to specify mult
 2017-05-19 [5f374fe7a] libpq: Try next host if one of them times out.
+2017-07-10 [7b02ba62e] Allow multiple hostaddrs to go with multiple hostnames.
 -->
       <para>
-       Allow specification of <link
-       linkend="libpq-connect-host">multiple host names</> in libpq
-       connection strings and URIs
-       (Robert Haas)
+       Allow specification of <link linkend="libpq-connect-host">multiple
+       host names or addresses</> in libpq connection strings and URIs
+       (Robert Haas, Heikki Linnakangas)
       </para>
 
       <para>
diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml
index 1f1cc12b61..14fafc0e96 100644
--- a/doc/src/sgml/release-9.2.sgml
+++ b/doc/src/sgml/release-9.2.sgml
@@ -1,16 +1,16 @@
 <!-- doc/src/sgml/release-9.2.sgml -->
 <!-- See header comment in release.sgml about typical markup -->
 
- <sect1 id="release-9-2-21">
-  <title>Release 9.2.21</title>
+ <sect1 id="release-9-2-22">
+  <title>Release 9.2.22</title>
 
   <formalpara>
   <title>Release date:</title>
-  <para>2017-05-11</para>
+  <para>2017-08-10</para>
   </formalpara>
 
   <para>
-   This release contains a variety of fixes from 9.2.20.
+   This release contains a variety of fixes from 9.2.21.
    For information about new features in the 9.2 major release, see
    <xref linkend="release-9-2">.
   </para>
@@ -22,7 +22,7 @@
   </para>
 
   <sect2>
-   <title>Migration to Version 9.2.21</title>
+   <title>Migration to Version 9.2.22</title>
 
    <para>
     A dump/restore is not required for those running 9.2.X.
@@ -47,23 +47,22 @@
 
     <listitem>
      <para>
-      Restrict visibility
+      Further restrict visibility
       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
       protect passwords stored as user mapping options
-      (Michael Paquier, Feike Steenbergen)
+      (Noah Misch)
      </para>
 
      <para>
-      The previous coding allowed the owner of a foreign server object,
-      or anyone he has granted server <literal>USAGE</> permission to,
-      to see the options for all user mappings associated with that server.
-      This might well include passwords for other users.
-      Adjust the view definition to match the behavior of
-      <structname>information_schema.user_mapping_options</>, namely that
-      these options are visible to the user being mapped, or if the mapping
-      is for <literal>PUBLIC</literal> and the current user is the server
-      owner, or if the current user is a superuser.
-      (CVE-2017-7486)
+      The fix for CVE-2017-7486 was incorrect: it allowed a user
+      to see the options in her own user mapping, even if she did not
+      have <literal>USAGE</> permission on the associated foreign server.
+      Such options might include a password that had been provided by the
+      server owner rather than the user herself.
+      Since <structname>information_schema.user_mapping_options</> does not
+      show the options in such cases, <structname>pg_user_mappings</>
+      should not either.
+      (CVE-2017-7547)
      </para>
 
      <para>
@@ -99,7 +98,9 @@ CREATE OR REPLACE VIEW pg_user_mappings AS
         ELSE
             A.rolname
         END AS usename,
-        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user)
+        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user
+                     AND (pg_has_role(S.srvowner, 'USAGE')
+                          OR has_server_privilege(S.oid, 'USAGE')))
                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                     THEN U.umoptions
@@ -144,6 +145,403 @@ UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
 
     <listitem>
      <para>
+      Disallow empty passwords in all password-based authentication methods
+      (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <application>libpq</> ignores empty password specifications, and does
+      not transmit them to the server.  So, if a user's password has been
+      set to the empty string, it's impossible to log in with that password
+      via <application>psql</> or other <application>libpq</>-based
+      clients.  An administrator might therefore believe that setting the
+      password to empty is equivalent to disabling password login.
+      However, with a modified or non-<application>libpq</>-based client,
+      logging in could be possible, depending on which authentication
+      method is configured.  In particular the most common
+      method, <literal>md5</>, accepted empty passwords.
+      Change the server to reject empty passwords in all cases.
+      (CVE-2017-7546)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      On Windows, retry process creation if we fail to reserve the address
+      range for our shared memory in the new process (Tom Lane, Amit
+      Kapila)
+     </para>
+
+     <para>
+      This is expected to fix infrequent child-process-launch failures that
+      are probably due to interference from antivirus products.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix low-probability corruption of shared predicate-lock hash table
+      in Windows builds (Thomas Munro, Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Avoid logging clean closure of an SSL connection as though
+      it were a connection reset (Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent sending SSL session tickets to clients (Tom Lane)
+     </para>
+
+     <para>
+      This fix prevents reconnection failures with ticket-aware client-side
+      SSL code.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix code for setting <xref linkend="guc-tcp-keepalives-idle"> on
+      Solaris (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix statistics collector to honor inquiry messages issued just after
+      a postmaster shutdown and immediate restart (Tom Lane)
+     </para>
+
+     <para>
+      Statistics inquiries issued within half a second of the previous
+      postmaster shutdown were effectively ignored.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that the statistics collector's receive buffer size is at
+      least 100KB (Tom Lane)
+     </para>
+
+     <para>
+      This reduces the risk of dropped statistics data on older platforms
+      whose default receive buffer size is less than that.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix possible creation of an invalid WAL segment when a standby is
+      promoted just after it processes an <literal>XLOG_SWITCH</> WAL
+      record (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <systemitem>SIGHUP</> and <systemitem>SIGUSR1</> handling in
+      walsender processes (Petr Jelinek, Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessarily slow restarts of <application>walreceiver</>
+      processes due to race condition in postmaster (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix cases where an <command>INSERT</> or <command>UPDATE</> assigns
+      to more than one element of a column that is of domain-over-array
+      type (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Move autogenerated array types out of the way during
+      <command>ALTER ... RENAME</> (Vik Fearing)
+     </para>
+
+     <para>
+      Previously, we would rename a conflicting autogenerated array type
+      out of the way during <command>CREATE</>; this fix extends that
+      behavior to renaming operations.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that <command>ALTER USER ... SET</> accepts all the syntax
+      variants that <command>ALTER ROLE ... SET</> does (Peter Eisentraut)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Properly update dependency info when changing a datatype I/O
+      function's argument or return type from <type>opaque</> to the
+      correct type (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <command>CREATE TYPE</> updates I/O functions declared in this
+      long-obsolete style, but it forgot to record a dependency on the
+      type, allowing a subsequent <command>DROP TYPE</> to leave broken
+      function definitions behind.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce memory usage when <command>ANALYZE</> processes
+      a <type>tsvector</> column (Heikki Linnakangas)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessary precision loss and sloppy rounding when multiplying
+      or dividing <type>money</> values by integers or floats (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Tighten checks for whitespace in functions that parse identifiers,
+      such as <function>regprocedurein()</> (Tom Lane)
+     </para>
+
+     <para>
+      Depending on the prevailing locale, these functions could
+      misinterpret fragments of multibyte characters as whitespace.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Use relevant <literal>#define</> symbols from Perl while
+      compiling <application>PL/Perl</> (Ashutosh Sharma, Tom Lane)
+     </para>
+
+     <para>
+      This avoids portability problems, typically manifesting as
+      a <quote>handshake</> mismatch during library load, when working with
+      recent Perl versions.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <application>psql</>, fix failure when <command>COPY FROM STDIN</>
+      is ended with a keyboard EOF signal and then another <command>COPY
+      FROM STDIN</> is attempted (Thomas Munro)
+     </para>
+
+     <para>
+      This misbehavior was observed on BSD-derived platforms (including
+      macOS), but not on most others.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> to not emit invalid SQL for an empty
+      operator class (Daniel Gustafsson)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> output to stdout on Windows (Kuntal Ghosh)
+     </para>
+
+     <para>
+      A compressed plain-text dump written to stdout would contain corrupt
+      data due to failure to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <function>pg_get_ruledef()</> to print correct output for
+      the <literal>ON SELECT</> rule of a view whose columns have been
+      renamed (Tom Lane)
+     </para>
+
+     <para>
+      In some corner cases, <application>pg_dump</> relies
+      on <function>pg_get_ruledef()</> to dump views, so that this error
+      could result in dump/reload failures.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dumping of function expressions in the <literal>FROM</> clause in
+      cases where the expression does not deparse into something that looks
+      like a function call (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_basebackup</> output to stdout on Windows
+      (Haribabu Kommi)
+     </para>
+
+     <para>
+      A backup written to stdout would contain corrupt data due to failure
+      to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_upgrade</> to ensure that the ending WAL record
+      does not have <xref linkend="guc-wal-level"> = <literal>minimum</>
+      (Bruce Momjian)
+     </para>
+
+     <para>
+      This condition could prevent upgraded standby servers from
+      reconnecting.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Always use <option>-fPIC</>, not <option>-fpic</>, when building
+      shared libraries with gcc (Tom Lane)
+     </para>
+
+     <para>
+      This supports larger extension libraries on platforms where it makes
+      a difference.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unescaped-braces issue in our build scripts for Microsoft MSVC,
+      to avoid a warning or error from recent Perl versions (Andrew
+      Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, handle the case where the <application>openssl</>
+      library is not within a <filename>VC</> subdirectory (Andrew Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, add proper include path for <application>libxml2</>
+      header files (Andrew Dunstan)
+     </para>
+
+     <para>
+      This fixes a former need to move things around in standard Windows
+      installations of <application>libxml2</>.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, recognize a Tcl library that is
+      named <filename>tcl86.lib</> (Noah Misch)
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-9-2-21">
+  <title>Release 9.2.21</title>
+
+  <formalpara>
+  <title>Release date:</title>
+  <para>2017-05-11</para>
+  </formalpara>
+
+  <para>
+   This release contains a variety of fixes from 9.2.20.
+   For information about new features in the 9.2 major release, see
+   <xref linkend="release-9-2">.
+  </para>
+
+  <para>
+   The <productname>PostgreSQL</> community will stop releasing updates
+   for the 9.2.X release series in September 2017.
+   Users are encouraged to update to a newer release branch soon.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 9.2.21</title>
+
+   <para>
+    A dump/restore is not required for those running 9.2.X.
+   </para>
+
+   <para>
+    However, if you use foreign data servers that make use of user
+    passwords for authentication, see the first changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are upgrading from a version earlier than 9.2.20,
+    see <xref linkend="release-9-2-20">.
+   </para>
+
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Restrict visibility
+      of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
+      protect passwords stored as user mapping options
+      (Michael Paquier, Feike Steenbergen)
+     </para>
+
+     <para>
+      The previous coding allowed the owner of a foreign server object,
+      or anyone he has granted server <literal>USAGE</> permission to,
+      to see the options for all user mappings associated with that server.
+      This might well include passwords for other users.
+      Adjust the view definition to match the behavior of
+      <structname>information_schema.user_mapping_options</>, namely that
+      these options are visible to the user being mapped, or if the mapping
+      is for <literal>PUBLIC</literal> and the current user is the server
+      owner, or if the current user is a superuser.
+      (CVE-2017-7486)
+     </para>
+
+     <para>
+      By itself, this patch will only fix the behavior in newly initdb'd
+      databases.  If you wish to apply this change in an existing database,
+      follow the corrected procedure shown in the changelog entry for
+      CVE-2017-7547, in <xref linkend="release-9-2-22">.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
       Prevent exposure of statistical information via leaky operators
       (Peter Eisentraut)
      </para>
diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
index 86c1ae6d3f..e95efefd66 100644
--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@@ -1,22 +1,22 @@
 <!-- doc/src/sgml/release-9.3.sgml -->
 <!-- See header comment in release.sgml about typical markup -->
 
- <sect1 id="release-9-3-17">
-  <title>Release 9.3.17</title>
+ <sect1 id="release-9-3-18">
+  <title>Release 9.3.18</title>
 
   <formalpara>
   <title>Release date:</title>
-  <para>2017-05-11</para>
+  <para>2017-08-10</para>
   </formalpara>
 
   <para>
-   This release contains a variety of fixes from 9.3.16.
+   This release contains a variety of fixes from 9.3.17.
    For information about new features in the 9.3 major release, see
    <xref linkend="release-9-3">.
   </para>
 
   <sect2>
-   <title>Migration to Version 9.3.17</title>
+   <title>Migration to Version 9.3.18</title>
 
    <para>
     A dump/restore is not required for those running 9.3.X.
@@ -41,23 +41,22 @@
 
     <listitem>
      <para>
-      Restrict visibility
+      Further restrict visibility
       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
       protect passwords stored as user mapping options
-      (Michael Paquier, Feike Steenbergen)
+      (Noah Misch)
      </para>
 
      <para>
-      The previous coding allowed the owner of a foreign server object,
-      or anyone he has granted server <literal>USAGE</> permission to,
-      to see the options for all user mappings associated with that server.
-      This might well include passwords for other users.
-      Adjust the view definition to match the behavior of
-      <structname>information_schema.user_mapping_options</>, namely that
-      these options are visible to the user being mapped, or if the mapping
-      is for <literal>PUBLIC</literal> and the current user is the server
-      owner, or if the current user is a superuser.
-      (CVE-2017-7486)
+      The fix for CVE-2017-7486 was incorrect: it allowed a user
+      to see the options in her own user mapping, even if she did not
+      have <literal>USAGE</> permission on the associated foreign server.
+      Such options might include a password that had been provided by the
+      server owner rather than the user herself.
+      Since <structname>information_schema.user_mapping_options</> does not
+      show the options in such cases, <structname>pg_user_mappings</>
+      should not either.
+      (CVE-2017-7547)
      </para>
 
      <para>
@@ -93,7 +92,9 @@ CREATE OR REPLACE VIEW pg_user_mappings AS
         ELSE
             A.rolname
         END AS usename,
-        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user)
+        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user
+                     AND (pg_has_role(S.srvowner, 'USAGE')
+                          OR has_server_privilege(S.oid, 'USAGE')))
                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                     THEN U.umoptions
@@ -138,6 +139,496 @@ UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
 
