2012-08-17 This release contains a variety of fixes from 8.3.19. For information about new features in the 8.3 major release, see . The PostgreSQL community will stop releasing updates for the 8.3.X release series in February 2013. Users are encouraged to update to a newer release branch soon. A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.17, see the release notes for 8.3.17. Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane) xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489) Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut) libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488) Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented feature, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. Prevent too-early recycling of btree index pages (Noah Misch) When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed. Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane) If ALTER SEQUENCE was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an ALTER SEQUENCE OWNED BY step. Ensure the backup_label file is fsync'd after pg_start_backup() (Dave Kerr) Back-patch 9.1 improvement to compress the fsync request queue (Robert Haas) This improves performance during checkpoints. The 9.1 change has now seen enough field testing to seem safe to back-patch. Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane) The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period. Improve logging of autovacuum cancels (Robert Haas) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane) This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch. Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki Linnakangas, Tom Lane) Fix extraction of common prefixes from regular expressions (Tom Lane) The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns. Report errors properly in contrib/xml2's xslt_process() (Tom Lane) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau 2012-06-04 This release contains a variety of fixes from 8.3.18. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.17, see the release notes for 8.3.17. Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer) If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane) Applying such attributes to a call handler could crash the server. (CVE-2012-2655) Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane) Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload. Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane) This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions. Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter) Fix memory copying bug in to_tsquery() (Heikki Linnakangas) Fix slow session startup when pg_attribute is very large (Tom Lane) If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once. Ensure sequential scans check for query cancel reasonably often (Merlin Moncure) A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile. Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning (Tom Lane) This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences. Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane) Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast. Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas) Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes. Fix logging collector to not lose log coherency under high load (Andrew Dunstan) The collector previously could fail to reassemble large messages if it got too busy. Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane) pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences. Fix contrib/dblink's dblink_exec() to not leak temporary database connections upon error (Tom Lane) Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada. 2012-02-27 This release contains a variety of fixes from 8.3.17. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.17, see the release notes for 8.3.17. Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas) This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866) Convert newlines to spaces in names written in pg_dump comments (Robert Haas) pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane) An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as could not read block N in file ...) or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things. Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas) Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one. Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane) Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed. Fix regular expression back-references with * attached (Tom Lane) Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol. A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release. Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas) A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column. Avoid double close of file handle in syslogger on Windows (MauMau) Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows. Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane) Certain operations would leak memory until the end of the current function. Improve pg_dump's handling of inherited table columns (Tom Lane) pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly. Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane) Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay. Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge) If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result. Fix error detection in contrib/pgcrypto's encrypt_iv() and decrypt_iv() (Marko Kreen) These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input. Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot) The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad. Use __sync_lock_test_and_set() for spinlocks on ARM, if available (Martin Pitt) This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation. Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan) This prevents assorted scenarios wherein recent versions of gcc will produce creative results. Allow use of threaded Python on FreeBSD (Chris Rees) Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check. 2011-12-05 This release contains a variety of fixes from 8.3.16. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below. Also, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Fix bugs in information_schema.referential_constraints view (Tom Lane) This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does. Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed. Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane) If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug. Fix race condition during toast table access from stale syscache entries (Tom Lane) The typical symptom was transient errors like missing chunk number 0 for toast value NNNNN in pg_toast_2619, where the cited toast table would always belong to a system catalog. Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not (Heikki Linnakangas) This change affects no core code, but might prevent crashes in add-on code that expects DatumGetInetP() to produce an unpacked datum as per usual convention. Improve locale support in money type's input and output (Tom Lane) Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read. Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas) transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE. Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane) For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention RI_ConstraintTrigger_NNNN. A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order. Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews) While harmless in itself, on certain platforms this would result in annoying kernel log messages. Preserve blank lines within commands in psql's command history (Robert Haas) The former behavior could cause problems if an empty line was removed from within a string literal, for example. Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker) Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane) Some functions incorrectly assumed that memory returned by palloc() is guaranteed zeroed. Honor query cancel interrupts promptly in pgstatindex() (Robert Haas) Ensure VPATH builds properly install all server header files (Peter Eisentraut) Shorten file names reported in verbose error messages (Peter Eisentraut) Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name. Fix interpretation of Windows timezone names for Central America (Tom Lane) Map Central America Standard Time to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America. Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa. 2011-09-26 This release contains a variety of fixes from 8.3.15. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Fix bugs in indexing of in-doubt HOT-updated tuples (Tom Lane) These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes. Fix multiple bugs in GiST index page split processing (Heikki Linnakangas) The probability of occurrence was low, but these could lead to index corruption. Fix possible buffer overrun in tsvector_concat() (Tom Lane) The function could underestimate the amount of memory needed for its result, leading to server crashes. Fix crash in xml_recv when processing a standalone parameter (Tom Lane) Avoid possibly accessing off the end of memory in ANALYZE and in SJIS-2004 encoding conversion (Noah Misch) This fixes some very-low-probability server crash scenarios. Fix race condition in relcache init file invalidation (Tom Lane) There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically could not read block 0 in file ... later during startup. Fix memory leak at end of a GiST index scan (Tom Lane) Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak. Fix performance problem when constructing a large, lossy bitmap (Tom Lane) Fix array- and path-creating functions to ensure padding bytes are zeroes (Tom Lane) This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization. Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane) This could lead to loss of committed transactions after a server crash. Fix dump bug for VALUES in a view (Tom Lane) Disallow SELECT FOR UPDATE/SHARE on sequences (Tom Lane) This operation doesn't work as expected and can lead to failures. Defend against integer overflow when computing size of a hash table (Tom Lane) Fix cases where CLUSTER might attempt to access already-removed TOAST data (Tom Lane) Fix portability bugs in use of credentials control messages for peer authentication (Tom Lane) Fix SSPI login when multiple roundtrips are required (Ahmed Shinwari, Magnus Hagander) The typical symptom of this problem was The function requested is not supported errors during SSPI login. Fix typo in pg_srand48 seed initialization (Andres Freund) This led to failure to use all bits of the provided seed. This function is not used on most platforms (only those without srandom), and the potential security exposure from a less-random-than-expected seed seems minimal in any case. Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63 (Heikki Linnakangas) Add overflow checks to int4 and int8 versions of generate_series() (Robert Haas) Fix trailing-zero removal in to_char() (Marti Raudsepp) In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly. Fix pg_size_pretty() to avoid overflow for inputs close to 2^63 (Tom Lane) In pg_ctl, support silent mode for service registrations on Windows (MauMau) Fix psql's counting of script file line numbers during COPY from a different file (Tom Lane) Fix pg_restore's direct-to-database mode for standard_conforming_strings (Tom Lane) pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on. Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code (Albe Laurenz) In libpq, avoid failures when using nonblocking I/O and an SSL connection (Martin Pihlak, Tom Lane) Improve libpq's handling of failures during connection startup (Tom Lane) In particular, the response to a server report of fork() failure during SSL connection startup is now saner. Improve libpq's error reporting for SSL failures (Tom Lane) Make ecpglib write double values with 15 digits precision (Akira Kurosawa) In ecpglib, be sure LC_NUMERIC setting is restored after an error (Michael Meskes) Apply upstream fix for blowfish signed-character bug (CVE-2011-2483) (Tom Lane) contrib/pg_crypto's blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be. Fix memory leak in contrib/seg (Heikki Linnakangas) Fix pgstatindex() to give consistent results for empty indexes (Tom Lane) Allow building with perl 5.14 (Alex Hunsaker) Update configure script's method for probing existence of system functions (Tom Lane) The version of autoconf we used in 8.3 and 8.2 could be fooled by compilers that perform link-time optimization. Fix assorted issues with build and install file paths containing spaces (Tom Lane) Update time zone data files to tzdata release 2011i for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan. 2011-04-18 This release contains a variety of fixes from 8.3.14. