2017-08-10 This release contains a variety of fixes from 9.2.21. For information about new features in the 9.2 major release, see . The PostgreSQL community will stop releasing updates for the 9.2.X release series in September 2017. Users are encouraged to update to a newer release branch soon. A dump/restore is not required for those running 9.2.X. However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below. Also, if you are upgrading from a version earlier than 9.2.20, see . Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch) The fix for CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. (CVE-2017-7547) By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following: Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.) In each database of the cluster, run the following commands as superuser: SET search_path = pg_catalog; CREATE OR REPLACE VIEW pg_user_mappings AS SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser, CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename, CASE WHEN (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role(S.srvowner, 'USAGE') OR has_server_privilege(S.oid, 'USAGE'))) OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE')) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) THEN U.umoptions ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid); Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; and then after fixing template0, undo that with ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; In prior versions, instead use UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; UPDATE pg_database SET datallowconn = false WHERE datname = 'template0'; Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster. Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas) libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. (CVE-2017-7546) On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila) This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products. Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane) Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier) Prevent sending SSL session tickets to clients (Tom Lane) This fix prevents reconnection failures with ticket-aware client-side SSL code. Fix code for setting on Solaris (Tom Lane) Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane) Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored. Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane) This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that. Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund) Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund) Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane) Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane) Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing) Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations. Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut) Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas) CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind. Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas) Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane) Tighten checks for whitespace in functions that parse identifiers, such as regprocedurein() (Tom Lane) Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace. Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane) This avoids portability problems, typically manifesting as a handshake mismatch during library load, when working with recent Perl versions. In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro) This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others. Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson) Fix pg_dump output to stdout on Windows (Kuntal Ghosh) A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode. Fix pg_get_ruledef() to print correct output for the ON SELECT rule of a view whose columns have been renamed (Tom Lane) In some corner cases, pg_dump relies on pg_get_ruledef() to dump views, so that this error could result in dump/reload failures. Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane) Fix pg_basebackup output to stdout on Windows (Haribabu Kommi) A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode. Fix pg_upgrade to ensure that the ending WAL record does not have = minimum (Bruce Momjian) This condition could prevent upgraded standby servers from reconnecting. Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane) This supports larger extension libraries on platforms where it makes a difference. Fix unescaped-braces issue in our build scripts for Microsoft MSVC, to avoid a warning or error from recent Perl versions (Andrew Dunstan) In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan) In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan) This fixes a former need to move things around in standard Windows installations of libxml2. In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch) 2017-05-11 This release contains a variety of fixes from 9.2.20. For information about new features in the 9.2 major release, see . The PostgreSQL community will stop releasing updates for the 9.2.X release series in September 2017. Users are encouraged to update to a newer release branch soon. A dump/restore is not required for those running 9.2.X. However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below. Also, if you are upgrading from a version earlier than 9.2.20, see . Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen) The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. (CVE-2017-7486) By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry for CVE-2017-7547, in . Prevent exposure of statistical information via leaky operators (Peter Eisentraut) Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. (CVE-2017-7484) Fix possible corruption of init forks of unlogged indexes (Robert Haas, Michael Paquier) This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt. Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane) In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction. Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane) Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME. Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch) The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is. Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote) This fix prevents unwanted constraint does not exist failures when no matching constraint is present in the child tables. Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth) This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices. Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro) Fix cursor_to_xml() to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut) Previously it failed to produce a wrapping <table> element. Improve performance of pg_timezone_names view (Tom Lane, David Rowley) Fix sloppy handling of corner-case errors from lseek() and close() (Tom Lane) Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused. Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier) This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all. Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada) Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes) In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane) In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object. Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane) Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes. Fix pg_upgrade to transfer comments and security labels attached to large objects (blobs) (Stephen Frost) Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost. Improve error handling in contrib/adminpack's pg_file_write() function (Noah Misch) Notably, it failed to detect errors reported by fclose(). In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway) Support OpenSSL 1.1.0 (Heikki Linnakangas, Andreas Karlsson, Tom Lane) This is a back-patch of work previously done in newer branches; it's needed since many platforms are adopting newer OpenSSL versions. Support Tcl 8.6 in MSVC builds (Álvaro Herrera) Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane) This fixes a bug affecting some DST transitions in January 2038. Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries. The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output. Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley) The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see ). Note that due to caching, you may need to restart the server to get such changes to take effect. 2017-02-09 This release contains a variety of fixes from 9.2.19. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if your installation has been affected by the bug described in the first changelog entry below, then after updating you may need to take action to repair corrupted indexes. Also, if you are upgrading from a version earlier than 9.2.11, see . Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane) If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update. Unconditionally WAL-log creation of the init fork for an unlogged table (Michael Paquier) Previously, this was skipped when = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash. Fix WAL page header validation when re-reading segments (Takayuki Tsunakawa, Amit Kapila) In corner cases, a spurious out-of-sequence TLI error could be reported during recovery. If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa) Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs) Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar) This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers. Fix check for when an extension member object can be dropped (Tom Lane) Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases. Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier) Previously, non-default settings of could result in broken indexes. Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane) This avoids could not find trigger NNN or relation NNN has no triggers errors. Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote) The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes. Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro) When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction. Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane) This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit. Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane) Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"..."). Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan) Such matches were found by GIN index searches, but not by sequential scans or GiST index searches. Prevent crash when ts_rewrite() replaces a non-top-level subtree with an empty query (Artur Zakirov) Fix performance problems in ts_rewrite() (Tom Lane) Fix ts_rewrite()'s handling of nested NOT operators (Tom Lane) Fix array_fill() to handle empty arrays properly (Tom Lane) Fix one-byte buffer overrun in quote_literal_cstr() (Heikki Linnakangas) The overrun occurred only if the input consisted entirely of single quotes and/or backslashes. Prevent multiple calls of pg_start_backup() and pg_stop_backup() from running concurrently (Michael Paquier) This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel. Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane) In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field. Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost) Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas) Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane) This avoids failures if the objects are used after a Python garbage collection cycle has occurred. Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane) This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that. Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing) This change simplifies use of the same password file across Unix and Windows machines. Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa) Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost) In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning no pager (Tom Lane) Previously, such a setting caused output intended for the pager to vanish entirely. Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway) On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich) Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane) This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links. Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga. 2016-10-27 This release contains a variety of fixes from 9.2.18. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Fix EvalPlanQual rechecks involving CTE scans (Tom Lane) The recheck would always see the CTE as returning no rows, typically leading to failure to update rows that were recently updated. Fix improper repetition of previous results from hashed aggregation in a subquery (Andrew Gierth) The test to see if we can reuse a previously-computed hash table of the aggregate state values neglected the possibility of an outer query reference appearing in an aggregate argument expression. A change in the value of such a reference should lead to recalculating the hash table, but did not. Fix EXPLAIN to emit valid XML when is on (Markus Winand) Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>. Suppress printing of zeroes for unmeasured times in EXPLAIN (Maksim Milyutin) Certain option combinations resulted in printing zero values for times that actually aren't ever measured in that combination. Our general policy in EXPLAIN is not to print such fields at all, so do that consistently in all cases. Fix timeout length when VACUUM is waiting for exclusive table lock so that it can truncate the table (Simon Riggs) The timeout was meant to be 50 milliseconds, but it was actually only 50 microseconds, causing VACUUM to give up on truncation much more easily than intended. Set it to the intended value. Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote) Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint. Remove artificial restrictions on the values accepted by numeric_in() and numeric_recv() (Tom Lane) We allow numeric values up to the limit of the storage format (more than 1e100000), so it seems fairly pointless that numeric_in() rejected scientific-notation exponents above 1000. Likewise, it was silly for numeric_recv() to reject more than 1000 digits in an input value. Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane) Fix file descriptor leakage when truncating a temporary relation of more than 1GB (Andres Freund) Disallow starting a standalone backend with standby_mode turned on (Michael Paquier) This can't do anything useful, since there will be no WAL receiver process to fetch more WAL data; and it could result in misbehavior in code that wasn't designed with this situation in mind. Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas) This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections. Avoid corner-case memory leak in libpq (Tom Lane) The reported problem involved leaking an error report during PQreset(), but there might be related cases. Make ecpg's --help and --version options work consistently with our other executables (Haribabu Kommi) In pg_dump, never dump range constructor functions (Tom Lane) This oversight led to pg_upgrade failures with extensions containing range types, due to duplicate creation of the constructor functions. Fix contrib/intarray/bench/bench.pl to print the results of the EXPLAIN it does when given the -e option (Daniel Gustafsson) Update Windows time zone mapping to recognize some time zone names added in recent Windows versions (Michael Paquier) Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane) If a dynamic time zone abbreviation does not match any entry in the referenced time zone, treat it as equivalent to the time zone name. This avoids unexpected failures when IANA removes abbreviations from their time zone database, as they did in tzdata release 2016f and seem likely to do again in the future. The consequences were not limited to not recognizing the individual abbreviation; any mismatch caused the pg_timezone_abbrevs view to fail altogether. Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka. The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output. In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4. 2016-08-11 This release contains a variety of fixes from 9.2.17. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane) A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423) Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier) Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout. Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation. Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts. pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet. These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424) Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane) The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW(NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW(NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly. Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane) Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates (Tom Lane) Make it return NULL instead of crashing. Fix several one-byte buffer over-reads in to_number() (Peter Eisentraut) In several cases the to_number() function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory. Avoid unsafe intermediate state during expensive paths through heap_update() (Masahiko Sawada, Andres Freund) Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed. Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier) Avoid consuming a transaction ID during VACUUM (Alexander Korotkov) Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing. Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Álvaro Herrera) VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers. When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane) If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns. Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane) The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries. Prevent autovacuum from starting multiple workers for the same shared catalog (Álvaro Herrera) Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables. Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane) Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut) Teach libpq to correctly decode server version from future servers (Peter Eisentraut) It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that PQserverVersion() returns the correct value for such cases. Fix ecpg's code for unsigned long long array elements (Michael Meskes) In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane) Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao) Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch) Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi) Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane) Change some test data that triggered the unusual sorting rules of these locales. Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane) This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones. Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco. 2016-05-12 This release contains a variety of fixes from 9.2.16. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut) This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection. Fix failed to build any N-way joins planner error with a full join enclosed in the right-hand side of a left join (Tom Lane) Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane) Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time. Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane) These could advance off the end of the input string, causing subsequent format codes to read garbage. Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane) Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane) This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines. Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane) In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore. Back-port 9.4-era memory-barrier code changes into 9.2 and 9.3 (Tom Lane) These changes were not originally needed in pre-9.4 branches, but we recently back-patched a fix that expected the barrier code to work properly. Only IA64 (when using icc), HPPA, and Alpha platforms are affected. Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane) Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro) Fix reporting of errors from bind() and listen() system calls on Windows (Tom Lane) Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich) Avoid possibly-unsafe use of Windows' FormatMessage() function (Christian Ullrich) Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful. Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions. 2016-03-31 This release contains a variety of fixes from 9.2.15. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane) An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a. Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund) Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes) Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane) Fix parsing of affix files for ispell dictionaries (Tom Lane) The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales. Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov) This dodges a portability problem on FreeBSD-derived platforms (including macOS). Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich) This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version. Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas) Fix psql's tab completion for SECURITY LABEL (Tom Lane) Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords. Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch) This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown. Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar) The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards. Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane) In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker) Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby) Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane) Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan) Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd). 2016-02-11 This release contains a variety of fixes from 9.2.14. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane) Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773) Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane) The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster. In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro) Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund) Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master. Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier) Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane) Fix REASSIGN OWNED to change ownership of composite types properly (Álvaro Herrera) Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Álvaro Herrera) Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Álvaro Herrera) Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane) Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud) Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane) Fix possible internal overflow in numeric division (Dean Rasheed) Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane) Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results. Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane) Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane) The code added for CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition. Improve memory-usage accounting in regular-expression compiler (Tom Lane) This causes the code to emit regular expression is too complex errors in some cases that previously used unreasonable amounts of time and memory. Improve performance of regular-expression compiler (Tom Lane) Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane) Previously, %h/%r started to work just after a new session had emitted the connection received log message; now they work for that message too. On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila) This oversight resulted in failure to recover from crashes whenever logging_collector is turned on. Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane) It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection. Avoid leaking a token handle during SSPI authentication (Christian Ullrich) In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure) Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries. Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart) Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane) In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier) Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start. Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command. In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta) On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use. In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier) In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane) The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files. Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane) Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane) Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane) A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem. Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian) Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier) Fix failure to localize messages emitted by pg_receivexlog and pg_recvlogical (Ioseph Kim) Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane) In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check. Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut) Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch) This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also. Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas) Fix order of arguments in ecpg-generated typedef statements (Michael Meskes) Use %g not %f format in ecpg's PGTYPESnumeric_from_double() (Tom Lane) Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes) Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed. Ensure that contrib/pgcrypto's crypt() function can be interrupted by query cancel (Andreas Karlsson) Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier) Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted. Install our missing script where PGXS builds can find it (Jim Nasby) This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing. Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier) Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane) The fix for libxml2's CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it. Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan. 2015-10-08 This release contains a variety of fixes from 9.2.13. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier) A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction. Fix insertion of relations into the relation cache init file (Tom Lane) An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious. Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway) Improve LISTEN startup time when there are many unread notifications (Matt Newell) Back-patch 9.3-era addition of per-resource-owner lock caches (Jeff Janes) This substantially improves performance when pg_dump tries to dump a large number of tables. Disable SSL renegotiation by default (Michael Paquier, Andres Freund) While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled). Lower the minimum values of the *_freeze_max_age parameters (Andres Freund) This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space. Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch) Fix handling of DOW and DOY in datetime input (Greg Stark) These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than invalid input syntax. Add more query-cancel checks to regular expression matching (Tom Lane) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane) Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes. Fix potential infinite loop in regular expression execution (Tom Lane) A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop. In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane) Fix low-memory failures in regular expression compilation (Andreas Seltenreich) Fix low-probability memory leak during regular expression execution (Tom Lane) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane) Fix unexpected out-of-memory situation during sort errors when using tuplestores with small work_mem settings (Tom Lane) Fix very-low-probability stack overrun in qsort (Tom Lane) Fix invalid memory alloc request size failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane) Fix assorted planner bugs (Tom Lane) These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as could not devise a query plan for the given query, could not find pathkey item to sort, plan should not reference subplan's variable, or failed to assign all NestLoopParams to plan nodes. Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems. Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed) Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao) This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server. During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane) This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns. Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane) If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop. Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas) Such a page might be left behind after a crash. Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas) VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe. Fix off-by-one error that led to otherwise-harmless warnings about apparent wraparound in subtrans/multixact truncation (Thomas Munro) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane) Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker) Fix PL/Python crash when returning the string representation of a record result (Tom Lane) Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera) In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho) EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format. Fix contrib/sepgsql's handling of SELECT INTO statements (Kohei KaiGai) Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier) Fix psql's code for locale-aware formatting of numeric output (Tom Lane) The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type. Prevent crash in psql's \c command when there is no current connection (Noah Misch) Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane) Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane) When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases. Fix pg_dump to dump shell types (Tom Lane) Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them. Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier) Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane) Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common. On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch) Perl relies on this ability in 5.8.0 and later. Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch) Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies. 2015-06-12 This release contains a small number of fixes from 9.2.12. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Fix rare failure to invalidate relation cache init file (Tom Lane) With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the init file that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently. Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane) A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that. 2015-06-04 This release contains a small number of fixes from 9.2.11. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.11, see . Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane) In the previous minor releases we added a patch to fsync everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing. Fix pg_get_functiondef() to show functions' LEAKPROOF property, if set (Jeevan Chalke) Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane) The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions. Allow libpq to use TLS protocol versions beyond v1 (Noah Misch) For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0. 2015-05-22 This release contains a variety of fixes from 9.2.10. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you use contrib/citext's regexp_matches() functions, see the changelog entry below about that. Also, if you are upgrading from a version earlier than 9.2.10, see . Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) Improve detection of system-call failures (Noah Misch) Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) Fix incorrect declaration of contrib/citext's regexp_matches() functions (Tom Lane) These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches. While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also update back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches() functions. Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane) If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted. Fix planning of star-schema-style queries (Tom Lane) Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it. Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane) This oversight in the planner has been observed to cause could not find RelOptInfo for given relids errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output. Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane) Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row. Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane) This oversight has been seen to lead to failed to join all relations together errors in queries involving LATERAL, and that might happen in other cases as well. Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas) Avoid cannot GetMultiXactIdMembers() during recovery error (Álvaro Herrera) Recursively fsync() the data directory after a crash (Abhijit Menon-Sen, Robert Haas) This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Álvaro Herrera) Cope with unexpected signals in LockBufferForCleanup() (Andres Freund) This oversight could result in spurious errors about multiple backends attempting to wait for pincount 1. Fix crash when doing COPY IN to a table with check constraints that contain whole-row references (Tom Lane) The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well. Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund) Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well. Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane) Check for interrupts while analyzing index expressions (Jeff Janes) ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes. Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita) Add the name of the target server to object description strings for foreign-server user mappings (Álvaro Herrera) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost) Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5. Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane) This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.) Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas) This avoids a possible startup failure in pg_receivexlog. While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas) When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready. In libpq, fix misparsing of empty values in URI connection strings (Thomas Fanghaenel) Fix array handling in ecpg (Michael Meskes) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Álvaro Herrera) This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable. Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane) This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline. Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane) In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier) Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost) This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated. Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian) This change prevents upgrade failures caused by bogus complaints about missing WAL history files. In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian) This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases. Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem) Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini) Fix failure in pg_receivexlog (Andres Freund) A patch merge mistake in 9.2.10 led to could not create archive status file errors. Fix slow sorting algorithm in contrib/intarray (Tom Lane) Fix compile failure on Sparc V8 machines (Rob Rowan) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT). 2015-02-05 This release contains a variety of fixes from 9.2.9. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are a Windows user and are using the Norwegian (Bokmål) locale, manual action is needed after the upgrade to replace any Norwegian (Bokmål)_Norway locale names stored in PostgreSQL system catalogs with the plain-ASCII alias Norwegian_Norway. For details see Also, if you are upgrading from a version earlier than 9.2.9, see . Fix buffer overruns in to_char() (Bruce Momjian) When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241) Fix buffer overrun in replacement *printf() functions (Tom Lane) PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch) Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas) If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244) Fix information leak via constraint-violation error messages (Stephen Frost) Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161) Lock down regression testing's temporary installations on Windows (Noah Misch) Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067) Cope with the Windows locale named Norwegian (Bokmål) (Heikki Linnakangas) Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, Norwegian_Norway. Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier) If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be. Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund) Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane) This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required. Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane) In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug. Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi) In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition. Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane) In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table. Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley) This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors. Restore previous behavior of conversion of domains to JSON (Tom Lane) This change causes domains over numeric and boolean to be treated like their base types for purposes of conversion to JSON. It worked like that before 9.3.5 and 9.2.9, but was unintentionally changed while fixing a related problem. Fix bugs in raising a numeric value to a large integral power (Tom Lane) The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow. In numeric_recv(), truncate away any fractional digits that would be hidden according to the value's dscale field (Tom Lane) A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such hidden digits on receipt, so that the value is indeed what it prints as. Fix incorrect search for shortest-first regular expression matches (Tom Lane) Matching would often fail when the number of allowed iterations is limited by a ? quantifier or a bound expression. Reject out-of-range numeric timezone specifications (Tom Lane) Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them. Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas) Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms. Improve ispell dictionary's defenses against bad affix files (Tom Lane) Allow more than 64K phrases in a thesaurus dictionary (David Boutin) The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition. Fix namespace handling in xpath() (Ali Akbar) Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation. Ensure that whole-row variables expose nonempty column names to functions that pay attention to column names within composite arguments (Tom Lane) In some contexts, constructs like row_to_json(tab.*) may not produce the expected column names. This is fixed properly as of 9.4; in older branches, just ensure that we produce some nonempty name. (In some cases this will be the underlying table's column name rather than the query-assigned alias that should theoretically be visible.) Fix mishandling of system columns, particularly tableoid, in FDW queries (Etsuro Fujita) Avoid doing indexed_column = ANY (array) as an index qualifier if that leads to an inferior plan (Andrew Gierth) In some cases, = ANY conditions applied to non-first index columns would be done as index conditions even though it would be better to use them as simple filter conditions. Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Álvaro Herrera) The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity. Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane) Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work. During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund) This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery. Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas) This mistake could result in transient errors in queries being executed in hot standby. Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas) The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit. Prevent latest WAL file from being archived a second time at completion of crash recovery (Fujii Masao) Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao) Change pgstat wait timeout warning message to be LOG level, and rephrase it to be more understandable (Tom Lane) This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads using stale statistics instead of current ones because stats collector is not responding. Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund) Warn if macOS's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch) Fix processing of repeated dbname parameters in PQconnectdbParams() (Alex Shulgin) Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded. Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane) Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket. Clear any old error message during PQreset() (Heikki Linnakangas) If PQreset() is called repeatedly, and the connection cannot be re-established, error messages from the failed connection attempts kept accumulating in the PGconn's error string. Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas) Fix array overrun in ecpg's version of ParseDateTime() (Michael Paquier) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane) When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate. This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved. Improve consistency of parsing of psql's special variables (Tom Lane) Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors. Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost) Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane) Fix pg_dumpall to restore its ability to dump from pre-8.1 servers (Gilles Darold) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia) Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund) Fix failure of contrib/auto_explain to print per-node timing information when doing EXPLAIN ANALYZE (Tom Lane) Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane) Fix block number checking in contrib/pageinspect's get_raw_page() (Tom Lane) The incorrect checking logic could prevent access to some pages in non-main relation forks. Fix contrib/pgcrypto's pgp_sym_decrypt() to not fail on messages whose length is 6 less than a power of 2 (Marko Tiikkaja) Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes) This could cause failure to remove temporary files on Windows. Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier) connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further. Avoid a possible crash in contrib/xml2's xslt_process() (Mark Simonetti) libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash. Mark some contrib I/O functions with correct volatility properties (Tom Lane) The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers. Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier) These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues. Detect incompatible OpenLDAP versions during build (Noah Misch) With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test. In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane) This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations. Support time zone abbreviations that change UTC offset from time to time (Tom Lane) Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date. Update time zone abbreviations lists (Tom Lane) Add CST (China Standard Time) to our lists. Remove references to ADT as Arabia Daylight Time, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with Atlantic Daylight Time doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line. Update time zone data files to tzdata release 2015a. The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our Default timezone abbreviation set. The Australia abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the Default abbreviation set. Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data. 2014-07-24 This release contains a variety of fixes from 9.2.8. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so. Also, if you are upgrading from a version earlier than 9.2.6, see . Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas) This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update. Protect against torn pages when deleting GIN list pages (Heikki Linnakangas) This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk. Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas) This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby. Fix corner-case infinite loop during insertion into an SP-GiST text index (Tom Lane) Fix feedback status when is turned off on-the-fly (Simon Riggs) Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund) Fix planner's mishandling of nested PlaceHolderVars generated in nested-nestloop plans (Tom Lane) This oversight could result in variable not found in subplan target lists errors, or in silently wrong query results. Fix could not find pathkey item to sort planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley) This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y). Improve planner to drop constant-NULL inputs of AND/OR when possible (Tom Lane) This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced. Fix identification of input type category in to_json() and friends (Tom Lane) This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well. Fix failure to detoast fields in composite elements of structured types (Tom Lane) This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like missing chunk number 0 for toast value ... when the now-dangling pointer is used. Fix record type has not been registered failures with whole-row references to the output of Append plan nodes (Tom Lane) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark) Fix data encoding error in hungarian.stop (Tom Lane) Prevent foreign tables from being created with OIDS when is true (Etsuro Fujita) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund) This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction. Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund) After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time. Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera) Block signals during postmaster startup (Tom Lane) This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up. Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane) Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed. Allow the root user to use postgres -C variable and postgres --describe-config (MauMau) The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios. Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch) Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections. A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary. Fix tablespace creation WAL replay to work on Windows (MauMau) Fix detection of socket creation failures on Windows (Bruce Momjian) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as ) from the configuration file (Amit Kapila) Previously, if such a parameter were changed in the file post-startup, the change would have no effect. Properly quote executable path names on Windows (Nikhil Deshpande) This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs. Fix linking of libpython on macOS (Tom Lane) The method we previously used can fail with the Python library supplied by Xcode 5.0 and later. Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane) libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as lost synchronization with server). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints. Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat) Fix pg_restore's processing of old-style large object comments (Tom Lane) A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects. Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not (Bruce Momjian) This rare situation would manifest as relation OID mismatch errors. Prevent contrib/auto_explain from changing the output of a user's EXPLAIN (Tom Lane) If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information. Fix query-lifespan memory leak in contrib/dblink (MauMau, Joe Conway) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen) Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap() (Noah Misch) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane) This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that. Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco. 2014-03-20 This release contains a variety of fixes from 9.2.7. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.6, see . Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas) Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector. Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja) This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient. Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane) This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time. Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski) This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it. Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed) This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables. Improve performance of index endpoint probes during planning (Tom Lane) This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers. Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao) Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery (Heikki Linnakangas) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas) Prevent interrupts while reporting non-ERROR messages (Tom Lane) This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems. Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker) Fix tracking of psql script line numbers during \copy from out-of-line data (Kumar Rajeev Rastogi, Amit Khandekar) \copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file. Prevent intermittent could not reserve shared memory region failures on recent Windows versions (MauMau) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine. 2014-02-20 This release contains a variety of fixes from 9.2.6. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.6, see . Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses trust authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane) The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant bloat of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master. Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas) In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as PANIC: WAL contains references to invalid pages were also possible. Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane) This error could result in PANIC: WAL contains references to invalid pages failures. Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas) The previous coding risked index corruption in the event of a partial-page write during a system crash. When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas) Fix race conditions during server process exit (Robert Haas) Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid. Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane) Fix unsafe references to errno within error reporting logic (Christian Kruse) This would typically lead to odd behaviors such as missing or inappropriate HINT fields. Fix possible crashes from using ereport() too early during server startup (Tom Lane) The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read. Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin) This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection. Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane) A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping. Allow keywords that are type names to be used in lists of roles (Stephen Frost) A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE. Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane) Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane) Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s). Ensure that ANALYZE creates statistics for a table column even when all the values in it are too wide (Tom Lane) ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide. In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost) CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo. Fix cannot accept a set error when some arms of a CASE return a set and others don't (Tom Lane) Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane) Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well. Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas) Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky. Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander) The previous coding might attempt to do catalog access when it shouldn't. Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii) Fix *-qualification of named parameters in SQL-language functions (Tom Lane) Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much. Fix misbehavior of PQhost() on Windows (Fujii Masao) It should return localhost if no host has been specified. Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane) In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications. Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane) Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander) Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander) Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander) Fix misaligned descriptors in ecpg (MauMau) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes) Fix performance regression in contrib/dblink connection startup (Joe Conway) Avoid an unnecessary round trip when client and server encodings match. In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho) Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi) Ensure client-code-only installation procedure works as documented (Peter Eisentraut) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan) This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL. Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane) These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that. Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba. In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice. 2013-12-05 This release contains a variety of fixes from 9.2.5. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, this release corrects a number of potential data corruption issues. See the first two changelog entries below to find out whether your installation has been affected and what steps you can take if so. Also, if you are upgrading from a version earlier than 9.2.4, see . Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund) In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. In 9.2.0 and later, the probability of loss is higher, and it's also possible to get could not access status of transaction errors as a consequence of this bug. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31). Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas) This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions. This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading. Fix dangling-pointer problem in fast-path locking (Tom Lane) This could lead to corruption of the lock data structures in shared memory, causing lock already held and other odd errors. Truncate pg_multixact contents during WAL replay (Andres Freund) This avoids ever-increasing disk space consumption in standby servers. Ensure an anti-wraparound VACUUM counts a page as scanned when it's only verified that no tuples need freezing (Sergey Burladyan, Jeff Janes) This bug could result in failing to advance relfrozenxid, so that the table would still be thought to need another anti-wraparound vacuum. In the worst case the database might even shut down to prevent wraparound. Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas) This could lead to transient wrong answers or query failures. Fix unexpected spgdoinsert() failure error during SP-GiST index creation (Teodor Sigaev) Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane) This avoids unexpected results due to extra evaluations of the volatile function. Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane) This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax. Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses (Tom Lane) Fix planner crash with whole-row reference to a subquery (Tom Lane) Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane) The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable. Fix premature deletion of temporary files (Andres Freund) Prevent intra-transaction memory leak when printing range values (Tom Lane) This fix actually cures transient memory leaks in any datatype output function, but range types are the only ones known to have had a significant problem. Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages (Michael Paquier and Tom Lane) Allow default arguments and named-argument notation for window functions (Tom Lane) Previously, these cases were likely to crash. Fix possible read past end of memory in rule printing (Peter Eisentraut) Fix array slicing of int2vector and oidvector values (Tom Lane) Expressions of this kind are now implicitly promoted to regular int2 or oid arrays. Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane) In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone. Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane) This fix applies only to Windows. Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner) Previously, the generated script would fail during restore. Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia. 2013-10-10 This release contains a variety of fixes from 9.2.4. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.4, see . Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan) PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding. Fix memory leak when creating B-tree indexes on range columns (Heikki Linnakangas) Fix checkpoint memory leak in background writer when wal_level = hot_standby (Naoya Anzai) Fix memory leak caused by lo_open() failure (Heikki Linnakangas) Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost) Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas) Fix deadlock bug in libpq when using SSL (Stephen Frost) Fix possible SSL state corruption in threaded libpq applications (Nick Phillips, Stephen Frost) Improve estimate of planner cost when choosing between generic and custom plans (Tom Lane) This change will favor generic plans when planning cost is high. Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth) Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs. Fix accounting for qualifier evaluation costs in UNION ALL and inheritance queries (Tom Lane) This fixes cases where suboptimal query plans could be chosen if some WHERE clauses are expensive to calculate. Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane) Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results. Fix rare case of failed to locate grouping columns planner failure (Tom Lane) Fix pg_dump of foreign tables with dropped columns (Andrew Dunstan) Previously such cases could cause a pg_upgrade error. Reorder pg_dump processing of extension-related rules and event triggers (Joe Conway) Force dumping of extension tables if specified by pg_dump -t or -n (Joe Conway) Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane) Fix pg_restore -l with the directory archive to display the correct format name (Fujii Masao) Properly record index comments created using UNIQUE and PRIMARY KEY syntax (Andres Freund) This fixes a parallel pg_restore failure. Cause pg_basebackup -x with an empty xlog directory to throw an error rather than crashing (Magnus Hagander, Haruka Takatsuka) Properly guarantee transmission of WAL files before clean switchover (Fujii Masao) Previously, the streaming replication connection might close before all WAL files had been replayed on the standby. Fix WAL segment timeline handling during recovery (Mitsumasa Kondo, Heikki Linnakangas) WAL file recycling during standby recovery could lead to premature recovery completion, resulting in data loss. Prevent errors in WAL replay due to references to uninitialized empty pages (Andres Freund) Fix REINDEX TABLE and REINDEX DATABASE to properly revalidate constraints and mark invalidated indexes as valid (Noah Misch) REINDEX INDEX has always worked properly. Avoid deadlocks during insertion into SP-GiST indexes (Teodor Sigaev) Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane) Fix GiST index lookup crash (Tom Lane) Fix regexp_matches() handling of zero-length matches (Jeevan Chalke) Previously, zero-length matches like '^' could return too many matches. Fix crash for overly-complex regular expressions (Heikki Linnakangas) Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane) Allow ALTER DEFAULT PRIVILEGES to operate on schemas without requiring CREATE permission (Tom Lane) Loosen restriction on keywords used in queries (Tom Lane) Specifically, lessen keyword restrictions for role names, language names, EXPLAIN and COPY options, and SET values. This allows COPY ... (FORMAT BINARY) to work as expected; previously BINARY needed to be quoted. Print proper line number during COPY failure (Heikki Linnakangas) Fix pgp_pub_decrypt() so it works for secret keys with passwords (Marko Kreen) Make pg_upgrade use pg_dump --quote-all-identifiers to avoid problems with keyword changes between releases (Tom Lane) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas) Ensure that VACUUM ANALYZE still runs the ANALYZE phase if its attempt to truncate the file is cancelled due to lock conflicts (Kevin Grittner) Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane) Ensure that floating-point data input accepts standard spellings of infinity on all platforms (Tom Lane) The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity. Make sure we recognize these even if the platform's strtod function doesn't. Avoid unnecessary reporting when track_activities is off (Tom Lane) Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane) Prevent crash when psql's PSQLRC variable contains a tilde (Bruce Momjian) Add spinlock support for ARM64 (Mark Salter) Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island. 