     <listitem>
      <para>
+      Disallow empty passwords in all password-based authentication methods
+      (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <application>libpq</> ignores empty password specifications, and does
+      not transmit them to the server.  So, if a user's password has been
+      set to the empty string, it's impossible to log in with that password
+      via <application>psql</> or other <application>libpq</>-based
+      clients.  An administrator might therefore believe that setting the
+      password to empty is equivalent to disabling password login.
+      However, with a modified or non-<application>libpq</>-based client,
+      logging in could be possible, depending on which authentication
+      method is configured.  In particular the most common
+      method, <literal>md5</>, accepted empty passwords.
+      Change the server to reject empty passwords in all cases.
+      (CVE-2017-7546)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix concurrent locking of tuple update chains (&Aacute;lvaro Herrera)
+     </para>
+
+     <para>
+      If several sessions concurrently lock a tuple update chain with
+      nonconflicting lock modes using an old snapshot, and they all
+      succeed, it was possible for some of them to nonetheless fail (and
+      conclude there is no live tuple version) due to a race condition.
+      This had consequences such as foreign-key checks failing to see a
+      tuple that definitely exists but is being updated concurrently.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix potential data corruption when freezing a tuple whose XMAX is a
+      multixact with exactly one still-interesting member (Teodor Sigaev)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      On Windows, retry process creation if we fail to reserve the address
+      range for our shared memory in the new process (Tom Lane, Amit
+      Kapila)
+     </para>
+
+     <para>
+      This is expected to fix infrequent child-process-launch failures that
+      are probably due to interference from antivirus products.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix low-probability corruption of shared predicate-lock hash table
+      in Windows builds (Thomas Munro, Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Avoid logging clean closure of an SSL connection as though
+      it were a connection reset (Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent sending SSL session tickets to clients (Tom Lane)
+     </para>
+
+     <para>
+      This fix prevents reconnection failures with ticket-aware client-side
+      SSL code.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix code for setting <xref linkend="guc-tcp-keepalives-idle"> on
+      Solaris (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix statistics collector to honor inquiry messages issued just after
+      a postmaster shutdown and immediate restart (Tom Lane)
+     </para>
+
+     <para>
+      Statistics inquiries issued within half a second of the previous
+      postmaster shutdown were effectively ignored.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that the statistics collector's receive buffer size is at
+      least 100KB (Tom Lane)
+     </para>
+
+     <para>
+      This reduces the risk of dropped statistics data on older platforms
+      whose default receive buffer size is less than that.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix possible creation of an invalid WAL segment when a standby is
+      promoted just after it processes an <literal>XLOG_SWITCH</> WAL
+      record (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <systemitem>SIGHUP</> and <systemitem>SIGUSR1</> handling in
+      walsender processes (Petr Jelinek, Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessarily slow restarts of <application>walreceiver</>
+      processes due to race condition in postmaster (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix cases where an <command>INSERT</> or <command>UPDATE</> assigns
+      to more than one element of a column that is of domain-over-array
+      type (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Allow window functions to be used in sub-<literal>SELECT</>s that
+      are within the arguments of an aggregate function (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Move autogenerated array types out of the way during
+      <command>ALTER ... RENAME</> (Vik Fearing)
+     </para>
+
+     <para>
+      Previously, we would rename a conflicting autogenerated array type
+      out of the way during <command>CREATE</>; this fix extends that
+      behavior to renaming operations.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that <command>ALTER USER ... SET</> accepts all the syntax
+      variants that <command>ALTER ROLE ... SET</> does (Peter Eisentraut)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Properly update dependency info when changing a datatype I/O
+      function's argument or return type from <type>opaque</> to the
+      correct type (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <command>CREATE TYPE</> updates I/O functions declared in this
+      long-obsolete style, but it forgot to record a dependency on the
+      type, allowing a subsequent <command>DROP TYPE</> to leave broken
+      function definitions behind.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce memory usage when <command>ANALYZE</> processes
+      a <type>tsvector</> column (Heikki Linnakangas)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessary precision loss and sloppy rounding when multiplying
+      or dividing <type>money</> values by integers or floats (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Tighten checks for whitespace in functions that parse identifiers,
+      such as <function>regprocedurein()</> (Tom Lane)
+     </para>
+
+     <para>
+      Depending on the prevailing locale, these functions could
+      misinterpret fragments of multibyte characters as whitespace.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Use relevant <literal>#define</> symbols from Perl while
+      compiling <application>PL/Perl</> (Ashutosh Sharma, Tom Lane)
+     </para>
+
+     <para>
+      This avoids portability problems, typically manifesting as
+      a <quote>handshake</> mismatch during library load, when working with
+      recent Perl versions.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <application>libpq</>, reset GSS/SASL and SSPI authentication
+      state properly after a failed connection attempt (Michael Paquier)
+     </para>
+
+     <para>
+      Failure to do this meant that when falling back from SSL to non-SSL
+      connections, a GSS/SASL failure in the SSL attempt would always cause
+      the non-SSL attempt to fail.  SSPI did not fail, but it leaked memory.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <application>psql</>, fix failure when <command>COPY FROM STDIN</>
+      is ended with a keyboard EOF signal and then another <command>COPY
+      FROM STDIN</> is attempted (Thomas Munro)
+     </para>
+
+     <para>
+      This misbehavior was observed on BSD-derived platforms (including
+      macOS), but not on most others.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> and <application>pg_restore</> to
+      emit <command>REFRESH MATERIALIZED VIEW</> commands last (Tom Lane)
+     </para>
+
+     <para>
+      This prevents errors during dump/restore when a materialized view
+      refers to tables owned by a different user.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> with the <option>--clean</> option to
+      drop event triggers as expected (Tom Lane)
+     </para>
+
+     <para>
+      It also now correctly assigns ownership of event triggers; before,
+      they were restored as being owned by the superuser running the
+      restore script.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> to not emit invalid SQL for an empty
+      operator class (Daniel Gustafsson)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> output to stdout on Windows (Kuntal Ghosh)
+     </para>
+
+     <para>
+      A compressed plain-text dump written to stdout would contain corrupt
+      data due to failure to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <function>pg_get_ruledef()</> to print correct output for
+      the <literal>ON SELECT</> rule of a view whose columns have been
+      renamed (Tom Lane)
+     </para>
+
+     <para>
+      In some corner cases, <application>pg_dump</> relies
+      on <function>pg_get_ruledef()</> to dump views, so that this error
+      could result in dump/reload failures.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dumping of outer joins with empty constraints, such as the result
+      of a <literal>NATURAL LEFT JOIN</> with no common columns (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dumping of function expressions in the <literal>FROM</> clause in
+      cases where the expression does not deparse into something that looks
+      like a function call (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_basebackup</> output to stdout on Windows
+      (Haribabu Kommi)
+     </para>
+
+     <para>
+      A backup written to stdout would contain corrupt data due to failure
+      to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_upgrade</> to ensure that the ending WAL record
+      does not have <xref linkend="guc-wal-level"> = <literal>minimum</>
+      (Bruce Momjian)
+     </para>
+
+     <para>
+      This condition could prevent upgraded standby servers from
+      reconnecting.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <filename>postgres_fdw</>, re-establish connections to remote
+      servers after <command>ALTER SERVER</> or <command>ALTER USER
+      MAPPING</> commands (Kyotaro Horiguchi)
+     </para>
+
+     <para>
+      This ensures that option changes affecting connection parameters will
+      be applied promptly.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <filename>postgres_fdw</>, allow cancellation of remote
+      transaction control commands (Robert Haas, Rafia Sabih)
+     </para>
+
+     <para>
+      This change allows us to quickly escape a wait for an unresponsive
+      remote server in many more cases than previously.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Always use <option>-fPIC</>, not <option>-fpic</>, when building
+      shared libraries with gcc (Tom Lane)
+     </para>
+
+     <para>
+      This supports larger extension libraries on platforms where it makes
+      a difference.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unescaped-braces issue in our build scripts for Microsoft MSVC,
+      to avoid a warning or error from recent Perl versions (Andrew
+      Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, handle the case where the <application>openssl</>
+      library is not within a <filename>VC</> subdirectory (Andrew Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, add proper include path for <application>libxml2</>
+      header files (Andrew Dunstan)
+     </para>
+
+     <para>
+      This fixes a former need to move things around in standard Windows
+      installations of <application>libxml2</>.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, recognize a Tcl library that is
+      named <filename>tcl86.lib</> (Noah Misch)
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-9-3-17">
+  <title>Release 9.3.17</title>
+
+  <formalpara>
+  <title>Release date:</title>
+  <para>2017-05-11</para>
+  </formalpara>
+
+  <para>
+   This release contains a variety of fixes from 9.3.16.
+   For information about new features in the 9.3 major release, see
+   <xref linkend="release-9-3">.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 9.3.17</title>
+
+   <para>
+    A dump/restore is not required for those running 9.3.X.
+   </para>
+
+   <para>
+    However, if you use foreign data servers that make use of user
+    passwords for authentication, see the first changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are upgrading from a version earlier than 9.3.16,
+    see <xref linkend="release-9-3-16">.
+   </para>
+
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Restrict visibility
+      of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
+      protect passwords stored as user mapping options
+      (Michael Paquier, Feike Steenbergen)
+     </para>
+
+     <para>
+      The previous coding allowed the owner of a foreign server object,
+      or anyone he has granted server <literal>USAGE</> permission to,
+      to see the options for all user mappings associated with that server.
+      This might well include passwords for other users.
+      Adjust the view definition to match the behavior of
+      <structname>information_schema.user_mapping_options</>, namely that
+      these options are visible to the user being mapped, or if the mapping
+      is for <literal>PUBLIC</literal> and the current user is the server
+      owner, or if the current user is a superuser.
+      (CVE-2017-7486)
+     </para>
+
+     <para>
+      By itself, this patch will only fix the behavior in newly initdb'd
+      databases.  If you wish to apply this change in an existing database,
+      follow the corrected procedure shown in the changelog entry for
+      CVE-2017-7547, in <xref linkend="release-9-3-18">.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
       Prevent exposure of statistical information via leaky operators
       (Peter Eisentraut)
      </para>
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
index 3317c11fc2..c616c1a514 100644
--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@@ -1,22 +1,22 @@
 <!-- doc/src/sgml/release-9.4.sgml -->
 <!-- See header comment in release.sgml about typical markup -->
 
- <sect1 id="release-9-4-12">
-  <title>Release 9.4.12</title>
+ <sect1 id="release-9-4-13">
+  <title>Release 9.4.13</title>
 
   <formalpara>
   <title>Release date:</title>
-  <para>2017-05-11</para>
+  <para>2017-08-10</para>
   </formalpara>
 
   <para>
-   This release contains a variety of fixes from 9.4.11.
+   This release contains a variety of fixes from 9.4.12.
    For information about new features in the 9.4 major release, see
    <xref linkend="release-9-4">.
   </para>
 
   <sect2>
-   <title>Migration to Version 9.4.12</title>
+   <title>Migration to Version 9.4.13</title>
 
    <para>
     A dump/restore is not required for those running 9.4.X.
@@ -28,13 +28,8 @@
    </para>
 
    <para>
-    Also, if you are using third-party replication tools that depend
-    on <quote>logical decoding</>, see the fourth changelog entry below.
-   </para>
-
-   <para>
-    Also, if you are upgrading from a version earlier than 9.4.11,
-    see <xref linkend="release-9-4-11">.
+    Also, if you are upgrading from a version earlier than 9.4.12,
+    see <xref linkend="release-9-4-12">.
    </para>
   </sect2>
 
@@ -45,23 +40,22 @@
 
     <listitem>
      <para>
-      Restrict visibility
+      Further restrict visibility
       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
       protect passwords stored as user mapping options
-      (Michael Paquier, Feike Steenbergen)
+      (Noah Misch)
      </para>
 
      <para>
-      The previous coding allowed the owner of a foreign server object,
-      or anyone he has granted server <literal>USAGE</> permission to,
-      to see the options for all user mappings associated with that server.
-      This might well include passwords for other users.
-      Adjust the view definition to match the behavior of
-      <structname>information_schema.user_mapping_options</>, namely that
-      these options are visible to the user being mapped, or if the mapping
-      is for <literal>PUBLIC</literal> and the current user is the server
-      owner, or if the current user is a superuser.
-      (CVE-2017-7486)
+      The fix for CVE-2017-7486 was incorrect: it allowed a user
+      to see the options in her own user mapping, even if she did not
+      have <literal>USAGE</> permission on the associated foreign server.
+      Such options might include a password that had been provided by the
+      server owner rather than the user herself.
+      Since <structname>information_schema.user_mapping_options</> does not
+      show the options in such cases, <structname>pg_user_mappings</>
+      should not either.
+      (CVE-2017-7547)
      </para>
 
      <para>
@@ -97,7 +91,9 @@ CREATE OR REPLACE VIEW pg_user_mappings AS
         ELSE
             A.rolname
         END AS usename,
-        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user)
+        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user
+                     AND (pg_has_role(S.srvowner, 'USAGE')
+                          OR has_server_privilege(S.oid, 'USAGE')))
                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                     THEN U.umoptions
@@ -142,6 +138,615 @@ UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
 