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Disallow including a composite type in itself (Tom Lane) This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely. Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke) In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order. Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane) This bug has been observed to result in intermittent cannot extract system attribute from virtual tuple failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple. Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane) Formerly the DROP would go through, leading to could not open relation with OID nnn errors when the triggers were eventually fired. Fix PL/Python memory leak involving array slices (Daniel Popowich) Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane) Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno) Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane) There was a hard-wired assumption that this system function was not available on MIPS hardware on these systems. Use a compile-time test instead, since more recent versions have it. Fix compilation failures on HP-UX (Heikki Linnakangas) Fix version-incompatibility problem with libintl on Windows (Hiroshi Inoue) Fix usage of xcopy in Windows build scripts to work correctly under Windows 7 (Andrew Dunstan) This affects the build scripts only, not installation or usage. Fix path separator used by pg_regress on Cygwin (Andrew Dunstan) Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii. 2011-01-31 This release contains a variety of fixes from 8.3.13. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane) If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in unexpected CASE WHEN clause errors. Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane) If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane) The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on (Tom Lane) Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database. Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane) Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type. Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple) This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015) Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.) 2010-12-16 This release contains a variety of fixes from 8.3.12. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp) The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option. Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane) This could result in bad buffer id: 0 failures or corruption of index contents during replication. Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis) Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane) The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly. Add support for detecting register-stack overrun on IA64 (Tom Lane) The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both. Add a check for stack overflow in copyObject() (Tom Lane) Certain code paths could crash due to stack overflow given a sufficiently complex query. Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas) It is possible to have a concurrent page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued. Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane) An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped. Do not inline a SQL function with multiple OUT parameters (Tom Lane) This avoids a possible crash due to loss of information about the expected result rowtype. Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane) Fix constant-folding of COALESCE() expressions (Tom Lane) The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors. Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov) Fix missed unlink of temporary files when log_temp_files is active (Tom Lane) If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files. Add print functionality for InhRelation nodes (Tom Lane) This avoids a failure when debug_print_parse is enabled and certain types of query are executed. Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane) This bug affected several different geometric distance-measurement operators. Fix PL/pgSQL's handling of simple expressions to not fail in recursion or error-recovery cases (Tom Lane) Fix PL/Python's handling of set-returning functions (Jan Urbanski) Attempts to call SPI functions within the iterator generating a set result would fail. Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update. Don't emit identifier will be truncated notices in contrib/dblink except when creating new connections (Itagaki Takahiro) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong. 2010-10-04 This release contains a variety of fixes from 8.3.11. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane) This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner. The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already. It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes. Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433). Prevent possible crashes in pg_get_expr() by disallowing it from being called with an argument that is not one of the system catalog columns it's intended to be used with (Heikki Linnakangas, Tom Lane) Treat exit code 128 (ERROR_WAIT_NO_CHILDREN) as non-fatal on Windows (Magnus Hagander) Under high load, Windows processes will sometimes fail at startup with this error code. Formerly the postmaster treated this as a panic condition and restarted the whole database, but that seems to be an overreaction. Fix incorrect usage of non-strict OR joinclauses in Append indexscans (Tom Lane) This is a back-patch of an 8.4 fix that was missed in the 8.3 branch. This corrects an error introduced in 8.3.8 that could cause incorrect results for outer joins when the inner relation is an inheritance tree or UNION ALL subquery. Fix possible duplicate scans of UNION ALL member relations (Tom Lane) Fix cannot handle unplanned sub-select error (Tom Lane) This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select. Fix failure to mark cached plans as transient (Tom Lane) If a plan is prepared while CREATE INDEX CONCURRENTLY is in progress for one of the referenced tables, it is supposed to be re-planned once the index is ready for use. This was not happening reliably. Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages (Tom Lane) This should improve the system's robustness with corrupted indexes. Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane) Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane) Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane) Improve merge join's handling of NULLs in the join columns (Tom Lane) A merge join can now stop entirely upon reaching the first NULL, if the sort order is such that NULLs sort high. Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane) This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed. Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas) The original coding could result in a crash if there was limited stack space. Avoid holding open old WAL segments in the walwriter process (Magnus Hagander, Heikki Linnakangas) The previous coding would prevent removal of no-longer-needed segments. Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane) Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis) Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge) Fix REASSIGN OWNED to handle operator classes and families (Asko Tiidumaa) Fix possible core dump when comparing two empty tsquery values (Tom Lane) Fix LIKE's handling of patterns containing % followed by _ (Tom Lane) We've fixed this before, but there were still some incorrectly-handled cases. In PL/Python, defend against null pointer results from PyCObject_AsVoidPtr and PyCObject_FromVoidPtr (Peter Eisentraut) Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro) Fix ecpg to process data from RETURNING clauses correctly (Michael Meskes) Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane) Fix connection leak after duplicate connection name errors in contrib/dblink (Itagaki Takahiro) Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro) Add hstore(text, text) function to contrib/hstore (Robert Haas) This function is the recommended substitute for the now-deprecated => operator. It was back-patched so that future-proofed code can be used with older server versions. Note that the patch will be effective only after contrib/hstore is installed or reinstalled in a particular database. Users might prefer to execute the CREATE FUNCTION command by hand, instead. Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others) Update time zone data files to tzdata release 2010l for DST law changes in Egypt and Palestine; also historical corrections for Finland. This change also adds new names for two Micronesian timezones: Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over Pacific/Ponape. Make Windows' N. Central Asia Standard Time timezone map to Asia/Novosibirsk, not Asia/Almaty (Magnus Hagander) Microsoft changed the DST behavior of this zone in the timezone update from KB976098. Asia/Novosibirsk is a better match to its new behavior. 2010-05-17 This release contains a variety of fixes from 8.3.10. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan) Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. (CVE-2010-1169) Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom) PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted normal Tcl interpreter unless we are really going to execute a pltclu function. (CVE-2010-1170) Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki) This error was introduced in 8.3.10 while fixing a related failure. Apply per-function GUC settings while running the language validator for the function (Itagaki Takahiro) This avoids failures if the function's code is invalid without the setting; an example is that SQL functions may not parse if the search_path is not correct. Do not allow an unprivileged user to reset superuser-only parameter settings (Alvaro) Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change. Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom) In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message. Ensure the archiver process responds to changes in archive_command as soon as possible (Tom) Update pl/perl's ppport.h for modern Perl versions (Andrew) Fix assorted memory leaks in pl/python (Andreas Freund, Tom) Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom) Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom) Addition of spaces around the decimal point in a numeric literal would result in a syntax error. Fix unnecessary GIN indexes do not support whole-index scans errors for unsatisfiable queries using contrib/intarray operators (Tom) Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara) Make server startup deal properly with the case that shmget() returns EINVAL for an existing shared memory segment (Tom) This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large. Avoid possible crashes in syslogger process on Windows (Heikki) Deal more robustly with incomplete time zone information in the Windows registry (Magnus) Update the set of known Windows time zone names (Magnus) Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan. Also, add PKST (Pakistan Summer Time) to the default set of timezone abbreviations. 2010-03-15 This release contains a variety of fixes from 8.3.9. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus) This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches for CVE-2009-3555 that cause renegotiation attempts to fail. Fix possible deadlock during backend startup (Tom) Fix possible crashes due to not handling errors during relcache reload cleanly (Tom) Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo) Fix possible crashes when trying to recover from a failure in subtransaction start (Tom) Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom) Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai) This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion. Make substring() for bit types treat any negative length as meaning all the rest of the string (Tom) The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash (CVE-2010-0442). Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom) Fix some cases of pathologically slow regular expression matching (Tom) Fix assorted crashes in xml processing caused by sloppy memory management (Tom) This is a back-patch of changes first applied in 8.4. The 8.3 code was known buggy, but the new code was sufficiently different to not want to back-patch it until it had gotten some field testing. Fix bug with trying to update a field of an element of a composite-type array column (Tom) Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro) Fix some more cases of temporary-file leakage (Heikki) This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler. Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a bool_column = false constraint (Tom) When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom) This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct. Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom) Fix possible infinite loop if SSL_read or SSL_write fails without setting errno (Tom) This is reportedly possible with some Windows versions of openssl. Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus) Make ecpg report the proper SQLSTATE if the connection disappears (Michael) Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki) Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce) Fix plpgsql failure in one case where a composite column is set to NULL (Tom) Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce) Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala) Ensure PL/Tcl initializes the Tcl interpreter fully (Tom) The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later. Prevent crash in contrib/dblink when too many key columns are specified to a dblink_build_sql_* function (Rushabh Lathia, Joe Conway) Allow zero-dimensional arrays in contrib/ltree operations (Tom) This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY(SELECT ...) and the sub-select returns no rows. Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom) Make building of contrib/xml2 more robust on Windows (Andrew) Fix race condition in Windows signal handling (Radu Ilie) One known symptom of this bug is that rows in pg_listener could be dropped under heavy load. Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa. 2009-12-14 This release contains a variety of fixes from 8.3.8. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.8, see the release notes for 8.3.8. Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom) This change prevents allegedly-immutable index functions from possibly subverting a superuser's session (CVE-2009-4136). Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus) This prevents unintended matching of a certificate to a server or client name during SSL validation (CVE-2009-4034). Fix possible crash during backend-startup-time cache initialization (Tom) Avoid crash on empty thesaurus dictionary (Tom) Prevent signals from interrupting VACUUM at unsafe times (Alvaro) This fix prevents a PANIC if a VACUUM FULL is canceled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table. Fix possible crash due to integer overflow in hash table size calculation (Tom) This could occur with extremely large planner estimates for the size of a hashjoin's result. Fix very rare crash in inet/cidr comparisons (Chris Mikkelson) Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki) Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki) Fix memory leak in syslogger process when rotating to a new CSV logfile (Tom) Fix Windows permission-downgrade logic (Jesse Morris) This fixes some cases where the database failed to start on Windows, often with misleading error messages such as could not locate matching postgres executable. Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey) Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki) It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software. Ensure WAL files aren't repeatedly archived on Windows (Heikki) This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file. Fix PAM password processing to be more robust (Tom) The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it. Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI authentication methods (Ian Turner) While the old 2000-byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger. Re-enable collection of access statistics for sequences (Akira Kurosawa) This used to work but was broken in 8.3. Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom) Fix incorrect handling of WHERE x=x conditions (Tom) In some cases these could get ignored as redundant, but they aren't — they're equivalent to x IS NOT NULL. Make text search parser accept underscores in XML attributes (Peter) Fix encoding handling in xml binary input (Heikki) If the XML header doesn't specify an encoding, we now assume UTF-8 by default; the previous handling was inconsistent. Fix bug with calling plperl from plperlu or vice versa (Tom) An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function. Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom) Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen) This worked correctly already for non-set-returning functions. Fix rare crash in exception processing in PL/Python (Peter) In contrib/pg_standby, disable triggering failover with a signal on Windows (Fujii Masao) This never did anything useful, because Windows doesn't have Unix-style signals, but recent changes made it actually crash. Ensure psql's flex module is compiled with the correct system header definitions (Tom) This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code. Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom) Update the timezone abbreviation files to match current reality (Joachim Wieland) This includes adding IDT and SGT to the default timezone abbreviation set. Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong. 2009-09-09 This release contains a variety of fixes from 8.3.7. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you have any hash indexes on interval columns, you must REINDEX them after updating to 8.3.8. Also, if you are upgrading from a version earlier than 8.3.5, see the release notes for 8.3.5. Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus) This bug led to the often-reported could not reattach to shared memory error message. Force WAL segment switch during pg_start_backup() (Heikki) This avoids corner cases that could render a base backup unusable. Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom, Heikki) This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (See CVE-2007-6600) Make LOAD of an already-loaded loadable module into a no-op (Tom) Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful. Disallow empty passwords during LDAP authentication (Magnus) Fix handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function (Tom) Fix bugs associated with fetching a whole-row value from the output of a Sort or Materialize plan node (Tom) Prevent synchronize_seqscans from changing the results of scrollable and WITH HOLD cursors (Tom) Revert planner change that disabled partial-index and constraint exclusion optimizations when there were more than 100 clauses in an AND or OR list (Tom) Fix hash calculation for data type interval (Tom) This corrects wrong results for hash joins on interval values. It also changes the contents of hash indexes on interval columns. If you have any such indexes, you must REINDEX them after updating. Treat to_char(..., 'TH') as an uppercase ordinal suffix with 'HH'/'HH12' (Heikki) It was previously handled as 'th' (lowercase). Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker) Fix calculation of distance between a point and a line segment (Tom) This led to incorrect results from a number of geometric operators. Fix money data type to work in locales where currency amounts have no fractional digits, e.g. Japan (Itagaki Takahiro) Fix LIKE for case where pattern contains %_ (Tom) Properly round datetime input like 00:12:57.9999999999999999999999999999 (Tom) Fix memory leaks in XML operations (Tom) Fix poor choice of page split point in GiST R-tree operator classes (Teodor) Ensure that a fast shutdown request will forcibly terminate open sessions, even if a smart shutdown was already in progress (Fujii Masao) Avoid performance degradation in bulk inserts into GIN indexes when the input values are (nearly) in sorted order (Tom) Correctly enforce NOT NULL domain constraints in some contexts in PL/pgSQL (Tom) Fix portability issues in plperl initialization (Andrew Dunstan) Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis) Improve pg_dump's efficiency when there are many large objects (Tamas Vincze) Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby (Heikki) Make pg_standby's maxretries option behave as documented (Fujii Masao) Make contrib/hstore throw an error when a key or value is too long to fit in its data structure, rather than silently truncating it (Andrew Gierth) Fix contrib/xml2's xslt_process() to properly handle the maximum number of parameters (twenty) (Tom) Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom) Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala) Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Jordan, Pakistan, Argentina/San_Luis, Cuba, Jordan (historical correction only), Mauritius, Morocco, Palestine, Syria, Tunisia. 2009-03-16 This release contains a variety of fixes from 8.3.6. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.5, see the release notes for 8.3.5. Prevent error recursion crashes when encoding conversion fails (Tom) This change extends fixes made in the last two minor releases for related failure scenarios. The previous fixes were narrowly tailored for the original problem reports, but we have now recognized that any error thrown by an encoding conversion function could potentially lead to infinite recursion while trying to report the error. The solution therefore is to disable translation and encoding conversion and report the plain-ASCII form of any error message, if we find we have gotten into a recursive error reporting situation. (CVE-2009-0922) Disallow CREATE CONVERSION with the wrong encodings for the specified conversion function (Heikki) This prevents one possible scenario for encoding conversion failure. The previous change is a backstop to guard against other kinds of failures in the same area. Fix xpath() to not modify the path expression unless necessary, and to make a saner attempt at it when necessary (Andrew) The SQL standard suggests that xpath should work on data that is a document fragment, but libxml doesn't support that, and indeed it's not clear that this is sensible according to the XPath standard. xpath attempted to work around this mismatch by modifying both the data and the path expression, but the modification was buggy and could cause valid searches to fail. Now, xpath checks whether the data is in fact a well-formed document, and if so invokes libxml with no change to the data or path expression. Otherwise, a different modification method that is somewhat less likely to fail is used. The new modification method is still not 100% satisfactory, and it seems likely that no real solution is possible. This patch should therefore be viewed as a band-aid to keep from breaking existing applications unnecessarily. It is likely that PostgreSQL 8.4 will simply reject use of xpath on data that is not a well-formed document. Fix core dump when to_char() is given format codes that are inappropriate for the type of the data argument (Tom) Fix possible failure in text search when C locale is used with a multi-byte encoding (Teodor) Crashes were possible on platforms where wchar_t is narrower than int; Windows in particular. Fix extreme inefficiency in text search parser's handling of an email-like string containing multiple @ characters (Heikki) Fix planner problem with sub-SELECT in the output list of a larger subquery (Tom) The known symptom of this bug is a failed to locate grouping columns error that is dependent on the datatype involved; but there could be other issues as well. Fix decompilation of CASE WHEN with an implicit coercion (Tom) This mistake could lead to Assert failures in an Assert-enabled build, or an unexpected CASE WHEN clause error message in other cases, when trying to examine or dump a view. Fix possible misassignment of the owner of a TOAST table's rowtype (Tom) If CLUSTER or a rewriting variant of ALTER TABLE were executed by someone other than the table owner, the pg_type entry for the table's TOAST table would end up marked as owned by that someone. This caused no immediate problems, since the permissions on the TOAST rowtype aren't examined by any ordinary database operation. However, it could lead to unexpected failures if one later tried to drop the role that issued the command (in 8.1 or 8.2), or owner of data type appears to be invalid warnings from pg_dump after having done so (in 8.3). Change UNLISTEN to exit quickly if the current session has never executed any LISTEN command (Tom) Most of the time this is not a particularly useful optimization, but since DISCARD ALL invokes UNLISTEN, the previous coding caused a substantial performance problem for applications that made heavy use of DISCARD ALL. Fix PL/pgSQL to not treat INTO after INSERT as an INTO-variables clause anywhere in the string, not only at the start; in particular, don't fail for INSERT INTO within CREATE RULE (Tom) Clean up PL/pgSQL error status variables fully at block exit (Ashesh Vashi and Dave Page) This is not a problem for PL/pgSQL itself, but the omission could cause the PL/pgSQL Debugger to crash while examining the state of a function. Retry failed calls to CallNamedPipe() on Windows (Steve Marshall, Magnus) It appears that this function can sometimes fail transiently; we previously treated any failure as a hard error, which could confuse LISTEN/NOTIFY as well as other operations. Add MUST (Mauritius Island Summer Time) to the default list of known timezone abbreviations (Xavier Bugaud) 2009-02-02 This release contains a variety of fixes from 8.3.5. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.5, see the release notes for 8.3.5. Make DISCARD ALL release advisory locks, in addition to everything it already did (Tom) This was decided to be the most appropriate behavior. This could affect existing applications, however. Fix whole-index GiST scans to work correctly (Teodor) This error could cause rows to be lost if a table is clustered on a GiST index. Fix crash of xmlconcat(NULL) (Peter) Fix possible crash in ispell dictionary if high-bit-set characters are used as flags (Teodor) This is known to be done by one widely available Norwegian dictionary, and the same condition may exist in others. Fix misordering of pg_dump output for composite types (Tom) The most likely problem was for user-defined operator classes to be dumped after indexes or views that needed them. Improve handling of URLs in headline() function (Teodor) Improve handling of overlength headlines in headline() function (Teodor) Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom, Heikki) Fix possible Assert failure if a statement executed in PL/pgSQL is rewritten into another kind of statement, for example if an INSERT is rewritten into an UPDATE (Heikki) Ensure that a snapshot is available to datatype input functions (Tom) This primarily affects domains that are declared with CHECK constraints involving user-defined stable or immutable functions. Such functions typically fail if no snapshot has been set. Make it safer for SPI-using functions to be used within datatype I/O; in particular, to be used in domain check constraints (Tom) Avoid unnecessary locking of small tables in VACUUM (Heikki) Fix a problem that sometimes kept ALTER TABLE ENABLE/DISABLE RULE from being recognized by active sessions (Tom) Fix a problem that made UPDATE RETURNING tableoid return zero instead of the correct OID (Tom) Allow functions declared as taking ANYARRAY to work on the pg_statistic columns of that type (Tom) This used to work, but was unintentionally broken in 8.3. Fix planner misestimation of selectivity when transitive equality is applied to an outer-join clause (Tom) This could result in bad plans for queries like ... from a left join b on a.a1 = b.b1 where a.a1 = 42 ... Improve optimizer's handling of long IN lists (Tom) This change avoids wasting large amounts of time on such lists when constraint exclusion is enabled. Prevent synchronous scan during GIN index build (Tom) Because GIN is optimized for inserting tuples in increasing TID order, choosing to use a synchronous scan could slow the build by a factor of three or more. Ensure that the contents of a holdable cursor don't depend on the contents of TOAST tables (Tom) Previously, large field values in a cursor result might be represented as TOAST pointers, which would fail if the referenced table got dropped before the cursor is read, or if the large value is deleted and then vacuumed away. This cannot happen with an ordinary cursor, but it could with a cursor that is held past its creating transaction. Fix memory leak when a set-returning function is terminated without reading its whole result (Tom) Fix encoding conversion problems in XML functions when the database encoding isn't UTF-8 (Tom) Fix contrib/dblink's dblink_get_result(text,bool) function (Joe) Fix possible garbage output from contrib/sslinfo functions (Tom) Fix incorrect behavior of contrib/tsearch2 compatibility trigger when it's fired more than once in a command (Teodor) Fix possible mis-signaling in autovacuum (Heikki) Support running as a service on Windows 7 beta (Dave and Magnus) Fix ecpg's handling of varchar structs (Michael) Fix configure script to properly report failure when unable to obtain linkage information for PL/Perl (Andrew) Make all documentation reference pgsql-bugs and/or pgsql-hackers as appropriate, instead of the now-decommissioned pgsql-ports and pgsql-patches mailing lists (Tom) Update time zone data files to tzdata release 2009a (for Kathmandu and historical DST corrections in Switzerland, Cuba) 2008-11-03 This release contains a variety of fixes from 8.3.4. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see the release notes for 8.3.1. Also, if you were running a previous 8.3.X release, it is recommended to REINDEX all GiST indexes after the upgrade. Fix GiST index corruption due to marking the wrong index entry dead after a deletion (Teodor) This would result in index searches failing to find rows they should have found. Corrupted indexes can be fixed with REINDEX. Fix backend crash when the client encoding cannot represent a localized error message (Tom) We have addressed similar issues before, but it would still fail if the character has no equivalent message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation. Fix possible crash in bytea-to-XML mapping (Michael McMaster) Fix possible crash when deeply nested functions are invoked from a trigger (Tom) Improve optimization of expression IN (expression-list) queries (Tom, per an idea from Robert Haas) Cases in which there are query variables on the right-hand side had been handled less efficiently in 8.2.x and 8.3.x than in prior versions. The fix restores 8.1 behavior for such cases. Fix mis-expansion of rule queries when a sub-SELECT appears in a function call in FROM, a multi-row VALUES list, or a RETURNING list (Tom) The usual symptom of this problem is an unrecognized node type error. Fix Assert failure during rescan of an IS NULL search of a GiST index (Teodor) Fix memory leak during rescan of a hashed aggregation plan (Neil) Ensure an error is reported when a newly-defined PL/pgSQL trigger function is invoked as a normal function (Tom) Force a checkpoint before CREATE DATABASE starts to copy files (Heikki) This prevents a possible failure if files had recently been deleted in the source database. Prevent possible collision of relfilenode numbers when moving a table to another tablespace with ALTER SET TABLESPACE (Heikki) The command tried to re-use the existing filename, instead of picking one that is known unused in the destination directory. Fix incorrect text search headline generation when single query item matches first word of text (Sushant Sinha) Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build (Ron Mayer) Make ILIKE compare characters case-insensitively even when they're escaped (Andrew) Ensure DISCARD is handled properly by statement logging (Tom) Fix incorrect logging of last-completed-transaction time during PITR recovery (Tom) Ensure SPI_getvalue and SPI_getbinval behave correctly when the passed tuple and tuple descriptor have different numbers of columns (Tom) This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication. Mark SessionReplicationRole as PGDLLIMPORT so it can be used by Slony on Windows (Magnus) Fix small memory leak when using libpq's gsslib parameter (Magnus) The space used by the parameter string was not freed at connection close. Ensure libgssapi is linked into libpq if needed (Markus Schaaf) Fix ecpg's parsing of CREATE ROLE (Michael) Fix recent breakage of pg_ctl restart (Tom) Ensure pg_control is opened in binary mode (Itagaki Takahiro) pg_controldata and pg_resetxlog did this incorrectly, and so could fail on Windows. Update time zone data files to tzdata release 2008i (for DST law changes in Argentina, Brazil, Mauritius, Syria) 2008-09-22 This release contains a variety of fixes from 8.3.3. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see the release notes for 8.3.1. Fix bug in btree WAL recovery code (Heikki) Recovery failed if the WAL ended partway through a page split operation. Fix potential use of wrong cutoff XID for HOT page pruning (Alvaro) This error created a risk of corruption in system catalogs that are consulted by VACUUM: dead tuple versions might be removed too soon. The impact of this on actual database operations would be minimal, since the system doesn't follow MVCC rules while examining catalogs, but it might result in transiently wrong output from pg_dump or other client programs. Fix potential miscalculation of datfrozenxid (Alvaro) This error may explain some recent reports of failure to remove old pg_clog data. Fix incorrect HOT updates after pg_class is reindexed (Tom) Corruption of pg_class could occur if REINDEX TABLE pg_class was followed in the same session by an ALTER TABLE RENAME or ALTER TABLE SET SCHEMA command. Fix missed combo cid case (Karl Schnaitter) This error made rows incorrectly invisible to a transaction in which they had been deleted by multiple subtransactions that all aborted. Prevent autovacuum from crashing if the table it's currently checking is deleted at just the wrong time (Alvaro) Widen local lock counters from 32 to 64 bits (Tom) This responds to reports that the counters could overflow in sufficiently long transactions, leading to unexpected lock is already held errors. Fix possible duplicate output of tuples during a GiST index scan (Teodor) Regenerate foreign key checking queries from scratch when either table is modified (Tom) Previously, 8.3 would attempt to replan the query, but would work from previously generated query text. This led to failures if a table or column was renamed. Fix missed permissions checks when a view contains a simple UNION ALL construct (Heikki) Permissions for the referenced tables were checked properly, but not permissions for the view itself. Add checks in executor startup to ensure that the tuples produced by an INSERT or UPDATE will match the target table's current rowtype (Tom) This situation is believed to be impossible in 8.3, but it can happen in prior releases, so a check seems prudent. Fix possible repeated drops during DROP OWNED (Tom) This would typically result in strange errors such as cache lookup failed for relation NNN. Fix several memory leaks in XML operations (Kris Jurka, Tom) Fix xmlserialize() to raise error properly for unacceptable target data type (Tom) Fix a couple of places that mis-handled multibyte characters in text search configuration file parsing (Tom) Certain characters occurring in configuration files would always cause invalid byte sequence for encoding failures. Provide file name and line number location for all errors reported in text search configuration files (Tom) Fix AT TIME ZONE to first try to interpret its timezone argument as a timezone abbreviation, and only try it as a full timezone name if that fails, rather than the other way around as formerly (Tom) The timestamp input functions have always resolved ambiguous zone names in this order. Making AT TIME ZONE do so as well improves consistency, and fixes a compatibility bug introduced in 8.1: in ambiguous cases we now behave the same as 8.0 and before did, since in the older versions AT TIME ZONE accepted only abbreviations. Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom) Prevent integer overflows during units conversion when displaying a configuration parameter that has units (Tom) Improve performance of writing very long log messages to syslog (Tom) Allow spaces in the suffix part of an LDAP URL in pg_hba.conf (Tom) Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom) Fix planner bug that could improperly push down IS NULL tests below an outer join (Tom) This was triggered by occurrence of IS NULL tests for the same relation in all arms of an upper OR clause. Fix planner bug with nested sub-select expressions (Tom) If the outer sub-select has no direct dependency on the parent query, but the inner one does, the outer value might not get recalculated for new parent query rows. Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom) This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL. Fix PL/pgSQL to not fail when a FOR loop's target variable is a record containing composite-type fields (Tom) Fix PL/Tcl to behave correctly with Tcl 8.5, and to be more careful about the encoding of data sent to or from Tcl (Tom) Improve performance of PQescapeBytea() (Rudolf Leitgeb) On Windows, work around a Microsoft bug by preventing libpq from trying to send more than 64kB per system call (Magnus) Fix ecpg to handle variables properly in SET commands (Michael) Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom) Fix pg_ctl to properly preserve postmaster command-line arguments across a restart (Bruce) Fix erroneous WAL file cutoff point calculation in pg_standby (Simon) Update time zone data files to tzdata release 2008f (for DST law changes in Argentina, Bahamas, Brazil, Mauritius, Morocco, Pakistan, Palestine, and Paraguay) 2008-06-12 This release contains one serious and one minor bug fix over 8.3.2. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see the release notes for 8.3.1. Make pg_get_ruledef() parenthesize negative constants (Tom) Before this fix, a negative constant in a view or rule might be dumped as, say, -42::integer, which is subtly incorrect: it should be (-42)::integer due to operator precedence rules. Usually this would make little difference, but it could interact with another recent patch to cause PostgreSQL to reject what had been a valid SELECT DISTINCT view query. Since this could result in pg_dump output failing to reload, it is being treated as a high-priority fix. The only released versions in which dump output is actually incorrect are 8.3.1 and 8.2.7. Make ALTER AGGREGATE ... OWNER TO update pg_shdepend (Tom) This oversight could lead to problems if the aggregate was later involved in a DROP OWNED or REASSIGN OWNED operation. never released This release contains a variety of fixes from 8.3.1. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see the release notes for 8.3.1. Fix ERRORDATA_STACK_SIZE exceeded crash that occurred on Windows when using UTF-8 database encoding and a different client encoding (Tom) Fix incorrect archive truncation point calculation for the %r macro in recovery_command parameters (Simon) This could lead to data loss if a warm-standby script relied on %r to decide when to throw away WAL segment files. Fix ALTER TABLE ADD COLUMN ... PRIMARY KEY so that the new column is correctly checked to see if it's been initialized to all non-nulls (Brendan Jurd) Previous versions neglected to check this requirement at all. Fix REASSIGN OWNED so that it works on procedural languages too (Alvaro) Fix problems with SELECT FOR UPDATE/SHARE occurring as a subquery in a query with a non-SELECT top-level operation (Tom) Fix possible CREATE TABLE failure when inheriting the same constraint from multiple parent relations that inherited that constraint from a common ancestor (Tom) Fix pg_get_ruledef() to show the alias, if any, attached to the target table of an UPDATE or DELETE (Tom) Restore the pre-8.3 behavior that an out-of-range block number in a TID being used in a TidScan plan results in silently not matching any rows (Tom) 8.3.0 and 8.3.1 threw an error instead. Fix GIN bug that could result in a too many LWLocks taken failure (Teodor) Fix broken GiST comparison function for tsquery (Teodor) Fix tsvector_update_trigger() and ts_stat() to accept domains over the types they expect to work with (Tom) Fix failure to support enum data types as foreign keys (Tom) Avoid possible crash when decompressing corrupted data (Zdenek Kotala) Fix race conditions between delayed unlinks and DROP DATABASE (Heikki) In the worst case this could result in deleting a newly created table in a new database that happened to get the same OID as the recently-dropped one; but of course that is an extremely low-probability scenario. Repair two places where SIGTERM exit of a backend could leave corrupted state in shared memory (Tom) Neither case is very important if SIGTERM is used to shut down the whole database cluster together, but there was a problem if someone tried to SIGTERM individual backends. Fix possible crash due to incorrect plan generated for an x IN (SELECT y FROM ...) clause when x and y have different data types; and make sure the behavior is semantically correct when the conversion from y's type to x's type is lossy (Tom) Fix oversight that prevented the planner from substituting known Param values as if they were constants (Tom) This mistake partially disabled optimization of unnamed extended-Query statements in 8.3.0 and 8.3.1: in particular the LIKE-to-indexscan optimization would never be applied if the LIKE pattern was passed as a parameter, and constraint exclusion depending on a parameter value didn't work either. Fix planner failure when an indexable MIN or MAX aggregate is used with DISTINCT or ORDER BY (Tom) Fix planner to ensure it never uses a physical tlist for a plan node that is feeding a Sort node (Tom) This led to the sort having to push around more data than it really needed to, since unused column values were included in the sorted data. Avoid unnecessary copying of query strings (Tom) This fixes a performance problem introduced in 8.3.0 when a very large number of commands are submitted as a single query string. Make TransactionIdIsCurrentTransactionId() use binary search instead of linear search when checking child-transaction XIDs (Heikki) This fixes some cases in which 8.3.0 was significantly slower than earlier releases. Fix conversions between ISO-8859-5 and other encodings to handle Cyrillic Yo characters (e and E with two dots) (Sergey Burladyan) Fix several datatype input functions, notably array_in(), that were allowing unused bytes in their results to contain uninitialized, unpredictable values (Tom) This could lead to failures in which two apparently identical literal values were not seen as equal, resulting in the parser complaining about unmatched ORDER BY and DISTINCT expressions. Fix a corner case in regular-expression substring matching (substring(string from pattern)) (Tom) The problem occurs when there is a match to the pattern overall but the user has specified a parenthesized subexpression and that subexpression hasn't got a match. An example is substring('foo' from 'foo(bar)?'). This should return NULL, since (bar) isn't matched, but it was mistakenly returning the whole-pattern match instead (ie, foo). Prevent cancellation of an auto-vacuum that was launched to prevent XID wraparound (Alvaro) Improve ANALYZE's handling of in-doubt tuples (those inserted or deleted by a not-yet-committed transaction) so that the counts it reports to the stats collector are more likely to be correct (Pavan Deolasee) Fix initdb to reject a relative path for its --xlogdir (-X) option (Tom) Make psql print tab characters as an appropriate number of spaces, rather than \x09 as was done in 8.3.0 and 8.3.1 (Bruce) Update time zone data files to tzdata release 2008c (for DST law changes in Morocco, Iraq, Choibalsan, Pakistan, Syria, Cuba, and Argentina/San_Luis) Add ECPGget_PGconn() function to ecpglib (Michael) Fix incorrect result from ecpg's PGTYPEStimestamp_sub() function (Michael) Fix handling of continuation line markers in ecpg (Michael) Fix possible crashes in contrib/cube functions (Tom) Fix core dump in contrib/xml2's xpath_table() function when the input query returns a NULL value (Tom) Fix contrib/xml2's makefile to not override CFLAGS, and make it auto-configure properly for libxslt present or not (Tom) 2008-03-17 This release contains a variety of fixes from 8.3.0. For information about new features in the 8.3 major release, see . A dump/restore is not required for those running 8.3.X. However, you might need to REINDEX indexes on textual columns after updating, if you are affected by the Windows locale issue described below. Fix character string comparison for Windows locales that consider different character combinations as equal (Tom) This fix applies only on Windows and only when using UTF-8 database encoding. The same fix was made for all other cases over two years ago, but Windows with UTF-8 uses a separate code path that was not updated. If you are using a locale that considers some non-identical strings as equal, you may need to REINDEX to fix existing indexes on textual columns. Repair corner-case bugs in VACUUM FULL (Tom) A potential deadlock between concurrent VACUUM FULL operations on different system catalogs was introduced in 8.2. This has now been corrected. 8.3 made this worse because the deadlock could occur within a critical code section, making it a PANIC rather than just ERROR condition. Also, a VACUUM FULL that failed partway through vacuuming a system catalog could result in cache corruption in concurrent database sessions. Another VACUUM FULL bug introduced in 8.3 could result in a crash or out-of-memory report when dealing with pages containing no live tuples. Fix misbehavior of foreign key checks involving character or bit columns (Tom) If the referencing column were of a different but compatible type (for instance varchar), the constraint was enforced incorrectly. Avoid needless deadlock failures in no-op foreign-key checks (Stephan Szabo, Tom) Fix possible core dump when re-planning a prepared query (Tom) This bug affected only protocol-level prepare operations, not SQL PREPARE, and so tended to be seen only with JDBC, DBI, and other client-side drivers that use prepared statements heavily. Fix possible failure when re-planning a query that calls an SPI-using function (Tom) Fix failure in row-wise comparisons involving columns of different datatypes (Tom) Fix longstanding LISTEN/NOTIFY race condition (Tom) In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later. A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior. Disallow LISTEN and UNLISTEN within a prepared transaction (Tom) This was formerly allowed but trying to do it had various unpleasant consequences, notably that the originating backend could not exit as long as an UNLISTEN remained uncommitted. Disallow dropping a temporary table within a prepared transaction (Heikki) This was correctly disallowed by 8.1, but the check was inadvertently broken in 8.2 and 8.3. Fix rare crash when an error occurs during a query using a hash index (Heikki) Fix incorrect comparison of tsquery values (Teodor) Fix incorrect behavior of LIKE with non-ASCII characters in single-byte encodings (Rolf Jentsch) Disable xmlvalidate (Tom) This function should have been removed before 8.3 release, but was inadvertently left in the source code. It poses a small security risk since unprivileged users could use it to read the first few characters of any file accessible to the server. Fix memory leaks in certain usages of set-returning functions (Neil) Make encode(bytea, 'escape') convert all high-bit-set byte values into \nnn octal escape sequences (Tom) This is necessary to avoid encoding problems when the database encoding is multi-byte. This change could pose compatibility issues for applications that are expecting specific results from encode. Fix input of datetime values for February 29 in years BC (Tom) The former coding was mistaken about which years were leap years. Fix unrecognized node type error in some variants of ALTER OWNER (Tom) Avoid tablespace permissions errors in CREATE TABLE LIKE INCLUDING INDEXES (Tom) Ensure pg_stat_activity.waiting flag is cleared when a lock wait is aborted (Tom) Fix handling of process permissions on Windows Vista (Dave, Magnus) In particular, this fix allows starting the server as the Administrator user. Update time zone data files to tzdata release 2008a (in particular, recent Chile changes); adjust timezone abbreviation VET (Venezuela) to mean UTC-4:30, not UTC-4:00 (Tom) Fix ecpg problems with arrays (Michael) Fix pg_ctl to correctly extract the postmaster's port number from command-line options (Itagaki