2013-04-04 This release contains a variety of fixes from 9.2.3. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below. Also, if you are upgrading from a version earlier than 9.2.2, see . Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi) A connection request containing a database name that begins with - could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. (CVE-2013-1899) Reset OpenSSL randomness state in each postmaster child process (Marko Kreen) This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. (CVE-2013-1900) Make REPLICATION privilege checks test current user not authenticated user (Noah Misch) An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups. (CVE-2013-1901) Fix GiST indexes to not use fuzzy geometric comparisons when it's not appropriate to do so (Alexander Korotkov) The core geometric types perform comparisons using fuzzy equality, but gist_box_same must do exact comparisons, else GiST indexes using it might become inconsistent. After installing this update, users should REINDEX any GiST indexes on box, polygon, circle, or point columns, since all of these use gist_box_same. Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane) These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update. Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane) These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update. Fix gist_point_consistent to handle fuzziness consistently (Alexander Korotkov) Index scans on GiST indexes on point columns would sometimes yield results different from a sequential scan, because gist_point_consistent disagreed with the underlying operator code about whether to do comparisons exactly or fuzzily. Fix buffer leak in WAL replay (Heikki Linnakangas) This bug could result in incorrect local pin count errors during replay, making recovery impossible. Ensure we do crash recovery before entering archive recovery, if the database was not stopped cleanly and a recovery.conf file is present (Heikki Linnakangas, Kyotaro Horiguchi, Mitsumasa Kondo) This is needed to ensure that the database is consistent in certain scenarios, such as initializing a standby server with a filesystem snapshot from a running server. Avoid deleting not-yet-archived WAL files during crash recovery (Heikki Linnakangas, Fujii Masao) Fix race condition in DELETE RETURNING (Tom Lane) Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash. Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter) Fix potential null-pointer dereference in regular expression compilation (Tom Lane) Fix to_char() to use ASCII-only case-folding rules where appropriate (Tom Lane) This fixes misbehavior of some template patterns that should be locale-independent, but mishandled I and i in Turkish locales. Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane) Fix SQL-language functions to be safely usable as support functions for range types (Tom Lane) Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane) The session wound up not listening for notify events at all, though it surely should listen in this case. Fix possible planner crash after columns have been added to a view that's depended on by another view (Tom Lane) Fix performance issue in EXPLAIN (ANALYZE, TIMING OFF) (Pavel Stehule) Remove useless picksplit doesn't support secondary split log messages (Josh Hansen, Tom Lane) This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it. Remove vestigial secondary-split support in gist_box_picksplit() (Tom Lane) Not only was this implementation of secondary-split not better than the default implementation, it's actually worse. So remove it and let the default code path handle the case. Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane) Eliminate memory leaks in PL/Perl's spi_prepare() function (Alex Hunsaker, Tom Lane) Fix pg_dumpall to handle database names containing = correctly (Heikki Linnakangas) Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas) Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian) Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing. In pg_basebackup, include only the current server version's subdirectory when backing up a tablespace (Heikki Linnakangas) Add a server version check in pg_basebackup and pg_receivexlog, so they fail cleanly with version combinations that won't work (Heikki Linnakangas) Fix contrib/dblink to handle inconsistent settings of DateStyle or IntervalStyle safely (Daniel Farina, Tom Lane) Previously, if the remote server had different settings of these parameters, ambiguous dates might be read incorrectly. This fix ensures that datetime and interval columns fetched by a dblink query will be interpreted correctly. Note however that inconsistent settings are still risky, since literal values appearing in SQL commands sent to the remote server might be interpreted differently than they would be locally. Fix contrib/pg_trgm's similarity() function to return zero for trigram-less strings (Tom Lane) Previously it returned NaN due to internal division by zero. Enable building PostgreSQL with Microsoft Visual Studio 2012 (Brar Piening, Noah Misch) Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places. Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list. 2013-02-07 This release contains a variety of fixes from 9.2.2. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, if you are upgrading from a version earlier than 9.2.2, see . Prevent execution of enum_recv from SQL (Tom Lane) The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. (CVE-2013-0255) Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund) Fix detection of end-of-backup point when no actual redo work is required (Heikki Linnakangas) This mistake could result in incorrect WAL ends before end of online backup errors. Update minimum recovery point when truncating a relation file (Heikki Linnakangas) Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline. Fix recycling of WAL segments after changing recovery target timeline (Heikki Linnakangas) Properly restore timeline history files from archive on cascading standby servers (Heikki Linnakangas) Fix lock conflict detection on hot-standby servers (Andres Freund, Robert Haas) Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs) The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data. Prevent recovery pause feature from pausing before users can connect (Tom Lane) Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane) Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck) Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives. Improve performance of SPI_execute and related functions, thereby improving PL/pgSQL's EXECUTE (Heikki Linnakangas, Tom Lane) Remove some data-copying overhead that was added in 9.2 as a consequence of revisions in the plan caching mechanism. This eliminates a performance regression compared to 9.1, and also saves memory, especially when the query string to be executed contains many SQL statements. A side benefit is that multi-statement query strings are now processed fully serially, that is we complete execution of earlier statements before running parse analysis and planning on the following ones. This eliminates a long-standing issue, in that DDL that should affect the behavior of a later statement will now behave as expected. Restore pre-9.2 cost estimates for index usage (Tom Lane) An ill-considered change of a fudge factor led to undesirably high cost estimates for use of very large indexes. Fix intermittent crash in DROP INDEX CONCURRENTLY (Tom Lane) Fix potential corruption of shared-memory lock table during CREATE/DROP INDEX CONCURRENTLY (Tom Lane) Fix COPY's multiple-tuple-insertion code for the case of a tuple larger than page size minus fillfactor (Heikki Linnakangas) The previous coding could get into an infinite loop. Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane) CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries. Prevent DROP OWNED from trying to drop whole databases or tablespaces (Álvaro Herrera) For safety, ownership of these objects must be reassigned, not dropped. Fix error in vacuum_freeze_table_age implementation (Andres Freund) In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead. Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane) This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES. Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis) Fix some bugs associated with privileges on datatypes (Tom Lane) There were some issues with default privileges for types, and pg_dump failed to dump such privileges at all. Fix failure to ignore leftover temporary tables after a server crash (Tom Lane) Fix failure to rotate postmaster log files for size reasons on Windows (Jeff Janes, Heikki Linnakangas) Reject out-of-range dates in to_date() (Hitoshi Harada) Fix pg_extension_config_dump() to handle extension-update cases properly (Tom Lane) This function will now replace any existing entry for the target table, making it usable in extension update scripts. Fix PL/pgSQL's reporting of plan-time errors in possibly-simple expressions (Tom Lane) The previous coding resulted in sometimes omitting the first line in the CONTEXT traceback for the error. Fix PL/Python's handling of functions used as triggers on multiple tables (Andres Freund) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch) This bug affected psql and some other client programs. Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong) Fix possible error if a relation file is removed while pg_basebackup is running (Heikki Linnakangas) Tolerate timeline switches while pg_basebackup -X fetch is backing up a standby server (Heikki Linnakangas) Make pg_dump exclude data of unlogged tables when running on a hot-standby server (Magnus Hagander) This would fail anyway because the data is not available on the standby server, so it seems most convenient to assume --no-unlogged-table-data automatically. Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian) Fix pg_upgrade's -O/-o options (Marti Raudsepp) Fix one-byte buffer overrun in libpq's PQprintTuples (Xi Wang) This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code. Make ecpglib use translated messages properly (Chen Huajun) Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing) Include our version of isinf() in libecpg if it's not provided by the system (Jiang Guiqing) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg) Ensure Windows build number increases over time (Magnus Hagander) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi) Add new timezone abbreviation FET (Tom Lane) This is now used in some eastern-European time zones. 2012-12-06 This release contains a variety of fixes from 9.2.1. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, you may need to perform REINDEX operations to correct problems in concurrently-built indexes, as described in the first changelog item below. Also, if you are upgrading from version 9.2.0, see . Fix multiple bugs associated with CREATE/DROP INDEX CONCURRENTLY (Andres Freund, Tom Lane, Simon Riggs, Pavan Deolasee) An error introduced while adding DROP INDEX CONCURRENTLY allowed incorrect indexing decisions to be made during the initial phase of CREATE INDEX CONCURRENTLY; so that indexes built by that command could be corrupt. It is recommended that indexes built in 9.2.X with CREATE INDEX CONCURRENTLY be rebuilt after applying this update. In addition, fix CREATE/DROP INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus again resulting in corrupt concurrently-created indexes. Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index. Also fix DROP INDEX CONCURRENTLY to not disable insertions into the target index until all queries using it are done. Also fix misbehavior if DROP INDEX CONCURRENTLY is canceled: the previous coding could leave an un-droppable index behind. Correct predicate locking for DROP INDEX CONCURRENTLY (Kevin Grittner) Previously, SSI predicate locks were processed at the wrong time, possibly leading to incorrect behavior of serializable transactions executing in parallel with the DROP. Fix buffer locking during WAL replay (Tom Lane) The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures. Fix an error in WAL generation logic for GIN indexes (Tom Lane) This could result in index corruption, if a torn-page failure occurred. Fix an error in WAL replay logic for SP-GiST indexes (Tom Lane) This could result in index corruption after a crash, or on a standby server. Fix incorrect detection of end-of-base-backup location during WAL recovery (Heikki Linnakangas) This mistake allowed hot standby mode to start up before the database reaches a consistent state. Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running (Simon Riggs) This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY. Avoid bogus out-of-sequence timeline ID errors in standby mode (Heikki Linnakangas) Prevent the postmaster from launching new child processes after it's received a shutdown signal (Tom Lane) This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action. Fix the syslogger process to not fail when log_rotation_age exceeds 2^31 milliseconds (about 25 days) (Tom Lane) Fix WaitLatch() to return promptly when the requested timeout expires (Jeff Janes, Tom Lane) With the previous coding, a steady stream of non-wait-terminating interrupts could delay return from WaitLatch() indefinitely. This has been shown to be a problem for the autovacuum launcher process, and might cause trouble elsewhere as well. Avoid corruption of internal hash tables when out of memory (Hitoshi Harada) Prevent file descriptors for dropped tables from being held open past transaction end (Tom Lane) This should reduce problems with long-since-dropped tables continuing to occupy disk space. Prevent database-wide crash and restart when a new child process is unable to create a pipe for its latch (Tom Lane) Although the new process must fail, there is no good reason to force a database-wide restart, so avoid that. This improves robustness when the kernel is nearly out of file descriptors. Avoid planner crash with joins to unflattened subqueries (Tom Lane) Fix planning of non-strict equivalence clauses above outer joins (Tom Lane) The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join. 9.2 showed this type of error in more cases than previous releases, but the basic bug has been there for a long time. Fix SELECT DISTINCT with index-optimized MIN/MAX on an inheritance tree (Tom Lane) The planner would fail with failed to re-find MinMaxAggInfo record given this combination of factors. Make sure the planner sees implicit and explicit casts as equivalent for all purposes, except in the minority of cases where there's actually a semantic difference (Tom Lane) Include join clauses when considering whether partial indexes can be used for a query (Tom Lane) A strict join clause can be sufficient to establish an x IS NOT NULL predicate, for example. This fixes a planner regression in 9.2, since previous versions could make comparable deductions. Limit growth of planning time when there are many indexable join clauses for the same index (Tom Lane) Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane) This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved. Fix btree mark/restore functions to handle array keys (Tom Lane) This oversight could result in wrong answers from merge joins whose inner side is an index scan using an indexed_column = ANY(array) condition. Revert patch for taking fewer snapshots (Tom Lane) The 9.2 change to reduce the number of snapshots taken during query execution led to some anomalous behaviors not seen in previous releases, because execution would proceed with a snapshot acquired before locking the tables used by the query. Thus, for example, a query would not be guaranteed to see updates committed by a preceding transaction even if that transaction had exclusive lock. We'll probably revisit this in future releases, but meanwhile put it back the way it was before 9.2. Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund) In very unusual circumstances, this oversight could result in passing incorrect data to a trigger WHEN condition, or to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger. Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee) This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later. Fix ALTER EXTENSION SET SCHEMA's failure to move some subsidiary objects into the new schema (Álvaro Herrera, Dimitri Fontaine) Handle CREATE TABLE AS EXECUTE correctly in extended query protocol (Tom Lane) Don't modify the input parse tree in DROP RULE IF NOT EXISTS and DROP TRIGGER IF NOT EXISTS (Tom Lane) This mistake would cause errors if a cached statement of one of these types was re-executed. Fix REASSIGN OWNED to handle grants on tablespaces (Álvaro Herrera) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane) Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views. Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane) Fix possible access past end of string in date parsing (Hitoshi Harada) Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby (Tom Lane, Andres Freund) While this mistake had no particular impact on PostgreSQL itself, it was bad for applications that rely on txid_current() and related functions: the TXID value would appear to go backwards. Fix pg_terminate_backend() and pg_cancel_backend() to not throw error for a non-existent target process (Josh Kupershmidt) This case already worked as intended when called by a superuser, but not so much when called by ordinary users. Fix display of pg_stat_replication.sync_state at a page boundary (Kyotaro Horiguchi) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan) Formerly, this would result in something quite unhelpful, such as Non-recoverable failure in name resolution. Fix memory leaks when sending composite column values to the client (Tom Lane) Save some cycles by not searching for subtransaction locks at commit (Simon Riggs) In a transaction holding many exclusive locks, this useless activity could be quite costly. Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas) This fixes race conditions and possible file descriptor leakage. Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing) Make pg_dump dump SEQUENCE SET items in the data not pre-data section of the archive (Tom Lane) This fixes an undesirable inconsistency between the meanings of --data-only and --section=data, and also fixes dumping of sequences that are marked as extension configuration tables. Fix pg_dump's handling of DROP DATABASE commands in --clean mode (Guillaume Lelarge) Beginning in 9.2.0, pg_dump --clean would issue a DROP DATABASE command, which was either useless or dangerous depending on the usage scenario. It no longer does that. This change also fixes the combination of --clean and --create to work sensibly, i.e., emit DROP DATABASE then CREATE DATABASE before reconnecting to the target database. Fix pg_dump for views with circular dependencies and no relation options (Tom Lane) The previous fix to dump relation options when a view is involved in a circular dependency didn't work right for the case that the view has no options; it emitted ALTER VIEW foo SET () which is invalid syntax. Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane) The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode. Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane) The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out. Fix tar files emitted by pg_basebackup to be POSIX conformant (Brian Weaver, Tom Lane) Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane) This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory. Fix libpq's lo_import() and lo_export() functions to report file I/O errors properly (Tom Lane) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama) Fix ecpg's ecpg_get_data function to handle arrays properly (Michael Meskes) Prevent pg_upgrade from trying to process TOAST tables for system catalogs (Bruce Momjian) This fixes an error seen when the information_schema has been dropped and recreated. Other failures were also possible. Improve pg_upgrade performance by setting synchronous_commit to off in the new cluster (Bruce Momjian) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane) Work around unportable behavior of malloc(0) and realloc(NULL, 0) (Tom Lane) On platforms where these calls return NULL, some code mistakenly thought that meant out-of-memory. This is known to have broken pg_dump for databases containing no user-defined aggregates. There might be other cases as well. Ensure that make install for an extension creates the extension installation directory (Cédric Villemain) Previously, this step was missed if MODULEDIR was set in the extension's Makefile. Fix pgxs support for building loadable modules on AIX (Tom Lane) Building modules outside the original source tree didn't work on AIX. Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil. 2012-09-24 This release contains a variety of fixes from 9.2.0. For information about new features in the 9.2 major release, see . A dump/restore is not required for those running 9.2.X. However, you may need to perform REINDEX and/or VACUUM operations to recover from the effects of the data corruption bug described in the first changelog item below. Fix persistence marking of shared buffers during WAL replay (Jeff Davis) This mistake can result in buffers not being written out during checkpoints, resulting in data corruption if the server later crashes without ever having written those buffers. Corruption can occur on any server following crash recovery, but it is significantly more likely to occur on standby slave servers since those perform much more WAL replay. There is a low probability of corruption of btree and GIN indexes. There is a much higher probability of corruption of table visibility maps, which might lead to wrong answers from index-only scans. Table data proper cannot be corrupted by this bug. While no index corruption due to this bug is known to have occurred in the field, as a precautionary measure it is recommended that production installations REINDEX all btree and GIN indexes at a convenient time after upgrading to 9.2.1. Also, it is recommended to perform a VACUUM of all tables while having vacuum_freeze_table_age set to zero. This will fix any incorrect visibility map data. vacuum_cost_delay can be adjusted to reduce the performance impact of vacuuming, while causing it to take longer to finish. Fix possible incorrect sorting of output from queries involving WHERE indexed_column IN (list_of_values) (Tom Lane) Fix planner failure for queries involving GROUP BY expressions along with window functions and aggregates (Tom Lane) Fix planner's assignment of executor parameters (Tom Lane) This error could result in wrong answers from queries that scan the same WITH subquery multiple times. Improve planner's handling of join conditions in index scans (Tom Lane) Improve selectivity estimation for text search queries involving prefixes, i.e. word:* patterns (Tom Lane) Fix delayed recognition of permissions changes (Tom Lane) A command that needed no locks other than ones its transaction already had might fail to notice a concurrent GRANT or REVOKE that committed since the start of its transaction. Fix ANALYZE to not fail when a column is a domain over an array type (Tom Lane) Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane) Work around possible misoptimization in PL/Perl (Tom Lane) Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error. Remove unnecessary dependency on pg_config from pg_upgrade (Peter Eisentraut) Update time zone data files to tzdata release 2012f for DST law changes in Fiji 2012-09-10 This release has been largely focused on performance improvements, though new SQL features are not lacking. Work also continues in the area of replication support. Major enhancements include: Allow queries to retrieve data only from indexes, avoiding heap access (index-only scans) Allow the planner to generate custom plans for specific parameter values even when using prepared statements Improve the planner's ability to use nested loops with inner index scans Allow streaming replication slaves to forward data to other slaves (cascading replication) Allow pg_basebackup to make base backups from standby servers Add a pg_receivexlog tool to archive WAL file changes as they are written Add the SP-GiST (Space-Partitioned GiST) index access method Add support for range data types Add a JSON data type Add a security_barrier option for views Allow libpq connection strings to have the format of a URI Add a single-row processing mode to libpq for better handling of large result sets The above items are explained in more detail in the sections below. A dump/restore using pg_dump, or use of pg_upgrade, is required for those wishing to migrate data from any previous release. Version 9.2 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities: Remove the spclocation field from pg_tablespace (Magnus Hagander) This field was duplicative of the symbolic links that actually define tablespace locations, and thus risked errors of omission when moving a tablespace. This change allows tablespace directories to be moved while the server is down, by manually adjusting the symbolic links. To replace this field, we have added pg_tablespace_location() to allow querying of the symbolic links. Move tsvector most-common-element statistics to new pg_stats columns (Alexander Korotkov) Consult most_common_elems and most_common_elem_freqs for the data formerly available in most_common_vals and most_common_freqs for a tsvector column. Remove hstore's => operator (Robert Haas) Users should now use hstore(text, text). Since PostgreSQL 9.0, a warning message has been emitted when an operator named => is created because the SQL standard reserves that token for another use. Ensure that xpath() escapes special characters in string values (Florian Pflug) Without this it is possible for the result not to be valid XML. Make pg_relation_size() and friends return NULL if the object does not exist (Phil Sorber) This prevents queries that call these functions from returning errors immediately after a concurrent DROP. Make EXTRACT(EPOCH FROM timestamp without time zone) measure the epoch from local midnight, not UTC midnight (Tom Lane) This change reverts an ill-considered change made in release 7.3. Measuring from UTC midnight was inconsistent because it made the result dependent on the timezone setting, which computations for timestamp without time zone should not be. The previous behavior remains available by casting the input value to timestamp with time zone. Properly parse time strings with trailing yesterday, today, and tomorrow (Dean Rasheed) Previously, SELECT '04:00:00 yesterday'::timestamp returned yesterday's date at midnight. Fix to_date() and to_timestamp() to wrap incomplete dates toward 2020 (Bruce Momjian) Previously, supplied years and year masks of less than four digits wrapped inconsistently. Prevent ALTER DOMAIN from working on non-domain types (Peter Eisentraut) Owner and schema changes were previously possible on non-domain types. No longer forcibly lowercase procedural language names in CREATE FUNCTION (Robert Haas) While unquoted language identifiers are still lowercased, strings and quoted identifiers are no longer forcibly down-cased. Thus for example CREATE FUNCTION ... LANGUAGE 'C' will no longer work; it must be spelled 'c', or better omit the quotes. Change system-generated names of foreign key enforcement triggers (Tom Lane) This change ensures that the triggers fire in the correct order in some corner cases involving self-referential foreign key constraints. Provide consistent backquote, variable expansion, and quoted substring behavior in psql meta-command arguments (Tom Lane) Previously, such references were treated oddly when not separated by whitespace from adjacent text. For example 'FOO'BAR was output as FOO BAR (unexpected insertion of a space) and FOO'BAR'BAZ was output unchanged (not removing the quotes as most would expect). No longer treat clusterdb table names as double-quoted; no longer treat reindexdb table and index names as double-quoted (Bruce Momjian) Users must now include double-quotes in the command arguments if quoting is wanted. createuser no longer prompts for option settings by default (Peter Eisentraut) Use --interactive to obtain the old behavior. Disable prompting for the user name in dropuser unless --interactive is specified (Peter Eisentraut) Add server parameters for specifying the locations of server-side SSL files (Peter Eisentraut) This allows changing the names and locations of the files that were previously hard-coded as server.crt, server.key, root.crt, and root.crl in the data directory. The server will no longer examine root.crt or root.crl by default; to load these files, the associated parameters must be set to non-default values. Remove the silent_mode parameter (Heikki Linnakangas) Similar behavior can be obtained with pg_ctl start -l postmaster.log. Remove the wal_sender_delay parameter, as it is no longer needed (Tom Lane) Remove the custom_variable_classes parameter (Tom Lane) The checking provided by this setting was dubious. Now any setting can be prefixed by any class name. Rename pg_stat_activity.procpid to pid, to match other system tables (Magnus Hagander) Create a separate pg_stat_activity column to report process state (Scott Mead, Magnus Hagander) The previous query and query_start values now remain available for an idle session, allowing enhanced analysis. Rename pg_stat_activity.current_query to query because it is not cleared when the query completes (Magnus Hagander) Change all SQL-level statistics timing values to be float8 columns measured in milliseconds (Tom Lane) This change eliminates the designed-in assumption that the values are accurate to microseconds and no more (since the float8 values can be fractional). The columns affected are pg_stat_user_functions.total_time, pg_stat_user_functions.self_time, pg_stat_xact_user_functions.total_time, and pg_stat_xact_user_functions.self_time. The statistics functions underlying these columns now also return float8 