     <listitem>
      <para>
+      Disallow empty passwords in all password-based authentication methods
+      (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <application>libpq</> ignores empty password specifications, and does
+      not transmit them to the server.  So, if a user's password has been
+      set to the empty string, it's impossible to log in with that password
+      via <application>psql</> or other <application>libpq</>-based
+      clients.  An administrator might therefore believe that setting the
+      password to empty is equivalent to disabling password login.
+      However, with a modified or non-<application>libpq</>-based client,
+      logging in could be possible, depending on which authentication
+      method is configured.  In particular the most common
+      method, <literal>md5</>, accepted empty passwords.
+      Change the server to reject empty passwords in all cases.
+      (CVE-2017-7546)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <function>lo_put()</> check for <literal>UPDATE</> privilege on
+      the target large object (Tom Lane, Michael Paquier)
+     </para>
+
+     <para>
+      <function>lo_put()</> should surely require the same permissions
+      as <function>lowrite()</>, but the check was missing, allowing any
+      user to change the data in a large object.
+      (CVE-2017-7548)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix concurrent locking of tuple update chains (&Aacute;lvaro Herrera)
+     </para>
+
+     <para>
+      If several sessions concurrently lock a tuple update chain with
+      nonconflicting lock modes using an old snapshot, and they all
+      succeed, it was possible for some of them to nonetheless fail (and
+      conclude there is no live tuple version) due to a race condition.
+      This had consequences such as foreign-key checks failing to see a
+      tuple that definitely exists but is being updated concurrently.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix potential data corruption when freezing a tuple whose XMAX is a
+      multixact with exactly one still-interesting member (Teodor Sigaev)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Avoid integer overflow and ensuing crash when sorting more than one
+      billion tuples in-memory (Sergey Koposov)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      On Windows, retry process creation if we fail to reserve the address
+      range for our shared memory in the new process (Tom Lane, Amit
+      Kapila)
+     </para>
+
+     <para>
+      This is expected to fix infrequent child-process-launch failures that
+      are probably due to interference from antivirus products.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix low-probability corruption of shared predicate-lock hash table
+      in Windows builds (Thomas Munro, Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Avoid logging clean closure of an SSL connection as though
+      it were a connection reset (Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent sending SSL session tickets to clients (Tom Lane)
+     </para>
+
+     <para>
+      This fix prevents reconnection failures with ticket-aware client-side
+      SSL code.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix code for setting <xref linkend="guc-tcp-keepalives-idle"> on
+      Solaris (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix statistics collector to honor inquiry messages issued just after
+      a postmaster shutdown and immediate restart (Tom Lane)
+     </para>
+
+     <para>
+      Statistics inquiries issued within half a second of the previous
+      postmaster shutdown were effectively ignored.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that the statistics collector's receive buffer size is at
+      least 100KB (Tom Lane)
+     </para>
+
+     <para>
+      This reduces the risk of dropped statistics data on older platforms
+      whose default receive buffer size is less than that.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix possible creation of an invalid WAL segment when a standby is
+      promoted just after it processes an <literal>XLOG_SWITCH</> WAL
+      record (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>walsender</> to exit promptly when client requests
+      shutdown (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <systemitem>SIGHUP</> and <systemitem>SIGUSR1</> handling in
+      walsender processes (Petr Jelinek, Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent walsender-triggered panics during shutdown checkpoints
+      (Andres Freund, Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessarily slow restarts of <application>walreceiver</>
+      processes due to race condition in postmaster (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: REL9_4_STABLE [23a2b818f] 2017-08-05 14:56:40 -0700
+-->
+     <para>
+      Fix logical decoding failure with very wide tuples (Andres Freund)
+     </para>
+
+     <para>
+      Logical decoding crashed on tuples that are wider than 64KB (after
+      compression, but with all data in-line).  The case arises only
+      when <literal>REPLICA IDENTITY FULL</> is enabled for a table
+      containing such tuples.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix leakage of small subtransactions spilled to disk during logical
+      decoding (Andres Freund)
+     </para>
+
+     <para>
+      This resulted in temporary files consuming excessive disk space.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce the work needed to build snapshots during creation of
+      logical-decoding slots (Andres Freund, Petr Jelinek)
+     </para>
+
+     <para>
+      The previous algorithm was infeasibly expensive on a server with a
+      lot of open transactions.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix race condition that could indefinitely delay creation of
+      logical-decoding slots (Andres Freund, Petr Jelinek)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce overhead in processing syscache invalidation events (Tom Lane)
+     </para>
+
+     <para>
+      This is particularly helpful for logical decoding, which triggers
+      frequent cache invalidation.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix cases where an <command>INSERT</> or <command>UPDATE</> assigns
+      to more than one element of a column that is of domain-over-array
+      type (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Allow window functions to be used in sub-<literal>SELECT</>s that
+      are within the arguments of an aggregate function (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Move autogenerated array types out of the way during
+      <command>ALTER ... RENAME</> (Vik Fearing)
+     </para>
+
+     <para>
+      Previously, we would rename a conflicting autogenerated array type
+      out of the way during <command>CREATE</>; this fix extends that
+      behavior to renaming operations.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that <command>ALTER USER ... SET</> accepts all the syntax
+      variants that <command>ALTER ROLE ... SET</> does (Peter Eisentraut)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Properly update dependency info when changing a datatype I/O
+      function's argument or return type from <type>opaque</> to the
+      correct type (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <command>CREATE TYPE</> updates I/O functions declared in this
+      long-obsolete style, but it forgot to record a dependency on the
+      type, allowing a subsequent <command>DROP TYPE</> to leave broken
+      function definitions behind.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce memory usage when <command>ANALYZE</> processes
+      a <type>tsvector</> column (Heikki Linnakangas)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessary precision loss and sloppy rounding when multiplying
+      or dividing <type>money</> values by integers or floats (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Tighten checks for whitespace in functions that parse identifiers,
+      such as <function>regprocedurein()</> (Tom Lane)
+     </para>
+
+     <para>
+      Depending on the prevailing locale, these functions could
+      misinterpret fragments of multibyte characters as whitespace.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Use relevant <literal>#define</> symbols from Perl while
+      compiling <application>PL/Perl</> (Ashutosh Sharma, Tom Lane)
+     </para>
+
+     <para>
+      This avoids portability problems, typically manifesting as
+      a <quote>handshake</> mismatch during library load, when working with
+      recent Perl versions.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <application>libpq</>, reset GSS/SASL and SSPI authentication
+      state properly after a failed connection attempt (Michael Paquier)
+     </para>
+
+     <para>
+      Failure to do this meant that when falling back from SSL to non-SSL
+      connections, a GSS/SASL failure in the SSL attempt would always cause
+      the non-SSL attempt to fail.  SSPI did not fail, but it leaked memory.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <application>psql</>, fix failure when <command>COPY FROM STDIN</>
+      is ended with a keyboard EOF signal and then another <command>COPY
+      FROM STDIN</> is attempted (Thomas Munro)
+     </para>
+
+     <para>
+      This misbehavior was observed on BSD-derived platforms (including
+      macOS), but not on most others.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> and <application>pg_restore</> to
+      emit <command>REFRESH MATERIALIZED VIEW</> commands last (Tom Lane)
+     </para>
+
+     <para>
+      This prevents errors during dump/restore when a materialized view
+      refers to tables owned by a different user.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Improve <application>pg_dump</>/<application>pg_restore</>'s
+      reporting of error conditions originating in <application>zlib</>
+      (Vladimir Kunschikov, &Aacute;lvaro Herrera)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> with the <option>--clean</> option to
+      drop event triggers as expected (Tom Lane)
+     </para>
+
+     <para>
+      It also now correctly assigns ownership of event triggers; before,
+      they were restored as being owned by the superuser running the
+      restore script.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> to not emit invalid SQL for an empty
+      operator class (Daniel Gustafsson)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> output to stdout on Windows (Kuntal Ghosh)
+     </para>
+
+     <para>
+      A compressed plain-text dump written to stdout would contain corrupt
+      data due to failure to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <function>pg_get_ruledef()</> to print correct output for
+      the <literal>ON SELECT</> rule of a view whose columns have been
+      renamed (Tom Lane)
+     </para>
+
+     <para>
+      In some corner cases, <application>pg_dump</> relies
+      on <function>pg_get_ruledef()</> to dump views, so that this error
+      could result in dump/reload failures.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dumping of outer joins with empty constraints, such as the result
+      of a <literal>NATURAL LEFT JOIN</> with no common columns (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dumping of function expressions in the <literal>FROM</> clause in
+      cases where the expression does not deparse into something that looks
+      like a function call (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_basebackup</> output to stdout on Windows
+      (Haribabu Kommi)
+     </para>
+
+     <para>
+      A backup written to stdout would contain corrupt data due to failure
+      to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_upgrade</> to ensure that the ending WAL record
+      does not have <xref linkend="guc-wal-level"> = <literal>minimum</>
+      (Bruce Momjian)
+     </para>
+
+     <para>
+      This condition could prevent upgraded standby servers from
+      reconnecting.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <filename>postgres_fdw</>, re-establish connections to remote
+      servers after <command>ALTER SERVER</> or <command>ALTER USER
+      MAPPING</> commands (Kyotaro Horiguchi)
+     </para>
+
+     <para>
+      This ensures that option changes affecting connection parameters will
+      be applied promptly.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <filename>postgres_fdw</>, allow cancellation of remote
+      transaction control commands (Robert Haas, Rafia Sabih)
+     </para>
+
+     <para>
+      This change allows us to quickly escape a wait for an unresponsive
+      remote server in many more cases than previously.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Increase <literal>MAX_SYSCACHE_CALLBACKS</> to provide more room for
+      extensions (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Always use <option>-fPIC</>, not <option>-fpic</>, when building
+      shared libraries with gcc (Tom Lane)
+     </para>
+
+     <para>
+      This supports larger extension libraries on platforms where it makes
+      a difference.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unescaped-braces issue in our build scripts for Microsoft MSVC,
+      to avoid a warning or error from recent Perl versions (Andrew
+      Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, handle the case where the <application>openssl</>
+      library is not within a <filename>VC</> subdirectory (Andrew Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, add proper include path for <application>libxml2</>
+      header files (Andrew Dunstan)
+     </para>
+
+     <para>
+      This fixes a former need to move things around in standard Windows
+      installations of <application>libxml2</>.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, recognize a Tcl library that is
+      named <filename>tcl86.lib</> (Noah Misch)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, honor <literal>PROVE_FLAGS</> settings
+      on <filename>vcregress.pl</>'s command line (Andrew Dunstan)
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-9-4-12">
+  <title>Release 9.4.12</title>
+
+  <formalpara>
+  <title>Release date:</title>
+  <para>2017-05-11</para>
+  </formalpara>
+
+  <para>
+   This release contains a variety of fixes from 9.4.11.
+   For information about new features in the 9.4 major release, see
+   <xref linkend="release-9-4">.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 9.4.12</title>
+
+   <para>
+    A dump/restore is not required for those running 9.4.X.
+   </para>
+
+   <para>
+    However, if you use foreign data servers that make use of user
+    passwords for authentication, see the first changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are using third-party replication tools that depend
+    on <quote>logical decoding</>, see the fourth changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are upgrading from a version earlier than 9.4.11,
+    see <xref linkend="release-9-4-11">.
+   </para>
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Restrict visibility
+      of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
+      protect passwords stored as user mapping options
+      (Michael Paquier, Feike Steenbergen)
+     </para>
+
+     <para>
+      The previous coding allowed the owner of a foreign server object,
+      or anyone he has granted server <literal>USAGE</> permission to,
+      to see the options for all user mappings associated with that server.
+      This might well include passwords for other users.
+      Adjust the view definition to match the behavior of
+      <structname>information_schema.user_mapping_options</>, namely that
+      these options are visible to the user being mapped, or if the mapping
+      is for <literal>PUBLIC</literal> and the current user is the server
+      owner, or if the current user is a superuser.
+      (CVE-2017-7486)
+     </para>
+
+     <para>
+      By itself, this patch will only fix the behavior in newly initdb'd
+      databases.  If you wish to apply this change in an existing database,
+      follow the corrected procedure shown in the changelog entry for
+      CVE-2017-7547, in <xref linkend="release-9-4-13">.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
       Prevent exposure of statistical information via leaky operators
       (Peter Eisentraut)
      </para>
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
index 14a9b9d3b0..ceece4b8a5 100644
--- a/doc/src/sgml/release-9.5.sgml
+++ b/doc/src/sgml/release-9.5.sgml
@@ -1,22 +1,22 @@
 <!-- doc/src/sgml/release-9.5.sgml -->
 <!-- See header comment in release.sgml about typical markup -->
 
- <sect1 id="release-9-5-7">
-  <title>Release 9.5.7</title>
+ <sect1 id="release-9-5-8">
+  <title>Release 9.5.8</title>
 
   <formalpara>
   <title>Release date:</title>
-  <para>2017-05-11</para>
+  <para>2017-08-10</para>
   </formalpara>
 
   <para>
-   This release contains a variety of fixes from 9.5.6.
+   This release contains a variety of fixes from 9.5.7.
    For information about new features in the 9.5 major release, see
    <xref linkend="release-9-5">.
   </para>
 
   <sect2>
-   <title>Migration to Version 9.5.7</title>
+   <title>Migration to Version 9.5.8</title>
 
    <para>
     A dump/restore is not required for those running 9.5.X.
@@ -28,13 +28,8 @@
    </para>
 
    <para>
-    Also, if you are using third-party replication tools that depend
-    on <quote>logical decoding</>, see the fourth changelog entry below.
-   </para>
-
-   <para>
-    Also, if you are upgrading from a version earlier than 9.5.6,
-    see <xref linkend="release-9-5-6">.
+    Also, if you are upgrading from a version earlier than 9.5.7,
+    see <xref linkend="release-9-5-7">.
    </para>
   </sect2>
 
@@ -45,23 +40,22 @@
 
     <listitem>
      <para>
-      Restrict visibility
+      Further restrict visibility
       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
       protect passwords stored as user mapping options
-      (Michael Paquier, Feike Steenbergen)
+      (Noah Misch)
      </para>
 