Takahiro, Tom) Previously, pg_ctl start -w could try to contact the postmaster on the wrong port, leading to bogus reports of startup failure. Use -fwrapv to defend against possible misoptimization in recent gcc versions (Tom) This is known to be necessary when building PostgreSQL with gcc 4.3 or later. Enable building contrib/uuid-ossp with MSVC (Hiroshi Saito) 2008-02-04 With significant new functionality and performance enhancements, this release represents a major leap forward for PostgreSQL. This was made possible by a growing community that has dramatically accelerated the pace of development. This release adds the following major features: Full text search is integrated into the core database system Support for the SQL/XML standard, including new operators and an XML data type Enumerated data types (ENUM) Arrays of composite types Universally Unique Identifier (UUID) data type Add control over whether NULLs sort first or last Updatable cursors Server configuration parameters can now be set on a per-function basis User-defined types can now have type modifiers Automatically re-plan cached queries when table definitions change or statistics are updated Numerous improvements in logging and statistics collection Support Security Service Provider Interface (SSPI) for authentication on Windows Support multiple concurrent autovacuum processes, and other autovacuum improvements Allow the whole PostgreSQL distribution to be compiled with Microsoft Visual C++ Major performance improvements are listed below. Most of these enhancements are automatic and do not require user changes or tuning: Asynchronous commit delays writes to WAL during transaction commit Checkpoint writes can be spread over a longer time period to smooth the I/O spike during each checkpoint Heap-Only Tuples (HOT) accelerate space reuse for most UPDATEs and DELETEs Just-in-time background writer strategy improves disk write efficiency Using non-persistent transaction IDs for read-only transactions reduces overhead and VACUUM requirements Per-field and per-row storage overhead has been reduced Large sequential scans no longer force out frequently used cached pages Concurrent large sequential scans can now share disk reads ORDER BY ... LIMIT can be done without sorting The above items are explained in more detail in the sections below. A dump/restore using pg_dump is required for those wishing to migrate data from any previous release. Observe the following incompatibilities: Non-character data types are no longer automatically cast to TEXT (Peter, Tom) Previously, if a non-character value was supplied to an operator or function that requires text input, it was automatically cast to text, for most (though not all) built-in data types. This no longer happens: an explicit cast to text is now required for all non-character-string types. For example, these expressions formerly worked: substr(current_date, 1, 4) 23 LIKE '2%' but will now draw function does not exist and operator does not exist errors respectively. Use an explicit cast instead: substr(current_date::text, 1, 4) 23::text LIKE '2%' (Of course, you can use the more verbose CAST() syntax too.) The reason for the change is that these automatic casts too often caused surprising behavior. An example is that in previous releases, this expression was accepted but did not do what was expected: current_date < 2017-11-17 This is actually comparing a date to an integer, which should be (and now is) rejected — but in the presence of automatic casts both sides were cast to text and a textual comparison was done, because the text < text operator was able to match the expression when no other < operator could. Types char(n) and varchar(n) still cast to text automatically. Also, automatic casting to text still works for inputs to the concatenation (||) operator, so long as least one input is a character-string type. Full text search features from contrib/tsearch2 have been moved into the core server, with some minor syntax changes contrib/tsearch2 now contains a compatibility interface. ARRAY(SELECT ...), where the SELECT returns no rows, now returns an empty array, rather than NULL (Tom) The array type name for a base data type is no longer always the base type's name with an underscore prefix The old naming convention is still honored when possible, but application code should no longer depend on it. Instead use the new pg_type.typarray column to identify the array data type associated with a given type. ORDER BY ... USING operator must now use a less-than or greater-than operator that is defined in a btree operator class This restriction was added to prevent inconsistent results. SET LOCAL changes now persist until the end of the outermost transaction, unless rolled back (Tom) Previously SET LOCAL's effects were lost after subtransaction commit (RELEASE SAVEPOINT or exit from a PL/pgSQL exception block). Commands rejected in transaction blocks are now also rejected in multiple-statement query strings (Tom) For example, "BEGIN; DROP DATABASE; COMMIT" will now be rejected even if submitted as a single query message. ROLLBACK outside a transaction block now issues NOTICE instead of WARNING (Bruce) Prevent NOTIFY/LISTEN/UNLISTEN from accepting schema-qualified names (Bruce) Formerly, these commands accepted schema.relation but ignored the schema part, which was confusing. ALTER SEQUENCE no longer affects the sequence's currval() state (Tom) Foreign keys now must match indexable conditions for cross-data-type references (Tom) This improves semantic consistency and helps avoid performance problems. Restrict object size functions to users who have reasonable permissions to view such information (Tom) For example, pg_database_size() now requires CONNECT permission, which is granted to everyone by default. pg_tablespace_size() requires CREATE permission in the tablespace, or is allowed if the tablespace is the default tablespace for the database. Remove the undocumented !!= (not in) operator (Tom) NOT IN (SELECT ...) is the proper way to perform this operation. Internal hashing functions are now more uniformly-distributed (Tom) If application code was computing and storing hash values using internal PostgreSQL hashing functions, the hash values must be regenerated. C-code conventions for handling variable-length data values have changed (Greg Stark, Tom) The new SET_VARSIZE() macro must be used to set the length of generated varlena values. Also, it might be necessary to expand (de-TOAST) input values in more cases. Continuous archiving no longer reports each successful archive operation to the server logs unless DEBUG level is used (Simon) Numerous changes in administrative server parameters bgwriter_lru_percent, bgwriter_all_percent, bgwriter_all_maxpages, stats_start_collector, and stats_reset_on_server_start are removed. redirect_stderr is renamed to logging_collector. stats_command_string is renamed to track_activities. stats_block_level and stats_row_level are merged into track_counts. A new boolean configuration parameter, archive_mode, controls archiving. Autovacuum's default settings have changed. Remove stats_start_collector parameter (Tom) We now always start the collector process, unless UDP socket creation fails. Remove stats_reset_on_server_start parameter (Tom) This was removed because pg_stat_reset() can be used for this purpose. Commenting out a parameter in postgresql.conf now causes it to revert to its default value (Joachim Wieland) Previously, commenting out an entry left the parameter's value unchanged until the next server restart. Add more checks for invalidly-encoded data (Andrew) This change plugs some holes that existed in literal backslash escape string processing and COPY escape processing. Now the de-escaped string is rechecked to see if the result created an invalid multi-byte character. Disallow database encodings that are inconsistent with the server's locale setting (Tom) On most platforms, C locale is the only locale that will work with any database encoding. Other locale settings imply a specific encoding and will misbehave if the database encoding is something different. (Typical symptoms include bogus textual sort order and wrong results from upper() or lower().) The server now rejects attempts to create databases that have an incompatible encoding. Ensure that chr() cannot create invalidly-encoded values (Andrew) In UTF8-encoded databases the argument of chr() is now treated as a Unicode code point. In other multi-byte encodings chr()'s argument must designate a 7-bit ASCII character. Zero is no longer accepted. ascii() has been adjusted to match. Adjust convert() behavior to ensure encoding validity (Andrew) The two argument form of convert() has been removed. The three argument form now takes a bytea first argument and returns a bytea. To cover the loss of functionality, three new functions have been added: convert_from(bytea, name) returns text — converts the first argument from the named encoding to the database encoding convert_to(text, name) returns bytea — converts the first argument from the database encoding to the named encoding length(bytea, name) returns integer — gives the length of the first argument in characters in the named encoding Remove convert(argument USING conversion_name) (Andrew) Its behavior did not match the SQL standard. Make JOHAB encoding client-only (Tatsuo) JOHAB is not safe as a server-side encoding. Below you will find a detailed account of the changes between PostgreSQL 8.3 and the previous major release. Asynchronous commit delays writes to WAL during transaction commit (Simon) This feature dramatically increases performance for short data-modifying transactions. The disadvantage is that because disk writes are delayed, if the database or operating system crashes before data is written to the disk, committed data will be lost. This feature is useful for applications that can accept some data loss. Unlike turning off fsync, using asynchronous commit does not put database consistency at risk; the worst case is that after a crash the last few reportedly-committed transactions might not be committed after all. This feature is enabled by turning off synchronous_commit (which can be done per-session or per-transaction, if some transactions are critical and others are not). wal_writer_delay can be adjusted to control the maximum delay before transactions actually reach disk. Checkpoint writes can be spread over a longer time period to smooth the I/O spike during each checkpoint (Itagaki Takahiro and Heikki Linnakangas) Previously all modified buffers were forced to disk as quickly as possible during a checkpoint, causing an I/O spike that decreased server performance. This new approach spreads out disk writes during checkpoints, reducing peak I/O usage. (User-requested and shutdown checkpoints are still written as quickly as possible.) Heap-Only Tuples (HOT) accelerate space reuse for most UPDATEs and DELETEs (Pavan Deolasee, with ideas from many others) UPDATEs and DELETEs leave dead tuples behind, as do failed INSERTs. Previously only VACUUM could reclaim space taken by dead tuples. With HOT dead tuple space can be automatically reclaimed at the time of INSERT or UPDATE if no changes are made to indexed columns. This allows for more consistent performance. Also, HOT avoids adding duplicate index entries. Just-in-time background writer strategy improves disk write efficiency (Greg Smith, Itagaki Takahiro) This greatly reduces the need for manual tuning of the background writer. Per-field and per-row storage overhead have been reduced (Greg Stark, Heikki Linnakangas) Variable-length data types with data values less than 128 bytes long will see a storage decrease of 3 to 6 bytes. For example, two adjacent char(1) fields now use 4 bytes instead of 16. Row headers are also 4 bytes shorter than before. Using non-persistent transaction IDs for read-only transactions reduces overhead and VACUUM requirements (Florian Pflug) Non-persistent transaction IDs do not increment the global transaction counter. Therefore, they reduce the load on pg_clog and increase the time between forced vacuums to prevent transaction ID wraparound. Other performance improvements were also made that should improve concurrency. Avoid incrementing the command counter after a read-only command (Tom) There was formerly a hard limit of 232 (4 billion) commands per transaction. Now only commands that actually changed the database count, so while this limit still exists, it should be significantly less annoying. Create a dedicated