milliseconds, rather than bigint microseconds. contrib/pg_stat_statements' total_time column is now also measured in milliseconds. Below you will find a detailed account of the changes between PostgreSQL 9.2 and the previous major release. Allow queries to retrieve data only from indexes, avoiding heap access (Robert Haas, Ibrar Ahmed, Heikki Linnakangas, Tom Lane) This feature is often called index-only scans. Heap access can be skipped for heap pages containing only tuples that are visible to all sessions, as reported by the visibility map; so the benefit applies mainly to mostly-static data. The visibility map was made crash-safe as a necessary part of implementing this feature. Add the SP-GiST (Space-Partitioned GiST) index access method (Teodor Sigaev, Oleg Bartunov, Tom Lane) SP-GiST is comparable to GiST in flexibility, but supports unbalanced partitioned search structures rather than balanced trees. For suitable problems, SP-GiST can be faster than GiST in both index build time and search time. Allow group commit to work effectively under heavy load (Peter Geoghegan, Simon Riggs, Heikki Linnakangas) Previously, batching of commits became ineffective as the write workload increased, because of internal lock contention. Allow uncontended locks to be managed using a new fast-path lock mechanism (Robert Haas) Reduce overhead of creating virtual transaction ID locks (Robert Haas) Reduce the overhead of serializable isolation level locks (Dan Ports) Improve PowerPC and Itanium spinlock performance (Manabu Ori, Robert Haas, Tom Lane) Reduce overhead for shared invalidation cache messages (Robert Haas) Move the frequently accessed members of the PGPROC shared memory array to a separate array (Pavan Deolasee, Heikki Linnakangas, Robert Haas) Improve COPY performance by adding tuples to the heap in batches (Heikki Linnakangas) Improve GiST index performance for geometric data types by producing better trees with less memory allocation overhead (Alexander Korotkov) Improve GiST index build times (Alexander Korotkov, Heikki Linnakangas) Allow hint bits to be set sooner for temporary and unlogged tables (Robert Haas) Allow sorting to be performed by inlined, non-SQL-callable comparison functions (Peter Geoghegan, Robert Haas, Tom Lane) Make the number of CLOG buffers scale based on shared_buffers (Robert Haas, Simon Riggs, Tom Lane) Improve performance of buffer pool scans that occur when tables or databases are dropped (Jeff Janes, Simon Riggs) Improve performance of checkpointer's fsync-request queue when many tables are being dropped or truncated (Tom Lane) Pass the safe number of file descriptors to child processes on Windows (Heikki Linnakangas) This allows Windows sessions to use more open file descriptors than before. Create a dedicated background process to perform checkpoints (Simon Riggs) Formerly the background writer did both dirty-page writing and checkpointing. Separating this into two processes allows each goal to be accomplished more predictably. Improve asynchronous commit behavior by waking the walwriter sooner (Simon Riggs) Previously, only wal_writer_delay triggered WAL flushing to disk; now filling a WAL buffer also triggers WAL writes. Allow the bgwriter, walwriter, checkpointer, statistics collector, log collector, and archiver background processes to sleep more efficiently during periods of inactivity (Peter Geoghegan, Tom Lane) This series of changes reduces the frequency of process wake-ups when there is nothing to do, dramatically reducing power consumption on idle servers. Allow the planner to generate custom plans for specific parameter values even when using prepared statements (Tom Lane) In the past, a prepared statement always had a single generic plan that was used for all parameter values, which was frequently much inferior to the plans used for non-prepared statements containing explicit constant values. Now, the planner attempts to generate custom plans for specific parameter values. A generic plan will only be used after custom plans have repeatedly proven to provide no benefit. This change should eliminate the performance penalties formerly seen from use of prepared statements (including non-dynamic statements in PL/pgSQL). Improve the planner's ability to use nested loops with inner index scans (Tom Lane) The new parameterized path mechanism allows inner index scans to use values from relations that are more than one join level up from the scan. This can greatly improve performance in situations where semantic restrictions (such as outer joins) limit the allowed join orderings. Improve the planning API for foreign data wrappers (Etsuro Fujita, Shigeru Hanada, Tom Lane) Wrappers can now provide multiple access paths for their tables, allowing more flexibility in join planning. Recognize self-contradictory restriction clauses for non-table relations (Tom Lane) This check is only performed when constraint_exclusion is on. Allow indexed_col op ANY(ARRAY[...]) conditions to be used in plain index scans and index-only scans (Tom Lane) Formerly such conditions could only be used in bitmap index scans. Support MIN/MAX index optimizations on boolean columns (Marti Raudsepp) Account for set-returning functions in SELECT target lists when setting row count estimates (Tom Lane) Fix planner to handle indexes with duplicated columns more reliably (Tom Lane) Collect and use element-frequency statistics for arrays (Alexander Korotkov, Tom Lane) This change improves selectivity estimation for the array <@, &&, and @> operators (array containment and overlaps). Allow statistics to be collected for foreign tables (Etsuro Fujita) Improve cost estimates for use of partial indexes (Tom Lane) Improve the planner's ability to use statistics for columns referenced in subqueries (Tom Lane) Improve statistical estimates for subqueries using DISTINCT (Tom Lane) Do not treat role names and samerole specified in pg_hba.conf as automatically including superusers (Andrew Dunstan) This makes it easier to use reject lines with group roles. Adjust pg_hba.conf processing to handle token parsing more consistently (Brendan Jurd, Álvaro Herrera) Disallow empty pg_hba.conf files (Tom Lane) This was done to more quickly detect misconfiguration. Make superuser privilege imply replication privilege (Noah Misch) This avoids the need to explicitly assign such privileges. Attempt to log the current query string during a backend crash (Marti Raudsepp) Make logging of autovacuum I/O activity more verbose (Greg Smith, Noah Misch) This logging is triggered by log_autovacuum_min_duration. Make WAL replay report failures sooner (Fujii Masao) There were some cases where failures were only reported once the server went into master mode. Add pg_xlog_location_diff() to simplify WAL location comparisons (Euler Taveira de Oliveira) This is useful for computing replication lag. Support configurable event log application names on Windows (MauMau, Magnus Hagander) This allows different instances to use the event log with different identifiers, by setting the event_source server parameter, which is similar to how syslog_ident works. Change unexpected EOF messages to DEBUG1 level, except when there is an open transaction (Magnus Hagander) This change reduces log chatter caused by applications that close database connections ungracefully. Track temporary file sizes and file counts in the pg_stat_database system view (Tomas Vondra) Add a deadlock counter to the pg_stat_database system view (Magnus Hagander) Add a server parameter track_io_timing to track I/O timings (Ants Aasma, Robert Haas) Report checkpoint timing information in pg_stat_bgwriter (Greg Smith, Peter Geoghegan) Silently ignore nonexistent schemas specified in search_path (Tom Lane) This makes it more convenient to use generic path settings, which might include some schemas that don't exist in all databases. Allow superusers to set deadlock_timeout per-session, not just per-cluster (Noah Misch) This allows deadlock_timeout to be reduced for transactions that are likely to be involved in a deadlock, thus detecting the failure more quickly. Alternatively, increasing the value can be used to reduce the chances of a session being chosen for cancellation due to a deadlock. Add a server parameter temp_file_limit to constrain temporary file space usage per session (Mark Kirkwood) Allow a superuser to SET an extension's superuser-only custom variable before loading the associated extension (Tom Lane) The system now remembers whether a SET was performed by a superuser, so that proper privilege checking can be done when the extension is loaded. Add postmaster -C option to query configuration parameters (Bruce Momjian) This allows pg_ctl to better handle cases where PGDATA or -D points to a configuration-only directory. Replace an empty locale name with the implied value in CREATE DATABASE (Tom Lane) This prevents cases where pg_database.datcollate or datctype could be interpreted differently after a server restart. Allow multiple errors in postgresql.conf to be reported, rather than just the first one (Alexey Klyukin, Tom Lane) Allow a reload of postgresql.conf to be processed by all sessions, even if there are some settings that are invalid for particular sessions (Alexey Klyukin) Previously, such not-valid-within-session values would cause all setting changes to be ignored by that session. Add an include_if_exists facility for configuration files (Greg Smith) This works the same as include, except that an error is not thrown if the file is missing. Identify the server time zone during initdb, and set postgresql.conf entries timezone and log_timezone accordingly (Tom Lane) This avoids expensive time zone probes during server start. Fix pg_settings to report postgresql.conf line numbers on Windows (Tom Lane) Allow streaming replication slaves to forward data to other slaves (cascading replication) (Fujii Masao) Previously, only the master server could supply streaming replication log files to standby servers. Add new synchronous_commit mode remote_write (Fujii Masao, Simon Riggs) This mode waits for the standby server to write transaction data to its own operating system, but does not wait for the data to be flushed to the standby's disk. Add a pg_receivexlog tool to archive WAL file changes as they are written, rather than waiting for completed WAL files (Magnus Hagander) Allow pg_basebackup to make base backups from standby servers (Jun Ishizuka, Fujii Masao) This feature lets the work of making new base backups be off-loaded from the primary server. Allow streaming of WAL files while pg_basebackup is performing a backup (Magnus Hagander) This allows passing of WAL files to the standby before they are discarded on the primary. Cancel the running query if the client gets disconnected (Florian Pflug) If the backend detects loss of client connection during a query, it will now cancel the query rather than attempting to finish it. Retain column names at run time for row expressions (Andrew Dunstan, Tom Lane) This change allows better results when a row value is converted to hstore or json type: the fields of the resulting value will now have the expected names. Improve column labels used for sub-SELECT results (Marti Raudsepp) Previously, the generic label ?column? was used. Improve heuristics for determining the types of unknown values (Tom Lane) The longstanding rule that an unknown constant might have the same type as the value on the other side of the operator using it is now applied when considering polymorphic operators, not only for simple operator matches. Warn about creating casts to or from domain types (Robert Haas) Such casts have no effect. When a row fails a CHECK or NOT NULL constraint, show the row's contents as error detail (Jan Kundrát) This should make it easier to identify which row is problematic when an insert or update is processing many rows. Provide more reliable operation during concurrent DDL (Robert Haas, Noah Misch) This change adds locking that should eliminate cache lookup failed errors in many scenarios. Also, it is no longer possible to add relations to a schema that is being concurrently dropped, a scenario that formerly led to inconsistent system catalog contents. Add CONCURRENTLY option to DROP INDEX (Simon Riggs) This allows index removal without blocking other sessions. Allow foreign data wrappers to have per-column options (Shigeru Hanada) Improve pretty-printing of view definitions (Andrew Dunstan) Allow CHECK constraints to be declared NOT VALID (Álvaro Herrera) Adding a NOT VALID constraint does not cause the table to be scanned to verify that existing rows meet the constraint. Subsequently, newly added or updated rows are checked. Such constraints are ignored by the planner when considering constraint_exclusion, since it is not certain that all rows meet the constraint. The new ALTER TABLE VALIDATE command allows NOT VALID constraints to be checked for existing rows, after which they are converted into ordinary constraints. Allow CHECK constraints to be declared NO INHERIT (Nikhil Sontakke, Alex Hunsaker, Álvaro Herrera) This makes them enforceable only on the parent table, not on child tables. Add the ability to rename constraints (Peter Eisentraut) Reduce need to rebuild tables and indexes for certain ALTER TABLE ... ALTER COLUMN TYPE operations (Noah Misch) Increasing the length limit for a varchar or varbit column, or removing the limit altogether, no longer requires a table rewrite. Similarly, increasing the allowable precision of a numeric column, or changing a column from constrained numeric to unconstrained numeric, no longer requires a table rewrite. Table rewrites are also avoided in similar cases involving the interval, timestamp, and timestamptz types. Avoid having ALTER TABLE revalidate foreign key constraints in some cases where it is not necessary (Noah Misch) Add IF EXISTS options to some ALTER commands (Pavel Stehule) For example, ALTER FOREIGN TABLE IF EXISTS foo RENAME TO bar. Add ALTER FOREIGN DATA WRAPPER ... RENAME and ALTER SERVER ... RENAME (Peter Eisentraut) Add ALTER DOMAIN ... RENAME (Peter Eisentraut) You could already rename domains using ALTER TYPE. Throw an error for ALTER DOMAIN ... DROP CONSTRAINT on a nonexistent constraint (Peter Eisentraut) An IF EXISTS option has been added to provide the previous behavior. Allow CREATE TABLE (LIKE ...) from foreign tables, views, and composite types (Peter Eisentraut) For example, this allows a table to be created whose schema matches a view. Fix CREATE TABLE (LIKE ...) to avoid index name conflicts when copying index comments (Tom Lane) Fix CREATE TABLE ... AS EXECUTE to handle WITH NO DATA and column name specifications (Tom Lane) Add a security_barrier option for views (KaiGai Kohei, Robert Haas) This option prevents optimizations that might allow view-protected data to be exposed to users, for example pushing a clause involving an insecure function into the WHERE clause of the view. Such views can be expected to perform more poorly than ordinary views. Add a new LEAKPROOF function attribute to mark functions that can safely be pushed down into security_barrier views (KaiGai Kohei) Add support for privileges on data types (Peter Eisentraut) This adds support for the SQL-conforming USAGE privilege on types and domains. The intent is to be able to restrict which users can create dependencies on types, since such dependencies limit the owner's ability to alter the type. Check for INSERT privileges in SELECT INTO / CREATE TABLE AS (KaiGai Kohei) Because the object is being created by SELECT INTO or CREATE TABLE AS, the creator would ordinarily have insert permissions; but