      <para>
-      The previous coding allowed the owner of a foreign server object,
-      or anyone he has granted server <literal>USAGE</> permission to,
-      to see the options for all user mappings associated with that server.
-      This might well include passwords for other users.
-      Adjust the view definition to match the behavior of
-      <structname>information_schema.user_mapping_options</>, namely that
-      these options are visible to the user being mapped, or if the mapping
-      is for <literal>PUBLIC</literal> and the current user is the server
-      owner, or if the current user is a superuser.
-      (CVE-2017-7486)
+      The fix for CVE-2017-7486 was incorrect: it allowed a user
+      to see the options in her own user mapping, even if she did not
+      have <literal>USAGE</> permission on the associated foreign server.
+      Such options might include a password that had been provided by the
+      server owner rather than the user herself.
+      Since <structname>information_schema.user_mapping_options</> does not
+      show the options in such cases, <structname>pg_user_mappings</>
+      should not either.
+      (CVE-2017-7547)
      </para>
 
      <para>
@@ -97,7 +91,9 @@ CREATE OR REPLACE VIEW pg_user_mappings AS
         ELSE
             A.rolname
         END AS usename,
-        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user)
+        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user
+                     AND (pg_has_role(S.srvowner, 'USAGE')
+                          OR has_server_privilege(S.oid, 'USAGE')))
                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                     THEN U.umoptions
@@ -142,6 +138,649 @@ UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
 
     <listitem>
      <para>
+      Disallow empty passwords in all password-based authentication methods
+      (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <application>libpq</> ignores empty password specifications, and does
+      not transmit them to the server.  So, if a user's password has been
+      set to the empty string, it's impossible to log in with that password
+      via <application>psql</> or other <application>libpq</>-based
+      clients.  An administrator might therefore believe that setting the
+      password to empty is equivalent to disabling password login.
+      However, with a modified or non-<application>libpq</>-based client,
+      logging in could be possible, depending on which authentication
+      method is configured.  In particular the most common
+      method, <literal>md5</>, accepted empty passwords.
+      Change the server to reject empty passwords in all cases.
+      (CVE-2017-7546)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <function>lo_put()</> check for <literal>UPDATE</> privilege on
+      the target large object (Tom Lane, Michael Paquier)
+     </para>
+
+     <para>
+      <function>lo_put()</> should surely require the same permissions
+      as <function>lowrite()</>, but the check was missing, allowing any
+      user to change the data in a large object.
+      (CVE-2017-7548)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Correct the documentation about the process for upgrading standby
+      servers with <application>pg_upgrade</> (Bruce Momjian)
+     </para>
+
+     <para>
+      The previous documentation instructed users to start/stop the primary
+      server after running <application>pg_upgrade</> but before syncing
+      the standby servers.  This sequence is unsafe.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix concurrent locking of tuple update chains (&Aacute;lvaro Herrera)
+     </para>
+
+     <para>
+      If several sessions concurrently lock a tuple update chain with
+      nonconflicting lock modes using an old snapshot, and they all
+      succeed, it was possible for some of them to nonetheless fail (and
+      conclude there is no live tuple version) due to a race condition.
+      This had consequences such as foreign-key checks failing to see a
+      tuple that definitely exists but is being updated concurrently.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix potential data corruption when freezing a tuple whose XMAX is a
+      multixact with exactly one still-interesting member (Teodor Sigaev)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Avoid integer overflow and ensuing crash when sorting more than one
+      billion tuples in-memory (Sergey Koposov)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      On Windows, retry process creation if we fail to reserve the address
+      range for our shared memory in the new process (Tom Lane, Amit
+      Kapila)
+     </para>
+
+     <para>
+      This is expected to fix infrequent child-process-launch failures that
+      are probably due to interference from antivirus products.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix low-probability corruption of shared predicate-lock hash table
+      in Windows builds (Thomas Munro, Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Avoid logging clean closure of an SSL connection as though
+      it were a connection reset (Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent sending SSL session tickets to clients (Tom Lane)
+     </para>
+
+     <para>
+      This fix prevents reconnection failures with ticket-aware client-side
+      SSL code.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix code for setting <xref linkend="guc-tcp-keepalives-idle"> on
+      Solaris (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix statistics collector to honor inquiry messages issued just after
+      a postmaster shutdown and immediate restart (Tom Lane)
+     </para>
+
+     <para>
+      Statistics inquiries issued within half a second of the previous
+      postmaster shutdown were effectively ignored.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that the statistics collector's receive buffer size is at
+      least 100KB (Tom Lane)
+     </para>
+
+     <para>
+      This reduces the risk of dropped statistics data on older platforms
+      whose default receive buffer size is less than that.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix possible creation of an invalid WAL segment when a standby is
+      promoted just after it processes an <literal>XLOG_SWITCH</> WAL
+      record (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>walsender</> to exit promptly when client requests
+      shutdown (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <systemitem>SIGHUP</> and <systemitem>SIGUSR1</> handling in
+      walsender processes (Petr Jelinek, Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent walsender-triggered panics during shutdown checkpoints
+      (Andres Freund, Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessarily slow restarts of <application>walreceiver</>
+      processes due to race condition in postmaster (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix leakage of small subtransactions spilled to disk during logical
+      decoding (Andres Freund)
+     </para>
+
+     <para>
+      This resulted in temporary files consuming excessive disk space.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce the work needed to build snapshots during creation of
+      logical-decoding slots (Andres Freund, Petr Jelinek)
+     </para>
+
+     <para>
+      The previous algorithm was infeasibly expensive on a server with a
+      lot of open transactions.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix race condition that could indefinitely delay creation of
+      logical-decoding slots (Andres Freund, Petr Jelinek)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce overhead in processing syscache invalidation events (Tom Lane)
+     </para>
+
+     <para>
+      This is particularly helpful for logical decoding, which triggers
+      frequent cache invalidation.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix cases where an <command>INSERT</> or <command>UPDATE</> assigns
+      to more than one element of a column that is of domain-over-array
+      type (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Allow window functions to be used in sub-<literal>SELECT</>s that
+      are within the arguments of an aggregate function (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Move autogenerated array types out of the way during
+      <command>ALTER ... RENAME</> (Vik Fearing)
+     </para>
+
+     <para>
+      Previously, we would rename a conflicting autogenerated array type
+      out of the way during <command>CREATE</>; this fix extends that
+      behavior to renaming operations.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dangling pointer in <command>ALTER TABLE</> when there is a
+      comment on a constraint belonging to the table (David Rowley)
+     </para>
+
+     <para>
+      Re-applying the comment to the reconstructed constraint could fail
+      with a weird error message, or even crash.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Ensure that <command>ALTER USER ... SET</> accepts all the syntax
+      variants that <command>ALTER ROLE ... SET</> does (Peter Eisentraut)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Properly update dependency info when changing a datatype I/O
+      function's argument or return type from <type>opaque</> to the
+      correct type (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <command>CREATE TYPE</> updates I/O functions declared in this
+      long-obsolete style, but it forgot to record a dependency on the
+      type, allowing a subsequent <command>DROP TYPE</> to leave broken
+      function definitions behind.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Reduce memory usage when <command>ANALYZE</> processes
+      a <type>tsvector</> column (Heikki Linnakangas)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix unnecessary precision loss and sloppy rounding when multiplying
+      or dividing <type>money</> values by integers or floats (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Tighten checks for whitespace in functions that parse identifiers,
+      such as <function>regprocedurein()</> (Tom Lane)
+     </para>
+
+     <para>
+      Depending on the prevailing locale, these functions could
+      misinterpret fragments of multibyte characters as whitespace.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Use relevant <literal>#define</> symbols from Perl while
+      compiling <application>PL/Perl</> (Ashutosh Sharma, Tom Lane)
+     </para>
+
+     <para>
+      This avoids portability problems, typically manifesting as
+      a <quote>handshake</> mismatch during library load, when working with
+      recent Perl versions.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <application>libpq</>, reset GSS/SASL and SSPI authentication
+      state properly after a failed connection attempt (Michael Paquier)
+     </para>
+
+     <para>
+      Failure to do this meant that when falling back from SSL to non-SSL
+      connections, a GSS/SASL failure in the SSL attempt would always cause
+      the non-SSL attempt to fail.  SSPI did not fail, but it leaked memory.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <application>psql</>, fix failure when <command>COPY FROM STDIN</>
+      is ended with a keyboard EOF signal and then another <command>COPY
+      FROM STDIN</> is attempted (Thomas Munro)
+     </para>
+
+     <para>
+      This misbehavior was observed on BSD-derived platforms (including
+      macOS), but not on most others.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> and <application>pg_restore</> to
+      emit <command>REFRESH MATERIALIZED VIEW</> commands last (Tom Lane)
+     </para>
+
+     <para>
+      This prevents errors during dump/restore when a materialized view
+      refers to tables owned by a different user.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Improve <application>pg_dump</>/<application>pg_restore</>'s
+      reporting of error conditions originating in <application>zlib</>
+      (Vladimir Kunschikov, &Aacute;lvaro Herrera)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> with the <option>--clean</> option to
+      drop event triggers as expected (Tom Lane)
+     </para>
+
+     <para>
+      It also now correctly assigns ownership of event triggers; before,
+      they were restored as being owned by the superuser running the
+      restore script.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> to not emit invalid SQL for an empty
+      operator class (Daniel Gustafsson)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> output to stdout on Windows (Kuntal Ghosh)
+     </para>
+
+     <para>
+      A compressed plain-text dump written to stdout would contain corrupt
+      data due to failure to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <function>pg_get_ruledef()</> to print correct output for
+      the <literal>ON SELECT</> rule of a view whose columns have been
+      renamed (Tom Lane)
+     </para>
+
+     <para>
+      In some corner cases, <application>pg_dump</> relies
+      on <function>pg_get_ruledef()</> to dump views, so that this error
+      could result in dump/reload failures.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dumping of outer joins with empty constraints, such as the result
+      of a <literal>NATURAL LEFT JOIN</> with no common columns (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix dumping of function expressions in the <literal>FROM</> clause in
+      cases where the expression does not deparse into something that looks
+      like a function call (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_basebackup</> output to stdout on Windows
+      (Haribabu Kommi)
+     </para>
+
+     <para>
+      A backup written to stdout would contain corrupt data due to failure
+      to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_rewind</> to correctly handle files exceeding 2GB
+      (Kuntal Ghosh, Michael Paquier)
+     </para>
+
+     <para>
+      Ordinarily such files won't appear in <productname>PostgreSQL</> data
+      directories, but they could be present in some cases.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_upgrade</> to ensure that the ending WAL record
+      does not have <xref linkend="guc-wal-level"> = <literal>minimum</>
+      (Bruce Momjian)
+     </para>
+
+     <para>
+      This condition could prevent upgraded standby servers from
+      reconnecting.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_xlogdump</>'s computation of WAL record length
+      (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <filename>postgres_fdw</>, re-establish connections to remote
+      servers after <command>ALTER SERVER</> or <command>ALTER USER
+      MAPPING</> commands (Kyotaro Horiguchi)
+     </para>
+
+     <para>
+      This ensures that option changes affecting connection parameters will
+      be applied promptly.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In <filename>postgres_fdw</>, allow cancellation of remote
+      transaction control commands (Robert Haas, Rafia Sabih)
+     </para>
+
+     <para>
+      This change allows us to quickly escape a wait for an unresponsive
+      remote server in many more cases than previously.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Increase <literal>MAX_SYSCACHE_CALLBACKS</> to provide more room for
+      extensions (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Always use <option>-fPIC</>, not <option>-fpic</>, when building
+      shared libraries with gcc (Tom Lane)
+     </para>
+
+     <para>
+      This supports larger extension libraries on platforms where it makes
+      a difference.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: REL9_5_STABLE [af1f18259] 2017-08-02 15:07:20 -0400
+Branch: REL9_4_STABLE [8892170e7] 2017-08-02 15:07:20 -0400
+Branch: REL9_3_STABLE [3d9ae20e7] 2017-08-02 15:07:20 -0400
+Branch: REL9_2_STABLE [1188b9b2c] 2017-08-02 15:07:21 -0400
+-->
+     <para>
+      Fix unescaped-braces issue in our build scripts for Microsoft MSVC,
+      to avoid a warning or error from recent Perl versions (Andrew
+      Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, handle the case where the <application>openssl</>
+      library is not within a <filename>VC</> subdirectory (Andrew Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, add proper include path for <application>libxml2</>
+      header files (Andrew Dunstan)
+     </para>
+
+     <para>
+      This fixes a former need to move things around in standard Windows
+      installations of <application>libxml2</>.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, recognize a Tcl library that is
+      named <filename>tcl86.lib</> (Noah Misch)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      In MSVC builds, honor <literal>PROVE_FLAGS</> settings
+      on <filename>vcregress.pl</>'s command line (Andrew Dunstan)
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-9-5-7">
+  <title>Release 9.5.7</title>
+
+  <formalpara>
+  <title>Release date:</title>
+  <para>2017-05-11</para>
+  </formalpara>
+
+  <para>
+   This release contains a variety of fixes from 9.5.6.
+   For information about new features in the 9.5 major release, see
+   <xref linkend="release-9-5">.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 9.5.7</title>
+
+   <para>
+    A dump/restore is not required for those running 9.5.X.
+   </para>
+
+   <para>
+    However, if you use foreign data servers that make use of user
+    passwords for authentication, see the first changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are using third-party replication tools that depend
+    on <quote>logical decoding</>, see the fourth changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are upgrading from a version earlier than 9.5.6,
+    see <xref linkend="release-9-5-6">.
+   </para>
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Restrict visibility
+      of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
+      protect passwords stored as user mapping options
+      (Michael Paquier, Feike Steenbergen)
+     </para>
+
+     <para>
+      The previous coding allowed the owner of a foreign server object,
+      or anyone he has granted server <literal>USAGE</> permission to,
+      to see the options for all user mappings associated with that server.
+      This might well include passwords for other users.
+      Adjust the view definition to match the behavior of
+      <structname>information_schema.user_mapping_options</>, namely that
+      these options are visible to the user being mapped, or if the mapping
+      is for <literal>PUBLIC</literal> and the current user is the server
+      owner, or if the current user is a superuser.
+      (CVE-2017-7486)
+     </para>
+
+     <para>
+      By itself, this patch will only fix the behavior in newly initdb'd
+      databases.  If you wish to apply this change in an existing database,
+      follow the corrected procedure shown in the changelog entry for
+      CVE-2017-7547, in <xref linkend="release-9-5-8">.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
       Prevent exposure of statistical information via leaky operators
       (Peter Eisentraut)
      </para>
diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
index 764f812d60..078ac87841 100644
--- a/doc/src/sgml/release-9.6.sgml
+++ b/doc/src/sgml/release-9.6.sgml
@@ -1,22 +1,22 @@
 <!-- doc/src/sgml/release-9.6.sgml -->
 <!-- See header comment in release.sgml about typical markup -->
 