WAL writer process to off-load work from backends (Simon) Skip unnecessary WAL writes for CLUSTER and COPY (Simon) Unless WAL archiving is enabled, the system now avoids WAL writes for CLUSTER and just fsync()s the table at the end of the command. It also does the same for COPY if the table was created in the same transaction. Large sequential scans no longer force out frequently used cached pages (Simon, Heikki, Tom) Concurrent large sequential scans can now share disk reads (Jeff Davis) This is accomplished by starting the new sequential scan in the middle of the table (where another sequential scan is already in-progress) and wrapping around to the beginning to finish. This can affect the order of returned rows in a query that does not specify ORDER BY. The synchronize_seqscans configuration parameter can be used to disable this if necessary. ORDER BY ... LIMIT can be done without sorting (Greg Stark) This is done by sequentially scanning the table and tracking just the top N candidate rows, rather than performing a full sort of the entire table. This is useful when there is no matching index and the LIMIT is not large. Put a rate limit on messages sent to the statistics collector by backends (Tom) This reduces overhead for short transactions, but might sometimes increase the delay before statistics are tallied. Improve hash join performance for cases with many NULLs (Tom) Speed up operator lookup for cases with non-exact datatype matches (Tom) Autovacuum is now enabled by default (Alvaro) Several changes were made to eliminate disadvantages of having autovacuum enabled, thereby justifying the change in default. Several other autovacuum parameter defaults were also modified. Support multiple concurrent autovacuum processes (Alvaro, Itagaki Takahiro) This allows multiple vacuums to run concurrently. This prevents vacuuming of a large table from delaying vacuuming of smaller tables. Automatically re-plan cached queries when table definitions change or statistics are updated (Tom) Previously PL/pgSQL functions that referenced temporary tables would fail if the temporary table was dropped and recreated between function invocations, unless EXECUTE was used. This improvement fixes that problem and many related issues. Add a temp_tablespaces parameter to control the tablespaces for temporary tables and files (Jaime Casanova, Albert Cervera, Bernd Helmle) This parameter defines a list of tablespaces to be used. This enables spreading the I/O load across multiple tablespaces. A random tablespace is chosen each time a temporary object is created. Temporary files are no longer stored in per-database pgsql_tmp/ directories but in per-tablespace directories. Place temporary tables' TOAST tables in special schemas named pg_toast_temp_nnn (Tom) This allows low-level code to recognize these tables as temporary, which enables various optimizations such as not WAL-logging changes and using local rather than shared buffers for access. This also fixes a bug wherein backends unexpectedly held open file references to temporary TOAST tables. Fix problem that a constant flow of new connection requests could indefinitely delay the postmaster from completing a shutdown or a crash restart (Tom) Guard against a very-low-probability data loss scenario by preventing re-use of a deleted table's relfilenode until after the next checkpoint (Heikki) Fix CREATE CONSTRAINT TRIGGER to convert old-style foreign key trigger definitions into regular foreign key constraints (Tom) This will ease porting of foreign key constraints carried forward from pre-7.3 databases, if they were never converted using contrib/adddepend. Fix DEFAULT NULL to override inherited defaults (Tom) DEFAULT NULL was formerly considered a noise phrase, but it should (and now does) override non-null defaults that would otherwise be inherited from a parent table or domain. Add new encodings EUC_JIS_2004 and SHIFT_JIS_2004 (Tatsuo) These new encodings can be converted to and from UTF-8. Change server startup log message from database system is ready to database system is ready to accept connections, and adjust its timing The message now appears only when the postmaster is really ready to accept connections. Add log_autovacuum_min_duration parameter to support configurable logging of autovacuum activity (Simon, Alvaro) Add log_lock_waits parameter to log lock waiting (Simon) Add log_temp_files parameter to log temporary file usage (Bill Moran) Add log_checkpoints parameter to improve logging of checkpoints (Greg Smith, Heikki) log_line_prefix now supports %s and %c escapes in all processes (Andrew) Previously these escapes worked only for user sessions, not for background database processes. Add log_restartpoints to control logging of point-in-time recovery restart points (Simon) Last transaction end time is now logged at end of recovery and at each logged restart point (Simon) Autovacuum now reports its activity start time in pg_stat_activity (Tom) Allow server log output in comma-separated value (CSV) format (Arul Shaji, Greg Smith, Andrew Dunstan) CSV-format log files can easily be loaded into a database table for subsequent analysis. Use PostgreSQL-supplied timezone support for formatting timestamps displayed in the server log (Tom) This avoids Windows-specific problems with localized time zone names that are in the wrong encoding. There is a new log_timezone parameter that controls the timezone used in log messages, independently of the client-visible timezone parameter. New system view pg_stat_bgwriter displays statistics about background writer activity (Magnus) Add new columns for database-wide tuple statistics to pg_stat_database (Magnus) Add an xact_start (transaction start time) column to pg_stat_activity (Neil) This makes it easier to identify long-running transactions. Add n_live_tuples and n_dead_tuples columns to pg_stat_all_tables and related views (Glen Parker) Merge stats_block_level and stats_row_level parameters into a single parameter track_counts, which controls all messages sent to the statistics collector process (Tom) Rename stats_command_string parameter to track_activities (Tom) Fix statistical counting of live and dead tuples to recognize that committed and aborted transactions have different effects (Tom) Support Security Service Provider Interface (SSPI) for authentication on Windows (Magnus) Support GSSAPI authentication (Henry Hotz, Magnus) This should be preferred to native Kerberos authentication because GSSAPI is an industry standard. Support a global SSL configuration file (Victor Wagner) Add ssl_ciphers parameter to control accepted SSL ciphers (Victor Wagner) Add a Kerberos realm parameter, krb_realm (Magnus) Change the timestamps recorded in transaction WAL records from time_t to TimestampTz representation (Tom) This provides sub-second resolution in WAL, which can be useful for point-in-time recovery. Reduce WAL disk space needed by warm standby servers (Simon) This change allows a warm standby server to pass the name of the earliest still-needed WAL file to the recovery script, allowing automatic removal of no-longer-needed WAL files. This is done using %r in the restore_command parameter of recovery.conf. New boolean configuration parameter, archive_mode, controls archiving (Simon) Previously setting archive_command to an empty string turned off archiving. Now archive_mode turns archiving on and off, independently of archive_command. This is useful for stopping archiving temporarily. Full text search is integrated into the core database system (Teodor, Oleg) Text search has been improved, moved into the core code, and is now installed by default. contrib/tsearch2 now contains a compatibility interface. Add control over whether NULLs sort first or last (Teodor, Tom) The syntax is ORDER BY ... NULLS FIRST/LAST. Allow per-column ascending/descending (ASC/DESC) ordering options for indexes (Teodor, Tom) Previously a query using ORDER BY with mixed ASC/DESC specifiers could not fully use an index. Now an index can be fully used in such cases if the index was created with matching ASC/DESC specifications. NULL sort order within an index can be controlled, too. Allow col IS NULL to use an index (Teodor) Updatable cursors (Arul Shaji, Tom) This eliminates the need to reference a primary key to UPDATE or DELETE rows returned by a cursor. The syntax is UPDATE/DELETE WHERE CURRENT OF. Allow FOR UPDATE in cursors (Arul Shaji, Tom) Create a general mechanism that supports casts to and from the standard string types (TEXT, VARCHAR, CHAR) for every datatype, by invoking the datatype's I/O functions (Tom) Previously, such casts were available only for types that had specialized function(s) for the purpose. These new casts are assignment-only in the to-string direction, explicit-only in the other direction, and therefore should create no surprising behavior. Allow UNION and related constructs to return a domain type, when all inputs are of that domain type (Tom) Formerly, the output would be considered to be of the domain's base type. Allow limited hashing when using two different data types (Tom) This allows hash joins, hash indexes, hashed subplans, and hash aggregation to be used in situations involving cross-data-type comparisons, if the data types have compatible hash functions. Currently, cross-data-type hashing support exists for smallint/integer/bigint, and for float4/float8. Improve optimizer logic for detecting when variables are equal in a WHERE clause (Tom) This allows mergejoins to work with descending sort orders, and improves recognition of redundant sort columns. Improve performance when planning large inheritance trees in cases where most tables are excluded by constraints (Tom) Arrays of composite types (David Fetter, Andrew, Tom) In addition to arrays of explicitly-declared composite types, arrays of the rowtypes of regular tables and views are now supported, except for rowtypes of system catalogs, sequences, and TOAST tables. Server configuration parameters can now be set on a per-function basis (Tom) For example, functions can now set their own search_path to prevent unexpected behavior if a different search_path exists at run-time. Security definer functions should set search_path to avoid security loopholes. CREATE/ALTER FUNCTION now supports COST and ROWS options (Tom) COST allows specification of the cost of a function call. ROWS allows specification of the average number or rows returned by a set-returning function. These values are used by the optimizer in choosing the best plan. Implement CREATE TABLE LIKE ... INCLUDING INDEXES (Trevor Hardcastle, Nikhil Sontakke, Neil) Allow CREATE INDEX CONCURRENTLY to ignore transactions in other databases (Simon) Add ALTER VIEW ... RENAME TO and ALTER SEQUENCE ... RENAME TO (David Fetter, Neil) Previously this could only be done via ALTER TABLE ... RENAME TO. Make CREATE/DROP/RENAME DATABASE wait briefly for conflicting backends to exit before failing (Tom) This increases the likelihood that these commands will succeed. Allow triggers and rules to be deactivated in groups using a configuration parameter, for replication purposes (Jan) This allows replication systems to disable triggers and rewrite rules as a group without modifying the system catalogs directly. The behavior is controlled by ALTER TABLE and a new parameter session_replication_role. User-defined types can now have type modifiers (Teodor, Tom) This allows a user-defined type to take a modifier, like ssnum(7). Previously only built-in data types could have modifiers. Non-superuser database owners now are able to add trusted procedural languages to their databases by default (Jeremy Drake) While this is reasonably safe, some administrators might wish to revoke the privilege. It is controlled by pg_pltemplate.tmpldbacreate. Allow a session's current parameter setting to be used as the default for future sessions (Tom) This is done with SET ... FROM CURRENT in CREATE/ALTER FUNCTION, ALTER DATABASE, or ALTER ROLE. Implement new commands DISCARD ALL, DISCARD PLANS, DISCARD TEMPORARY, CLOSE ALL, and DEALLOCATE ALL (Marko Kreen, Neil) These commands simplify resetting a database session to its initial state, and are particularly useful for connection-pooling software. Make CLUSTER MVCC-safe (Heikki Linnakangas) Formerly, CLUSTER would discard all tuples that were committed dead, even if there were still transactions that should be able to see them under MVCC visibility rules. Add new CLUSTER syntax: CLUSTER table USING index (Holger Schurig) The old CLUSTER syntax