Release 8.4.22

Release Date: 2014-07-24

This release contains a variety of fixes from 8.4.21. For information about new features in the 8.4 major release, see .

This is expected to be the last PostgreSQL release in the 8.4.X series. Users are encouraged to update to a newer release branch soon.

Migration to Version 8.4.22

A dump/restore is not required for those running 8.4.X.

However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so.

Also, if you are upgrading from a version earlier than 8.4.19, see .

Changes

Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.

Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.

Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund)

Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).

Fix failure to detoast fields in composite elements of structured types (Tom Lane)
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes (Tom Lane)

Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)

Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)

Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)

Fix data encoding error in hungarian.stop (Tom Lane)

Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.

Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.

Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera)

Block signals during postmaster startup (Tom Lane)
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.

Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections. A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR.
Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.

On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as ) from the configuration file (Amit Kapila)
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.

Properly quote executable path names on Windows (Nikhil Deshpande)
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.

Fix linking of libpython on OS X (Tom Lane)
The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.

Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)
libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as "lost synchronization with server"). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints.

Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)

Fix pg_restore's processing of old-style large object comments (Tom Lane)
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.

In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)

In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
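The make check item above moves the temporary server's socket into a mode 0700 subdirectory of /tmp. The following C sketch is an added example, not PostgreSQL's own code: it creates such a directory with mkdtemp() and checks that a socket directory is a real directory owned by the caller with no group or other access; the name template and both function names are assumptions made for the illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp() and lstat() */
#endif
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Create a fresh directory to hold a test server's Unix-domain socket.
 * mkdtemp() picks an unused name and creates the directory with mode 0700,
 * failing rather than reusing a path that already exists.
 * The template name is hypothetical.
 */
static bool make_socket_dir(char *buf, size_t buflen)
{
    static const char tmpl[] = "/tmp/pg_check_example.XXXXXX";

    if (sizeof tmpl > buflen)
        return false;
    memcpy(buf, tmpl, sizeof tmpl);
    return mkdtemp(buf) != NULL;
}

/*
 * Return true only if 'path' is a directory (not a symlink to one),
 * is owned by the effective user, and grants nothing to group or others.
 * Other local users then cannot reach a socket file placed inside it.
 */
static bool socket_dir_is_private(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return false;
    if (!S_ISDIR(st.st_mode))
        return false;
    if (st.st_uid != geteuid())
        return false;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    char dir[64];

    if (!make_socket_dir(dir, sizeof dir)) {
        perror("mkdtemp");
        return 1;
    }
    printf("%s private: %d\n", dir, socket_dir_is_private(dir));

    /* Loosening the mode is what the check is meant to catch. */
    if (chmod(dir, 0755) == 0)
        printf("after chmod 0755 private: %d\n", socket_dir_is_private(dir));

    rmdir(dir);
    return 0;
}
```
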
Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.

Release 8.4.21

Release Date: 2014-03-20

This release contains a variety of fixes from 8.4.20. For information about new features in the 8.4 major release, see .

The PostgreSQL community will stop releasing updates for the 8.4.X release series in July 2014. Users are encouraged to update to a newer release branch soon.

Migration to Version 8.4.21

A dump/restore is not required for those running 8.4.X.

However, if you are upgrading from a version earlier than 8.4.19, see .

Changes

Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.

Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptably for a long time.

Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.

Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.

Prevent interrupts while reporting non-ERROR messages (Tom Lane)
This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems.
Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.

Release 8.4.20

Release Date: 2014-02-20

This release contains a variety of fixes from 8.4.19. For information about new features in the 8.4 major release, see .

The PostgreSQL community will stop releasing updates for the 8.4.X release series in July 2014. Users are encouraged to update to a newer release branch soon.

Migration to Version 8.4.20

A dump/restore is not required for those running 8.4.X.

However, if you are upgrading from a version earlier than 8.4.19, see .

Changes

Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060)

Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any.
(CVE-2014-0061)

Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062)

Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063)

Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064)

Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065)

Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)
There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did.
One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066)

Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check uses trust authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067)

Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant bloat of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.

Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a partial-page write during a system crash.

Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.

Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
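The integer-overflow item above (CVE-2014-0064) describes allocation sizes computed without an overflow check. This added C example, which is not PostgreSQL source code, shows how such a calculation wraps to a too-small size and how bounding the element count first rejects the input; the header size, element size, allocation limit and function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed layout: a fixed header followed by nelems fixed-width elements. */
#define HDR_SIZE  16u
#define ELEM_SIZE 8u
/* Assumed cap on a single allocation, chosen for this example. */
#define MAX_ALLOC 0x3fffffffu

/*
 * Pre-fix pattern: the size is computed in 32-bit arithmetic with no check.
 * uint32_t is used so that the wraparound is well defined in C.
 */
static uint32_t alloc_size_unchecked(uint32_t nelems)
{
    return HDR_SIZE + nelems * ELEM_SIZE;
}

/* Bytes a fill loop over nelems elements would really write (64-bit math). */
static uint64_t bytes_needed(uint32_t nelems)
{
    return (uint64_t) HDR_SIZE + (uint64_t) nelems * ELEM_SIZE;
}

/*
 * Fixed pattern: bound the element count before multiplying.
 * Returns 0 when the request is rejected; a valid size is never
 * smaller than HDR_SIZE, so 0 is unambiguous.
 */
static uint32_t alloc_size_checked(uint32_t nelems)
{
    if (nelems > (MAX_ALLOC - HDR_SIZE) / ELEM_SIZE)
        return 0;
    return HDR_SIZE + nelems * ELEM_SIZE;
}

/* Input-function-style allocator: NULL for an oversized element count. */
static unsigned char *make_value(uint32_t nelems)
{
    uint32_t size = alloc_size_checked(nelems);

    return size ? calloc(1, size) : NULL;
}

int main(void)
{
    uint32_t oversized = 0x20000001u;   /* constructed element count */
    unsigned char *v;

    /* The unchecked size is far smaller than what would be written. */
    printf("unchecked size: %u bytes, needed: %llu bytes\n",
           (unsigned) alloc_size_unchecked(oversized),
           (unsigned long long) bytes_needed(oversized));
    printf("checked size:   %u (0 means rejected)\n",
           (unsigned) alloc_size_checked(oversized));

    v = make_value(4);
    printf("make_value(4):  %s\n", v ? "allocated" : "failed");
    free(v);
    return 0;
}
```
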
Fix possible crashes from using ereport() too early during server startup (Tom Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.

Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.

Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.

Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)

Ensure that ANALYZE creates statistics for a table column even when all the values in it are too wide (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.

In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.

Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)

Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)

Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.

Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas)
Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky.
Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)

Fix misbehavior of PQhost() on Windows (Fujii Masao)
It should return localhost if no host has been specified.

Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.

Fix misaligned descriptors in ecpg (MauMau)

In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)

Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.

In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)

Ensure client-code-only installation procedure works as documented (Peter Eisentraut)

In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.

Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.

Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.

Release 8.4.19

Release Date: 2013-12-05

This release contains a variety of fixes from 8.4.18. For information about new features in the 8.4 major release, see .

Migration to Version 8.4.19

A dump/restore is not required for those running 8.4.X.

However, this release corrects a potential data corruption issue. See the first changelog entry below to find out whether your installation has been affected and what steps you can take if so.

Also, if you are upgrading from a version earlier than 8.4.17, see .

Changes

Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)
In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from release 8.4.8 or earlier are not affected, but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).

Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)
This could lead to transient wrong answers or query failures.
Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)
This avoids unexpected results due to extra evaluations of the volatile function.

Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)
This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.

Fix premature deletion of temporary files (Andres Freund)

Fix possible read past end of memory in rule printing (Peter Eisentraut)

Fix array slicing of int2vector and oidvector values (Tom Lane)
Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.

Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)
In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone.

Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)

Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)
This fix applies only to Windows.

Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)
Previously, the generated script would fail during restore.

Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)

Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)

Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.

Release 8.4.18

Release Date: 2013-10-10

This release contains a variety of fixes from 8.4.17. For information about new features in the 8.4 major release, see .
Migration to Version 8.4.18

A dump/restore is not required for those running 8.4.X.

However, if you are upgrading from a version earlier than 8.4.17, see .

Changes

Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan)
PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding.

Fix memory leak caused by lo_open() failure (Heikki Linnakangas)

Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost)

Fix deadlock bug in libpq when using SSL (Stephen Frost)

Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth)
Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs.

Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane)
Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results.

Fix rare case of "failed to locate grouping columns" planner failure (Tom Lane)

Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane)

Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane)

Fix regexp_matches() handling of zero-length matches (Jeevan Chalke)
Previously, zero-length matches like '^' could return too many matches.
Fix crash for overly-complex regular expressions (Heikki Linnakangas)

Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke)

Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)

Fix pgp_pub_decrypt() so it works for secret keys with passwords (Marko Kreen)

Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)

Avoid possible failure when performing transaction control commands (e.g., ROLLBACK) in prepared queries (Tom Lane)

Ensure that floating-point data input accepts standard spellings of infinity on all platforms (Tom Lane)
The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity. Make sure we recognize these even if the platform's strtod function doesn't.

Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane)

Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island.

Release 8.4.17

Release Date: 2013-04-04

This release contains a variety of fixes from 8.4.16. For information about new features in the 8.4 major release, see .

Migration to Version 8.4.17

A dump/restore is not required for those running 8.4.X.

However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below.

Also, if you are upgrading from a version earlier than 8.4.10, see .

Changes

Reset OpenSSL randomness state in each postmaster child process (Marko Kreen)
This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption.
(CVE-2013-1900)

Fix GiST indexes to not use fuzzy geometric comparisons when it's not appropriate to do so (Alexander Korotkov)
The core geometric types perform comparisons using fuzzy equality, but gist_box_same must do exact comparisons, else GiST indexes using it might become inconsistent. After installing this update, users should REINDEX any GiST indexes on box, polygon, circle, or point columns, since all of these use gist_box_same.

Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.

Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane)
These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.

Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)

Fix potential null-pointer dereference in regular expression compilation (Tom Lane)

Fix to_char() to use ASCII-only case-folding rules where appropriate (Tom Lane)
This fixes misbehavior of some template patterns that should be locale-independent, but mishandled I and i in Turkish locales.

Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)

Remove useless "picksplit doesn't support secondary split" log messages (Josh Hansen, Tom Lane)
This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.
Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)

Eliminate memory leaks in PL/Perl's spi_prepare() function (Alex Hunsaker, Tom Lane)

Fix pg_dumpall to handle database names containing = correctly (Heikki Linnakangas)

Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas)

Ignore invalid indexes in pg_dump (Michael Paquier)
Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway.

Fix contrib/pg_trgm's similarity() function to return zero for trigram-less strings (Tom Lane)
Previously it returned NaN due to internal division by zero.

Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places.
Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.

Release 8.4.16

Release Date: 2013-02-07

This release contains a variety of fixes from 8.4.15. For information about new features in the 8.4 major release, see .

Migration to Version 8.4.16

A dump/restore is not required for those running 8.4.X.

However, if you are upgrading from a version earlier than 8.4.10, see .

Changes

Prevent execution of enum_recv from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the server.
In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. (CVE-2013-0255)

Update minimum recovery point when truncating a relation file (Heikki Linnakangas)
Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.

Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)

Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.

Prevent DROP OWNED from trying to drop whole databases or tablespaces (Álvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.

Fix error in vacuum_freeze_table_age implementation (Andres Freund)
In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead.

Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.

Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)

Reject out-of-range dates in to_date() (Hitoshi Harada)

Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)
This bug affected psql and some other client programs.

Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)

Fix one-byte buffer overrun in libpq's PQprintTuples (Xi Wang)
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
Make ecpglib use translated messages properly (Chen Huajun)

Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing)

Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)

Ensure Windows build number increases over time (Magnus Hagander)

Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)

Add new timezone abbreviation FET (Tom Lane)
This is now used in some eastern-European time zones.

Release 8.4.15

Release Date: 2012-12-06

This release contains a variety of fixes from 8.4.14. For information about new features in the 8.4 major release, see .

Migration to Version 8.4.15

A dump/restore is not required for those running 8.4.X.

However, if you are upgrading from a version earlier than 8.4.10, see .

Changes

Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane)
Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.

Avoid corruption of internal hash tables when out of memory (Hitoshi Harada)

Fix planning of non-strict equivalence clauses above outer joins (Tom Lane)
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join.
Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane) This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved. Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund) In very unusual circumstances, this oversight could result in passing incorrect data to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger. Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee) This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later. Fix REASSIGN OWNED to handle grants on tablespaces (Álvaro Herrera) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane) Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views. Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane) Fix possible access past end of string in date parsing (Hitoshi Harada) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan) Formerly, this would result in something quite unhelpful, such as Non-recoverable failure in name resolution. 
Fix memory leaks when sending composite column values to the client (Tom Lane) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas) Fix race conditions and possible file descriptor leakage. Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing) Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane) The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane) The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out. Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane) This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory. Fix libpq's lo_import() and lo_export() functions to report file I/O errors properly (Tom Lane) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane) Fix pgxs support for building loadable modules on AIX (Tom Lane) Building modules outside the original source tree didn't work on AIX. Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil. Release 8.4.14 Release Date 2012-09-24 This release contains a variety of fixes from 8.4.13. For information about new features in the 8.4 major release, see . 
Migration to Version 8.4.14 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.10, see . Changes Fix planner's assignment of executor parameters, and fix executor's rescan logic for CTE plan nodes (Tom Lane) These errors could result in wrong answers from queries that scan the same WITH subquery multiple times. Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane) Multi-column GiST indexes might suffer unexpected bloat due to this error. Fix cascading privilege revoke to stop if privileges are still held (Tom Lane) If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to. Fix handling of SIGFPE when PL/Perl is in use (Andres Freund) Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl. Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane) Work around possible misoptimization in PL/Perl (Tom Lane) Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error. Update time zone data files to tzdata release 2012f for DST law changes in Fiji Release 8.4.13 Release Date 2012-08-17 This release contains a variety of fixes from 8.4.12. For information about new features in the 8.4 major release, see . Migration to Version 8.4.13 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.10, see . 
Changes Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane) xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489) Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut) libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488) Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented feature, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. Prevent too-early recycling of btree index pages (Noah Misch) When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed. 
Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane) If ALTER SEQUENCE was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an ALTER SEQUENCE OWNED BY step. Ensure the backup_label file is fsync'd after pg_start_backup() (Dave Kerr) Back-patch 9.1 improvement to compress the fsync request queue (Robert Haas) This improves performance during checkpoints. The 9.1 change has now seen enough field testing to seem safe to back-patch. Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane) The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period. Improve logging of autovacuum cancels (Robert Haas) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane) Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane) This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch. 
Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki Linnakangas, Tom Lane) Fix extraction of common prefixes from regular expressions (Tom Lane) The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns. Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane) Report errors properly in contrib/xml2's xslt_process() (Tom Lane) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau Release 8.4.12 Release Date 2012-06-04 This release contains a variety of fixes from 8.4.11. For information about new features in the 8.4 major release, see . Migration to Version 8.4.12 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.10, see . Changes Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer) If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane) Applying such attributes to a call handler could crash the server. (CVE-2012-2655) Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane) Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload. 
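The DES crypt() entry above (CVE-2012-2143), as an added C model that is not pgcrypto's source: it assumes the classic key-preparation step that shifts each of the first eight password bytes left by one bit, and shows one way a loop of that shape ends up ignoring everything after a 0x80 byte. The function names and the sample passwords are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DES_KEY_BYTES 8

/*
 * Assumed pre-fix shape: the "advance to the next password byte" decision
 * looks at the byte just stored, i.e. the *shifted* value.  0x80 << 1 is
 * 0x100, which truncates to 0x00 in a uint8_t, so 0x80 is mistaken for
 * the terminating NUL and the pointer never moves past it.
 */
static void prep_key_buggy(const char *password, uint8_t keybuf[DES_KEY_BYTES])
{
    const uint8_t *key = (const uint8_t *) password;
    uint8_t *q = keybuf;

    while (q - keybuf < DES_KEY_BYTES) {
        *q++ = (uint8_t) (*key << 1);
        if (*(q - 1))
            key++;
    }
}

/* Corrected shape: test the original password byte, not the shifted one. */
static void prep_key_fixed(const char *password, uint8_t keybuf[DES_KEY_BYTES])
{
    const uint8_t *key = (const uint8_t *) password;
    uint8_t *q = keybuf;

    while (q - keybuf < DES_KEY_BYTES) {
        *q++ = (uint8_t) (*key << 1);
        if (*key != '\0')
            key++;
    }
}

/* Returns 1 when both passwords produce the same 8-byte key material. */
int keys_collide(const char *a, const char *b, int use_fixed)
{
    uint8_t ka[DES_KEY_BYTES], kb[DES_KEY_BYTES];

    if (use_fixed) {
        prep_key_fixed(a, ka);
        prep_key_fixed(b, kb);
    } else {
        prep_key_buggy(a, ka);
        prep_key_buggy(b, kb);
    }
    return memcmp(ka, kb, DES_KEY_BYTES) == 0;
}

int main(void)
{
    /* Constructed passwords that differ only after the 0x80 byte.  The
     * literals are split so "\x80" is not merged with following hex digits. */
    const char *p1 = "ab\x80" "cdefg";
    const char *p2 = "ab\x80" "zzzzz";

    printf("buggy key prep collides: %d\n", keys_collide(p1, p2, 0));
    printf("fixed key prep collides: %d\n", keys_collide(p1, p2, 1));
    return 0;
}
```

Because the corrected loop produces different key material for any password containing 0x80, hashes stored under the old behavior stop matching, which is why the entry says stored values may need to be updated.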
Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane) This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions. Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter) Fix memory copying bug in to_tsquery() (Heikki Linnakangas) Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane) This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with ERROR: Upper-level PlaceHolderVar found where not expected. But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should. Fix slow session startup when pg_attribute is very large (Tom Lane) If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once. Ensure sequential scans check for query cancel reasonably often (Merlin Moncure) A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile. Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning (Tom Lane) This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences. 
Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane) Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast. Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane) A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4. Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas) Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes. Fix logging collector to not lose log coherency under high load (Andrew Dunstan) The collector previously could fail to reassemble large messages if it got too busy. Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane) Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane) Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane) Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane) pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences. 
Fix contrib/dblink's dblink_exec() to not leak temporary database connections upon error (Tom Lane) Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi) Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada. Release 8.4.11 Release Date 2012-02-27 This release contains a variety of fixes from 8.4.10. For information about new features in the 8.4 major release, see . Migration to Version 8.4.11 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.10, see . Changes Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas) This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866) Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas) Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. 
(CVE-2012-0867) Convert newlines to spaces in names written in pg_dump comments (Robert Haas) pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane) An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as could not read block N in file ...) or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things. Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane) Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions. Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas) Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one. 
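The pg_dump comment fix above (CVE-2012-0868), as an added C illustration that is not pg_dump's source: the header layout, the helper names and the constructed object name are assumptions made for this example. It shows why a newline inside a name escapes the `--` comment line, and how replacing CR/LF with spaces keeps the whole name inside the comment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: an object name carrying an embedded newline. */
static const char CONSTRUCTED_NAME[] = "t1\nSELECT 'outside the comment';";

/*
 * Hypothetical helper: copy `name`, turning CR and LF into spaces so the
 * value cannot terminate the "--" comment line it is embedded in.
 * The caller frees the result.
 */
static char *sanitize_comment_name(const char *name)
{
    size_t n = strlen(name);
    char *out = malloc(n + 1);

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i <= n; i++)          /* i == n copies the NUL */
        out[i] = (name[i] == '\n' || name[i] == '\r') ? ' ' : name[i];
    return out;
}

/* Write a dump-style header comment for one object into buf. */
static int emit_header(char *buf, size_t len, const char *name, int sanitize)
{
    const char *shown = name;
    char *safe = NULL;
    int n;

    if (sanitize) {
        safe = sanitize_comment_name(name);
        if (safe == NULL)
            return -1;
        shown = safe;
    }
    n = snprintf(buf, len, "--\n-- Name: %s; Type: TABLE\n--\n", shown);
    free(safe);
    return (n < 0 || (size_t) n >= len) ? -1 : 0;
}

/*
 * Count the lines a SQL reader would treat as statements rather than
 * comments: non-empty lines that do not start with "--".
 */
static int count_sql_lines(const char *script)
{
    int count = 0;
    const char *p = script;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t) (eol - p) : strlen(p);

        if (linelen > 0 && strncmp(p, "--", 2) != 0)
            count++;
        p += linelen;
        if (*p == '\n')
            p++;
    }
    return count;
}

/* Lines outside comments in the header generated for the constructed name. */
int sql_lines_in_header(int sanitize)
{
    char buf[256];

    if (emit_header(buf, sizeof buf, CONSTRUCTED_NAME, sanitize) != 0)
        return -1;
    return count_sql_lines(buf);
}

int main(void)
{
    printf("unsanitized: %d line(s) outside comments\n", sql_lines_in_header(0));
    printf("sanitized:   %d line(s) outside comments\n", sql_lines_in_header(1));
    return 0;
}
```

The same line-counting check can be pointed at an existing dump script's header blocks to confirm that nothing derived from an object name sits outside a comment before the script is reloaded.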
Avoid crashing when we have problems deleting table files post-commit (Tom Lane) Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database. Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane) Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed. Fix regular expression back-references with * attached (Tom Lane) Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol. A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release. Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas) A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column. Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane) In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible. 
Avoid double close of file handle in syslogger on Windows (MauMau) Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows. Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane) Certain operations would leak memory until the end of the current function. Improve pg_dump's handling of inherited table columns (Tom Lane) pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly. Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane) Direct-to-database restores from archive files made with Allow AT option in ecpg DEALLOCATE statements (Michael Meskes) The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case. Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge) If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result. Fix error detection in contrib/pgcrypto's encrypt_iv() and decrypt_iv() (Marko Kreen) These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input. Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot) The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad. 
Use __sync_lock_test_and_set() for spinlocks on ARM, if available (Martin Pitt) This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation. Use This prevents assorted scenarios wherein recent versions of gcc will produce creative results. Allow use of threaded Python on FreeBSD (Chris Rees) Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check. Release 8.4.10 Release Date 2011-12-05 This release contains a variety of fixes from 8.4.9. For information about new features in the 8.4 major release, see . Migration to Version 8.4.10 A dump/restore is not required for those running 8.4.X. However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below. Also, if you are upgrading from a version earlier than 8.4.8, see . Changes Fix bugs in information_schema.referential_constraints view (Tom Lane) This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does. Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) 
This must be repeated in each database to be fixed. Fix incorrect replay of WAL records for GIN index updates (Tom Lane) This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however. Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane) If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug. Fix race condition during toast table access from stale syscache entries (Tom Lane) The typical symptom was transient errors like missing chunk number 0 for toast value NNNNN in pg_toast_2619, where the cited toast table would always belong to a system catalog. Track dependencies of functions on items used in parameter default expressions (Tom Lane) Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended. Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane) Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not (Heikki Linnakangas) This change affects no core code, but might prevent crashes in add-on code that expects DatumGetInetP() to produce an unpacked datum as per usual convention. 
Improve locale support in money type's input and output (Tom Lane) Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read. Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas) transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE. Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane) For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention RI_ConstraintTrigger_NNNN. A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order. Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews) While harmless in itself, on certain platforms this would result in annoying kernel log messages. Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane) Formerly, these would not be displayed correctly in the pg_settings view. 
Preserve blank lines within commands in psql's command history (Robert Haas) The former behavior could cause problems if an empty line was removed from within a string literal, for example. Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker) Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane) Some functions incorrectly assumed that memory returned by palloc() is guaranteed zeroed. Honor query cancel interrupts promptly in pgstatindex() (Robert Haas) Ensure VPATH builds properly install all server header files (Peter Eisentraut) Shorten file names reported in verbose error messages (Peter Eisentraut) Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name. Fix interpretation of Windows timezone names for Central America (Tom Lane) Map Central America Standard Time to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America. Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa. Release 8.4.9 Release Date 2011-09-26 This release contains a variety of fixes from 8.4.8. For information about new features in the 8.4 major release, see . Migration to Version 8.4.9 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.8, see . Changes Fix bugs in indexing of in-doubt HOT-updated tuples (Tom Lane) These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes. 
Fix multiple bugs in GiST index page split processing (Heikki Linnakangas) The probability of occurrence was low, but these could lead to index corruption. Fix possible buffer overrun in tsvector_concat() (Tom Lane) The function could underestimate the amount of memory needed for its result, leading to server crashes. Fix crash in xml_recv when processing a standalone parameter (Tom Lane) Make pg_options_to_table return NULL for an option with no value (Tom Lane) Previously such cases would result in a server crash. Avoid possibly accessing off the end of memory in ANALYZE and in SJIS-2004 encoding conversion (Noah Misch) This fixes some very-low-probability server crash scenarios. Prevent intermittent hang in interactions of startup process with bgwriter process (Simon Riggs) This affected recovery in non-hot-standby cases. Fix race condition in relcache init file invalidation (Tom Lane) There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically could not read block 0 in file ... later during startup. Fix memory leak at end of a GiST index scan (Tom Lane) Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak. Fix incorrect memory accounting (leading to possible memory bloat) in tuplestores supporting holdable cursors and plpgsql's RETURN NEXT command (Tom Lane) Fix performance problem when constructing a large, lossy bitmap (Tom Lane) Fix join selectivity estimation for unique columns (Tom Lane) This fixes an erroneous planner heuristic that could lead to poor estimates of the result size of a join. 
Fix nested PlaceHolderVar expressions that appear only in sub-select target lists (Tom Lane) This mistake could result in outputs of an outer join incorrectly appearing as NULL. Allow nested EXISTS queries to be optimized properly (Tom Lane) Fix array- and path-creating functions to ensure padding bytes are zeroes (Tom Lane) This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization. Fix EXPLAIN to handle gating Result nodes within inner-indexscan subplans (Tom Lane) The usual symptom of this oversight was bogus varno errors. Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane) This could lead to loss of committed transactions after a server crash. Fix dump bug for VALUES in a view (Tom Lane) Disallow SELECT FOR UPDATE/SHARE on sequences (Tom Lane) This operation doesn't work as expected and can lead to failures. Fix VACUUM so that it always updates pg_class.reltuples/relpages (Tom Lane) This fixes some scenarios where autovacuum could make increasingly poor decisions about when to vacuum tables. Defend against integer overflow when computing size of a hash table (Tom Lane) Fix cases where CLUSTER might attempt to access already-removed TOAST data (Tom Lane) Fix portability bugs in use of credentials control messages for peer authentication (Tom Lane) Fix SSPI login when multiple roundtrips are required (Ahmed Shinwari, Magnus Hagander) The typical symptom of this problem was The function requested is not supported errors during SSPI login. Throw an error if pg_hba.conf contains hostssl but SSL is disabled (Tom Lane) This was concluded to be more user-friendly than the previous behavior of silently ignoring such lines. Fix typo in pg_srand48 seed initialization (Andres Freund) This led to failure to use all bits of the provided seed. 
This function is not used on most platforms (only those without srandom), and the potential security exposure from a less-random-than-expected seed seems minimal in any case. Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63 (Heikki Linnakangas) Add overflow checks to int4 and int8 versions of generate_series() (Robert Haas) Fix trailing-zero removal in to_char() (Marti Raudsepp) In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly. Fix pg_size_pretty() to avoid overflow for inputs close to 2^63 (Tom Lane) Weaken plpgsql's check for typmod matching in record values (Tom Lane) An overly enthusiastic check could lead to discarding length modifiers that should have been kept. Correctly handle quotes in locale names during initdb (Heikki Linnakangas) The case can arise with some Windows locales, such as People's Republic of China. Fix pg_upgrade to preserve toast tables' relfrozenxids during an upgrade from 8.3 (Bruce Momjian) Failure to do this could lead to pg_clog files being removed too soon after the upgrade. In pg_ctl, support silent mode for service registrations on Windows (MauMau) Fix psql's counting of script file line numbers during COPY from a different file (Tom Lane) Fix pg_restore's direct-to-database mode for standard_conforming_strings (Tom Lane) pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on. Be more user-friendly about unsupported cases for parallel pg_restore (Tom Lane) This change ensures that such cases are detected and reported before any restore actions have been taken. 
Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code (Albe Laurenz) In libpq, avoid failures when using nonblocking I/O and an SSL connection (Martin Pihlak, Tom Lane) Improve libpq's handling of failures during connection startup (Tom Lane) In particular, the response to a server report of fork() failure during SSL connection startup is now saner. Improve libpq's error reporting for SSL failures (Tom Lane) Fix PQsetvalue() to avoid possible crash when adding a new tuple to a PGresult originally obtained from a server query (Andrew Chernow) Make ecpglib write double values with 15 digits precision (Akira Kurosawa) In ecpglib, be sure LC_NUMERIC setting is restored after an error (Michael Meskes) Apply upstream fix for blowfish signed-character bug (CVE-2011-2483) (Tom Lane) contrib/pg_crypto's blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be. Fix memory leak in contrib/seg (Heikki Linnakangas) Fix pgstatindex() to give consistent results for empty indexes (Tom Lane) Allow building with perl 5.14 (Alex Hunsaker) Update configure script's method for probing existence of system functions (Tom Lane) The version of autoconf we used in 8.3 and 8.2 could be fooled by compilers that perform link-time optimization. Fix assorted issues with build and install file paths containing spaces (Tom Lane) Update time zone data files to tzdata release 2011i for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan. Release 8.4.8 Release Date 2011-04-18 This release contains a variety of fixes from 8.4.7. For information about new features in the 8.4 major release, see . Migration to Version 8.4.8 A dump/restore is not required for those running 8.4.X. However, if your installation was upgraded from a previous major release by running pg_upgrade, you should take action to prevent possible data loss due to a now-fixed bug in pg_upgrade. 
The recommended solution is to run VACUUM FREEZE on all TOAST tables. More information is available at http://wiki.postgresql.org/wiki/20110408pg_upgrade_fix. Also, if you are upgrading from a version earlier than 8.4.2, see . Changes Fix pg_upgrade's handling of TOAST tables (Bruce Momjian) The pg_class.relfrozenxid value for TOAST tables was not correctly copied into the new installation during pg_upgrade. This could later result in pg_clog files being discarded while they were still needed to validate tuples in the TOAST tables, leading to "could not access status of transaction" failures. This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade. Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning (Heikki Linnakangas) VACUUM would sometimes issue this warning in cases that are actually valid. Disallow including a composite type in itself (Tom Lane) This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely. Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke) In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order. Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane) This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. 
There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple. Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane) Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired. Prevent crash triggered by constant-false WHERE conditions during GEQO optimization (Tom Lane) Improve planner's handling of semi-join and anti-join cases (Tom Lane) Fix selectivity estimation for text search to account for NULLs (Jesper Krogh) Improve PL/pgSQL's ability to handle row types with dropped columns (Pavel Stehule) This is a back-patch of fixes previously made in 9.0. Fix PL/Python memory leak involving array slices (Daniel Popowich) Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane) Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno) Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane) There was a hard-wired assumption that this system function was not available on MIPS hardware on these systems. Use a compile-time test instead, since more recent versions have it. Fix compilation failures on HP-UX (Heikki Linnakangas) Fix version-incompatibility problem with libintl on Windows (Hiroshi Inoue) Fix usage of xcopy in Windows build scripts to work correctly under Windows 7 (Andrew Dunstan) This affects the build scripts only, not installation or usage. Fix path separator used by pg_regress on Cygwin (Andrew Dunstan) Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii. Release 8.4.7 Release Date 2011-01-31 This release contains a variety of fixes from 8.4.6. For information about new features in the 8.4 major release, see . 
Migration to Version 8.4.7 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see . Changes Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane) If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors. Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane) If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane) The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on (Tom Lane) Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database. Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane) Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type. Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple) This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. 
(CVE-2010-4015) Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.) Release 8.4.6 Release Date 2010-12-16 This release contains a variety of fixes from 8.4.5. For information about new features in the 8.4 major release, see . Migration to Version 8.4.6 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see . Changes Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp) The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option. Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane) This could result in "bad buffer id: 0" failures or corruption of index contents during replication. Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis) Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane) The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly. Add support for detecting register-stack overrun on IA64 (Tom Lane) The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both. Add a check for stack overflow in copyObject() (Tom Lane) Certain code paths could crash due to stack overflow given a sufficiently complex query. 
Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas) It is possible to have a concurrent page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued. Fix error checking during early connection processing (Tom Lane) The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays. Improve efficiency of window functions (Tom Lane) Certain cases where a large number of tuples needed to be read in advance, but work_mem was large enough to allow them all to be held in memory, were unexpectedly slow. percent_rank(), cume_dist() and ntile() in particular were subject to this problem. Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane) An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped. Do not inline a SQL function with multiple OUT parameters (Tom Lane) This avoids a possible crash due to loss of information about the expected result rowtype. Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane) Fix constant-folding of COALESCE() expressions (Tom Lane) The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors. 
Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov) Fix missed unlink of temporary files when log_temp_files is active (Tom Lane) If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files. Add print functionality for InhRelation nodes (Tom Lane) This avoids a failure when debug_print_parse is enabled and certain types of query are executed. Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane) This bug affected several different geometric distance-measurement operators. Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro) Fix PL/pgSQL's handling of simple expressions to not fail in recursion or error-recovery cases (Tom Lane) Fix PL/Python's handling of set-returning functions (Jan Urbanski) Attempts to call SPI functions within the iterator generating a set result would fail. Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update. Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong. Release 8.4.5 Release Date 2010-10-04 This release contains a variety of fixes from 8.4.4. For information about new features in the 8.4 major release, see . Migration to Version 8.4.5 A dump/restore is not required for those running 8.4.X. 
However, if you are upgrading from a version earlier than 8.4.2, see . Changes Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane) This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner. The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already. It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes. Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433). Prevent possible crashes in pg_get_expr() by disallowing it from being called with an argument that is not one of the system catalog columns it's intended to be used with (Heikki Linnakangas, Tom Lane) Treat exit code 128 (ERROR_WAIT_NO_CHILDREN) as non-fatal on Windows (Magnus Hagander) Under high load, Windows processes will sometimes fail at startup with this error code. Formerly the postmaster treated this as a panic condition and restarted the whole database, but that seems to be an overreaction. 
Fix incorrect placement of placeholder evaluation (Tom Lane) This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list. Fix possible duplicate scans of UNION ALL member relations (Tom Lane) Fix "cannot handle unplanned sub-select" error (Tom Lane) This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select. Fix mishandling of whole-row Vars that reference a view or sub-select and appear within a nested sub-select (Tom Lane) Fix mishandling of cross-type IN comparisons (Tom Lane) This could result in failures if the planner tried to implement an IN join with a sort-then-unique-then-plain-join plan. Fix computation of ANALYZE statistics for tsvector columns (Jan Urbanski) The original coding could produce incorrect statistics, leading to poor plan choices later. Improve planner's estimate of memory used by array_agg(), string_agg(), and similar aggregate functions (Hitoshi Harada) The previous drastic underestimate could lead to out-of-memory failures due to inappropriate choice of a hash-aggregation plan. Fix failure to mark cached plans as transient (Tom Lane) If a plan is prepared while CREATE INDEX CONCURRENTLY is in progress for one of the referenced tables, it is supposed to be re-planned once the index is ready for use. This was not happening reliably. Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages (Tom Lane) This should improve the system's robustness with corrupted indexes. Fix incorrect search logic for partial-match queries with GIN indexes (Tom Lane) Cases involving AND/OR combination of several GIN index conditions didn't always give the right answer, and were sometimes much slower than necessary. 
Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane) Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane) Fix possible corruption of pending trigger event lists during subtransaction rollback (Tom Lane) This could lead to a crash or incorrect firing of triggers. Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane) Improve merge join's handling of NULLs in the join columns (Tom Lane) A merge join can now stop entirely upon reaching the first NULL, if the sort order is such that NULLs sort high. Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane) This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed. Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas) The original coding could result in a crash if there was limited stack space. Avoid holding open old WAL segments in the walwriter process (Magnus Hagander, Heikki Linnakangas) The previous coding would prevent removal of no-longer-needed segments. Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane) Prevent misinterpretation of partially-specified relation options for TOAST tables (Itagaki Takahiro) In particular, fillfactor would be read as zero if any other reloption had been set for the table, leading to serious bloat. Fix inheritance count tracking in ALTER TABLE ... ADD CONSTRAINT (Robert Haas) Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis) Allow CREATE DATABASE and ALTER DATABASE ... 
SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge) Improve CREATE INDEX's checking of whether proposed index expressions are immutable (Tom Lane) Fix REASSIGN OWNED to handle operator classes and families (Asko Tiidumaa) Fix possible core dump when comparing two empty tsquery values (Tom Lane) Fix LIKE's handling of patterns containing % followed by _ (Tom Lane) We've fixed this before, but there were still some incorrectly-handled cases. Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane) Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking. Fix PL/pgSQL to throw an error, not crash, if a cursor is closed within a FOR loop that is iterating over that cursor (Heikki Linnakangas) In PL/Python, defend against null pointer results from PyCObject_AsVoidPtr and PyCObject_FromVoidPtr (Peter Eisentraut) In libpq, fix full SSL certificate verification for the case where both host and hostaddr are specified (Tom Lane) Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro) Fix some issues in pg_dump's handling of SQL/MED objects (Tom Lane) Notably, pg_dump would always fail if run by a non-superuser, which was not intended. Improve pg_dump and pg_restore's handling of non-seekable archive files (Tom Lane, Robert Haas) This is important for proper functioning of parallel restore. Improve parallel pg_restore's ability to cope with selective restore (-L option) (Tom Lane) The original code tended to fail if the -L file commanded a non-default restore ordering. 
Fix ecpg to process data from RETURNING clauses correctly (Michael Meskes) Fix some memory leaks in ecpg (Zoltan Boszormenyi) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane) Fix connection leak after duplicate connection name errors in contrib/dblink (Itagaki Takahiro) Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro) Add hstore(text, text) function to contrib/hstore (Robert Haas) This function is the recommended substitute for the now-deprecated => operator. It was back-patched so that future-proofed code can be used with older server versions. Note that the patch will be effective only after contrib/hstore is installed or reinstalled in a particular database. Users might prefer to execute the CREATE FUNCTION command by hand, instead. Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others) Update time zone data files to tzdata release 2010l for DST law changes in Egypt and Palestine; also historical corrections for Finland. This change also adds new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape. Make Windows' N. Central Asia Standard Time timezone map to Asia/Novosibirsk, not Asia/Almaty (Magnus Hagander) Microsoft changed the DST behavior of this zone in the timezone update from KB976098. Asia/Novosibirsk is a better match to its new behavior. Release 8.4.4 Release Date 2010-05-17 This release contains a variety of fixes from 8.4.3. For information about new features in the 8.4 major release, see . Migration to Version 8.4.4 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see . 
Changes Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan) Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. (CVE-2010-1169) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom) PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted normal Tcl interpreter unless we are really going to execute a pltclu function. (CVE-2010-1170) Fix data corruption during WAL replay of ALTER ... SET TABLESPACE (Tom) When archive_mode is on, ALTER ... SET TABLESPACE generates a WAL record whose replay logic was incorrect. It could write the data to the wrong place, leading to possibly-unrecoverable data corruption. Data corruption would be observed on standby slaves, and could occur on the master as well if a database crash and recovery occurred after committing the ALTER and before the next checkpoint. Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki) This error was introduced in 8.4.3 while fixing a related failure. 
Apply per-function GUC settings while running the language validator for the function (Itagaki Takahiro) This avoids failures if the function's code is invalid without the setting; an example is that SQL functions may not parse if the search_path is not correct. Do constraint exclusion for inherited UPDATE and DELETE target tables when constraint_exclusion = partition (Tom) Due to an oversight, this setting previously only caused constraint exclusion to be checked in SELECT commands. Do not allow an unprivileged user to reset superuser-only parameter settings (Alvaro) Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change. Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom) In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message. Fix erroneous handling of %r parameter in recovery_end_command (Heikki) The value always came out zero. Ensure the archiver process responds to changes in archive_command as soon as possible (Tom) Fix pl/pgsql's CASE statement to not fail when the case expression is a query that returns no rows (Tom) Update pl/perl's ppport.h for modern Perl versions (Andrew) Fix assorted memory leaks in pl/python (Andreas Freund, Tom) Handle empty-string connect parameters properly in ecpg (Michael) Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom) Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom) Addition of spaces around the decimal point in a numeric literal would result in a syntax error. 
Avoid formatting failure in psql when running in a locale context that doesn't match the client_encoding (Tom) Fix unnecessary "GIN indexes do not support whole-index scans" errors for unsatisfiable queries using contrib/intarray operators (Tom) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara) Make server startup deal properly with the case that shmget() returns EINVAL for an existing shared memory segment (Tom) This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large. Avoid possible crashes in syslogger process on Windows (Heikki) Deal more robustly with incomplete time zone information in the Windows registry (Magnus) Update the set of known Windows time zone names (Magnus) Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan. Also, add PKST (Pakistan Summer Time) to the default set of timezone abbreviations. Release 8.4.3 Release Date 2010-03-15 This release contains a variety of fixes from 8.4.2. For information about new features in the 8.4 major release, see . Migration to Version 8.4.3 A dump/restore is not required for those running 8.4.X. However, if you are upgrading from a version earlier than 8.4.2, see . Changes Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus) This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches for CVE-2009-3555 that cause renegotiation attempts to fail. 
Fix possible deadlock during backend startup (Tom) Fix possible crashes due to not handling errors during relcache reload cleanly (Tom) Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo) Fix possible crash due to overenthusiastic invalidation of cached plan for ROLLBACK (Tom) Fix possible crashes when trying to recover from a failure in subtransaction start (Tom) Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom) Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai) This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion. Fix bug in WAL redo cleanup method for GIN indexes (Heikki) Fix incorrect comparison of scan key in GIN index search (Teodor) Make substring() for bit types treat any negative length as meaning all the rest of the string (Tom) The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash (CVE-2010-0442). Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom) Fix some cases of pathologically slow regular expression matching (Tom) Fix bug occurring when trying to inline a SQL function that returns a set of a composite type that contains dropped columns (Tom) Fix bug with trying to update a field of an element of a composite-type array column (Tom) Avoid failure when EXPLAIN has to print a FieldStore or assignment ArrayRef expression (Tom) These cases can arise now that EXPLAIN VERBOSE tries to print plan node target lists. 
Avoid an unnecessary coercion failure in some cases where an undecorated literal string appears in a subquery within UNION/INTERSECT/EXCEPT (Tom) This fixes a regression for some cases that worked before 8.4. Avoid undesirable rowtype compatibility check failures in some cases where a whole-row Var has a rowtype that contains dropped columns (Tom) Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro) Always pass the catalog ID to an option validator function specified in CREATE FOREIGN DATA WRAPPER (Martin Pihlak) Fix some more cases of temporary-file leakage (Heikki) This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler. Add support for doing FULL JOIN ON FALSE (Tom) This prevents a regression from pre-8.4 releases for some queries that can now be simplified to a constant-false join condition. Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a bool_column = false constraint (Tom) Prevent treating an INOUT cast as representing binary compatibility (Heikki) Include column name in the message when warning about inability to grant or revoke column-level privileges (Stephen Frost) This is more useful than before and helps to prevent confusion when a REVOKE generates multiple messages, which formerly appeared to be duplicates. When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom) This prevents erratic behavior if a role or database name starts with @. 
If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct. Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom) Fix possible infinite loop if SSL_read or SSL_write fails without setting errno (Tom) This is reportedly possible with some Windows versions of openssl. Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus) Protect ecpg against applications freeing strings unexpectedly (Michael) Make ecpg report the proper SQLSTATE if the connection disappears (Michael) Fix translation of cell contents in psql \d output (Heikki) Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki) Fix a small per-query memory leak in psql (Tom) Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce) Fix pg_dump's output of permissions for foreign servers (Heikki) Fix possible crash in parallel pg_restore due to out-of-range dependency IDs (Tom) Fix plpgsql failure in one case where a composite column is set to NULL (Tom) Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce) Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom) The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later. Prevent ExecutorEnd from being run on portals created within a failed transaction or subtransaction (Tom) This is known to cause issues when using contrib/auto_explain. 
Prevent crash in contrib/dblink when too many key columns are specified to a dblink_build_sql_* function (Rushabh Lathia, Joe Conway) Allow zero-dimensional arrays in contrib/ltree operations (Tom) This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY(SELECT ...) and the sub-select returns no rows. Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom) Make building of contrib/xml2 more robust on Windows (Andrew) Fix race condition in Windows signal handling (Radu Ilie) One known symptom of this bug is that rows in pg_listener could be dropped under heavy load. Make the configure script report failure if the C compiler does not provide a working 64-bit integer datatype (Tom) This case has been broken for some time, and no longer seems worth supporting, so just reject it at configure time instead. Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa. Release 8.4.2 Release Date 2009-12-14 This release contains a variety of fixes from 8.4.1. For information about new features in the 8.4 major release, see . Migration to Version 8.4.2 A dump/restore is not required for those running 8.4.X. However, if you have any hash indexes, you should REINDEX them after updating to 8.4.2, to repair possible damage. Changes Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom) This change prevents allegedly-immutable index functions from possibly subverting a superuser's session (CVE-2009-4136). Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus) This prevents unintended matching of a certificate to a server or client name during SSL validation (CVE-2009-4034). 
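The check behind the CVE-2009-4034 entry above, as an added example (not PostgreSQL's own code): a certificate name is stored length-delimited, so a C-string comparison stops at the first NUL byte and can accept a name the certificate does not actually carry. The struct, function names and sample names below are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CN_MAX 255

/* A common-name field as it comes out of a certificate: raw bytes plus an
 * explicit length. The bytes may contain 0x00, which C string functions
 * treat as the end of the string. (Hypothetical type for this example.) */
struct cn_field {
    const unsigned char *data;
    size_t len;
};

enum cn_result { CN_REJECTED = -1, CN_MISMATCH = 0, CN_MATCH = 1 };

/* Constructed sample values. */
static const unsigned char SAMPLE_CLEAN[] = "db.example.com";
static const unsigned char SAMPLE_NUL[]   = "db.example.com\0.other.example";

struct cn_field sample_clean(void)
{
    struct cn_field f = { SAMPLE_CLEAN, sizeof(SAMPLE_CLEAN) - 1 };
    return f;
}

struct cn_field sample_with_nul(void)
{
    struct cn_field f = { SAMPLE_NUL, sizeof(SAMPLE_NUL) - 1 };
    return f;
}

/* Copy the field into a NUL-terminated buffer; fail if it does not fit. */
static int cn_copy(const struct cn_field *cn, char *buf, size_t buflen)
{
    if (cn->len >= buflen)
        return -1;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return 0;
}

/* Weak form: compares as a C string, so only the bytes before the first
 * embedded NUL take part in the comparison. */
enum cn_result cn_match_naive(const struct cn_field *cn, const char *host)
{
    char buf[CN_MAX + 1];

    if (cn_copy(cn, buf, sizeof buf) != 0)
        return CN_REJECTED;
    return strcasecmp(buf, host) == 0 ? CN_MATCH : CN_MISMATCH;
}

/* Hardened form: if the C-string length differs from the encoded length,
 * the field contains an embedded NUL and the certificate is rejected
 * before any name comparison takes place. */
enum cn_result cn_match_checked(const struct cn_field *cn, const char *host)
{
    char buf[CN_MAX + 1];

    if (cn_copy(cn, buf, sizeof buf) != 0)
        return CN_REJECTED;
    if (strlen(buf) != cn->len)
        return CN_REJECTED;
    return strcasecmp(buf, host) == 0 ? CN_MATCH : CN_MISMATCH;
}

int main(void)
{
    struct cn_field clean = sample_clean();
    struct cn_field nul = sample_with_nul();
    const char *host = "db.example.com";

    printf("clean CN, naive:   %d\n", cn_match_naive(&clean, host));
    printf("clean CN, checked: %d\n", cn_match_checked(&clean, host));
    printf("NUL CN,   naive:   %d\n", cn_match_naive(&nul, host));
    printf("NUL CN,   checked: %d\n", cn_match_checked(&nul, host));
    return 0;
}
```

The same length comparison applies to any name field taken from a certificate, on both the client side (checking the server name) and the server side (mapping a client certificate to a user).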
Fix hash index corruption (Tom) The 8.4 change that made hash indexes keep entries sorted by hash value failed to update the bucket splitting and compaction routines to preserve the ordering. So application of either of those operations could lead to permanent corruption of an index, in the sense that searches might fail to find entries that are present. To deal with this, it is recommended to REINDEX any hash indexes you may have after installing this update. Fix possible crash during backend-startup-time cache initialization (Tom) Avoid crash on empty thesaurus dictionary (Tom) Prevent signals from interrupting VACUUM at unsafe times (Alvaro) This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table. Fix possible crash due to integer overflow in hash table size calculation (Tom) This could occur with extremely large planner estimates for the size of a hashjoin's result. Fix crash if a DROP is attempted on an internally-dependent object (Tom) Fix very rare crash in inet/cidr comparisons (Chris Mikkelson) Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki) Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki) Fix memory leak in syslogger process when rotating to a new CSV logfile (Tom) Fix memory leak in postmaster when re-parsing pg_hba.conf (Tom) Fix Windows permission-downgrade logic (Jesse Morris) This fixes some cases where the database failed to start on Windows, often with misleading error messages such as could not locate matching postgres executable. Make FOR UPDATE/SHARE in the primary query not propagate into WITH queries (Tom) For example, in WITH w AS (SELECT * FROM foo) SELECT * FROM w, bar ... FOR UPDATE the FOR UPDATE will now affect bar but not foo. 
This is more useful and consistent than the original 8.4 behavior, which tried to propagate FOR UPDATE into the WITH query but always failed due to assorted implementation restrictions. It also follows the design rule that WITH queries are executed as if independent of the main query. Fix bug with a WITH RECURSIVE query immediately inside another one (Tom) Fix concurrency bug in hash indexes (Tom) Concurrent insertions could cause index scans to transiently report wrong results. Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey) Fix wrong search results for a multi-column GIN index with fastupdate enabled (Teodor) Fix bugs in WAL entry creation for GIN indexes (Tom) These bugs were masked when full_page_writes was on, but with it off a WAL replay failure was certain if a crash occurred before the next checkpoint. Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki) It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software. Ensure WAL files aren't repeatedly archived on Windows (Heikki) This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file. Fix PAM password processing to be more robust (Tom) The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it. 
Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI authentication methods (Ian Turner) While the old 2000-byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger. Ensure that domain constraints are enforced in constructs like ARRAY[...]::domain, where the domain is over an array type (Heikki) Fix foreign-key logic for some cases involving composite-type columns as foreign keys (Tom) Ensure that a cursor's snapshot is not modified after it is created (Alvaro) This could lead to a cursor delivering wrong results if later operations in the same transaction modify the data the cursor is supposed to return. Fix CREATE TABLE to properly merge default expressions coming from different inheritance parent tables (Tom) This used to work but was broken in 8.4. Re-enable collection of access statistics for sequences (Akira Kurosawa) This used to work but was broken in 8.3. Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom) Fix incorrect handling of WHERE x=x conditions (Tom) In some cases these could get ignored as redundant, but they aren't — they're equivalent to x IS NOT NULL. Fix incorrect plan construction when using hash aggregation to implement DISTINCT for textually identical volatile expressions (Tom) Fix Assert failure for a volatile SELECT DISTINCT ON expression (Tom) Fix ts_stat() to not fail on an empty tsvector value (Tom) Make text search parser accept underscores in XML attributes (Peter) Fix encoding handling in xml binary input (Heikki) If the XML header doesn't specify an encoding, we now assume UTF-8 by default; the previous handling was inconsistent. Fix bug with calling plperl from plperlu or vice versa (Tom) An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function. 
Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom) Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen) This worked correctly already for non-set-returning functions. Fix rare crash in exception processing in PL/Python (Peter) Fix ecpg problem with comments in DECLARE CURSOR statements (Michael) Fix ecpg to not treat recently-added keywords as reserved words (Tom) This affected the keywords CALLED, CATALOG, DEFINER, ENUM, FOLLOWING, INVOKER, OPTIONS, PARTITION, PRECEDING, RANGE, SECURITY, SERVER, UNBOUNDED, and WRAPPER. Re-allow regular expression special characters in psql's \df function name parameter (Tom) In contrib/fuzzystrmatch, correct the calculation of levenshtein distances with non-default costs (Marcin Mank) In contrib/pg_standby, disable triggering failover with a signal on Windows (Fujii Masao) This never did anything useful, because Windows doesn't have Unix-style signals, but recent changes made it actually crash. Put FREEZE and VERBOSE options in the right order in the VACUUM command that contrib/vacuumdb produces (Heikki) Fix possible leak of connections when contrib/dblink encounters an error (Tatsuhito Kasahara) Ensure psql's flex module is compiled with the correct system header definitions (Tom) This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code. Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom) Update the timezone abbreviation files to match current reality (Joachim Wieland) This includes adding IDT to the default timezone abbreviation set. Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong. 
Release 8.4.1 Release Date 2009-09-09 This release contains a variety of fixes from 8.4. For information about new features in the 8.4 major release, see . Migration to Version 8.4.1 A dump/restore is not required for those running 8.4.X. Changes Fix WAL page header initialization at the end of archive recovery (Heikki) This could lead to failure to process the WAL in a subsequent archive recovery. Fix cannot make new WAL entries during recovery error (Tom) Fix problem that could make expired rows visible after a crash (Tom) This bug involved a page status bit potentially not being set correctly after a server crash. Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom, Heikki) This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (See CVE-2007-6600) Make LOAD of an already-loaded loadable module into a no-op (Tom) Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful. Make window function PARTITION BY and ORDER BY items always be interpreted as simple expressions (Tom) In 8.4.0 these lists were parsed following the rules used for top-level GROUP BY and ORDER BY lists. But this was not correct per the SQL standard, and it led to possible circularity. Fix several errors in planning of semi-joins (Tom) These led to wrong query results in some cases where IN or EXISTS was used together with another join. Fix handling of whole-row references to subqueries that are within an outer join (Tom) An example is SELECT COUNT(ss.*) FROM ... LEFT JOIN (SELECT ...) ss ON .... Here, ss.* would be treated as ROW(NULL,NULL,...) for null-extended join rows, which is not the same as a simple NULL. Now it is treated as a simple NULL. Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus) This bug led to the often-reported could not reattach to shared memory error message. 
Fix locale handling with plperl (Heikki) This bug could cause the server's locale setting to change when a plperl function is called, leading to data corruption. Fix handling of reloptions to ensure setting one option doesn't force default values for others (Itagaki Takahiro) Ensure that a fast shutdown request will forcibly terminate open sessions, even if a smart shutdown was already in progress (Fujii Masao) Avoid memory leak for array_agg() in GROUP BY queries (Tom) Treat to_char(..., 'TH') as an uppercase ordinal suffix with 'HH'/'HH12' (Heikki) It was previously handled as 'th' (lowercase). Include the fractional part in the result of EXTRACT(second) and EXTRACT(milliseconds) for time and time with time zone inputs (Tom) This has always worked for floating-point datetime configurations, but was broken in the integer datetime code. Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker) Improve performance when processing toasted values in index scans (Tom) This is particularly useful for PostGIS. Fix a typo that disabled commit_delay (Jeff Janes) Output early-startup messages to postmaster.log if the server is started in silent mode (Tom) Previously such error messages were discarded, leading to difficulty in debugging. Remove translated FAQs (Peter) They are now on the wiki. The main FAQ was moved to the wiki some time ago. Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis) Fix several errors in pg_dump's --binary-upgrade mode (Bruce, Tom) pg_dump --binary-upgrade is used by pg_migrator. 
Fix contrib/xml2's xslt_process() to properly handle the maximum number of parameters (twenty) (Tom) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala) Work around gcc bug that causes floating-point exception instead of division by zero on some platforms (Tom) Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Mauritius. Release 8.4 Release Date 2009-07-01 Overview After many years of development, PostgreSQL has become feature-complete in many areas. This release shows a targeted approach to adding features (e.g., authentication, monitoring, space reuse), and adds capabilities defined in the later SQL standards. The major areas of enhancement are: Windowing Functions Common Table Expressions and Recursive Queries Default and variadic parameters for functions Parallel Restore Column Permissions Per-database locale settings Improved hash indexes Improved join performance for EXISTS and NOT EXISTS queries Easier-to-use Warm Standby Automatic sizing of the Free Space Map Visibility Map (greatly reduces vacuum overhead for slowly-changing tables) Version-aware psql (backslash commands work against older servers) Support SSL certificates for user authentication Per-function runtime statistics Easy editing of functions in psql New contrib modules: pg_stat_statements, auto_explain, citext, btree_gin The above items are explained in more detail in the sections below. Migration to Version 8.4 A dump/restore using pg_dump is required for those wishing to migrate data from any previous release. Observe the following incompatibilities: General Use 64-bit integer datetimes by default (Neil Conway) Previously this was selected by configure's Remove ipcclean utility command (Bruce) The utility only worked on a few platforms. Users should use their operating system tools instead. 
Server Settings Change default setting for log_min_messages to warning (previously it was notice) to reduce log file volume (Tom) Change default setting for max_prepared_transactions to zero (previously it was 5) (Tom) Make debug_print_parse, debug_print_rewritten, and debug_print_plan output appear at LOG message level, not DEBUG1 as formerly (Tom) Make debug_pretty_print default to on (Tom) Remove explain_pretty_print parameter (no longer needed) (Tom) Make log_temp_files settable by superusers only, like other logging options (Simon Riggs) Remove automatic appending of the epoch timestamp when no % escapes are present in log_filename (Robert Haas) This change was made because some users wanted a fixed log filename, for use with an external log rotation tool. Remove log_restartpoints from recovery.conf; instead use log_checkpoints (Simon) Remove krb_realm and krb_server_hostname; these are now set in pg_hba.conf instead (Magnus) There are also significant changes in pg_hba.conf, as described below. Queries Change TRUNCATE and LOCK to apply to child tables of the specified table(s) (Peter) These commands now accept an ONLY option that prevents processing child tables; this option must be used if the old behavior is needed. SELECT DISTINCT and UNION/INTERSECT/EXCEPT no longer always produce sorted output (Tom) Previously, these types of queries always removed duplicate rows by means of Sort/Unique processing (i.e., sort then remove adjacent duplicates). Now they can be implemented by hashing, which will not produce sorted output. If an application relied on the output being in sorted order, the recommended fix is to add an ORDER BY clause. As a short-term workaround, the previous behavior can be restored by disabling enable_hashagg, but that is a very performance-expensive fix. SELECT DISTINCT ON never uses hashing, however, so its behavior is unchanged. 
Force child tables to inherit CHECK constraints from parents (Alex Hunsaker, Nikhil Sontakke, Tom) Formerly it was possible to drop such a constraint from a child table, allowing rows that violate the constraint to be visible when scanning the parent table. This was deemed inconsistent, as well as contrary to SQL standard. Disallow negative LIMIT or OFFSET values, rather than treating them as zero (Simon) Disallow LOCK TABLE outside a transaction block (Tom) Such an operation is useless because the lock would be released immediately. Sequences now contain an additional start_value column (Zoltan Boszormenyi) This supports ALTER SEQUENCE ... RESTART. Functions and Operators Make numeric zero raised to a fractional power return 0, rather than throwing an error, and make numeric zero raised to the zero power return 1, rather than error (Bruce) This matches the longstanding float8 behavior. Allow unary minus of floating-point values to produce minus zero (Tom) The changed behavior is more IEEE-standard compliant. Throw an error if an escape character is the last character in a LIKE pattern (i.e., it has nothing to escape) (Tom) Previously, such an escape character was silently ignored, thus possibly masking application logic errors. Remove ~=~ and ~<>~ operators formerly used for LIKE index comparisons (Tom) Pattern indexes now use the regular equality operator. xpath() now passes its arguments to libxml without any changes (Andrew) This means that the XML argument must be a well-formed XML document. The previous coding attempted to allow XML fragments, but it did not work well. Make xmlelement() format attribute values just like content values (Peter) Previously, attribute values were formatted according to the normal SQL output behavior, which is sometimes at odds with XML rules. Rewrite memory management for libxml-using functions (Tom) This change should avoid some compatibility problems with use of libxml in PL/Perl and other add-on code. 
Adopt a faster algorithm for hash functions (Kenneth Marshall, based on work of Bob Jenkins) Many of the built-in hash functions now deliver different results on little-endian and big-endian platforms. Temporal Functions and Operators DateStyle no longer controls interval output formatting; instead there is a new variable IntervalStyle (Ron Mayer) Improve consistency of handling of fractional seconds in timestamp and interval output (Ron Mayer) This may result in displaying a different number of fractional digits than before, or rounding instead of truncating. Make to_char()'s localized month/day names depend on LC_TIME, not LC_MESSAGES (Euler Taveira de Oliveira) Cause to_date() and to_timestamp() to more consistently report errors for invalid input (Brendan Jurd) Previous versions would often ignore or silently misread input that did not match the format string. Such cases will now result in an error. Fix to_timestamp() to not require upper/lower case matching for meridian (AM/PM) and era (BC/AD) format designations (Brendan Jurd) For example, input value ad now matches the format string AD. Changes Below you will find a detailed account of the changes between PostgreSQL 8.4 and the previous major release. Performance Improve optimizer statistics calculations (Jan Urbanski, Tom) In particular, estimates for full-text-search operators are greatly improved. Allow SELECT DISTINCT and UNION/INTERSECT/EXCEPT to use hashing (Tom) This means that these types of queries no longer automatically produce sorted output. Create explicit concepts of semi-joins and anti-joins (Tom) This work formalizes our previous ad-hoc treatment of IN (SELECT ...) clauses, and extends it to EXISTS and NOT EXISTS clauses. It should result in significantly better planning of EXISTS and NOT EXISTS queries. In general, logically equivalent IN and EXISTS clauses should now have similar performance, whereas previously IN often won. 
Improve optimization of sub-selects beneath outer joins (Tom) Formerly, a sub-select or view could not be optimized very well if it appeared within the nullable side of an outer join and contained non-strict expressions (for instance, constants) in its result list. Improve the performance of text_position() and related functions by using Boyer-Moore-Horspool searching (David Rowley) This is particularly helpful for long search patterns. Reduce I/O load of writing the statistics collection file by writing the file only when requested (Martin Pihlak) Improve performance for bulk inserts (Robert Haas, Simon) Increase the default value of default_statistics_target from 10 to 100 (Greg Sabino Mullane, Tom) The maximum value was also increased from 1000 to 10000. Perform constraint_exclusion checking by default in queries involving inheritance or UNION ALL (Tom) A new constraint_exclusion setting, partition, was added to specify this behavior. Allow I/O read-ahead for bitmap index scans (Greg Stark) The amount of read-ahead is controlled by effective_io_concurrency. This feature is available only if the kernel has posix_fadvise() support. 
Inline simple set-returning SQL functions in FROM clauses (Richard Rowell) Improve performance of multi-batch hash joins by providing a special case for join key values that are especially common in the outer relation (Bryce Cutt, Ramon Lawrence) Reduce volume of temporary data in multi-batch hash joins by suppressing physical tlist optimization (Michael Henderson, Ramon Lawrence) Avoid waiting for idle-in-transaction sessions during CREATE INDEX CONCURRENTLY (Simon) Improve performance of shared cache invalidation (Tom) Server Settings Convert many postgresql.conf settings to enumerated values so that pg_settings can display the valid values (Magnus) Add cursor_tuple_fraction parameter to control the fraction of a cursor's rows that the planner assumes will be fetched (Robert Hell) Allow underscores in the names of custom variable classes in postgresql.conf (Tom) Authentication and security Remove support for the (insecure) crypt authentication method (Magnus) This effectively obsoletes pre-PostgreSQL 7.2 client libraries, as there is no longer any non-plaintext password method that they can use. Support regular expressions in pg_ident.conf (Magnus) Allow Kerberos/GSSAPI parameters to be changed without restarting the postmaster (Magnus) Support SSL certificate chains in server certificate file (Andrew Gierth) Including the full certificate chain makes the client able to verify the certificate without having all intermediate CA certificates present in the local store, which is often the case for commercial CAs. Report appropriate error message for combination of MD5 authentication and db_user_namespace enabled (Bruce) pg_hba.conf Change all authentication options to use name=value syntax (Magnus) This makes incompatible changes to the ldap, pam and ident authentication methods. All pg_hba.conf entries with these methods need to be rewritten using the new format. 
Remove the ident sameuser option, instead making that behavior the default if no usermap is specified (Magnus) Allow a usermap parameter for all external authentication methods (Magnus) Previously a usermap was only supported for ident authentication. Add clientcert option to control requesting of a client certificate (Magnus) Previously this was controlled by the presence of a root certificate file in the server's data directory. Add cert authentication method to allow user authentication via SSL certificates (Magnus) Previously SSL certificates could only verify that the client had access to a certificate, not authenticate a user. Allow krb5, gssapi and sspi realm and krb5 host settings to be specified in pg_hba.conf (Magnus) These override the settings in postgresql.conf. Add include_realm parameter for krb5, gssapi, and sspi methods (Magnus) This allows identical usernames from different realms to be authenticated as different database users using usermaps. Parse pg_hba.conf fully when it is loaded, so that errors are reported immediately (Magnus) Previously, most errors in the file wouldn't be detected until clients tried to connect, so an erroneous file could render the system unusable. With the new behavior, if an error is detected during reload then the bad file is rejected and the postmaster continues to use its old copy. Show all parsing errors in pg_hba.conf instead of aborting after the first one (Selena Deckelmann) Support ident authentication over Unix-domain sockets on Solaris (Garick Hamlin) Continuous Archiving Provide an option to pg_start_backup() to force its implied checkpoint to finish as quickly as possible (Tom) The default behavior avoids excess I/O consumption, but that is pointless if no concurrent query activity is going on. Make pg_stop_backup() wait for modified WAL files to be archived (Simon) This guarantees that the backup is valid at the time pg_stop_backup() completes. 
When archiving is enabled, rotate the last WAL segment at shutdown so that all transactions can be archived immediately (Guillaume Smet, Heikki) Delay smart shutdown while a continuous archiving base backup is in progress (Laurenz Albe) Cancel a continuous archiving base backup if fast shutdown is requested (Laurenz Albe) Allow recovery.conf boolean variables to take the same range of string values as postgresql.conf boolean variables (Bruce) Monitoring Add pg_conf_load_time() to report when the PostgreSQL configuration files were last loaded (George Gensure) Add pg_terminate_backend() to safely terminate a backend (the SIGTERM signal works also) (Tom, Bruce) While it's always been possible to SIGTERM a single backend, this was previously considered unsupported; and testing of the case found some bugs that are now fixed. Add ability to track user-defined functions' call counts and runtimes (Martin Pihlak) Function statistics appear in a new system view, pg_stat_user_functions. Tracking is controlled by the new parameter track_functions. Allow specification of the maximum query string size in pg_stat_activity via new track_activity_query_size parameter (Thomas Lee) Increase the maximum line length sent to syslog, in hopes of improving performance (Tom) Add read-only configuration variables segment_size, wal_block_size, and wal_segment_size (Bernd Helmle) When reporting a deadlock, report the text of all queries involved in the deadlock to the server log (Itagaki Takahiro) Add pg_stat_get_activity(pid) function to return information about a specific process id (Magnus) Allow the location of the server's statistics file to be specified via stats_temp_directory (Magnus) This allows the statistics file to be placed in a RAM-resident directory to reduce I/O requirements. On startup/shutdown, the file is copied to its traditional location ($PGDATA/global/) so it is preserved across restarts. 
Queries Add support for WINDOW functions (Hitoshi Harada) Add support for WITH clauses (CTEs), including WITH RECURSIVE (Yoshiyuki Asaba, Tatsuo Ishii, Tom) Add TABLE command (Peter) TABLE tablename is a SQL standard short-hand for SELECT * FROM tablename. Allow AS to be optional when specifying a SELECT (or RETURNING) column output label (Hiroshi Saito) This works so long as the column label is not any PostgreSQL keyword; otherwise AS is still needed. Support set-returning functions in SELECT result lists even for functions that return their result via a tuplestore (Tom) In particular, this means that functions written in PL/pgSQL and other PL languages can now be called this way. Support set-returning functions in the output of aggregation and grouping queries (Tom) Allow SELECT FOR UPDATE/SHARE to work on inheritance trees (Tom) Add infrastructure for SQL/MED (Martin Pihlak, Peter) There are no remote or external SQL/MED capabilities yet, but this change provides a standardized and future-proof system for managing connection information for modules like dblink and plproxy. Invalidate cached plans when referenced schemas, functions, operators, or operator classes are modified (Martin Pihlak, Tom) This improves the system's ability to respond to on-the-fly DDL changes. Allow comparison of composite types and allow arrays of anonymous composite types (Tom) This allows constructs such as row(1, 1.1) = any (array[row(7, 7.7), row(1, 1.0)]). This is particularly useful in recursive queries. Add support for Unicode string literal and identifier specifications using code points, e.g. U&'d\0061t\+000061' (Peter) Reject \000 in string literals and COPY data (Tom) Previously, this was accepted but had the effect of terminating the string contents. Improve the parser's ability to report error locations (Tom) An error location is now reported for many semantic errors, such as mismatched datatypes, that previously could not be localized. 
TRUNCATE Support statement-level ON TRUNCATE triggers (Simon) Add RESTART/CONTINUE IDENTITY options for TRUNCATE TABLE (Zoltan Boszormenyi) The start value of a sequence can be changed by ALTER SEQUENCE START WITH. Allow TRUNCATE tab1, tab1 to succeed (Bruce) Add a separate TRUNCATE permission (Robert Haas) EXPLAIN Make EXPLAIN VERBOSE show the output columns of each plan node (Tom) Previously EXPLAIN VERBOSE output an internal representation of the query plan. (That behavior is now available via debug_print_plan.) Make EXPLAIN identify subplans and initplans with individual labels (Tom) Make EXPLAIN honor debug_print_plan (Tom) Allow EXPLAIN on CREATE TABLE AS (Peter) LIMIT/OFFSET Allow sub-selects in LIMIT and OFFSET (Tom) Add SQL-standard syntax for LIMIT/OFFSET capabilities (Peter) To wit, OFFSET num {ROW|ROWS} FETCH {FIRST|NEXT} [num] {ROW|ROWS} ONLY. Object Manipulation Add support for column-level privileges (Stephen Frost, KaiGai Kohei) Refactor multi-object DROP operations to reduce the need for CASCADE (Alex Hunsaker) For example, if table B has a dependency on table A, the command DROP TABLE A, B no longer requires the CASCADE option. Fix various problems with concurrent DROP commands by ensuring that locks are taken before we begin to drop dependencies of an object (Tom) Improve reporting of dependencies during DROP commands (Tom) Add WITH [NO] DATA clause to CREATE TABLE AS, per the SQL standard (Peter, Tom) Add support for user-defined I/O conversion casts (Heikki) Allow CREATE AGGREGATE to use an internal transition datatype (Tom) Add LIKE clause to CREATE TYPE (Tom) This simplifies creation of data types that use the same internal representation as an existing type. Allow specification of the type category and preferred status for user-defined base types (Tom) This allows more control over the coercion behavior of user-defined types. 
Allow CREATE OR REPLACE VIEW to add columns to the end of a view (Robert Haas) ALTER Add ALTER TYPE RENAME (Petr Jelinek) Add ALTER SEQUENCE ... RESTART (with no parameter) to reset a sequence to its initial value (Zoltan Boszormenyi) Modify the ALTER TABLE syntax to allow all reasonable combinations for tables, indexes, sequences, and views (Tom) This change allows the following new syntaxes: ALTER SEQUENCE OWNER TO ALTER VIEW ALTER COLUMN SET/DROP DEFAULT ALTER VIEW OWNER TO ALTER VIEW SET SCHEMA There is no actual new functionality here, but formerly you had to say ALTER TABLE to do these things, which was confusing. Add support for the syntax ALTER TABLE ... ALTER COLUMN ... SET DATA TYPE (Peter) This is SQL-standard syntax for functionality that was already supported. Make ALTER TABLE SET WITHOUT OIDS rewrite the table to physically remove OID values (Tom) Also, add ALTER TABLE SET WITH OIDS to rewrite the table to add OIDs. Database Manipulation Improve reporting of CREATE/DROP/RENAME DATABASE failure when uncommitted prepared transactions are the cause (Tom) Make LC_COLLATE and LC_CTYPE into per-database settings (Radek Strnad, Heikki) This makes collation similar to encoding, which was always configurable per database. Improve checks that the database encoding, collation (LC_COLLATE), and character classes (LC_CTYPE) match (Heikki, Tom) Note in particular that a new database's encoding and locale settings can be changed only when copying from template0. This prevents possibly copying data that doesn't match the settings.
Add ALTER DATABASE SET TABLESPACE to move a database to a new tablespace (Guillaume Lelarge, Bernd Helmle) Utility Operations Add a VERBOSE option to the CLUSTER command and clusterdb (Jim Cox) Decrease memory requirements for recording pending trigger events (Tom) Indexes Dramatically improve the speed of building and accessing hash indexes (Tom Raney, Shreya Bhargava) This allows hash indexes to be sometimes faster than btree indexes. However, hash indexes are still not crash-safe. Make hash indexes store only the hash code, not the full value of the indexed column (Xiao Meng) This greatly reduces the size of hash indexes for long indexed values, improving performance. Implement fast update option for GIN indexes (Teodor, Oleg) This option greatly improves update speed at a small penalty in search speed. xxx_pattern_ops indexes can now be used for simple equality comparisons, not only for LIKE (Tom) Full Text Indexes Remove the requirement to use @@@ when doing GIN weighted lookups on full text indexes (Tom, Teodor) The normal @@ text search operator can be used instead. Add an optimizer selectivity function for @@ text search operations (Jan Urbanski) Allow prefix matching in full text searches (Teodor Sigaev, Oleg Bartunov) Support multi-column GIN indexes (Teodor Sigaev) Improve support for Nepali language and Devanagari alphabet (Teodor) VACUUM Track free space in separate per-relation fork files (Heikki) Free space discovered by VACUUM is now recorded in *_fsm files, rather than in a fixed-sized shared memory area. The max_fsm_pages and max_fsm_relations settings have been removed, greatly simplifying administration of free space management. Add a visibility map to track pages that do not require vacuuming (Heikki) This allows VACUUM to avoid scanning all of a table when only a portion of the table needs vacuuming. The visibility map is stored in per-relation fork files.
Add vacuum_freeze_table_age parameter to control when VACUUM should ignore the visibility map and do a full table scan to freeze tuples (Heikki) Track transaction snapshots more carefully (Alvaro) This improves VACUUM's ability to reclaim space in the presence of long-running transactions. Add ability to specify per-relation autovacuum and TOAST parameters in CREATE TABLE (Alvaro, Euler Taveira de Oliveira) Autovacuum options used to be stored in a system table. Add --freeze option to vacuumdb (Bruce) Data Types Add a CaseSensitive option for text search synonym dictionaries (Simon) Improve the precision of NUMERIC division (Tom) Add basic arithmetic operators for int2 with int8 (Tom) This eliminates the need for explicit casting in some situations. Allow UUID input to accept an optional hyphen after every fourth digit (Robert Haas) Allow on/off as input for the boolean data type (Itagaki Takahiro) Allow spaces around NaN in the input string for type numeric (Sam Mason) Temporal Data Types Reject year 0 BC and years 000 and 0000 (Tom) Previously these were interpreted as 1 BC. (Note: years 0 and 00 are still assumed to be the year 2000.) Include SGT (Singapore time) in the default list of known time zone abbreviations (Tom) Support infinity and -infinity as values of type date (Tom) Make parsing of interval literals more standard-compliant (Tom, Ron Mayer) For example, INTERVAL '1' YEAR now does what it's supposed to. Allow interval fractional-seconds precision to be specified after the second keyword, for SQL standard compliance (Tom) Formerly the precision had to be specified after the keyword interval. (For backwards compatibility, this syntax is still supported, though deprecated.) Data type definitions will now be output using the standard format. Support the ISO 8601 interval syntax (Ron Mayer, Kevin Grittner) For example, INTERVAL 'P1Y2M3DT4H5M6.7S' is now supported.
Add IntervalStyle parameter which controls how interval values are output (Ron Mayer) Valid values are: postgres, postgres_verbose, sql_standard, iso_8601. This setting also controls the handling of negative interval input when only some fields have positive/negative designations. Improve consistency of handling of fractional seconds in timestamp and interval output (Ron Mayer) Arrays Improve the handling of casts applied to ARRAY[] constructs, such as ARRAY[...]::integer[] (Brendan Jurd) Formerly PostgreSQL attempted to determine a data type for the ARRAY[] construct without reference to the ensuing cast. This could fail unnecessarily in many cases, in particular when the ARRAY[] construct was empty or contained only ambiguous entries such as NULL. Now the cast is consulted to determine the type that the array elements must be. Make SQL-syntax ARRAY dimensions optional to match the SQL standard (Peter) Add array_ndims() to return the number of dimensions of an array (Robert Haas) Add array_length() to return the length of an array for a specified dimension (Jim Nasby, Robert Haas, Peter Eisentraut) Add aggregate function array_agg(), which returns all aggregated values as a single array (Robert Haas, Jeff Davis, Peter) Add unnest(), which converts an array to individual row values (Tom) This is the opposite of array_agg(). 
Add array_fill() to create arrays initialized with a value (Pavel Stehule) Add generate_subscripts() to simplify generating the range of an array's subscripts (Pavel Stehule) Wide-Value Storage (TOAST) Consider TOAST compression on values as short as 32 bytes (previously 256 bytes) (Greg Stark) Require 25% minimum space savings before using TOAST compression (previously 20% for small values and any-savings-at-all for large values) (Greg) Improve TOAST heuristics for rows that have a mix of large and small toastable fields, so that we prefer to push large values out of line and don't compress small values unnecessarily (Greg, Tom) Functions Document that setseed() allows values from -1 to 1 (not just 0 to 1), and enforce the valid range (Kris Jurka) Add server-side function lo_import(filename, oid) (Tatsuo) Add quote_nullable(), which behaves like quote_literal() but returns the string NULL for a null argument (Brendan Jurd) Improve full text search headline() function to allow extracting several fragments of text (Sushant Sinha) Add suppress_redundant_updates_trigger() trigger function to avoid overhead for non-data-changing updates (Andrew) Add div(numeric, numeric) to perform numeric division without rounding (Tom) Add timestamp and timestamptz versions of generate_series() (Hitoshi Harada) Object Information Functions Implement current_query() for use by functions that need to know the currently running query (Tomas Doran) Add pg_get_keywords() to return a list of the parser keywords (Dave Page) Add pg_get_functiondef() to see a function's definition (Abhijit Menon-Sen) Allow the second argument of pg_get_expr() to be zero when deparsing an expression that does not contain variables (Tom) Modify pg_relation_size() to use regclass (Heikki) pg_relation_size(data_type_name) no longer works.
Add boot_val and reset_val columns to pg_settings output (Greg Smith) Add source file name and line number columns to pg_settings output for variables set in a configuration file (Magnus, Alvaro) For security reasons, these columns are only visible to superusers. Add support for CURRENT_CATALOG, CURRENT_SCHEMA, SET CATALOG, SET SCHEMA (Peter) These provide SQL-standard syntax for existing features. Add pg_typeof() which returns the data type of any value (Brendan Jurd) Make version() return information about whether the server is a 32- or 64-bit binary (Bruce) Fix the behavior of information schema columns is_insertable_into and is_updatable to be consistent (Peter) Improve the behavior of information schema datetime_precision columns (Peter) These columns now show zero for date columns, and 6 (the default precision) for time, timestamp, and interval without a declared precision, rather than showing null as formerly. Convert remaining builtin set-returning functions to use OUT parameters (Jaime Casanova) This makes it possible to call these functions without specifying a column list: pg_show_all_settings(), pg_lock_status(), pg_prepared_xact(), pg_prepared_statement(), pg_cursor() Make pg_*_is_visible() and has_*_privilege() functions return NULL for invalid OIDs, rather than reporting an error (Tom) Extend has_*_privilege() functions to allow inquiring about the OR of multiple privileges in one call (Stephen Frost, Tom) Add has_column_privilege() and has_any_column_privilege() functions (Stephen Frost, Tom) Function Creation Support variadic functions (functions with a variable number of arguments) (Pavel Stehule) Only trailing arguments can be optional, and they all must be of the same data type. Support default values for function arguments (Pavel Stehule) Add CREATE FUNCTION ... 
RETURNS TABLE clause (Pavel Stehule) Allow SQL-language functions to return the output of an INSERT/UPDATE/DELETE RETURNING clause (Tom) PL/pgSQL Server-Side Language Support EXECUTE USING for easier insertion of data values into a dynamic query string (Pavel Stehule) Allow looping over the results of a cursor using a FOR loop (Pavel Stehule) Support RETURN QUERY EXECUTE (Pavel Stehule) Improve the RAISE command (Pavel Stehule) Support DETAIL and HINT fields Support specification of the SQLSTATE error code Support an exception name parameter Allow RAISE without parameters in an exception block to re-throw the current error Allow specification of SQLSTATE codes in EXCEPTION lists (Pavel Stehule) This is useful for handling custom SQLSTATE codes. Support the CASE statement (Pavel Stehule) Make RETURN QUERY set the special FOUND and GET DIAGNOSTICS ROW_COUNT variables (Pavel Stehule) Make FETCH and MOVE set the GET DIAGNOSTICS ROW_COUNT variable (Andrew Gierth) Make EXIT without a label always exit the innermost loop (Tom) Formerly, if there were a BEGIN block more closely nested than any loop, it would exit that block instead. The new behavior matches Oracle(TM) and is also what was previously stated by our own documentation. Make processing of string literals and nested block comments match the main SQL parser's processing (Tom) In particular, the format string in RAISE now works the same as any other string literal, including being subject to standard_conforming_strings. This change also fixes other cases in which valid commands would fail when standard_conforming_strings is on. Avoid memory leakage when the same function is called at varying exception-block nesting depths (Tom) Client Applications Fix pg_ctl restart to preserve command-line arguments (Bruce) Add -w/--no-password option that prevents password prompting in all utilities that have a -W/--password option (Peter) Remove These options have had no effect since PostgreSQL 8.3. 
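The EXECUTE USING entry in the PL/pgSQL section above and the quote_nullable() entry under Functions, side by side with the concatenation style they replace. This is an added example, not code from the release notes; the table, sample rows and function names are constructed.

```sql
-- Added example: constructed table, data and function names.
BEGIN;

CREATE TABLE audit_log (id serial PRIMARY KEY, actor text, detail text);
INSERT INTO audit_log (actor, detail) VALUES
    ('alice',    'login'),
    ('O''Brien', 'password change'),   -- value containing a quote character
    (NULL,       'system job');

-- Before: the value is pasted into the query text as-is. Any quote character
-- in p_actor ends the literal early, so the rest of the value is parsed as
-- SQL. Defined here for comparison only and never called.
CREATE FUNCTION log_for_actor_unsafe(p_actor text) RETURNS SETOF audit_log AS $func$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM audit_log WHERE actor = ''' || p_actor || '''';
END;
$func$ LANGUAGE plpgsql;

-- Concatenation done correctly: quote_nullable() escapes the value and
-- yields the keyword NULL for a null argument, so the query string itself
-- never becomes NULL. Every spliced value needs its own call.
CREATE FUNCTION log_for_actor_quoted(p_actor text) RETURNS SETOF audit_log AS $func$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM audit_log WHERE actor IS NOT DISTINCT FROM '
        || quote_nullable(p_actor);
END;
$func$ LANGUAGE plpgsql;

-- EXECUTE ... USING: the value travels as parameter $1 and is never part of
-- the query text. Identifiers cannot be parameters, so a dynamic table name
-- still goes through quote_ident().
CREATE FUNCTION log_for_actor(p_table text, p_actor text) RETURNS SETOF audit_log AS $func$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM ' || quote_ident(p_table)
        || ' WHERE actor IS NOT DISTINCT FROM $1'
        USING p_actor;
END;
$func$ LANGUAGE plpgsql;

-- The quote-bearing and null inputs that break the unsafe form are handled
-- as plain data by both hardened forms.
SELECT * FROM log_for_actor_quoted('O''Brien');
SELECT * FROM log_for_actor('audit_log', 'O''Brien');
SELECT * FROM log_for_actor('audit_log', NULL);

ROLLBACK;
```

When reviewing PL/pgSQL for injection, flag any EXECUTE whose string is built with `||` from a parameter that is not wrapped in quote_literal(), quote_nullable() or quote_ident().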
psql Remove verbose startup banner; now just suggest help (Joshua Drake) Make help show common backslash commands (Greg Sabino Mullane) Add \pset format wrapped mode to wrap output to the screen width, or file/pipe output too if \pset columns is set (Bryce Nesbitt) Allow all supported spellings of boolean values in \pset, rather than just on and off (Bruce) Formerly, any string other than off was silently taken to mean true. psql will now complain about unrecognized spellings (but still take them as true). Use the pager for wide output (Bruce) Require a space between a one-letter backslash command and its first argument (Bernd Helmle) This removes a historical source of ambiguity. Improve tab completion support for schema-qualified and quoted identifiers (Greg Sabino Mullane) Add optional on/off argument for \timing (David Fetter) Display access control rights on multiple lines (Brendan Jurd, Andreas Scherbaum) Make \l show database access privileges (Andrew Gilligan) Make \l+ show database sizes, if permissions allow (Andrew Gilligan) Add the \ef command to edit function definitions (Abhijit Menon-Sen) psql \d* commands Make \d* commands that do not have a pattern argument show system objects only if the S modifier is specified (Greg Sabino Mullane, Bruce) The former behavior was inconsistent across different variants of \d, and in most cases it provided no easy way to see just user objects. Improve \d* commands to work with older PostgreSQL server versions (back to 7.4), not only the current server version (Guillaume Lelarge) Make \d show foreign-key constraints that reference the selected table (Kenneth D'Souza) Make \d on a sequence show its column values (Euler Taveira de Oliveira) Add column storage type and other relation options to the \d+ display (Gregory Stark, Euler Taveira de Oliveira) Show relation size in \dt+ output (Dickson S.
Guedes) Show the possible values of enum types in \dT+ (David Fetter) Allow \dC to accept a wildcard pattern, which matches either datatype involved in the cast (Tom) Add a function type column to \df's output, and add options to list only selected types of functions (David Fetter) Make \df not hide functions that take or return type cstring (Tom) Previously, such functions were hidden because most of them are datatype I/O functions, which were deemed uninteresting. The new policy about hiding system functions by default makes this wart unnecessary. pg_dump Add a --no-tablespaces option to pg_dump/pg_dumpall/pg_restore so that dumps can be restored to clusters that have non-matching tablespace layouts (Gavin Roy) Remove These options were too frequently confused with the option to select a database name in other PostgreSQL client applications. The functionality is still available, but you must now spell out the long option name Remove Use of this option does not throw an error, but it has no effect. This option was removed because the version checks are necessary for safety. Disable statement_timeout during dump and restore (Joshua Drake) Add pg_dump/pg_dumpall option This allows dumps to fail if unable to acquire a shared lock within the specified amount of time. Reorder pg_dump --data-only output to dump tables referenced by foreign keys before the referencing tables (Tom) This allows data loads when foreign keys are already present. If circular references make a safe ordering impossible, a NOTICE is issued. Allow pg_dump, pg_dumpall, and pg_restore to use a specified role (Benedek László) Allow pg_restore to use multiple concurrent connections to do the restore (Andrew) The number of concurrent connections is controlled by the option --jobs. This is supported only for custom-format archives.
Programming Tools libpq Allow the OID to be specified when importing a large object, via new function lo_import_with_oid() (Tatsuo) Add events support (Andrew Chernow, Merlin Moncure) This adds the ability to register callbacks to manage private data associated with PGconn and PGresult objects. Improve error handling to allow the return of multiple error messages as multi-line error reports (Magnus) Make PQexecParams() and related functions return PGRES_EMPTY_QUERY for an empty query (Tom) They previously returned PGRES_COMMAND_OK. Document how to avoid the overhead of WSACleanup() on Windows (Andrew Chernow) Do not rely on Kerberos tickets to determine the default database username (Magnus) Previously, a Kerberos-capable build of libpq would use the principal name from any available Kerberos ticket as default database username, even if the connection wasn't using Kerberos authentication. This was deemed inconsistent and confusing. The default username is now determined the same way with or without Kerberos. Note however that the database username must still match the ticket when Kerberos authentication is used. libpq SSL (Secure Sockets Layer) support Fix certificate validation for SSL connections (Magnus) libpq now supports verifying both the certificate and the name of the server when making SSL connections. If a root certificate is not available to use for verification, SSL connections will fail. The sslmode parameter is used to enable certificate verification and set the level of checking. The default is still not to do any verification, allowing connections to SSL-enabled servers without requiring a root certificate on the client. Support wildcard server certificates (Magnus) If a certificate CN starts with *, it will be treated as a wildcard when matching the hostname, allowing the use of the same certificate for multiple servers.
Allow the file locations for client certificates to be specified (Mark Woodward, Alvaro, Magnus) Add a PQinitOpenSSL function to allow greater control over OpenSSL/libcrypto initialization (Andrew Chernow) Make libpq unregister its OpenSSL callbacks when no database connections remain open (Bruce, Magnus, Russell Smith) This is required for applications that unload the libpq library, otherwise invalid OpenSSL callbacks will remain. ecpg Add localization support for messages (Euler Taveira de Oliveira) ecpg parser is now automatically generated from the server parser (Michael) Previously the ecpg parser was hand-maintained. Server Programming Interface (SPI) Add support for single-use plans with out-of-line parameters (Tom) Add new SPI_OK_REWRITTEN return code for SPI_execute() (Heikki) This is used when a command is rewritten to another type of command. Remove unnecessary inclusions from executor/spi.h (Tom) SPI-using modules might need to add some #include lines if they were depending on spi.h to include things for them. Build Options Update build system to use Autoconf 2.61 (Peter) Require GNU bison for source code builds (Peter) This has effectively been required for several years, but now there is no infrastructure claiming to support other parser tools. Add pg_config --htmldir option (Peter) Pass float4 by value inside the server (Zoltan Boszormenyi) Add configure option --disable-float4-byval to use the old behavior. External C functions that use old-style (version 0) call convention and pass or return float4 values will be broken by this change, so you may need the configure option if you have such functions and don't want to update them. Pass float8, int8, and related datatypes by value inside the server on 64-bit platforms (Zoltan Boszormenyi) Add configure option --disable-float8-byval to use the old behavior. As above, this change might break old-style external C functions.
Add configure options --with-segsize, --with-blocksize, --with-wal-blocksize, --with-wal-segsize (Zdenek Kotala, Tom) This simplifies build-time control over several constants that previously could only be changed by editing pg_config_manual.h. Allow threaded builds on Solaris 2.5 (Bruce) Use the system's getopt_long() on Solaris (Zdenek Kotala, Tom) This makes option processing more consistent with what Solaris users expect. Add support for the Sun Studio compiler on Linux (Julius Stroffek) Append the major version number to the backend gettext domain, and the soname major version number to libraries' gettext domain (Peter) This simplifies parallel installations of multiple versions. Add support for code coverage testing with gcov (Michelle Caisse) Allow out-of-tree builds on Mingw and Cygwin (Richard Evans) Fix the use of Mingw as a cross-compiling source platform (Peter) Source Code Support 64-bit time zone data files (Heikki) This adds support for daylight saving time (DST) calculations beyond the year 2038. Deprecate use of platform's time_t data type (Tom) Some platforms have migrated to 64-bit time_t, some have not, and Windows can't make up its mind what it's doing. Define pg_time_t to have the same meaning as time_t, but always be 64 bits (unless the platform has no 64-bit integer type), and use that type in all module APIs and on-disk data formats. 
Fix bug in handling of the time zone database when cross-compiling (Richard Evans) Link backend object files in one step, rather than in stages (Peter) Improve gettext support to allow better translation of plurals (Peter) Add message translation support to the PL languages (Alvaro, Peter) Add more DTrace probes (Robert Lor) Enable DTrace support on Mac OS X Leopard and other non-Solaris platforms (Robert Lor) Simplify and standardize conversions between C strings and text datums, by providing common functions for the purpose (Brendan Jurd, Tom) Clean up the include/catalog/ header files so that frontend programs can include them without including postgres.h (Zdenek Kotala) Make name char-aligned, and suppress zero-padding of name entries in indexes (Tom) Recover better if dynamically-loaded code executes exit() (Tom) Add a hook to let plug-ins monitor the executor (Itagaki Takahiro) Add a hook to allow the planner's statistics lookup behavior to be overridden (Simon Riggs) Add shmem_startup_hook() for custom shared memory requirements (Tom) Replace the index access method amgetmulti entry point with amgetbitmap, and extend the API for amgettuple to support run-time determination of operator lossiness (Heikki, Tom, Teodor) The API for GIN and GiST opclass consistent functions has been extended as well. Add support for partial-match searches in GIN indexes (Teodor Sigaev, Oleg Bartunov) Replace pg_class column reltriggers with boolean relhastriggers (Simon) Also remove unused pg_class columns relukeys, relfkeys, and relrefs. Add a relistemp column to pg_class to ease identification of temporary tables (Tom) Move platform FAQs into the main documentation (Peter) Prevent parser input files from being built with any conflicts (Peter) Add support for the KOI8U (Ukrainian) encoding (Peter) Add Japanese message translations (Japan PostgreSQL Users Group) This used to be maintained as a separate project. 
Fix problem when setting LC_MESSAGES on MSVC-built systems (Hiroshi Inoue, Hiroshi Saito, Magnus) Contrib Add contrib/auto_explain to automatically run EXPLAIN on queries exceeding a specified duration (Itagaki Takahiro, Tom) Add contrib/btree_gin to allow GIN indexes to handle more datatypes (Oleg, Teodor) Add contrib/citext to provide a case-insensitive, multibyte-aware text data type (David Wheeler) Add contrib/pg_stat_statements for server-wide tracking of statement execution statistics (Itagaki Takahiro) Add duration and query mode options to contrib/pgbench (Itagaki Takahiro) Make contrib/pgbench use table names pgbench_accounts, pgbench_branches, pgbench_history, and pgbench_tellers, rather than just accounts, branches, history, and tellers (Tom) This is to reduce the risk of accidentally destroying real data by running pgbench. Fix contrib/pgstattuple to handle tables and indexes with over 2 billion pages (Tatsuhito Kasahara) In contrib/fuzzystrmatch, add a version of the Levenshtein string-distance function that allows the user to specify the costs of insertion, deletion, and substitution (Volkan Yazici) Make contrib/ltree support multibyte encodings (laser) Enable contrib/dblink to use connection information stored in the SQL/MED catalogs (Joe Conway) Improve contrib/dblink's reporting of errors from the remote server (Joe Conway) Make contrib/dblink set client_encoding to match the local database's encoding (Joe Conway) This prevents encoding problems when communicating with a remote database that uses a different encoding. Make sure contrib/dblink uses a password supplied by the user, and not accidentally taken from the server's .pgpass file (Joe Conway) This is a minor security enhancement. Add fsm_page_contents() to contrib/pageinspect (Heikki) Modify get_raw_page() to support free space map (*_fsm) files. Also update contrib/pg_freespacemap. 
Add support for multibyte encodings to contrib/pg_trgm (Teodor) Rewrite contrib/intagg to use new functions array_agg() and unnest() (Tom) Make contrib/pg_standby recover all available WAL before failover (Fujii Masao, Simon, Heikki) To make this work safely, you now need to set the new recovery_end_command option in recovery.conf to clean up the trigger file after failover. pg_standby will no longer remove the trigger file itself. contrib/pg_standby's