- <sect1 id="release-9-6-3">
-  <title>Release 9.6.3</title>
+ <sect1 id="release-9-6-4">
+  <title>Release 9.6.4</title>
 
   <formalpara>
   <title>Release date:</title>
-  <para>2017-05-11</para>
+  <para>2017-08-10</para>
   </formalpara>
 
   <para>
-   This release contains a variety of fixes from 9.6.2.
+   This release contains a variety of fixes from 9.6.3.
    For information about new features in the 9.6 major release, see
    <xref linkend="release-9-6">.
   </para>
 
   <sect2>
-   <title>Migration to Version 9.6.3</title>
+   <title>Migration to Version 9.6.4</title>
 
    <para>
     A dump/restore is not required for those running 9.6.X.
@@ -28,13 +28,8 @@
    </para>
 
    <para>
-    Also, if you are using third-party replication tools that depend
-    on <quote>logical decoding</>, see the fourth changelog entry below.
-   </para>
-
-   <para>
-    Also, if you are upgrading from a version earlier than 9.6.2,
-    see <xref linkend="release-9-6-2">.
+    Also, if you are upgrading from a version earlier than 9.6.3,
+    see <xref linkend="release-9-6-3">.
    </para>
   </sect2>
 
@@ -46,31 +41,30 @@
     <listitem>
 <!--
 Author: Noah Misch <noah@leadboat.com>
-Branch: master [3eefc5105] 2017-05-08 07:24:24 -0700
-Branch: REL9_6_STABLE [c928addfc] 2017-05-08 07:24:27 -0700
-Branch: REL9_5_STABLE [db2158108] 2017-05-08 07:24:27 -0700
-Branch: REL9_4_STABLE [b2423f0fa] 2017-05-08 07:24:27 -0700
-Branch: REL9_3_STABLE [b5b124046] 2017-05-08 07:24:28 -0700
-Branch: REL9_2_STABLE [99cbb0bd9] 2017-05-08 07:24:28 -0700
+Branch: master [e568e1eee] 2017-08-07 07:09:28 -0700
+Branch: REL9_6_STABLE [156099630] 2017-08-07 07:09:31 -0700
+Branch: REL9_5_STABLE [36f9f6095] 2017-08-07 07:09:31 -0700
+Branch: REL9_4_STABLE [b6e39ca92] 2017-08-07 07:09:31 -0700
+Branch: REL9_3_STABLE [5e8e00914] 2017-08-07 07:09:31 -0700
+Branch: REL9_2_STABLE [e255e97a2] 2017-08-07 07:09:32 -0700
 -->
      <para>
-      Restrict visibility
+      Further restrict visibility
       of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
       protect passwords stored as user mapping options
-      (Michael Paquier, Feike Steenbergen)
+      (Noah Misch)
      </para>
 
      <para>
-      The previous coding allowed the owner of a foreign server object,
-      or anyone he has granted server <literal>USAGE</> permission to,
-      to see the options for all user mappings associated with that server.
-      This might well include passwords for other users.
-      Adjust the view definition to match the behavior of
-      <structname>information_schema.user_mapping_options</>, namely that
-      these options are visible to the user being mapped, or if the mapping
-      is for <literal>PUBLIC</literal> and the current user is the server
-      owner, or if the current user is a superuser.
-      (CVE-2017-7486)
+      The fix for CVE-2017-7486 was incorrect: it allowed a user
+      to see the options in her own user mapping, even if she did not
+      have <literal>USAGE</> permission on the associated foreign server.
+      Such options might include a password that had been provided by the
+      server owner rather than the user herself.
+      Since <structname>information_schema.user_mapping_options</> does not
+      show the options in such cases, <structname>pg_user_mappings</>
+      should not either.
+      (CVE-2017-7547)
      </para>
 
      <para>
@@ -106,7 +100,9 @@ CREATE OR REPLACE VIEW pg_user_mappings AS
         ELSE
             A.rolname
         END AS usename,
-        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user)
+        CASE WHEN (U.umuser &lt;&gt; 0 AND A.rolname = current_user
+                     AND (pg_has_role(S.srvowner, 'USAGE')
+                          OR has_server_privilege(S.oid, 'USAGE')))
                     OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                     OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                     THEN U.umoptions
@@ -151,6 +147,1223 @@ UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
 