is still supported, but the new form is considered more logical. Fix EXPLAIN so it can show complex plans more accurately (Tom) References to subplan outputs are now always shown correctly, instead of using ?columnN? for complicated cases. Limit the amount of information reported when a user is dropped (Alvaro) Previously, dropping (or attempting to drop) a user who owned many objects could result in large NOTICE or ERROR messages listing all these objects; this caused problems for some client applications. The length of the message is now limited, although a full list is still sent to the server log. Support for the SQL/XML standard, including new operators and an XML data type (Nikolay Samokhvalov, Pavel Stehule, Peter) Enumerated data types (ENUM) (Tom Dunstan) This feature provides convenient support for fields that have a small, fixed set of allowed values. An example of creating an ENUM type is CREATE TYPE mood AS ENUM ('sad', 'ok', 'happy'). Universally Unique Identifier (UUID) data type (Gevik Babakhani, Neil) This closely matches RFC 4122. Widen the MONEY data type to 64 bits (D'Arcy Cain) This greatly increases the range of supported MONEY values. Fix float4/float8 to handle Infinity and NAN (Not A Number) consistently (Bruce) The code formerly was not consistent about distinguishing Infinity from overflow conditions. Allow leading and trailing whitespace during input of boolean values (Neil) Prevent COPY from using digits and lowercase letters as delimiters (Tom) Add new regular expression functions regexp_matches(), regexp_split_to_array(), and regexp_split_to_table() (Jeremy Drake, Neil) These functions provide extraction of regular expression subexpressions and allow splitting a string using a POSIX regular expression. Add lo_truncate() for large object truncation (Kris Jurka) Implement width_bucket() for the float8 data type (Neil) Add pg_stat_clear_snapshot() to discard statistics snapshots collected during the current transaction (Tom) The first request for statistics in a transaction takes a statistics snapshot that does not change during the transaction. This function allows the snapshot to be discarded and a new snapshot loaded during the next statistics query. This is particularly useful for PL/pgSQL functions, which are confined to a single transaction. Add isodow option to EXTRACT() and date_part() (Bruce) This returns the day of the week, with Sunday as seven. (dow returns Sunday as zero.) Add ID (ISO day of week) and IDDD (ISO day of year) format codes for to_char(), to_date(), and to_timestamp() (Brendan Jurd) Make to_timestamp() and to_date() assume TM (trim) option for potentially variable-width fields (Bruce) This matches Oracle's behavior. Fix off-by-one conversion error in to_date()/to_timestamp() D (non-ISO day of week) fields (Bruce) Make setseed() return void, rather than a useless integer value (Neil) Add a hash function for NUMERIC (Neil) This allows hash indexes and hash-based plans to be used with NUMERIC columns. Improve efficiency of LIKE/ILIKE, especially for multi-byte character sets like UTF-8 (Andrew, Itagaki Takahiro) Make currtid() functions require SELECT privileges on the target table (Tom) Add several txid_*() functions to query active transaction IDs (Jan) This is useful for various replication solutions. Add scrollable cursor support, including directional control in FETCH (Pavel Stehule) Allow IN as an alternative to FROM in PL/pgSQL's FETCH statement, for consistency with the backend's FETCH command (Pavel Stehule) Add MOVE to PL/pgSQL (Magnus, Pavel Stehule, Neil) Implement RETURN QUERY (Pavel Stehule, Neil) This adds convenient syntax for PL/pgSQL set-returning functions that want to return the result of a query. RETURN QUERY is easier and more efficient than a loop around RETURN NEXT. Allow function parameter names to be qualified with the function's name (Tom) For example, myfunc.myvar. This is particularly useful for specifying variables in a query where the variable name might match a column name. Make qualification of variables with block labels work properly (Tom) Formerly, outer-level block labels could unexpectedly interfere with recognition of inner-level record or row references. Tighten requirements for FOR loop STEP values (Tom) Prevent non-positive STEP values, and handle loop overflows. Improve accuracy when reporting syntax error locations (Tom) Allow type-name arguments to PL/Perl spi_prepare() to be data type aliases in addition to names found in pg_type (Andrew) Allow type-name arguments to PL/Python plpy.prepare() to be data type aliases in addition to names found in pg_type (Andrew) Allow type-name arguments to PL/Tcl spi_prepare to be data type aliases in addition to names found in pg_type (Andrew) Enable PL/PythonU to compile on Python 2.5 (Marko Kreen) Support a true PL/Python boolean type in compatible Python versions (Python 2.3 and later) (Marko Kreen) Fix PL/Tcl problems with thread-enabled libtcl spawning multiple threads within the backend (Steve Marshall, Paul Bayer, Doug Knight) This caused all sorts of unpleasantness. List disabled triggers separately in \d output (Brendan Jurd) In \d patterns, always match $ literally (Tom) Show aggregate return types in \da output (Greg Sabino Mullane) Add the function's volatility status to the output of \df+ (Neil) Add \prompt capability (Chad Wagner) Allow \pset, \t, and \x to specify on or off, rather than just toggling (Chad Wagner) Add \sleep capability (Jan) Enable \timing output for \copy (Andrew) Improve \timing resolution on Windows (Itagaki Takahiro) Flush \o output after each backslash command (Tom) Correctly detect and report errors while reading a -f input file (Peter) Remove -u option (this option has long been deprecated) (Tom) Add --tablespaces-only and --roles-only options to pg_dumpall (Dave Page) Add an output file option to pg_dumpall (Dave Page) This is primarily useful on Windows, where output redirection of child pg_dump processes does not work. Allow pg_dumpall to accept an initial-connection database name rather than the default template1 (Dave Page) In -n and -t switches, always match $ literally (Tom) Improve performance when a database has thousands of objects (Tom) Remove -u option (this option has long been deprecated) (Tom) In initdb, allow the location of the pg_xlog directory to be specified (Euler Taveira de Oliveira) Enable server core dump generation in pg_regress on supported operating systems (Andrew) Add a -t (timeout) parameter to pg_ctl (Bruce) This controls how long pg_ctl will wait when waiting for server startup or shutdown. Formerly the timeout was hard-wired as 60 seconds. Add a pg_ctl option to control generation of server core dumps (Andrew) Allow Control-C to cancel clusterdb, reindexdb, and vacuumdb (Itagaki Takahiro, Magnus) Suppress command tag output for createdb, createuser, dropdb, and dropuser (Peter) The --quiet option is ignored and will be removed in 8.4. Progress messages when acting on all databases now go to stdout instead of stderr because they are not actually errors. Interpret the dbName parameter of PQsetdbLogin() as a conninfo string if it contains an equals sign (Andrew) This allows use of conninfo strings in client programs that still use PQsetdbLogin(). Support a global SSL configuration file (Victor Wagner) Add environment variable PGSSLKEY to control SSL hardware keys (Victor Wagner) Add lo_truncate() for large object truncation (Kris Jurka) Add PQconnectionNeedsPassword() that returns true if the server required a password but none was supplied (Joe Conway, Tom) If this returns true after a failed connection attempt, a client application should prompt the user for a password. In the past applications have had to check for a specific error message string to decide whether a password is needed; that approach is now deprecated. Add PQconnectionUsedPassword() that returns true if the supplied password was actually used (Joe Conway, Tom) This is useful in some security contexts where it is important to know whether a user-supplied password is actually valid. Use V3 frontend/backend protocol (Michael) This adds support for server-side prepared statements. Use native threads, instead of pthreads, on Windows (Magnus) Improve thread-safety of ecpglib (Itagaki Takahiro) Make the ecpg libraries export only necessary API symbols (Michael) Allow the whole PostgreSQL distribution to be compiled with Microsoft Visual C++ (Magnus and others) This allows Windows-based developers to use familiar development and debugging tools. Windows executables made with Visual C++ might also have better stability and performance than those made with other tool sets. The client-only Visual C++ build scripts have been removed. Drastically reduce postmaster's memory usage when it has many child processes (Magnus) Allow regression tests to be started by an administrative user (Magnus) Add native shared memory implementation (Magnus) Add cursor-related functionality in SPI (Pavel Stehule) Allow access to the cursor-related planning options, and add FETCH/MOVE routines. Allow execution of cursor commands through SPI_execute (Tom) The macro SPI_ERROR_CURSOR still exists but will never be returned. SPI plan pointers are now declared as SPIPlanPtr instead of void * (Tom) This does not break application code, but switching is recommended to help catch simple programming mistakes. Add configure option --enable-profiling to enable code profiling (works only with gcc) (Korry Douglas and Nikhil Sontakke) Add configure option --with-system-tzdata to use the operating system's time zone database (Peter) Fix PGXS so extensions can be built against PostgreSQL installations whose pg_config program does not appear first in the PATH (Tom) Support gmake draft when building the SGML documentation (Bruce) Unless draft is used, the documentation build will now be repeated if necessary to ensure the index is up-to-date. Rename macro DLLIMPORT to PGDLLIMPORT to avoid conflicting with third party includes (like Tcl) that define DLLIMPORT (Magnus) Create operator families to improve planning of queries involving cross-data-type comparisons (Tom) Update GIN extractQuery() API to allow signalling that nothing can satisfy the query (Teodor) Move NAMEDATALEN definition from postgres_ext.h to pg_config_manual.h (Peter) Provide strlcpy() and strlcat() on all platforms, and replace error-prone uses of strncpy(), strncat(), etc (Peter) Create hooks to let an external plugin monitor (or even replace) the planner and create plans for hypothetical situations (Gurjeet Singh, Tom) Create a function variable join_search_hook to let plugins override the join search order portion of the planner (Julius Stroffek) Add tas() support for Renesas' M32R processor (Kazuhiro Inaoka) quote_identifier() and pg_dump no longer quote keywords that are unreserved according to the grammar (Tom) Change the on-disk representation of the NUMERIC data type so that the sign_dscale word comes before the weight (Tom) Use SYSV semaphores rather than POSIX on Darwin >= 6.0, i.e., OS X 10.2 and up (Chris Marcellino) Add acronym and NFS documentation sections (Bruce) "Postgres" is now documented as an accepted alias for "PostgreSQL" (Peter) Add documentation about preventing database server spoofing when the server is down (Bruce) Move contrib README content into the main PostgreSQL documentation (Albert Cervera i Areny) Add contrib/pageinspect module for low-level page inspection (Simon, Heikki) Add contrib/pg_standby module for controlling warm standby operation (Simon) Add contrib/uuid-ossp module for generating UUID values using the OSSP UUID library (Peter) Use configure --with-ossp-uuid to activate. This takes advantage of the new UUID builtin type. Add contrib/dict_int, contrib/dict_xsyn, and contrib/test_parser modules to provide sample add-on text search dictionary templates and parsers (Sergey Karpov) Allow contrib/pgbench to set the fillfactor (Pavan Deolasee) Add timestamps to contrib/pgbench -l (Greg Smith) Add usage count statistics to contrib/pgbuffercache (Greg Smith) Add GIN support for contrib/hstore (Teodor) Add GIN support for contrib/pg_trgm (Guillaume Smet, Teodor) Update OS/X startup scripts in contrib/start-scripts (Mark Cotner, David Fetter) Restrict pgrowlocks() and dblink_get_pkey() to users who have SELECT privilege on the target table (Tom) Restrict contrib/pgstattuple functions to superusers (Tom) contrib/xml2 is deprecated and planned for removal in 8.4 (Peter) The new XML support in core PostgreSQL supersedes this module.