there are corner cases where this is not true, such as when ALTER DEFAULT PRIVILEGES has removed such permissions. Allow VACUUM to more easily skip pages that cannot be locked (Simon Riggs, Robert Haas) This change should greatly reduce the incidence of VACUUM getting stuck waiting for other sessions. Make EXPLAIN (BUFFERS) count blocks dirtied and written (Robert Haas) Make EXPLAIN ANALYZE report the number of rows rejected by filter steps (Marko Tiikkaja) Allow EXPLAIN ANALYZE to avoid timing overhead when time values are not wanted (Tomas Vondra) This is accomplished by setting the new TIMING option to FALSE. Add support for range data types (Jeff Davis, Tom Lane, Alexander Korotkov) A range data type stores a lower and upper bound belonging to its base data type. It supports operations like contains, overlaps, and intersection. Add a JSON data type (Robert Haas) This type stores JSON (JavaScript Object Notation) data with proper validation. Add array_to_json() and row_to_json() (Andrew Dunstan) Add a SMALLSERIAL data type (Mike Pultz) This is like SERIAL, except it stores the sequence in a two-byte integer column (int2). Allow domains to be declared NOT VALID (Álvaro Herrera) This option can be set at domain creation time, or via ALTER DOMAIN ... ADD CONSTRAINT ... NOT VALID. ALTER DOMAIN ... VALIDATE CONSTRAINT fully validates the constraint. Support more locale-specific formatting options for the money data type (Tom Lane) Specifically, honor all the POSIX options for ordering of the value, sign, and currency symbol in monetary output. Also, make sure that the thousands separator is only inserted to the left of the decimal point, as required by POSIX. Add bitwise and, or, and not operators for the macaddr data type (Brendan Jurd) Allow xpath() to return a single-element XML array when supplied a scalar value (Florian Pflug) Previously, it returned an empty array. This change will also cause xpath_exists() to return true, not false, for such expressions. Improve XML error handling to be more robust (Florian Pflug) Allow non-superusers to use pg_cancel_backend() and pg_terminate_backend() on other sessions belonging to the same user (Magnus Hagander, Josh Kupershmidt, Dan Farina) Previously only superusers were allowed to use these functions. Allow importing and exporting of transaction snapshots (Joachim Wieland, Tom Lane) This allows multiple transactions to share identical views of the database state. Snapshots are exported via pg_export_snapshot() and imported via SET TRANSACTION SNAPSHOT. Only snapshots from currently-running transactions can be imported. Support COLLATION FOR on expressions (Peter Eisentraut) This returns a string representing the collation of the expression. Add pg_opfamily_is_visible() (Josh Kupershmidt) Add a numeric variant of pg_size_pretty() for use with pg_xlog_location_diff() (Fujii Masao) Add a pg_trigger_depth() function (Kevin Grittner) This reports the current trigger call depth. Allow string_agg() to process bytea values (Pavel Stehule) Fix regular expressions in which a back-reference occurs within a larger quantified subexpression (Tom Lane) For example, ^(\w+)( \1)+$. Previous releases did not check that the back-reference actually matched the first occurrence. Add information schema views role_udt_grants, udt_privileges, and user_defined_types (Peter Eisentraut) Add composite-type attributes to the information schema element_types view (Peter Eisentraut) Implement interval_type columns in the information schema (Peter Eisentraut) Formerly these columns read as nulls. Implement collation-related columns in the information schema attributes, columns, domains, and element_types views (Peter Eisentraut) Implement the with_hierarchy column in the information schema table_privileges view (Peter Eisentraut) Add display of sequence USAGE privileges to information schema (Peter Eisentraut) Make the information schema show default privileges (Peter Eisentraut) Previously, non-empty default permissions were not represented in the views. Allow the PL/pgSQL OPEN cursor command to supply parameters by name (Yeb Havinga) Add a GET STACKED DIAGNOSTICS PL/pgSQL command to retrieve exception info (Pavel Stehule) Speed up PL/pgSQL array assignment by caching type information (Pavel Stehule) Improve performance and memory consumption for long chains of ELSIF clauses (Tom Lane) Output the function signature, not just the name, in PL/pgSQL error messages (Pavel Stehule) Add PL/Python SPI cursor support (Jan Urbanski) This allows PL/Python to read partial result sets. Add result metadata functions to PL/Python (Peter Eisentraut) Specifically, this adds result object functions .colnames, .coltypes, and .coltypmods. Remove support for Python 2.2 (Peter Eisentraut) Allow SQL-language functions to reference parameters by name (Matthew Draper) To use this, simply name the function arguments and then reference the argument names in the SQL function body. Add initdb options --auth-local and --auth-host (Peter Eisentraut) This allows separate control of local and host pg_hba.conf authentication settings. --auth still controls both. Add --replication/--no-replication flags to createuser to control replication permission (Fujii Masao) Add the --if-exists option to dropdb and dropuser (Josh Kupershmidt) Give command-line tools the ability to specify the name of the database to connect to, and fall back to template1 if a postgres database connection fails (Robert Haas) Add a display mode to auto-expand output based on the display width (Peter Eisentraut) This adds the auto option to the \x command, which switches to the expanded mode when the normal output would be wider than the screen. Allow inclusion of a script file that is named relative to the directory of the file from which it was invoked (Gurjeet Singh) This is done with a new command \ir. Add support for non-ASCII characters in psql variable names (Tom Lane) Add support for major-version-specific .psqlrc files (Bruce Momjian) psql already supported minor-version-specific .psqlrc files. Provide environment variable overrides for psql history and startup file locations (Andrew Dunstan) PSQL_HISTORY and PSQLRC now determine these file names if set. Add a \setenv command to modify the environment variables passed to child processes (Andrew Dunstan) Name psql's temporary editor files with a .sql extension (Peter Eisentraut) This allows extension-sensitive editors to select the right mode. Allow psql to use zero-byte field and record separators (Peter Eisentraut) Various shell tools use zero-byte (NUL) separators, e.g. find. Make the \timing option report times for failed queries (Magnus Hagander) Previously times were reported only for successful queries. Unify and tighten psql's treatment of \copy and SQL COPY (Noah Misch) This fix makes failure behavior more predictable and honors \set ON_ERROR_ROLLBACK. Make \d on a sequence show the table/column name owning it (Magnus Hagander) Show statistics target for columns in \d+ (Magnus Hagander) Show role password expiration dates in \du (Fabrízio de Royes Mello) Display comments for casts, conversions, domains, and languages (Josh Kupershmidt) These are included in the output of \dC+, \dc+, \dD+, and \dL respectively. Display comments for SQL/MED objects (Josh Kupershmidt) These are included in the output of \des+, \det+, and \dew+ for foreign servers, foreign tables, and foreign data wrappers respectively. Change \dd to display comments only for object types without their own backslash command (Josh Kupershmidt) In psql tab completion, complete SQL keywords in either upper or lower case according to the new COMP_KEYWORD_CASE setting (Peter Eisentraut) Add tab completion support for EXECUTE (Andreas Karlsson) Allow tab completion of role references in GRANT/REVOKE (Peter Eisentraut) Allow tab completion of file names to supply quotes, when necessary (Noah Misch) Change tab completion support for TABLE to also include views (Magnus Hagander) Add an --exclude-table-data option to pg_dump (Andrew Dunstan) This allows dumping of a table's definition but not its data, on a per-table basis. Add a --section option to pg_dump and pg_restore (Andrew Dunstan) Valid values are pre-data, data, and post-data. The option can be given more than once to select two or more sections. Make pg_dumpall dump all roles first, then all configuration settings on roles (Phil Sorber) This allows a role's configuration settings to mention other roles without generating an error. Allow pg_dumpall to avoid errors if the postgres database is missing in the new cluster (Robert Haas) Dump foreign server user mappings in user name order (Peter Eisentraut) This helps produce deterministic dump files. Dump operators in a predictable order (Peter Eisentraut) Tighten rules for when extension configuration tables are dumped by pg_dump (Tom Lane) Make pg_dump emit more useful dependency information (Tom Lane) The dependency links included in archive-format dumps were formerly of very limited use, because they frequently referenced objects that appeared nowhere in the dump. Now they represent actual dependencies (possibly indirect) among the dumped objects. Improve pg_dump's performance when dumping many database objects (Tom Lane) Allow libpq connection strings to have the format of a URI (Alexander Shulgin) The syntax begins with postgres://. This can allow applications to avoid implementing their own parser for URIs representing database connections. Add a connection option to disable SSL compression (Laurenz Albe) This can be used to remove the overhead of SSL compression on fast networks. Add a single-row processing mode for better handling of large result sets (Kyotaro Horiguchi, Marko Kreen) Previously, libpq always collected the entire query result in memory before passing it back to the application. Add const qualifiers to the declarations of the functions PQconnectdbParams, PQconnectStartParams, and PQpingParams (Lionel Elie Mamane) Allow the .pgpass file to include escaped characters in the password field (Robert Haas) Make library functions use abort() instead of exit() when it is necessary to terminate the process (Peter Eisentraut) This choice does not interfere with the normal exit codes used by the program, and generates a signal that can be caught by the caller. Remove dead ports (Peter Eisentraut) The following platforms are no longer supported: dgux, nextstep, sunos4, svr4, ultrix4, univel, bsdi. Add support for building with MS Visual Studio 2010 (Brar Piening) Enable compiling with the MinGW-w64 32-bit compiler (Lars Kanis) Install plpgsql.h into include/server during installation (Heikki Linnakangas) Improve the latch facility to include detection of postmaster death (Peter Geoghegan, Heikki Linnakangas, Tom Lane) This eliminates one of the main reasons that background processes formerly had to wake up to poll for events. Use C flexible array members, where supported (Peter Eisentraut) Improve the concurrent transaction regression tests (isolationtester) (Noah Misch) Modify thread_test to create its test files in the current directory, rather than /tmp (Bruce Momjian) Improve flex and bison warning and error reporting (Tom Lane) Add memory barrier support (Robert Haas) This is currently unused. Modify pgindent to use a typedef file (Bruce Momjian) Add a hook for processing messages due to be sent to the server log (Martin Pihlak) Add object access hooks for DROP commands (KaiGai Kohei) Centralize DROP handling for some object types (KaiGai Kohei) Add a pg_upgrade test suite (Peter Eisentraut) Sync regular expression code with TCL 8.5.11 and improve internal processing (Tom Lane) Move CRC tables to libpgport, and provide them in a separate include file (Daniel Farina) Add options to git_changelog for use in major release note creation (Bruce Momjian) Support Linux's /proc/self/oom_score_adj API (Tom Lane) Improve efficiency of dblink by using libpq's new single-row processing mode (Kyotaro Horiguchi, Marko Kreen) This improvement does not apply to dblink_send_query()/dblink_get_result(). Support force_not_null option in file_fdw (Shigeru Hanada) Implement dry-run mode for pg_archivecleanup (Gabriele Bartolini) This only outputs the names of files to be deleted. Add new pgbench switches --unlogged-tables, --tablespace, and --index-tablespace (Robert Haas) Change pg_test_fsync to test for a fixed amount of time, rather than a fixed number of cycles (Bruce Momjian) The -o/cycles option was removed, and -s/seconds added. Add a pg_test_timing utility to measure clock monotonicity and timing overhead (Ants Aasma, Greg Smith) Add a tcn (triggered change notification) module to generate NOTIFY events on table changes (Kevin Grittner) Adjust pg_upgrade environment variables (Bruce Momjian) Rename data, bin, and port environment variables to begin with PG, and support PGPORTOLD/PGPORTNEW, to replace PGPORT. Overhaul pg_upgrade logging and failure reporting (Bruce Momjian) Create four append-only log files, and delete them on success. Add -r/--retain option to unconditionally retain these files. Also remove pg_upgrade options -g/-G/-l options as unnecessary, and tighten log file permissions. Make pg_upgrade create a script to incrementally generate more accurate optimizer statistics (Bruce Momjian) This reduces the time needed to generate minimal cluster statistics after an upgrade. Allow pg_upgrade to upgrade an old cluster that does not have a postgres database (Bruce Momjian) Allow pg_upgrade to handle cases where some old or new databases are missing, as long as they are empty (Bruce Momjian) Allow pg_upgrade to handle configuration-only directory installations (Bruce Momjian) In pg_upgrade, add -o/-O options to pass parameters to the servers (Bruce Momjian) This is useful for configuration-only directory installs. Change pg_upgrade to use port 50432 by default (Bruce Momjian) This helps avoid unintended client connections during the upgrade. Reduce cluster locking in pg_upgrade (Bruce Momjian) Specifically, only lock the old cluster if link mode is used, and do it right after the schema is restored. Allow pg_stat_statements to aggregate similar queries via SQL text normalization (Peter Geoghegan, Tom Lane) Users with applications that use non-parameterized SQL will now be able to monitor query performance without detailed log analysis. Add dirtied and written block counts and read/write times to pg_stat_statements (Robert Haas, Ants Aasma) Prevent pg_stat_statements from double-counting PREPARE and EXECUTE commands (Tom Lane) Support SECURITY LABEL on global objects (KaiGai Kohei, Robert Haas) Specifically, add security labels to databases, tablespaces, and roles. Allow sepgsql to honor database labels (KaiGai Kohei) Perform sepgsql permission checks during the creation of various objects (KaiGai Kohei) Add sepgsql_setcon() and related functions to control the sepgsql security domain (KaiGai Kohei) Add a user space access cache to sepgsql to improve performance (KaiGai Kohei) Add a rule to optionally build HTML documentation using the stylesheet from the website (Magnus Hagander) Use gmake STYLE=website draft. Improve EXPLAIN documentation (Tom Lane) Document that user/database names are preserved with double-quoting by command-line tools like vacuumdb (Bruce Momjian) Document the actual string returned by the client for MD5 authentication (Cyan Ogilvie) Deprecate use of GLOBAL and LOCAL in CREATE TEMP TABLE (Noah Misch) PostgreSQL has long treated these keyword as no-ops, and continues to do so; but in future they might mean what the SQL standard says they mean, so applications should avoid using them.