     <listitem>
 <!--
+Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Branch: master [bf6b9e944] 2017-08-07 17:03:42 +0300
+Branch: REL9_6_STABLE [f6fc72cb6] 2017-08-07 17:03:49 +0300
+Branch: REL9_5_STABLE [127835ddf] 2017-08-07 17:04:00 +0300
+Branch: REL9_4_STABLE [d5d46d99b] 2017-08-07 17:04:07 +0300
+Branch: REL9_3_STABLE [b2f833ea7] 2017-08-07 17:04:12 +0300
+Branch: REL9_2_STABLE [06651648a] 2017-08-07 17:04:17 +0300
+-->
+     <para>
+      Disallow empty passwords in all password-based authentication methods
+      (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <application>libpq</> ignores empty password specifications, and does
+      not transmit them to the server.  So, if a user's password has been
+      set to the empty string, it's impossible to log in with that password
+      via <application>psql</> or other <application>libpq</>-based
+      clients.  An administrator might therefore believe that setting the
+      password to empty is equivalent to disabling password login.
+      However, with a modified or non-<application>libpq</>-based client,
+      logging in could be possible, depending on which authentication
+      method is configured.  In particular the most common
+      method, <literal>md5</>, accepted empty passwords.
+      Change the server to reject empty passwords in all cases.
+      (CVE-2017-7546)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [8d9881911] 2017-08-07 10:19:19 -0400
+Branch: REL9_6_STABLE [52a414387] 2017-08-07 10:19:20 -0400
+Branch: REL9_5_STABLE [873741c68] 2017-08-07 10:19:21 -0400
+Branch: REL9_4_STABLE [f1cda6d6c] 2017-08-07 10:19:22 -0400
+-->
+     <para>
+      Make <function>lo_put()</> check for <literal>UPDATE</> privilege on
+      the target large object (Tom Lane, Michael Paquier)
+     </para>
+
+     <para>
+      <function>lo_put()</> should surely require the same permissions
+      as <function>lowrite()</>, but the check was missing, allowing any
+      user to change the data in a large object.
+      (CVE-2017-7548)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Bruce Momjian <bruce@momjian.us>
+Branch: master [0f33a719f] 2017-06-15 12:30:02 -0400
+Branch: REL9_6_STABLE [a0873fbab] 2017-06-15 12:30:02 -0400
+Branch: REL9_5_STABLE [fd376afc9] 2017-06-15 12:30:02 -0400
+-->
+     <para>
+      Correct the documentation about the process for upgrading standby
+      servers with <application>pg_upgrade</> (Bruce Momjian)
+     </para>
+
+     <para>
+      The previous documentation instructed users to start/stop the primary
+      server after running <application>pg_upgrade</> but before syncing
+      the standby servers.  This sequence is unsafe.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
+Branch: master [459c64d32] 2017-07-26 17:24:16 -0400
+Branch: REL9_6_STABLE [8c348765f] 2017-07-26 17:24:16 -0400
+Branch: REL9_5_STABLE [0d4604ad6] 2017-07-26 17:24:16 -0400
+Branch: REL9_4_STABLE [dfd091985] 2017-07-26 17:25:46 -0400
+Branch: REL9_3_STABLE [2efbfb94b] 2017-07-26 17:24:16 -0400
+-->
+     <para>
+      Fix concurrent locking of tuple update chains (&Aacute;lvaro Herrera)
+     </para>
+
+     <para>
+      If several sessions concurrently lock a tuple update chain with
+      nonconflicting lock modes using an old snapshot, and they all
+      succeed, it was possible for some of them to nonetheless fail (and
+      conclude there is no live tuple version) due to a race condition.
+      This had consequences such as foreign-key checks failing to see a
+      tuple that definitely exists but is being updated concurrently.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Teodor Sigaev <teodor@sigaev.ru>
+Branch: master [31b8db8e6] 2017-07-06 17:18:55 +0300
+Branch: REL9_6_STABLE [42f62e4c9] 2017-07-06 17:19:44 +0300
+Branch: REL9_5_STABLE [fb2d385e6] 2017-07-06 17:20:17 +0300
+Branch: REL9_4_STABLE [b90e4ca3e] 2017-07-06 17:20:37 +0300
+Branch: REL9_3_STABLE [f371cc9e9] 2017-07-06 17:20:56 +0300
+-->
+     <para>
+      Fix potential data corruption when freezing a tuple whose XMAX is a
+      multixact with exactly one still-interesting member (Teodor Sigaev)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [512f67c8d] 2017-07-12 13:24:16 -0400
+Branch: REL9_6_STABLE [09c598898] 2017-07-12 13:24:16 -0400
+Branch: REL9_5_STABLE [e7213fe2b] 2017-07-12 13:24:16 -0400
+Branch: REL9_4_STABLE [e439bbe99] 2017-07-12 13:24:17 -0400
+-->
+     <para>
+      Avoid integer overflow and ensuing crash when sorting more than one
+      billion tuples in-memory (Sergey Koposov)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [45e004fb4] 2017-07-10 11:00:09 -0400
+Branch: REL9_6_STABLE [c0077f738] 2017-07-10 11:00:09 -0400
+Branch: REL9_5_STABLE [afd1415a4] 2017-07-10 11:00:09 -0400
+Branch: REL9_4_STABLE [bc0f76e7a] 2017-07-10 11:00:09 -0400
+Branch: REL9_3_STABLE [59892b120] 2017-07-10 11:00:09 -0400
+Branch: REL9_2_STABLE [a4a590ee7] 2017-07-10 11:00:09 -0400
+-->
+     <para>
+      On Windows, retry process creation if we fail to reserve the address
+      range for our shared memory in the new process (Tom Lane, Amit
+      Kapila)
+     </para>
+
+     <para>
+      This is expected to fix infrequent child-process-launch failures that
+      are probably due to interference from antivirus products.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [e2c8100e6] 2017-07-24 16:45:58 -0400
+Branch: REL9_6_STABLE [51865a0a0] 2017-07-24 16:46:00 -0400
+Branch: REL9_5_STABLE [5146ca352] 2017-07-24 16:45:46 -0400
+Branch: REL9_4_STABLE [8ad35c7fa] 2017-07-24 16:45:46 -0400
+Branch: REL9_3_STABLE [4ecee1192] 2017-07-24 16:45:47 -0400
+Branch: REL9_2_STABLE [05a562d9c] 2017-07-24 16:45:47 -0400
+-->
+     <para>
+      Fix low-probability corruption of shared predicate-lock hash table
+      in Windows builds (Thomas Munro, Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Branch: master [b93827c74] 2017-07-03 14:51:51 +0300
+Branch: REL9_6_STABLE [f73382877] 2017-07-03 14:53:01 +0300
+Branch: REL9_5_STABLE [90630a6ad] 2017-07-03 14:53:06 +0300
+Branch: REL9_4_STABLE [fb63a0aa3] 2017-07-03 14:53:08 +0300
+Branch: REL9_3_STABLE [543e00bc1] 2017-07-03 14:53:10 +0300
+Branch: REL9_2_STABLE [fb1110085] 2017-07-03 14:53:12 +0300
+-->
+     <para>
+      Avoid logging clean closure of an SSL connection as though
+      it were a connection reset (Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [97d3a0b09] 2017-08-04 11:07:10 -0400
+Branch: REL9_6_STABLE [b798ea88a] 2017-08-04 11:07:10 -0400
+Branch: REL9_5_STABLE [bebee333c] 2017-08-04 11:07:10 -0400
+Branch: REL9_4_STABLE [8d05db3d8] 2017-08-04 11:07:10 -0400
+Branch: REL9_3_STABLE [dda04b9dd] 2017-08-04 11:07:10 -0400
+Branch: REL9_2_STABLE [c180d2eb7] 2017-08-04 11:07:11 -0400
+-->
+     <para>
+      Prevent sending SSL session tickets to clients (Tom Lane)
+     </para>
+
+     <para>
+      This fix prevents reconnection failures with ticket-aware client-side
+      SSL code.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [f0256c774] 2017-06-27 18:47:57 -0400
+Branch: REL9_6_STABLE [55968ed89] 2017-06-27 18:47:57 -0400
+Branch: REL9_5_STABLE [d16e96fb2] 2017-06-27 18:47:57 -0400
+Branch: REL9_4_STABLE [c2cb606a2] 2017-06-27 18:47:57 -0400
+Branch: REL9_3_STABLE [9ce7f3919] 2017-06-27 18:47:57 -0400
+Branch: REL9_2_STABLE [6ccab9242] 2017-06-27 18:47:57 -0400
+Branch: master [99255d73c] 2017-06-28 12:30:16 -0400
+Branch: REL9_6_STABLE [43c67e32f] 2017-06-28 12:30:16 -0400
+Branch: REL9_5_STABLE [63f5db8ab] 2017-06-28 12:30:16 -0400
+Branch: REL9_4_STABLE [e97b7372b] 2017-06-28 12:30:16 -0400
+Branch: REL9_3_STABLE [cc154d9a0] 2017-06-28 12:30:16 -0400
+Branch: REL9_2_STABLE [5e7447132] 2017-06-28 12:30:16 -0400
+-->
+     <para>
+      Fix code for setting <xref linkend="guc-tcp-keepalives-idle"> on
+      Solaris (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [ad1b5c842] 2017-06-26 16:17:05 -0400
+Branch: REL9_6_STABLE [f6af9c749] 2017-06-26 16:17:05 -0400
+Branch: REL9_5_STABLE [5a6b95cdf] 2017-06-26 16:17:06 -0400
+Branch: REL9_4_STABLE [fc4da1fde] 2017-06-26 16:17:06 -0400
+Branch: REL9_3_STABLE [456bf261d] 2017-06-26 16:17:06 -0400
+Branch: REL9_2_STABLE [439b6363d] 2017-06-26 16:17:06 -0400
+-->
+     <para>
+      Fix statistics collector to honor inquiry messages issued just after
+      a postmaster shutdown and immediate restart (Tom Lane)
+     </para>
+
+     <para>
+      Statistics inquiries issued within half a second of the previous
+      postmaster shutdown were effectively ignored.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [8b0b6303e] 2017-05-16 15:24:52 -0400
+Branch: REL9_6_STABLE [34782a348] 2017-05-29 20:27:45 -0400
+Branch: REL9_5_STABLE [82f8c21e0] 2017-05-29 20:27:45 -0400
+Branch: REL9_4_STABLE [54676c72c] 2017-05-29 20:27:45 -0400
+Branch: REL9_3_STABLE [4a3bb96ce] 2017-05-29 20:27:45 -0400
+Branch: REL9_2_STABLE [364100e0b] 2017-05-29 20:27:45 -0400
+-->
+     <para>
+      Ensure that the statistics collector's receive buffer size is at
+      least 100KB (Tom Lane)
+     </para>
+
+     <para>
+      This reduces the risk of dropped statistics data on older platforms
+      whose default receive buffer size is less than that.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [fb886c153] 2017-06-21 14:14:45 -0700
+Branch: REL9_6_STABLE [39e30cbc1] 2017-06-21 14:14:38 -0700
+Branch: REL9_5_STABLE [7775ebaf0] 2017-06-21 14:14:29 -0700
+Branch: REL9_4_STABLE [823a51ed3] 2017-06-21 14:14:21 -0700
+Branch: REL9_3_STABLE [511d803ca] 2017-06-21 14:14:12 -0700
+Branch: REL9_2_STABLE [81bf7b5b1] 2017-06-21 14:13:58 -0700
+-->
+     <para>
+      Fix possible creation of an invalid WAL segment when a standby is
+      promoted just after it processes an <literal>XLOG_SWITCH</> WAL
+      record (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [fca85f8ef] 2017-06-30 12:00:15 -0400
+Branch: REL9_6_STABLE [e9d4aa594] 2017-06-30 12:00:03 -0400
+Branch: REL9_5_STABLE [446914f6b] 2017-06-30 12:00:03 -0400
+Branch: REL9_4_STABLE [5aa8db014] 2017-06-30 12:00:03 -0400
+-->
+     <para>
+      Fix <application>walsender</> to exit promptly when client requests
+      shutdown (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [47fd420fb] 2017-06-05 19:18:15 -0700
+Branch: REL9_6_STABLE [b3d5b6833] 2017-06-05 19:18:16 -0700
+Branch: REL9_5_STABLE [e1319f64e] 2017-06-05 19:18:16 -0700
+Branch: REL9_4_STABLE [f4e484dd0] 2017-06-05 19:18:16 -0700
+Branch: master [6e1dd2773] 2017-06-05 19:18:16 -0700
+Branch: REL9_6_STABLE [b8bd32a51] 2017-06-05 19:18:16 -0700
+Branch: REL9_5_STABLE [641a60b02] 2017-06-05 19:18:16 -0700
+Branch: REL9_4_STABLE [55d7027d5] 2017-06-05 19:18:16 -0700
+Branch: REL9_3_STABLE [45d067d50] 2017-06-05 19:18:16 -0700
+Branch: REL9_2_STABLE [133b1920c] 2017-06-05 19:18:16 -0700
+-->
+     <para>
+      Fix <systemitem>SIGHUP</> and <systemitem>SIGUSR1</> handling in
+      walsender processes (Petr Jelinek, Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [c6c333436] 2017-06-05 19:18:15 -0700
+Branch: REL9_6_STABLE [862204aac] 2017-06-05 19:18:16 -0700
+Branch: REL9_5_STABLE [50581f2e7] 2017-06-05 19:18:16 -0700
+Branch: REL9_4_STABLE [1cdc0ab9c] 2017-06-05 19:18:16 -0700
+-->
+     <para>
+      Prevent walsender-triggered panics during shutdown checkpoints
+      (Andres Freund, Michael Paquier)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [e5d494d78] 2017-06-26 17:31:56 -0400
+Branch: REL9_6_STABLE [a4d1ce095] 2017-06-26 17:31:56 -0400
+Branch: REL9_5_STABLE [dc311b5bd] 2017-06-26 17:31:56 -0400
+Branch: REL9_4_STABLE [47fec424c] 2017-06-26 17:31:56 -0400
+Branch: REL9_3_STABLE [cb59949f6] 2017-06-26 17:31:56 -0400
+Branch: REL9_2_STABLE [e96adaacd] 2017-06-26 17:31:56 -0400
+-->
+     <para>
+      Fix unnecessarily slow restarts of <application>walreceiver</>
+      processes due to race condition in postmaster (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [3bdea167e] 2017-06-18 19:12:56 -0700
+Branch: REL9_6_STABLE [810344436] 2017-06-18 19:13:15 -0700
+Branch: REL9_5_STABLE [1ba1adf77] 2017-06-18 19:13:50 -0700
+Branch: REL9_4_STABLE [a27c566c7] 2017-06-18 19:14:09 -0700
+-->
+     <para>
+      Fix leakage of small subtransactions spilled to disk during logical
+      decoding (Andres Freund)
+     </para>
+
+     <para>
+      This resulted in temporary files consuming excessive disk space.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [524dbc143] 2017-05-13 15:06:40 -0700
+Branch: REL9_6_STABLE [bd619fcfe] 2017-05-13 15:06:40 -0700
+Branch: REL9_5_STABLE [fa9207c74] 2017-05-13 15:06:40 -0700
+Branch: REL9_4_STABLE [2dca50b76] 2017-05-13 15:06:40 -0700
+-->
+     <para>
+      Reduce the work needed to build snapshots during creation of
+      logical-decoding slots (Andres Freund, Petr Jelinek)
+     </para>
+
+     <para>
+      The previous algorithm was infeasibly expensive on a server with a
+      lot of open transactions.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [955a684e0] 2017-05-13 14:21:00 -0700
+Branch: REL9_6_STABLE [75784859c] 2017-05-13 14:21:00 -0700
+Branch: REL9_5_STABLE [b64a68e36] 2017-05-13 14:21:00 -0700
+Branch: REL9_4_STABLE [79abd23db] 2017-05-13 14:21:00 -0700
+-->
+     <para>
+      Fix race condition that could indefinitely delay creation of
+      logical-decoding slots (Andres Freund, Petr Jelinek)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [50ee1c746] 2017-05-12 18:17:29 -0400
+Branch: REL9_6_STABLE [b7a98b14c] 2017-05-12 18:17:29 -0400
+Branch: REL9_5_STABLE [3569a9a73] 2017-05-12 18:17:29 -0400
+Branch: REL9_4_STABLE [64417f8d3] 2017-05-12 18:17:29 -0400
+Branch: master [8085a4f75] 2017-05-12 18:30:17 -0400
+Branch: REL9_6_STABLE [f7d0a31ce] 2017-05-12 18:30:02 -0400
+Branch: REL9_5_STABLE [8a7506e04] 2017-05-12 18:30:02 -0400
+Branch: REL9_4_STABLE [ef7a6b3c9] 2017-05-12 18:30:02 -0400
+Branch: master [2df5d4655] 2017-05-12 19:05:27 -0400
+Branch: REL9_6_STABLE [d0755dc32] 2017-05-12 19:05:28 -0400
+Branch: REL9_5_STABLE [e7955ac64] 2017-05-12 19:05:29 -0400
+Branch: REL9_4_STABLE [32900700f] 2017-05-12 19:05:30 -0400
+-->
+     <para>
+      Reduce overhead in processing syscache invalidation events (Tom Lane)
+     </para>
+
+     <para>
+      This is particularly helpful for logical decoding, which triggers
+      frequent cache invalidation.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [d8e6b84bd] 2017-06-19 15:33:41 -0400
+Branch: REL9_6_STABLE [1f184426b] 2017-06-19 15:33:41 -0400
+-->
+     <para>
+      Remove incorrect heuristic used in some cases to estimate join
+      selectivity based on the presence of foreign-key constraints
+      (David Rowley)
+     </para>
+
+     <para>
+      In some cases where a multi-column foreign key constraint existed but
+      did not exactly match a query's join structure, the planner used an
+      estimation heuristic that turns out not to work well at all.  Revert
+      such cases to the way they were estimated before 9.6.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [b1cb32fb6] 2017-07-11 16:48:59 -0400
+Branch: REL9_6_STABLE [123368061] 2017-07-11 16:48:59 -0400
+Branch: REL9_5_STABLE [56076b88d] 2017-07-11 16:48:59 -0400
+Branch: REL9_4_STABLE [a8358559e] 2017-07-11 16:48:59 -0400
+Branch: REL9_3_STABLE [521fede16] 2017-07-11 16:48:59 -0400
+Branch: REL9_2_STABLE [55204850a] 2017-07-11 16:48:59 -0400
+Branch: master [bc2d716ad] 2017-07-12 18:00:04 -0400
+Branch: REL9_6_STABLE [ff2d53722] 2017-07-12 18:00:04 -0400
+Branch: REL9_5_STABLE [2346f1c10] 2017-07-12 18:00:04 -0400
+Branch: REL9_4_STABLE [a2320b337] 2017-07-12 18:00:04 -0400
+Branch: REL9_3_STABLE [aea1a3f0e] 2017-07-12 18:00:04 -0400
+Branch: REL9_2_STABLE [75670ec37] 2017-07-12 18:00:04 -0400
+-->
+     <para>
+      Fix cases where an <command>INSERT</> or <command>UPDATE</> assigns
+      to more than one element of a column that is of domain-over-array
+      type (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [9c7dc8928] 2017-06-27 17:51:11 -0400
+Branch: REL9_6_STABLE [3a7bd59c4] 2017-06-27 17:51:11 -0400
+Branch: REL9_5_STABLE [9a2706572] 2017-06-27 17:51:11 -0400
+Branch: REL9_4_STABLE [dc777f9db] 2017-06-27 17:51:11 -0400
+Branch: REL9_3_STABLE [66dee28b4] 2017-06-27 17:51:11 -0400
+-->
+     <para>
+      Allow window functions to be used in sub-<literal>SELECT</>s that
+      are within the arguments of an aggregate function (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Robert Haas <rhaas@postgresql.org>
+Branch: master [7086be6e3] 2017-07-24 15:57:24 -0400
+Branch: REL9_6_STABLE [971faefc2] 2017-07-24 16:24:42 -0400
+-->
+     <para>
+      Ensure that a view's <literal>CHECK OPTIONS</> clause is enforced
+      properly when the underlying table is a foreign table (Etsuro Fujita)
+     </para>
+
+     <para>
+      Previously, the update might get pushed entirely to the foreign
+      server, but the need to verify the view conditions was missed if so.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [94aced8cd] 2017-05-26 15:16:59 -0400
+Branch: REL9_6_STABLE [acab87ece] 2017-05-26 15:16:59 -0400
+Branch: REL9_5_STABLE [9ded51719] 2017-05-26 15:16:59 -0400
+Branch: REL9_4_STABLE [8f62b388b] 2017-05-26 15:16:59 -0400
+Branch: REL9_3_STABLE [525780c62] 2017-05-26 15:16:59 -0400
+Branch: REL9_2_STABLE [da9165686] 2017-05-26 15:16:59 -0400
+-->
+     <para>
+      Move autogenerated array types out of the way during
+      <command>ALTER ... RENAME</> (Vik Fearing)
+     </para>
+
+     <para>
+      Previously, we would rename a conflicting autogenerated array type
+      out of the way during <command>CREATE</>; this fix extends that
+      behavior to renaming operations.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [12590c5d3] 2017-05-15 11:33:44 -0400
+Branch: REL9_6_STABLE [b35cce914] 2017-05-15 11:33:44 -0400
+Branch: REL9_5_STABLE [53a1aa9f9] 2017-05-15 11:33:45 -0400
+-->
+     <para>
+      Fix dangling pointer in <command>ALTER TABLE</> when there is a
+      comment on a constraint belonging to the table (David Rowley)
+     </para>
+
+     <para>
+      Re-applying the comment to the reconstructed constraint could fail
+      with a weird error message, or even crash.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Peter Eisentraut <peter_e@gmx.net>
+Branch: master [b37448122] 2017-08-03 20:34:45 -0400
+Branch: REL9_6_STABLE [df04db041] 2017-08-03 20:49:07 -0400
+Branch: REL9_5_STABLE [f2878a608] 2017-08-03 20:55:44 -0400
+Branch: REL9_4_STABLE [e0446d06e] 2017-08-03 21:08:39 -0400
+Branch: REL9_3_STABLE [b7d1bc820] 2017-08-03 21:29:36 -0400
+Branch: REL9_2_STABLE [22eb38caa] 2017-08-03 21:42:46 -0400
+-->
+     <para>
+      Ensure that <command>ALTER USER ... SET</> accepts all the syntax
+      variants that <command>ALTER ROLE ... SET</> does (Peter Eisentraut)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Robert Haas <rhaas@postgresql.org>
+Branch: master [86705aa8c] 2017-08-03 13:24:48 -0400
+Branch: REL9_6_STABLE [1f220c390] 2017-08-03 13:25:32 -0400
+-->
+     <para>
+      Allow a foreign table's <literal>CHECK</> constraints to be
+      initially <literal>NOT VALID</> (Amit Langote)
+     </para>
+
+     <para>
+      <command>CREATE TABLE</> silently drops <literal>NOT VALID</>
+      specifiers for <literal>CHECK</> constraints, reasoning that the
+      table must be empty so the constraint can be validated immediately.
+      But this is wrong for <command>CREATE FOREIGN TABLE</>, where there's
+      no reason to suppose that the underlying table is empty, and even if
+      it is it's no business of ours to decide that the constraint can be
+      treated as valid going forward.  Skip this <quote>optimization</> for
+      foreign tables.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Branch: master [30681c830] 2017-06-16 11:33:12 +0300
+Branch: REL9_6_STABLE [a9a5eb32b] 2017-06-16 11:39:45 +0300
+Branch: REL9_5_STABLE [501e6f8b7] 2017-06-16 11:44:00 +0300
+Branch: REL9_4_STABLE [6338b50b9] 2017-06-16 11:46:15 +0300
+Branch: REL9_3_STABLE [b47e2f7a9] 2017-06-16 11:46:11 +0300
+Branch: REL9_2_STABLE [ac93a78b0] 2017-06-16 11:46:26 +0300
+-->
+     <para>
+      Properly update dependency info when changing a datatype I/O
+      function's argument or return type from <type>opaque</> to the
+      correct type (Heikki Linnakangas)
+     </para>
+
+     <para>
+      <command>CREATE TYPE</> updates I/O functions declared in this
+      long-obsolete style, but it forgot to record a dependency on the
+      type, allowing a subsequent <command>DROP TYPE</> to leave broken
+      function definitions behind.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [34aebcf42] 2017-06-02 19:11:15 -0700
+Branch: REL9_6_STABLE [8a7cd781e] 2017-06-02 19:11:23 -0700
+-->
+     <para>
+      Allow parallelism in the query plan when <command>COPY</> copies from
+      a query's result (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Branch: master [da11977de] 2017-07-12 22:06:13 +0300
+Branch: REL9_6_STABLE [bbeec3c74] 2017-07-12 22:06:10 +0300
+Branch: REL9_5_STABLE [209970ded] 2017-07-12 22:03:58 +0300
+Branch: REL9_4_STABLE [852902822] 2017-07-12 22:04:03 +0300
+Branch: REL9_3_STABLE [11854dee0] 2017-07-12 22:04:08 +0300
+Branch: REL9_2_STABLE [40ba61b44] 2017-07-12 22:04:15 +0300
+-->
+     <para>
+      Reduce memory usage when <command>ANALYZE</> processes
+      a <type>tsvector</> column (Heikki Linnakangas)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [d761fe218] 2017-05-21 13:05:16 -0400
+Branch: REL9_6_STABLE [c101d83a3] 2017-05-21 13:05:17 -0400
+Branch: REL9_5_STABLE [5032f704e] 2017-05-21 13:05:17 -0400
+Branch: REL9_4_STABLE [83f4e8f71] 2017-05-21 13:05:17 -0400
+Branch: REL9_3_STABLE [b3c536bce] 2017-05-21 13:05:17 -0400
+Branch: REL9_2_STABLE [798d2321e] 2017-05-21 13:05:17 -0400
+-->
+     <para>
+      Fix unnecessary precision loss and sloppy rounding when multiplying
+      or dividing <type>money</> values by integers or floats (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [9ae2661fe] 2017-05-24 15:28:34 -0400
+Branch: REL9_6_STABLE [8527132e5] 2017-05-24 15:28:34 -0400
+Branch: REL9_5_STABLE [2c5e3fab3] 2017-05-24 15:28:35 -0400
+Branch: REL9_4_STABLE [a3043d363] 2017-05-24 15:28:35 -0400
+Branch: REL9_3_STABLE [971a158e6] 2017-05-24 15:28:35 -0400
+Branch: REL9_2_STABLE [a047270d5] 2017-05-24 15:28:35 -0400
+-->
+     <para>
+      Tighten checks for whitespace in functions that parse identifiers,
+      such as <function>regprocedurein()</> (Tom Lane)
+     </para>
+
+     <para>
+      Depending on the prevailing locale, these functions could
+      misinterpret fragments of multibyte characters as whitespace.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [bebe174bb] 2017-07-28 12:25:43 -0400
+Branch: REL9_6_STABLE [30a5c8bfb] 2017-07-31 12:10:36 -0400
+Branch: REL9_5_STABLE [99eea89db] 2017-07-31 12:10:36 -0400
+Branch: REL9_4_STABLE [d48180ec8] 2017-07-31 12:10:36 -0400
+Branch: REL9_3_STABLE [b92f17277] 2017-07-31 12:10:36 -0400
+Branch: REL9_2_STABLE [b4b958251] 2017-07-31 12:10:36 -0400
+Branch: master [3c163a7fc] 2017-07-28 14:25:28 -0400
+Branch: REL9_6_STABLE [1e58c503e] 2017-07-31 12:38:35 -0400
+Branch: REL9_5_STABLE [df52739ce] 2017-07-31 12:38:35 -0400
+Branch: REL9_4_STABLE [9cbdc6894] 2017-07-31 12:38:35 -0400
+Branch: REL9_3_STABLE [0d8f015e7] 2017-07-31 12:38:35 -0400
+Branch: REL9_2_STABLE [456c7dff2] 2017-07-31 12:38:35 -0400
+-->
+     <para>
+      Use relevant <literal>#define</> symbols from Perl while
+      compiling <application>PL/Perl</> (Ashutosh Sharma, Tom Lane)
+     </para>
+
+     <para>
+      This avoids portability problems, typically manifesting as
+      a <quote>handshake</> mismatch during library load, when working with
+      recent Perl versions.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Branch: master [e6c33d594] 2017-06-07 14:01:46 +0300
+Branch: REL9_6_STABLE [f44c609ea] 2017-06-07 14:04:54 +0300
+Branch: REL9_5_STABLE [739cb7f8b] 2017-06-07 14:03:27 +0300
+Branch: REL9_4_STABLE [1fe1fc449] 2017-06-07 14:04:49 +0300
+Branch: REL9_3_STABLE [f2fa0c651] 2017-06-07 14:04:44 +0300
+-->
+     <para>
+      In <application>libpq</>, reset GSS/SASL and SSPI authentication
+      state properly after a failed connection attempt (Michael Paquier)
+     </para>
+
+     <para>
+      Failure to do this meant that when falling back from SSL to non-SSL
+      connections, a GSS/SASL failure in the SSL attempt would always cause
+      the non-SSL attempt to fail.  SSPI did not fail, but it leaked memory.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [9485516ea] 2017-05-17 12:24:19 -0400
+Branch: REL9_6_STABLE [bee9e8698] 2017-05-17 12:24:19 -0400
+Branch: REL9_5_STABLE [49dfbb53c] 2017-05-17 12:24:19 -0400
+Branch: REL9_4_STABLE [ff0e30512] 2017-05-17 12:24:19 -0400
+Branch: REL9_3_STABLE [6bc710f6d] 2017-05-17 12:24:19 -0400
+Branch: REL9_2_STABLE [07477130e] 2017-05-17 12:24:19 -0400
+-->
+     <para>
+      In <application>psql</>, fix failure when <command>COPY FROM STDIN</>
+      is ended with a keyboard EOF signal and then another <command>COPY
+      FROM STDIN</> is attempted (Thomas Munro)
+     </para>
+
+     <para>
+      This misbehavior was observed on BSD-derived platforms (including
+      macOS), but not on most others.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [3eb9a5e7c] 2017-08-03 17:36:39 -0400
+Branch: REL9_6_STABLE [3d7632829] 2017-08-03 17:36:41 -0400
+Branch: REL9_5_STABLE [65048cf23] 2017-08-03 17:36:42 -0400
+Branch: REL9_4_STABLE [b93217653] 2017-08-03 17:36:43 -0400
+Branch: REL9_3_STABLE [035bb8222] 2017-08-03 17:36:23 -0400
+-->
+     <para>
+      Fix <application>pg_dump</> and <application>pg_restore</> to
+      emit <command>REFRESH MATERIALIZED VIEW</> commands last (Tom Lane)
+     </para>
+
+     <para>
+      This prevents errors during dump/restore when a materialized view
+      refers to tables owned by a different user.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
+Branch: master [4d57e8381] 2017-08-02 18:26:59 -0400
+Branch: REL9_6_STABLE [060393f2a] 2017-08-02 18:26:58 -0400
+Branch: REL9_5_STABLE [f3142c027] 2017-08-02 18:26:58 -0400
+Branch: REL9_4_STABLE [330e68734] 2017-08-02 18:26:57 -0400
+Branch: master [9a3b5d3ad] 2017-08-03 14:54:28 -0400
+Branch: REL9_6_STABLE [611840074] 2017-08-03 14:55:18 -0400
+Branch: REL9_5_STABLE [12f1e523a] 2017-08-03 14:55:17 -0400
+Branch: REL9_4_STABLE [69ad12b58] 2017-08-03 14:55:17 -0400
+-->
+     <para>
+      Improve <application>pg_dump</>/<application>pg_restore</>'s
+      reporting of error conditions originating in <application>zlib</>
+      (Vladimir Kunschikov, &Aacute;lvaro Herrera)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [93f039b49] 2017-07-22 20:20:09 -0400
+Branch: REL9_6_STABLE [82ebda7ff] 2017-07-22 20:20:09 -0400
+Branch: REL9_5_STABLE [7debd9f79] 2017-07-22 20:20:09 -0400
+Branch: REL9_4_STABLE [502ead3d6] 2017-07-22 20:20:10 -0400
+Branch: REL9_3_STABLE [68a22bc69] 2017-07-22 20:20:10 -0400
+-->
+     <para>
+      Fix <application>pg_dump</> with the <option>--clean</> option to
+      drop event triggers as expected (Tom Lane)
+     </para>
+
+     <para>
+      It also now correctly assigns ownership of event triggers; before,
+      they were restored as being owned by the superuser running the
+      restore script.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Stephen Frost <sfrost@snowman.net>
+Branch: master [4500edc7e] 2017-06-28 10:33:57 -0400
+Branch: REL9_6_STABLE [a2de017b3] 2017-06-28 10:34:01 -0400
+-->
+     <para>
+      Fix <application>pg_dump</> with the <option>--clean</> option to not
+      fail when the <literal>public</> schema doesn't exist (Stephen Frost)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [0461b66e3] 2017-05-26 12:51:05 -0400
+Branch: REL9_6_STABLE [5886c7d58] 2017-05-26 12:51:05 -0400
+Branch: REL9_5_STABLE [41c4eb5ec] 2017-05-26 12:51:05 -0400
+Branch: REL9_4_STABLE [1cfc9dc75] 2017-05-26 12:51:05 -0400
+Branch: REL9_3_STABLE [a561254e4] 2017-05-26 12:51:05 -0400
+Branch: REL9_2_STABLE [f62e1eff5] 2017-05-26 12:51:06 -0400
+-->
+     <para>
+      Fix <application>pg_dump</> to not emit invalid SQL for an empty
+      operator class (Daniel Gustafsson)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [bd61d5a19] 2017-06-19 11:02:45 -0400
+Branch: REL9_6_STABLE [3ef40dcec] 2017-06-19 11:03:02 -0400
+Branch: REL9_5_STABLE [4fc274dd8] 2017-06-19 11:03:07 -0400
+Branch: REL9_4_STABLE [d063f972d] 2017-06-19 11:03:11 -0400
+Branch: REL9_3_STABLE [2943c04f7] 2017-06-19 11:03:16 -0400
+Branch: REL9_2_STABLE [c10cbf77a] 2017-06-19 11:03:21 -0400
+-->
+     <para>
+      Fix <application>pg_dump</> output to stdout on Windows (Kuntal Ghosh)
+     </para>
+
+     <para>
+      A compressed plain-text dump written to stdout would contain corrupt
+      data due to failure to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [b4af9e3f3] 2017-07-24 15:16:31 -0400
+Branch: REL9_6_STABLE [3a07ba128] 2017-07-24 15:16:31 -0400
+Branch: REL9_5_STABLE [f579580be] 2017-07-24 15:16:31 -0400
+Branch: REL9_4_STABLE [f0f255a34] 2017-07-24 15:16:31 -0400
+Branch: REL9_3_STABLE [b6d640047] 2017-07-24 15:16:31 -0400
+Branch: REL9_2_STABLE [d9874fde8] 2017-07-24 15:16:31 -0400
+-->
+     <para>
+      Fix <function>pg_get_ruledef()</> to print correct output for
+      the <literal>ON SELECT</> rule of a view whose columns have been
+      renamed (Tom Lane)
+     </para>
+
+     <para>
+      In some corner cases, <application>pg_dump</> relies
+      on <function>pg_get_ruledef()</> to dump views, so that this error
+      could result in dump/reload failures.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [eb145fdfe] 2017-07-20 11:29:36 -0400
+Branch: REL9_6_STABLE [41ada8377] 2017-07-20 11:29:36 -0400
+Branch: REL9_5_STABLE [c2bbec9f2] 2017-07-20 11:29:36 -0400
+Branch: REL9_4_STABLE [6ab4a1136] 2017-07-20 11:29:36 -0400
+Branch: REL9_3_STABLE [e947838ae] 2017-07-20 11:29:36 -0400
+-->
+     <para>
+      Fix dumping of outer joins with empty constraints, such as the result
+      of a <literal>NATURAL LEFT JOIN</> with no common columns (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [a3ca72ae9] 2017-07-13 19:25:03 -0400
+Branch: REL9_6_STABLE [3b0c2dbed] 2017-07-13 19:24:44 -0400
+Branch: REL9_5_STABLE [3fbebd781] 2017-07-13 19:24:44 -0400
+Branch: REL9_4_STABLE [26d867875] 2017-07-13 19:24:44 -0400
+Branch: REL9_3_STABLE [0ecc407d9] 2017-07-13 19:24:44 -0400
+Branch: REL9_2_STABLE [bccfb1776] 2017-07-13 19:24:44 -0400
+-->
+     <para>
+      Fix dumping of function expressions in the <literal>FROM</> clause in
+      cases where the expression does not deparse into something that looks
+      like a function call (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Branch: master [8046465c2] 2017-07-14 16:02:53 +0300
+Branch: REL9_6_STABLE [cedd25ae8] 2017-07-14 16:03:05 +0300
+Branch: REL9_5_STABLE [f20d58a6f] 2017-07-14 16:03:12 +0300
+Branch: REL9_4_STABLE [240299806] 2017-07-14 16:03:16 +0300
+Branch: REL9_3_STABLE [f3633689f] 2017-07-14 16:03:23 +0300
+Branch: REL9_2_STABLE [4b994a96c] 2017-07-14 16:03:27 +0300
+-->
+     <para>
+      Fix <application>pg_basebackup</> output to stdout on Windows
+      (Haribabu Kommi)
+     </para>
+
+     <para>
+      A backup written to stdout would contain corrupt data due to failure
+      to put the file descriptor into binary mode.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Robert Haas <rhaas@postgresql.org>
+Branch: master [a46fe6e8b] 2017-07-21 14:25:36 -0400
+Branch: REL9_6_STABLE [73fbf3d3d] 2017-07-21 22:04:55 -0400
+Branch: REL9_5_STABLE [ed367be64] 2017-07-21 22:05:07 -0400
+-->
+     <para>
+      Fix <application>pg_rewind</> to correctly handle files exceeding 2GB
+      (Kuntal Ghosh, Michael Paquier)
+     </para>
+
+     <para>
+      Ordinarily such files won't appear in <productname>PostgreSQL</> data
+      directories, but they could be present in some cases.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Bruce Momjian <bruce@momjian.us>
+Branch: master [b710248dd] 2017-06-20 13:20:10 -0400
+Branch: REL9_6_STABLE [0efdbd323] 2017-06-20 13:20:02 -0400
+Branch: REL9_5_STABLE [f4f867bda] 2017-06-20 13:20:02 -0400
+Branch: REL9_4_STABLE [a0e854881] 2017-06-20 13:20:02 -0400
+Branch: REL9_3_STABLE [5c890645d] 2017-06-20 13:20:02 -0400
+Branch: REL9_2_STABLE [65beccae5] 2017-06-20 13:20:02 -0400
+-->
+     <para>
+      Fix <application>pg_upgrade</> to ensure that the ending WAL record
+      does not have <xref linkend="guc-wal-level"> = <literal>minimum</>
+      (Bruce Momjian)
+     </para>
+
+     <para>
+      This condition could prevent upgraded standby servers from
+      reconnecting.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [c25ed2006] 2017-06-05 16:10:07 -0700
+Branch: REL9_6_STABLE [d3ca4b4b4] 2017-06-05 16:10:07 -0700
+Branch: REL9_5_STABLE [25653c171] 2017-06-05 16:10:07 -0700
+-->
+     <para>
+      Fix <application>pg_xlogdump</>'s computation of WAL record length
+      (Andres Freund)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [8bf58c0d9] 2017-07-21 12:51:38 -0400
+Branch: REL9_6_STABLE [d86a2b7b5] 2017-07-21 12:51:38 -0400
+Branch: REL9_5_STABLE [72318eaed] 2017-07-21 12:51:38 -0400
+Branch: REL9_4_STABLE [cb2b1cac0] 2017-07-21 12:51:38 -0400
+Branch: REL9_3_STABLE [69711415e] 2017-07-21 12:51:38 -0400
+Branch: master [88f48b57f] 2017-07-21 14:20:43 -0400
+Branch: REL9_6_STABLE [0d503dd1f] 2017-07-21 14:20:43 -0400
+Branch: REL9_5_STABLE [90877d28e] 2017-07-21 14:20:43 -0400
+Branch: REL9_4_STABLE [a648fc70a] 2017-07-21 14:20:43 -0400
+Branch: REL9_3_STABLE [6d9de660d] 2017-07-21 14:20:43 -0400
+-->
+     <para>
+      In <filename>postgres_fdw</>, re-establish connections to remote
+      servers after <command>ALTER SERVER</> or <command>ALTER USER
+      MAPPING</> commands (Kyotaro Horiguchi)
+     </para>
+
+     <para>
+      This ensures that option changes affecting connection parameters will
+      be applied promptly.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Robert Haas <rhaas@postgresql.org>
+Branch: master [ae9bfc5d6] 2017-06-07 15:14:55 -0400
+Branch: REL9_6_STABLE [fd849956c] 2017-06-07 15:24:22 -0400
+Branch: REL9_5_STABLE [b7665f079] 2017-06-07 15:33:32 -0400
+Branch: REL9_4_STABLE [c02c450cf] 2017-06-07 15:40:35 -0400
+Branch: REL9_3_STABLE [fc267a0c3] 2017-06-07 15:41:05 -0400
+-->
+     <para>
+      In <filename>postgres_fdw</>, allow cancellation of remote
+      transaction control commands (Robert Haas, Rafia Sabih)
+     </para>
+
+     <para>
+      This change allows us to quickly escape a wait for an unresponsive
+      remote server in many more cases than previously.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [596a7c8df] 2017-05-11 14:51:21 -0400
+Branch: REL9_6_STABLE [128e133cc] 2017-05-11 14:51:33 -0400
+Branch: REL9_5_STABLE [6f2fe2468] 2017-05-11 14:51:38 -0400
+Branch: REL9_4_STABLE [5c633f76b] 2017-05-11 14:51:46 -0400
+-->
+     <para>
+      Increase <literal>MAX_SYSCACHE_CALLBACKS</> to provide more room for
+      extensions (Tom Lane)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [e9a3c047a] 2017-06-01 13:32:55 -0400
+Branch: REL9_6_STABLE [8d9b4fe01] 2017-06-01 13:32:56 -0400
+Branch: REL9_5_STABLE [68938ab8e] 2017-06-01 13:32:56 -0400
+Branch: REL9_4_STABLE [894ce0e97] 2017-06-01 13:32:56 -0400
+Branch: REL9_3_STABLE [cee7238de] 2017-06-01 13:32:56 -0400
+Branch: REL9_2_STABLE [a378b9bc2] 2017-06-01 13:32:56 -0400
+-->
+     <para>
+      Always use <option>-fPIC</>, not <option>-fpic</>, when building
+      shared libraries with gcc (Tom Lane)
+     </para>
+
+     <para>
+      This supports larger extension libraries on platforms where it makes
+      a difference.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andrew Dunstan <andrew@dunslane.net>
+Branch: master [614350a3a] 2017-06-05 14:24:42 -0400
+Branch: REL9_6_STABLE [b64ff9c5a] 2017-06-05 14:27:59 -0400
+Branch: REL9_5_STABLE [0fde390f6] 2017-06-05 14:28:13 -0400
+Branch: REL9_4_STABLE [307fc49d5] 2017-06-05 14:28:26 -0400
+Branch: REL9_3_STABLE [fe39a086d] 2017-06-05 14:28:44 -0400
+Branch: REL9_2_STABLE [545dc4d21] 2017-06-05 14:29:00 -0400
+Branch: master [2e02136fe] 2017-06-05 20:38:46 -0400
+Branch: REL9_6_STABLE [ec504aff7] 2017-06-05 20:39:53 -0400
+Branch: REL9_5_STABLE [b2482ab83] 2017-06-05 20:40:11 -0400
+Branch: REL9_4_STABLE [6da999635] 2017-06-05 20:40:27 -0400
+Branch: REL9_3_STABLE [da30fa603] 2017-06-05 20:40:47 -0400
+Branch: REL9_2_STABLE [f964a7c5a] 2017-06-05 20:41:01 -0400
+-->
+     <para>
+      In MSVC builds, handle the case where the <application>openssl</>
+      library is not within a <filename>VC</> subdirectory (Andrew Dunstan)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andrew Dunstan <andrew@dunslane.net>
+Branch: master [b757e01f6] 2017-05-12 10:21:13 -0400
+Branch: REL9_6_STABLE [69ce3ead1] 2017-05-12 10:22:20 -0400
+Branch: REL9_5_STABLE [8ec82ee6a] 2017-05-12 10:23:39 -0400
+Branch: REL9_4_STABLE [616dd9978] 2017-05-12 10:24:00 -0400
+Branch: REL9_3_STABLE [2c7d2114b] 2017-05-12 10:24:16 -0400
+Branch: REL9_2_STABLE [614f83c12] 2017-05-12 10:24:36 -0400
+-->
+     <para>
+      In MSVC builds, add proper include path for <application>libxml2</>
+      header files (Andrew Dunstan)
+     </para>
+
+     <para>
+      This fixes a former need to move things around in standard Windows
+      installations of <application>libxml2</>.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Noah Misch <noah@leadboat.com>
+Branch: master [71ad8000d] 2017-07-23 23:53:27 -0700
+Branch: REL9_6_STABLE [bcc2c3b45] 2017-07-23 23:53:37 -0700
+Branch: REL9_5_STABLE [bef96e57e] 2017-07-23 23:53:41 -0700
+Branch: REL9_4_STABLE [0328bd1ef] 2017-07-23 23:53:46 -0700
+Branch: REL9_3_STABLE [9842c1b55] 2017-07-23 23:53:51 -0700
+Branch: REL9_2_STABLE [4885e5c88] 2017-07-23 23:53:55 -0700
+-->
+     <para>
+      In MSVC builds, recognize a Tcl library that is
+      named <filename>tcl86.lib</> (Noah Misch)
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
+Author: Andrew Dunstan <andrew@dunslane.net>
+Branch: master [56b6ef893] 2017-05-12 11:11:49 -0400
+Branch: REL9_6_STABLE [cb701af78] 2017-05-12 11:21:20 -0400
+Branch: REL9_5_STABLE [054a897c4] 2017-05-12 11:26:40 -0400
+Branch: REL9_4_STABLE [d39d968f5] 2017-05-12 11:27:56 -0400
+Branch: master [93b7d9731] 2017-06-10 10:19:06 -0400
+Branch: REL9_6_STABLE [3c017a545] 2017-06-10 10:22:14 -0400
+Branch: REL9_5_STABLE [11aa362c8] 2017-06-10 10:23:21 -0400
+Branch: REL9_4_STABLE [6b2a0b475] 2017-06-10 10:23:43 -0400
+Branch: master [fd2487e49] 2017-07-16 11:24:29 -0400
+Branch: REL9_6_STABLE [b4a1d69ed] 2017-07-16 11:27:00 -0400
+Branch: REL9_5_STABLE [7eb4124da] 2017-07-16 11:27:07 -0400
+Branch: REL9_4_STABLE [9c3f502b4] 2017-07-16 11:27:15 -0400
+-->
+     <para>
+      In MSVC builds, honor <literal>PROVE_FLAGS</> settings
+      on <filename>vcregress.pl</>'s command line (Andrew Dunstan)
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-9-6-3">
+  <title>Release 9.6.3</title>
+
+  <formalpara>
+  <title>Release date:</title>
+  <para>2017-05-11</para>
+  </formalpara>
+
+  <para>
+   This release contains a variety of fixes from 9.6.2.
+   For information about new features in the 9.6 major release, see
+   <xref linkend="release-9-6">.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 9.6.3</title>
+
+   <para>
+    A dump/restore is not required for those running 9.6.X.
+   </para>
+
+   <para>
+    However, if you use foreign data servers that make use of user
+    passwords for authentication, see the first changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are using third-party replication tools that depend
+    on <quote>logical decoding</>, see the fourth changelog entry below.
+   </para>
+
+   <para>
+    Also, if you are upgrading from a version earlier than 9.6.2,
+    see <xref linkend="release-9-6-2">.
+   </para>
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+<!--
+Author: Noah Misch <noah@leadboat.com>
+Branch: master [3eefc5105] 2017-05-08 07:24:24 -0700
+Branch: REL9_6_STABLE [c928addfc] 2017-05-08 07:24:27 -0700
+Branch: REL9_5_STABLE [db2158108] 2017-05-08 07:24:27 -0700
+Branch: REL9_4_STABLE [b2423f0fa] 2017-05-08 07:24:27 -0700
+Branch: REL9_3_STABLE [b5b124046] 2017-05-08 07:24:28 -0700
+Branch: REL9_2_STABLE [99cbb0bd9] 2017-05-08 07:24:28 -0700
+-->
+     <para>
+      Restrict visibility
+      of <structname>pg_user_mappings</>.<structfield>umoptions</>, to
+      protect passwords stored as user mapping options
+      (Michael Paquier, Feike Steenbergen)
+     </para>
+
+     <para>
+      The previous coding allowed the owner of a foreign server object,
+      or anyone he has granted server <literal>USAGE</> permission to,
+      to see the options for all user mappings associated with that server.
+      This might well include passwords for other users.
+      Adjust the view definition to match the behavior of
+      <structname>information_schema.user_mapping_options</>, namely that
+      these options are visible to the user being mapped, or if the mapping
+      is for <literal>PUBLIC</literal> and the current user is the server
+      owner, or if the current user is a superuser.
+      (CVE-2017-7486)
+     </para>
+
+     <para>
+      By itself, this patch will only fix the behavior in newly initdb'd
+      databases.  If you wish to apply this change in an existing database,
+      follow the corrected procedure shown in the changelog entry for
+      CVE-2017-7547, in <xref linkend="release-9-6-4">.
+     </para>
+    </listitem>
+
+    <listitem>
+<!--
 Author: Peter Eisentraut <peter_e@gmx.net>
 Branch: master [e2d4ef8de] 2017-05-08 09:26:32 -0400
 Branch: REL9_6_STABLE [c33c42362] 2017-05-08 09:18:57 -0400